We first detected malware from globalpoweringgathering.com almost a month ago, and posted on our blog about it. But in the last few days, we started to see a big increase in the number of sites infected with it.
We were able to catalog almost 3 thousand sites with this malware and Google lists almost 2 thousand sites in their safe browsing page (and it is growing each day – just yesterday it was less than 1 thousand):
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1815 domain(s), including clonestop.com/, warseer.com/, showbiz411.com/.
With some variations, with just a number changing:
Note that these are very similar to the “Hilary Kneber” malware distributed by these domains (hosted on the same IP addresses):
How are these sites getting hacked?
We are seeing multiple causes. The most common is related the usage of old versions of web applications (like WordPress, Joomla, etc). However, we are also seeing HTML-only sites hacked that are getting compromised via FTP due to stolen passwords. So make sure your sites are updated and change your passwords (making sure to use a strong password, that your desktop is not compromised, etc).
Other domains being used as intermediaries:
If you need any help cleaning up an infected site (or someone to do it for you), let us know.
Thanks for the info. My HTML site was compromised.
Do you have some deeper details about attack vector used to compromise websites targeted by this “worm”? Do you think that a WordPress 3.0.4 version could be vulnerable to this exploit?
On 2 joomla sites I had over 10k files infected: index.html and *.php