Distributed Malware Network Outbreak Using Stats.php

We are seeing a large and distributed malware network comprised of thousands of infected websites that is growing very quickly. We call it “Stats.php” because all of the infected websites have the following iframe added to them:

<iframe src="http://hackedsite.com/stats.php" name="Twitter" ..

Stats.php malware

Stats.php is an iFrame Injection attack. This is not a new issue by any means, and we have been posting details in Sucuri Labs for a little while. However, lately we started to see an increase in the number of websites getting hacked by it (a significant increase in the last 3 days).

Once inserted, these iFrames can be controlled to distribute the malware of course, but they can also be used to add things like drive-by downloads, and other types of browser-based attacks. Although the exact vector is unknown, the malware has been found across sites with know outdated software, and in some cases known vulnerable versions.

Here is a preliminary shortlist of websites we are seeing used to attack, and the number of websites that have been compromised by each:

2415 http://creativeironart.net/images/stats.php
1906 http://pahgawks.com/download/stats.php
1748 http://onmouseup.info/stats.php
1524 http://cabaniaseleden.com.ar/stats.php
1451 http://oxsanasiberians.com/downloads/stats.php
1312 http://pairedpixels.com/vaca/stats.php
364 http://duygumatbaa.com/stats.php
185 http://www.lifeshiftdevelopment.com/stats.php
124 http://poseyhumane.org/stats.php
87 http://www.clane.org/gallery/stats.php
40 http://drbolivar.com/stats.php
33 http://fontana-euronics.com/stats.php
7 http://www.orso.it/stats/php

If you were to visit any of these directly, you would get either a blacklist warning from Google, or a 404 error as some have been removed.

How does a distributed web-based malware network function?

Site-X.com is hacked and a malicious file named stats.php is inserted into it. An iFrame is then added to source code from Site-Y.com/stats.php. Site-Y.com is also compromised, it has a stats.php file added to it, and an iFrame from Site-Z.com/stats.php added. When all is said and done, you have a large network of compromised sites, all linking to each other and all with the same malware.

If you have any questions about Stats.php or you want to add more info, feel free to leave a comment, or email us at info@sucuri.net.

Read more: Distributed Malware Network Outbreak Using Stats.php

Incoming search terms

Story added 8. July 2012, content source with full text you can find at link above.