• What’s up with Sitemeter?

    It has been a busy day. Lots of interesting things have happened over the course of the last few hours. One interesting issue we faced came up while trying to help out on badwarebusters.org. It seems that one of our scans flagged a script hosted by Site Meter as potentially malicious. This gets interesting because this kind of code acts as a tracker to measure how many hits a site gets, where the users are coming from, how much time they spend on a page, etc. The important point is that this code is deployed on tons of websites. Some of the interesting websites I visit also have this code. I was intrigued to see why this popularly used counter was popping up as suspicious.

    We had a look at our logs, local dumps and analysis and saw that the Site Meter script was injecting an iframe pointing to dg.specificclick.net, using a body onload event to trigger it. Interestingly, dg.specificclick.net has been associated with multiple cases of Internet misdemeanor. [0] [1] [2] [3] [4]

    It is surprising to see companies that have widely established customer bases link to questionable content.

    The code from the Site Meter script is presented below; the offending part is clearly visible.

    // Copyright (c)2006 Site Meter, Inc.
    // <![CDATA[
    var SiteMeter =
    {
     init:function( sCodeName, sServerName, sSecurityCode )
     ** code removed for brevity **
     onPageLoad:function()
     { 
    
     var newIFrame = document.createElement("iframe");
     newIFrame.frameBorder = 0;
     newIFrame.width = 0;
     newIFrame.height = 0;
     newIFrame.src = "http://dg.specificclick.net/?u=" + encodeURIComponent(document.location) + "&r=" + encodeURIComponent(SiteMeter.getReferralURL());
    
    ** code removed for brevity **
    
    SiteMeter.init('s29rottweilers', 's29.sitemeter.com', ''); 
    
    var g_sLastCodeName = 's29rottweilers';
    // ]]>
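
A heuristic static check for the pattern in the script above, as an added example (not Site Meter's code and not the tooling used for this post): it flags a script-created iframe that is zero-sized or hidden and whose `src` host is outside the hosts the site owner expects the script to contact. The function name, the allow-list parameter and the `.example` hosts are assumptions, and the sample input is constructed.

```javascript
// Added example: regex-based heuristic, not a JavaScript parser.
// Constructed sample shaped like the onPageLoad body shown above.
const SAMPLE = [
  'var newIFrame = document.createElement("iframe");',
  'newIFrame.frameBorder = 0;',
  'newIFrame.width = 0;',
  'newIFrame.height = 0;',
  'newIFrame.src = "http://sync.adnetwork.example/?u=" + encodeURIComponent(document.location) + "&r=" + encodeURIComponent(getReferralURL());',
].join("\n");

// allowedHosts (hypothetical parameter): hosts the script is expected to contact.
function findHiddenIframes(source, allowedHosts) {
  const findings = [];
  // Every variable assigned from document.createElement("iframe").
  const createRe = /([A-Za-z_$][\w$]*)\s*=\s*document\.createElement\(\s*["']iframe["']\s*\)/g;
  for (const m of source.matchAll(createRe)) {
    const name = m[1].replace(/\$/g, "\\$&");
    // First assignment to <var>.<prop> or <var>.style.<prop>, up to ';' or newline.
    const prop = (p) => {
      const hit = new RegExp(name + "\\.(?:style\\.)?" + p + "\\s*=\\s*([^;\\n]+)").exec(source);
      return hit ? hit[1].trim() : null;
    };
    const isZero = (v) => v !== null && /^["']?0(?:px)?["']?$/.test(v);
    const hidden = isZero(prop("width")) || isZero(prop("height")) ||
      /none/.test(prop("display") || "") || /hidden/.test(prop("visibility") || "");
    const src = prop("src");
    // The first string literal of the src expression carries scheme and host.
    const url = src && /["'](?:https?:)?\/\/([^\/"'?#:]+)/i.exec(src);
    const host = url ? url[1].toLowerCase() : null;
    const offSite = host !== null &&
      !allowedHosts.some((h) => host === h || host.endsWith("." + h));
    // Page URL or referrer in the query string means browsing data leaves the site.
    const leaksLocation = src !== null &&
      /document\.(?:location|referrer|URL)|getReferralURL/.test(src);
    if (hidden && offSite) findings.push({ variable: m[1], host, leaksLocation });
  }
  return findings;
}

console.log(findHiddenIframes(SAMPLE, ["counter.example"]));
```

A hit is a reason to review the script by hand, not a verdict: the check misses obfuscated or string-built code and only reads the first assignment to each property.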
    

    The SafeBrowsing report from Google about this site follows:

    What is the current listing status for schwarzerwaldrottweilers.com?

    Site is listed as suspicious – visiting this web site may harm your computer.

    Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

    What happened when Google visited this site?

    Of the 6 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-11-24, and the last time suspicious content was found on this site was on 2009-11-24.
    Malicious software includes 8 trojan(s), 2 worm(s). Successful infection resulted in an average of 16 new process(es) on the target machine.

    Malicious software is hosted on 11 domain(s), including 89.138.243.0/, donnelscreekfarm.com/, ho-fashion.com/.

    This site was hosted on 1 network(s) including AS26496 (PAH).

    Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, schwarzerwaldrottweilers.com appeared to function as an intermediary for the infection of 11 site(s) including tillieiszler.blogspot.com/, ghadaghadadolbier.blogspot.com/, adansharlott.blogspot.com/.

    Has this site hosted malware?

    Yes, this site has hosted malicious software over the past 90 days. It infected 11 domain(s), including tillieiszler.blogspot.com/, ghadaghadadolbier.blogspot.com/, adansharlott.blogspot.com/.