Sucuri Malware Labs

Welcome to the labHome | Notes | Malware data | Signatures | Tools | About

The goal of the Sucuri Malware Lab is to share some of the latest malware we are seeing in the "wild" and to help educate our users and share information with the security community. For you have any questions, please email labs@sucuri.net.

We are also on Twitter at @sucurilabs.

If you are new here, you can check some of our resources:

Research Notes Malware data About

Latest note: Yahoo Leak You can check if your email is part of the yahoo leak here: http://labs.sucuri.net/?yahooleak. Thanks! (by Daniel B. Cid | more notes )

Latest malware entries

Hidden iframes

Latest hidden iframes our scanner have identified on compromised web sites.

# of sites infected	Type	Malware / Domains
18	iframe	http://www.2nf.com.vn/templates/beez/images/jpg.php
11	iframe	http://www.gtagaming.com//forums/images/lightbox/in.php
11	iframe	http://dragovend.ru/outstanding.html?2
10	iframe	http://4ucredit.ru/in.cgi?4
6	iframe	http://lghwee.pcanywhere.net/geowgjwiehgwvbb.cfg?11
6	iframe	http://games.webhost31.ru/adxcsub.php
5	iframe	http://jtyopol.freewww.biz/nighttrend.cgi?8
5	iframe	http://bing.jigsaw3org.us/?12
4	iframe	http://cportmuse.ru/Bermuda?8
3	iframe	http://vizus1.ru/qqcxtyc.php
3	iframe	http://veva.com.ua/cwnqqvk.php
3	iframe	http://immobiliareilsole.it/jdsbgpd.php
3	iframe	http://eda21.ru/hholydo.php
3	iframe	http://9857.aqq.ru/ufgsjox.php
3	iframe	http://55555-4.ru/jnontvd.php
2	iframe	http://www.diggsnet.com/vklctap.php
2	iframe	http://www.arts2heal.gr/xvlnfov.php
2	iframe	http://wordwestsides.ru/y434.lLljcl?default
2	iframe	http://transatlas.com.ua/gjgggsv.php
2	iframe	http://sysgaia.com/ydnsdun.php
		Limited view... Only the top entries being displayed.

Conditional redirections

Conditional redirections we have detected (based on user agents or referers).

# of sites infected	Type	Malware / Domains
29	redirections	http://solfedgio6.ru/simple/go.php?sid=38
16	redirections	http://www.3dcgianimation.com/omzd.html?h=1883330
12	redirections	http://speardiver.com/ocef.html?h=1494741
8	redirections	http://eosusa.com/cewf.html?h=3312309
6	redirections	http://1006jrfjhjr.dynamicdns.org.uk:85/SNrXO5eZUmezafp1VSscRaEmTDduhjoEBK5
5	redirections	http://ypnofkiq.ru/count28.php
5	redirections	http://pyatnickiy.ru/track.php
5	redirections	http://positive-general.ru/example/status.php
5	redirections	http://eastmead1.ipower.com/hamf.html?h=690835
5	redirections	http://biskehud.ru/count5.php
4	redirections	http://www.pinnaclecoin.com/hccd.html?h=378885
4	redirections	http://tegxejiq.ru/count28.php
4	redirections	http://podilovy-fond.eu/hccd.html?h=378885
4	redirections	http://nashifitnes.ru/nonalco?5
4	redirections	http://mampoks.ru/track.php
4	redirections	http://interjeroidejos.com/aood.html?h=1413865
4	redirections	http://hecodat.de/zwmd.html?h=1579506
4	redirections	http://brg-catalogues.com/mzcf.html?h=3176257
4	redirections	http://aiv-shop.de/zczf.html?h=583044
3	redirections	http://www6.uiopqw.jkub.com/
		Limited view... Only the top entries being displayed.

Spammers

Latest spammers we have detected sending comment, forum or SEO spam.

