Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

Sucuri Research Labs

The home of our Security Operations Group, including our Malware Research and Incident Response teams.

When a website is compromised, one of the most interesting and challenging tasks we perform is identifying all malware to prevent attackers from regaining access to the resource. They may use different type of malicious codes and techniques depending on their final objectives.

Read More ...

We’ve already described several times how credit card stealing malware hides a data collecting script behind an image URL. When people see URLs that end with .jpg, .png, or .gif they normally don’t expect them to do anything malicious. Third-party JavaScripts are much more suspicious, still it is possible to use them in a way to coax webmasters into considering them benign.

When checking yet another credit card stealing JavaScript injected into the /js/ccard.js file in Magento, we noticed this line:

Read More ...

Cookies are an important part of a visiting session on a website. It is used not only to keep track of actions taken on a specific website by a particular user, but also its login sessions. Having those cookies stolen can easily lead to a compromise of any admin area you visit and allow the attacker to know what you did on that specific website.

These types of attack (Cookie Stealing and Session Hijacking) are not the most common ones due to the complexity involved in the process and because they are usually time sensitive (cookie expiration).

During an incident response investigation, we found a Cookie Stealing malware pretending to be working with one of WordPress’s core domains. Hackers injected an obfuscated (typical eval(function(p,a,c,k,e,d) obfuscation) JavaScript code at the bottom of legitimate .js files such as wp-includes/js/hoverIntent.min.js. Once decoded we see the following:

Read More ...

Some attackers seem to like signing their scripts. This fact is especially true for defacements and backdoors, where attackers show their pride stating that they “owned” a site by signing their own malware. Sometimes they write their expressions and nicknames on the title or in the middle of the file:

Read More ...

Latest malware entries

Hidden iframes

Latest hidden iframes our scanner have identified on compromised web sites.

# of sites infectedTypeMalware / Domains
55iframehttp://poseyhumane.org/stats.php
6iframehttp://zumobtr.ru/gate.php?f=1041671
6iframehttp://ads.rzb.ir/image.php?size_id=7
4iframehttp://www.cascadecowcutters.org/wp-content/upgrade/update.php
4iframehttp://couriertracking247.in/
2iframehttp://stjohnsdryden.org/img/common/download.php
2iframehttp://bucknine.cf/visionovni17.html
1iframehttp://www.trypie.info/update.php
1iframehttp://vefire.ru/apps/11/
1iframehttp://criosfera.cf/marahmerah17.html
Limited view... Only the top entries being displayed.

Conditional redirections

Conditional redirections we have detected (based on user agents or referers).

# of sites infectedTypeMalware / Domains
9redirectionshttp://goodhotwebmart.in/
6redirectionshttp://www.mpzbearing.in/
5redirectionshttp://portal-d.pw/XcTyTp
4redirectionshttp://default7.com
4redirectionshttp://alfsystem.com.my/includes/domit/1.php
2redirectionshttp://wwwjazztel.com/?folio=9PO6Z3MVF
2redirectionshttp://ww1.zibahairsalon.com/?folio=9POGF6H4I
2redirectionshttp://ww1.mtclassificados.net/?folio=9POGF6H4I
2redirectionshttp://top-24h-can-store.com/redirect.php?z=viagra
2redirectionshttp://summerphotography.net/?folio=9PO6Z3MVF
2redirectionshttp://slonova-gora.com/?folio=9POGF6H4I
2redirectionshttp://nubiangraphics.com/?folio=9PO6Z3MVF
2redirectionshttp://myflippincoach.biz/Deals/MyFlippinCoach/
2redirectionshttp://mathaids.com/?folio=9PO6Z3MVF
2redirectionshttp://luxurytds.com/go.php?sid=
2redirectionshttp://luckyherbssupply.in/
2redirectionshttp://laatminute.com/?folio=9PO6Z3MVF
2redirectionshttp://huaweidevices.es/?folio=9POGF6H4I
2redirectionshttp://hotmp3s.com/?folio=9PO6Z3MVF
2redirectionshttp://goldpole.com/?folio=9PO6Z3MVF
Limited view... Only the top entries being displayed.

Spammers

Latest spammers we have detected sending comment, forum or SEO spam.

# of sites infectedTypeMalware / Domains
20spammerhttp://123livesex.com/,forumspam,2014-01
20spammerhttp://20min.ch,forumspam,2014-01
20spammerhttp://90210daily.com/,forumspam,2014-01
20spammerhttp://EzAdBlaster.com,forumspam,2014-01
20spammerhttp://absolutefringe.com,forumspam,2014-01
20spammerhttp://adaptfunrun.org/,forumspam,2014-01
20spammerhttp://andresmarcossanchez.com/MichaelKors/ ,forumspam,2014-01
20spammerhttp://appliancelandinc.com/,forumspam,2014-01
20spammerhttp://audiobookkeeper.ru/,forumspam,2014-01
20spammerhttp://australiainternetsearch.com/,forumspam,2014-01
20spammerhttp://autism.sedl.org/index.php/about-us,forumspam,2014-01
20spammerhttp://axanaxplease.com/,forumspam,2014-01
20spammerhttp://ayurvedatradicional.com/wordpress/ ,forumspam,2014-01
20spammerhttp://azezhomeloans.com/body.html,forumspam,2014-01
20spammerhttp://baltimorecomiccon.com/sponsors/,forumspam,2014-01
20spammerhttp://bashkiaprrenjas.com/,forumspam,2014-01
20spammerhttp://bellezzaamica.it/Moncler-Sale-With-Free-Shipping.html,forumspam,2014-01
20spammerhttp://birdsofstkittsnevis.com/files/,forumspam,2014-01
20spammerhttp://bmaphoenix.org/young-professionals/,forumspam,2014-01
20spammerhttp://bradblaze.com.au/,forumspam,2014-01
Limited view... Only the top entries being displayed.

Encoded javascript

Encoded javascript (redirecting to blackhole and other exploit kits) or to build a remote call.

# of sites infectedTypeMalware / Domains
12javascripthttp://div-class-container.ru/m/": var a910ab1=[855,915,955,960,973,887,970,971,976,963,956,916...
22javascript<script>var b="red";c="mod";function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c...
20javascript<script>var b="red";c="mod";function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c...
17javascript<script src="http://pops.virgilio.us/pop.php?id=1"></script>
10javascript<script>var b="red";c="mod";function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c...
9javascript<script type="text/javascript">var pid='52877';var pixel='468x60';var c_pid='YWQ2LmV1';var pare...
9javascript<script type="text/javascript" src="http://psicholog-msk.ru/scripts/kd7tvnbv.php?id=3023929"></...
3javascript<script>izs=19099;tm="168242";</script><script language="JavaScript" type="text/JavaScript" cha...
2javascript<script type="text/javascript" src="http://ledomaine-miltat.fr/crbst_pa_0_p_22dshk39np8ay/wqqry...
1javascript<script type="text/javascript" src="http://ledomaine-miltat.fr/crbst_pa_0_p_22dshk39np8ay/wqqry...
Limited view... Only the top entries being displayed.