Compromised Websites Hosting Calls to Java Exploit

Remember that Java 0 day vulnerability that was discovered a few weeks ago and took a while to get patched by Oracle? You know, the one that caused a large portion of the security community to recommend everyone to disable Java completely in their browsers?

Well, it wasn’t hype. This vulnerability has been exploited since then, and it is now the #1 vulnerability exploited by the newer exploit kits found on compromised websites. Detection rates by antivirus products are also very low (7 out of 42 on VirusTotal):

Read More

Sociable WordPress Plugin Security Warning

If you are using the Sociable WordPress Plugin (a plugin with 1,777,161 downloads), be very careful when visiting the plugin’s settings page. We recommend that you disable it or remove it for now, at least until it gets fixed.

A customer alerted us to the issue: when you visit the settings page (e.g., site.com/wp-admin/options-general.php?page=sociable_select), you get a malware warning from Google (“this site may harm your computer”).

What is going on?

The issue is that the plugin is loading an image from a site that is currently compromised (inside this file: includes/class-sociable_Admin_Options.php):

http://balon24.com.ar/wp-content/plugins/sociable/images/Fueto_Sociable.png

That causes the browser to redirect to http://commitse.ru/ (a known malware site). This is what happens when you load that image:

$ curl -D - -A "" http://balon24.com.ar/wp-content/plugins/sociable/images/Fueto_Sociable.png

HTTP/1.1 302 Found
Date: Fri, 07 Sep 2012 21:02:59 GMT
Server: Apache
Location: httx://commitse .ru
Content-Length: 266
Content-Type: text/html; charset=iso-8859-1

There is some discussion about it on the WordPress forums here: http://wordpress.org/support/topic/plugin-sociable-image-causing-malware-detected-flags, but in the meantime we recommend that users delete or disable the plugin.

It doesn’t look like the plugin itself was compromised; it simply loads an external image, and the site hosting that image is currently compromised.

We will post more details when we have them.

WordPress Pluggable.php Being Compromised

Over the last few days we have seen a large number of WordPress sites compromised with a hidden malware payload that lands inside wp-includes/pluggable.php. This is not a WordPress vulnerability; WordPress is simply being targeted as the host.

This malware is not new, and we have been seeing variations of it since June 2012. However, over the last few days the number of compromised sites has multiplied, prompting this post.

We are still tracking down how the sites are getting hacked, but so far we have noticed a few similarities between them.

Read More

Redirection Malware Very Good Leads to Fake AV

If you look at our Labs malware dump for the last few days, you will find something odd in the names of the top domains distributing malware:

712 redirections http://moi-verygoods.ru/simmetry?6
154 redirections http://moiverygoods.ru/simmetry?6
135 redirections http://webverygoods.ru/simmetry?6
131 redirections http://moiverygoods.ru/simmetry?6
88 redirections http://24-verygoods.ru/in.cgi?9
Read More

Blackmuscats Conditional Redirections to Fake AntiVirus

We are seeing many sites today compromised with the Blackmuscats conditional redirection. This malware causes anyone visiting the hacked site to be redirected to a Fake AV (AntiVirus) page. Why Blackmuscats? All the compromised sites have .htaccess redirections pointing to files ending in “blackmuscats?5”.

So far we have detected more than 8,000 sites with this type of redirection and the number is growing (last night we had only found a few hundred).

Note: this is a conditional redirection, so you are only sent to the malware site if you arrive from a search engine, not if you visit the site directly.

Here are some of the domains being used as part of this malware campaign:

Read More

New Web Malware Attacks Using .Ru/In.CGI?16

What do an orange roller, a purple beetle, an orange moth, a green pillar, and a green cricket have in common? Not much, but they are all being used as malware domains to distribute .Ru/In.CGI?16, which has been affecting thousands of websites lately.

Read More

vBulletin Websites Using VBSEO Being Infected with Malware

We are seeing a large number of vBulletin/vBSEO websites getting compromised lately, and we keep getting requests for information about what’s going on.

Read More

Distributed Malware Network Outbreak Using Stats.php

We are seeing a large, distributed malware network made up of thousands of infected websites, and it is growing very quickly. We call it “Stats.php” because all of the infected websites have the following iframe added to them:

<iframe src="http://hackedsite.com/stats.php" name="Twitter" ..

Stats.php is an iframe injection attack. This is not a new issue by any means, and we have been posting details on Sucuri Labs for a little while. However, lately we have started to see an increase in the number of websites getting hacked by it (a significant increase in the last 3 days).

Read More

Malware That Pretends To Be Google

Malware authors (AKA the criminals or the bad guys) use many advanced techniques to hide their activities, ranging from encoding and encryption to auto-generated random domains, conditional redirections, and many other interesting methods.

Alongside all their advanced options, they also use simple techniques to confuse the end user into thinking that a malicious domain belongs to a legitimate organization. As of late, it seems the usual organization chosen is Google.

What will a user think when they see the following code on their site?

<iframe src="http://google-adsens.com/in.cgi?2"…
Read More

Uploadify, Uploadify and Uploadify – The New TimThumb?

We are seeing a lot of noise again regarding the Uploadify script vulnerabilities affecting some WordPress themes/plugins. If you are not familiar with it, Uploadify allows anyone to upload anything they want to your site without any authentication.

Very, very useful, no? Maybe, but at what cost? If a bad guy/gal knows that you have the Uploadify script, they can upload anything they want too (backdoors included) and hack your site.

First, Uploadify is nothing new. When we were reporting on the TimThumb vulnerabilities, we were also notifying everyone about the issues with Uploadify.

Been Around

  1. In October of 2011 we warned everyone to remove and check for Uploadify: Remove Unused/Testing/Debug Software From Your Site
  2. We put out a post in August of 2011 listing themes affected by TimThumb, and we also listed the ones using Uploadify as unsafe: Timthumb Security Vulnerability – List of Themes
  3. An oldie but goodie, TimThumb (Tip of the Iceberg), in which Uploadify was also included

Read More