# of sites infected	Type	Malware / Domains
20+	spammer	http://buypropeciatop.soup.io,forumspam,2013-05
20+	spammer	http://buypropeciatop.soup.io/,forumspam,2013-05
20+	spammer	http://finproridecia.pen.io,forumspam,2013-05
20+	spammer	http://finproridecia.pen.io/,forumspam,2013-05
20+	spammer	http://powiekszaniepenisac.pl,forumspam,2013-05
20+	spammer	http://propeciasxl.pen.io,forumspam,2013-05
20+	spammer	http://propeciasxl.pen.io/,forumspam,2013-05
20+	spammer	http://www.2013jordantop.com/,forumspam,2013-05
20+	spammer	http://www.2013jordantop.com/index.php?route=product/category,forumspam,2013-05
20+	spammer	http://www.chloehanabi.com/,forumspam,2013-05
20+	spammer	http://www.chloematsuri.com/,forumspam,2013-05
20+	spammer	http://www.lovepaulsmith.japanbuy.jp/,forumspam,2013-05
20+	spammer	http://www.miumiucity.com,forumspam,2013-05
20+	spammer	http://www.miumiuroom.com/,forumspam,2013-05
20+	spammer	http://www.miumiuvivid.com/,forumspam,2013-05
20+	spammer	http://www.paulsmith.japanbuy.jp/,forumspam,2013-05
20+	spammer	http://www.paulsmithsummer.japanbuy.jp/,forumspam,2013-05
20+	spammer	http://www.restaurant-primavera.at/wp-content/upgrade/go/montblanc/,forumspam,2013-05
20+	spammer	http://www.restaurant-primavera.at/wp-content/upgrade/go/montblancde/,forumspam,2013-05
20+	spammer	http://www.stylessline.com,forumspam,2013-05
		Limited view... Only the top entries being displayed.

Encoded javascript

Encoded javascript (redirecting to blackhole and other exploit kits) or to build a remote call.

# of sites infected	Type	Malware / Domains
10	javascript	http://americanmobile.ca/forum.php?tp=675eafec431b1f72": var t="";var arr="646f63756d656e742e77...
4	javascript	http://124.217.249.45/~user/html/TDS/go.php?sid=1: function v51865b5a5fbba(v51865b5a5fc6a){ fun...
2	javascript	http://zbestprice.org/tent/KcW8: function v4a2fb30324343(v4a2fb3032472a){ function v4a2fb30324b...
2	javascript	http://ynwqmwhnlw.organiccrap.com/d/404.php?go=1: s="";try{q=document.createElement("p");q.appe...
2	javascript	http://pokesack.ru:8080: var t="";var h="";var G;if(G!='m'){G=''};var D_="";function C() {var S...
1	javascript	http://securityandroidupdate.iway-services.com.ar/fix.php": var enkripsi="'1Aqapkrv'1G'2Ckd'0:l...
1	javascript	http://medicaidarmedicare.com: jsr1=[105,46,116,101,99,47,114,100,58,97,100,116,114,111,101,104...
1	javascript	http://bocpoo.com/?2289843": eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C...
1	javascript	http://biotechpharmhealthcare.com: jzs1=[99,104,97,98,112,104,104,116,47,97,99,116,114,116,105,...
267	javascript	<script type="text/javascript" src="http://sem-dv.ru/jquery-update.php"></script>
134	javascript	<script type="text/javascript" language="javascript" > function zzzfff() { var ik = document.cr...
100	javascript	<script type="text/javascript" language="javascript" > function zzzfff() { var jtc = document.c...
53	javascript	<script src="http://changeip.changeip.name/rsize.js"></script>
39	javascript	<script type="text/javascript" src="http://sodiummetal.com/wp-content/plugins/wp_modx/jquery-1....
34	javascript	<script type="text/javascript" language="javascript" > function zzzfff() { var pr = document.cr...
26	javascript	<script type="text/javascript" src="http://sodiummetal.com/wp-content/plugins/wp_modx/jquery-1....
16	javascript	<script src="http://sweepstakesandcontestsnow.com/nl.php?nnn=1"></script>
11	javascript	<script type="text/javascript" src="http://abrahamspath.org.uk/cb.php">"POC"</script>
10	javascript	<script src=http://dibsalimentos.com.br/images/kphz/gifimgud.php ></script>
9	javascript	<script src=http://il-falco.de/__installation/indexc.php ></script>
		Limited view... Only the top entries being displayed.