We posted yesterday about the Blackmuscats .htaccess redirection that was affecting thousands of web sites.

They are still happening (and growing), but the attackers have switched the file names to "nonalco", "mimosa" and other random keywords:

The redirection is still the same, going from those .ru domains to additional second-level .ru domains and then to a .pl:

So far we have identified more than 17,000 sites with this type of malware. More details as we track them.

We are seeing thousands of sites compromised with an iframe from cndexit.com:

This is the iframe that we detected:

Google has already flagged this domain and found it to be responsible for the infection of more than 1.5k sites:

We can't say for sure how sites got hacked, but we will post more details when we have them. If your site is compromised, our team can clean it for you: http://sucuri.net/signup

Yahoo Leak

2012-07-12  by  Daniel B. Cid
You can check if your email is part of the yahoo leak here: http://labs.sucuri.net/?yahooleak.

This is a simple way to know when a vulnerability in Plesk (or any other software) is being exploited in the wild: when the mass scans for it start.

The data is from ISC (isc.sans.org) and shows a massive increase in the number of queries to port 8443 (used by Plesk).

Top malware entry for the day: poseyhumane.org/stats.php

It seems to be the stats.php "malware" of the day. Related to our post here: Distributed Malware Network Outbreak Using Stats.php.

We also identified a C&C (command and control) server for these infections: http://botstatisticupdate.com/stat/stat.php. More info to come soon.

A few weeks ago we reported the case of a few compromised sites with an .htaccess redirection to msn.com. Now we are seeing a few sites with the same redirection but to google.com.

This is what we are seeing on some hacked sites (.htaccess file):

We have no idea why this is happening. Maybe a bug in the attackers' malware injection code, but we can't say for sure. We will post more details when we find out what is going on.

While looking at a compromised site, we found an interesting mass mailer in there. The content was encoded using eval/gzinflate and base64_decode:

But when switching the "eval" for "print" we could see the mass mailer hidden and what it was doing:

What I found interesting is that this spam tool stored all the emails in the database and the script supported options to update the email list, change content and many things like that. And every few hours the attackers would access it, update the emails and spam everyone in there.

Yesterday we listed www.google.com as being used for .htaccess conditional redirections on hacked sites. Google does no evil, so what happened?

We identified the source of the malware, which looks for certain user agents and IP addresses and redirects to www.google.com if it comes from them or to the real malware if not.

This is the code:

So, if you are not familiar with PHP, what this code is doing is checking for the user agent of some bots (Googlebot, MSN, Bing, etc.) and for a few IP addresses belonging to bots and antivirus companies (Trend, Bitdefender, etc.). If the request comes from one of them, the malware ignores the connection and redirects to www.google.com.

That's why we were seeing www.google.com and listed it on our malware dump (already fixed).

For all the other users (the victims), the malware was contacting to get the URL to redirect (generally in the .tk domain). Any questions, let us know.

We are seeing something very strange on a few compromised sites lately. Instead of doing .htaccess redirections to malware sites, the attackers added the "malware" to redirect users to msn.com.

This is what we are seeing on some hacked sites (.htaccess file):

If you are not familiar with the .htaccess syntax, it is basically redirecting any users coming from search engines (Google, Bing, Yahoo and even Twitter/Facebook) to msn.com instead of going to the real site.

Anyone have ideas? It seems like a bug in the attackers' malware injection code, but we can't say for sure. And no, we do not think Microsoft is behind those (conspiracy theory). :)
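A quick way to hunt for this kind of referer-conditional .htaccess redirect across a hosting account, as an added example that is not Sucuri's code: it pairs each chain of `RewriteCond %{HTTP_REFERER}` lines with the `RewriteRule` that follows and flags rules that send search-engine or social-network traffic off-site. The .htaccess sample is constructed to mirror the pattern described above, and `example.com` stands in for the scanned site's own hostname.

```python
import re
from urllib.parse import urlparse

# Referrers the notes above mention: search engines plus Twitter/Facebook.
SEARCH_REFERERS = ("google", "bing", "yahoo", "msn", "ask", "aol", "twitter", "facebook")

# Constructed sample modelled on the redirect described above (not a real infected file).
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.*
RewriteRule ^(.*)$ http://www.msn.com/ [R=301,L]
"""

def find_conditional_redirects(htaccess_text, site_host):
    """Return (referer_patterns, target) for each RewriteRule that redirects off-site
    and is guarded by RewriteCond lines on HTTP_REFERER matching search/social sites.
    Only the %{HTTP_REFERER} spelling is handled (assumption for this example)."""
    findings = []
    pending = []  # HTTP_REFERER patterns seen since the last RewriteRule
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments do not break a condition chain
        m = re.match(r"RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", line, re.I)
        if m:
            pending.append(m.group(1))
            continue
        if re.match(r"RewriteCond\b", line, re.I):
            continue  # condition on another variable keeps the chain alive
        m = re.match(r"RewriteRule\s+\S+\s+(\S+)", line, re.I)
        if m:
            target = m.group(1)
            host = urlparse(target).netloc.lower()
            # Off-site target guarded by a search/social referer check is the signature.
            if pending and host and host != site_host.lower():
                hits = [p for p in pending if any(s in p.lower() for s in SEARCH_REFERERS)]
                if hits:
                    findings.append((tuple(hits), target))
        pending = []  # any rule or other directive ends the chain
    return findings

if __name__ == "__main__":
    for patterns, target in find_conditional_redirects(SAMPLE_HTACCESS, "example.com"):
        print("suspicious redirect to", target, "guarded by", patterns)
```

Legitimate referer-based rules that stay on the same host are not flagged, so review any hit by hand before cleaning.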

We are seeing many sites compromised with malware from thesea.org/media.php. All sites had the following added to the .htaccess file:

So far we detected more than 500 sites with this type of redirection in the last few days.