Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About
A backdoor injector code we found on a compromised site:

It looks for a writable directly either inside wp-includes, wp-content or inside uploads to inject a backdoor.



Lots of compromised sites redirecting to TDS:

And that's just a small sample. We have detected just in February over 500 sites compromised exactly like that.



If you look at the top domains distributing malware for the last days (and months), what do you see in common?

Most of them are using a ChangeIP.com (dynamic DNS) sub domain as the first level of injection. Just check ddns.info, qhigh.com, mynumber.org, pcanywhere.net, etc, etc. They are all part of: http://www.changeip.com/. Just in the last 60 days, we identified more than 15,000 different sub domains from them being used to distribute malware.

Don't get us wrong, Dynamic DNS is a very useful service, but we would love if they would implement more serious filtering/blacklisting and some type of captcha to prevent their service from being abused by criminals.

However, in the current state, we can only recommend against using their service to avoid being thrown in the mix with the thousands of malicious domains that they host.

*If you look past 6 months ago, .co.cc was the main domain distributing malware, but since it was shut down, the attackers have migrated to changeip.com. Hopefully they will do something about it.



We keep seeing fake jQuery sites popping up and being used to distribute malware. One was jquerys.org, other was jquery-framework.com and the new one is jqueryc.com (199.59.241.179).

And this new one seems to be affecting many web sites in the last few days. All of them have the following on their header or index.php files:



Which redirects any visitor to the web site to jqueryc.com where it is then sent to other random spammy domains (seems like a TDS is in place).

Update:We are also seeing some sites with this javascript file being included: http://www.jqueryc.com/jquery-1.6.3.min.js, which just redirects back to jqueryc.com via the same window.top.location.href in javascript.

*Note that the domain was just registered (20-nov-2012), so it is not being flagged anywhere.
**The official jquery sites are jquery.org or jquery.com. Other variations are likely fake.

It seems that the .co.cc (sub TLD) that used to be mass used by spammers and malware is now gone. Their registration page is offline:



And we hope it stays that way.

If your site is loading hidden iframes from *.ftp1.biz/pony, look for a curl or file_get_contents call to http://wordpresstest2.info/1.txt. When you visit this site, it generates random iframes:



That are displayed on the compromised sites.

We are seeing a large number of sites compromised with an iframe pointing to http://fenwaywest.com/media/index.php . Just in the last 3 days, we identified almost 10,000 sites with it:



On all the compromised sites have the iframes similar to this one:



The domain is hosted at 50.28.53.157, but currently offline (redirecting to Google), so we can't really tell what it is doing. But on previous requests, it was redirecting to a TDS (traffic distribution system) and from there, being sent to multiple spam or malicious domains.

Update 2012/Oct/12: Their site was fixed and is not loading malware anymore.

If you are using any widget/code from http://badgeplz.com/, remove it asap from your site. It has been compromised and is serving malicious code. So if you have any widget from there, it will be loaded from your site as well (blackhole exploit kit).

Example:



Note only that, but their main site is compromised as well.

A New batch of compromised sites are being infected with hidden iframes leading to the Redkit exploit kit. A site gets hacked and an iframe similar to this one is added: :



Once that is loaded into the browser, it redirects anyone visiting the site to:



Where it tries to make the browser load some malicious PDFs or Jar files:



And if you are running an outdated version of Java or Adobe PDF, your personal computer would get compromised as well.

Fake jquery site

2012-09-07  by  Daniel B. Cid
Seeing many sites with a fake jquery links on them from jquery-framework.com (just registered on 2012/08/05): :



If you use jquery, make sure to link to reliable sources (either jquery.org or googleapis). This one is redirecting users to http://browser-31.com/s/3013.