Sucuri Labs Weekly Review – June 22nd – 2012

Have you checked out Sucuri Labs? We have been adding a daily feed of the top web-based malware
samples that we find every day, and the number of compromised sites as well.

We separate the data into three main categories:

  • Hidden iframes
  • Conditional redirections (generally done via .htaccess)
  • Encoded JavaScript

This helps us understand how sites are getting compromised and how it is being executed in the browser.
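Each of the three categories can be triaged with simple heuristics. The following Python is an added example, not Sucuri's scanner or code from the original post; the regular expressions, function names and sample inputs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Illustrative heuristics (assumptions for this example, not Sucuri's rules).
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:\b(?:width|height)\s*=\s*[\"']?[01](?:px)?[\"'\s>]"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
DECODER_CALL = re.compile(r"\b(?:eval|unescape|fromCharCode)\s*\(", re.I)
ENCODED_RUN = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\d{2,3}\s*,\s*){20,}", re.I)
GATED_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(?:REFERER|USER_AGENT)\}", re.I)
EXTERNAL_RULE = re.compile(
    r"^\s*RewriteRule\s+\S+\s+(https?://\S+)\s+\[[^\]]*\bR\b", re.I)

def classify_page(html):
    """Return which in-page categories the markup matches."""
    found = set()
    if HIDDEN_IFRAME.search(html):
        found.add("hidden iframe")
    # A decoder call alone is common in benign code; require a long encoded run too.
    if DECODER_CALL.search(html) and ENCODED_RUN.search(html):
        found.add("encoded javascript")
    return found

def conditional_redirects(htaccess, own_host):
    """Return off-site redirect hosts gated on the visitor's referer or user agent."""
    hosts, gated = [], False
    for line in htaccess.splitlines():
        if GATED_COND.match(line):
            gated = True
        elif line.strip().lower().startswith("rewriterule"):
            rule = EXTERNAL_RULE.match(line)
            host = urlparse(rule.group(1)).hostname if rule else None
            if gated and host and host != own_host:
                hosts.append(host)
            gated = False  # RewriteCond lines apply only to the next RewriteRule
    return hosts

# Constructed samples (not taken from the feed); all hosts are placeholders.
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/stats.php [R=301,L]
RewriteRule ^old/(.*)$ http://www.example.org/new/$1 [R=301,L]
"""
ENCODED = "".join(f"%{b:02X}" for b in b"constructed sample, decodes to plain text")
SAMPLE_PAGES = {
    "iframe": '<iframe src="http://ads.example.invalid/adv.php" width="1" height="1"></iframe>',
    "encoded": '<script>document.write(unescape("' + ENCODED + '"))</script>',
    "benign": '<iframe src="https://video.example.invalid/embed" width="560" height="315"></iframe><script>eval("1+1")</script>',
}
```

An iframe that is only written out after decoding is reported as encoded JavaScript, not as a hidden iframe, because the tag never appears in the static markup.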

Here are a few samples of the daily feed:

As for the top offenders for this week, here you go:

  1. http://onmouseup.info/stats.php – .htaccess redirection that affected a couple hundred different web sites.
  2. http://rec-creations.com/adv.php – Malicious iframe that has been active for a few weeks. And we keep seeing it.
  3. http://google-adsens.com/in.cgi?2 – Malicious iframe to this domain pretending to be from Google. It is offline right now, but we keep finding sites compromised with it.
  4. .ru redirections – Those have been going on for many months, and they are still live. Some of the domains are listed here: estra-talos.ru
  5. JavaScript injections from frankwsherb.in – We are seeing many sites with injections from frankwsherb.in (and similar domains), mostly via an iframe hidden using encoded JavaScript.

For more details, just visit Sucuri Labs to see the dump for each day.
