We are seeing a large and distributed malware network comprised of thousands of infected websites that is growing very quickly. We call it “Stats.php” because all of the infected websites have the following iframe added to them:
<iframe src="http://hackedsite.com/stats.php" name="Twitter" ..
Stats.php is an iFrame Injection attack. This is not a new issue by any means, and we have been posting details in Sucuri Labs for a little while. However, lately we started to see an increase in the number of websites getting hacked by it (a significant increase in the last 3 days).
Once inserted, these iFrames can be controlled to distribute the malware of course, but they can also be used to add things like drive-by downloads, and other types of browser-based attacks. Although the exact vector is unknown, the malware has been found across sites with know outdated software, and in some cases known vulnerable versions.
Here is a preliminary shortlist of websites we are seeing used to attack, and the number of websites that have been compromised by each:
.. and lots more sites ..
If you were to visit any of these directly, you would get either a blacklist warning from Google, or a 404 error as some have been removed already.
How does a distributed web-based malware network function?
Site-X.com is hacked and a malicious file named stats.php is inserted into it. An iFrame is then added to source code from Site-Y.com/stats.php. Site-Y.com is also compromised, it has a stats.php file added to it, and an iFrame from Site-Z.com/stats.php added. When all is said and done, you have a large network of compromised sites, all linking to each other and all with the same malware.
If you have any questions about Stats.php or you want to add more info, feel free to leave a comment, or email us at firstname.lastname@example.org.