Malware update – Fake AV Redirections

Weekly (kinda daily) malware update. You can track all our updates by following our malware_updates category.

*If your site has been affected with any of these issues, contact us at or visit to get help, or if you want to share some information with us.

Today we started to see a lot of sites infected with an iFrame malware from (yes, always the What is funny is that when we tried to access this site to identify what was going on, we were greeted with a page from the registrar saying that the domain was available:

The domain is available Continue to registration >>

If you want to build a site at this address, please visit us at

We found that very strange and tried to register the domain to see what was going on (their registration is free), but when we were close to completing the registration they said that the domain was not available anymore… Too bad.

A few hours later, that domain was already loading additional malicious iframes from, and many other intermediaries:

$ curl
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "">
<title>Security report #7233 / 2011-04-25..

<frameset rows="*,90">
<frame src="
<frame src="" noresize scrolling..

There are many other sites being used as intermediaries (and just by looking at the domain names you can guess that they try to push the infamous Fake AV), including hundreds of .com:

We are seeing WordPress and Joomla sites infected with this malware, but attackers are certainly scanning for ANY type of target. So if you have a web site, make sure it is updated, you are using good passwords, etc., etc. (the normal guidelines).
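
One way to check your own pages for this kind of injection, as an added example that is not part of the original post: parse the HTML your site serves and flag every iframe or frame whose src points to a host you do not expect. The host names, the allowlist and the sample page are constructed placeholders, and the "hidden" test is a heuristic assumption, not a signature of this campaign.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

FRAME_TAGS = {"iframe", "frame"}

def looks_hidden(attr):
    """Heuristic (assumption): injected frames are often 0/1 px or CSS-hidden."""
    style = attr.get("style", "").replace(" ", "").lower()
    tiny = (attr.get("width", "").strip() in {"0", "1"}
            or attr.get("height", "").strip() in {"0", "1"})
    return tiny or "display:none" in style or "visibility:hidden" in style

class FrameAuditor(HTMLParser):
    """Collects iframe/frame elements whose src host is not trusted."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__(convert_charrefs=True)
        self.trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in FRAME_TAGS:
            return
        attr = {k: (v or "") for k, v in attrs}
        try:
            host = (urlparse(attr.get("src", "").strip()).hostname or "").lower()
        except ValueError:
            host = "<unparseable src>"  # malformed URL: report it, do not skip
        if not host or host in self.trusted:
            return  # relative URL, same site, or allowlisted embed
        line, _ = self.getpos()
        self.findings.append({"line": line, "tag": tag, "host": host,
                              "hidden": looks_hidden(attr)})

def audit_html(html, site_host, allowed_hosts=()):
    """Return one finding per off-site frame in the given HTML text."""
    auditor = FrameAuditor(site_host, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page: one legitimate embed, one injected-looking frame.
SAMPLE = """<html><body>
<h1>My blog</h1>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
<iframe src="http://unknown-host.example.net/in.php" width="1" height="1"></iframe>
<iframe src="/local/widget.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE, "www.example.com", ["video.example.org"]):
        print(finding)
```

Run it against the HTML as fetched from the live site, not only the files on disk, since injected frames are often added at render time by modified templates or database content.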

We will post more details as we track them. If you have any questions, let us know. If you need help with this type of malware, we are here to assist.
