200,000 Webpages Compromised to Lead Visitors to Fake AV Sites

Find out what the malicious piece of code looks like

By on March 6th, 2012 10:48 GMT

Mass infections have not been uncommon over the past couple of months, and security experts now believe they have stumbled upon another one. Websense found that 30,000 unique websites are currently compromised to redirect their visitors to sites that promote shady antivirus software.

A total of 200,000 webpages, all part of the 30,000 sites, have been compromised, and the campaign appears to be designed to target mostly sites that run on the WordPress content management system.

After multiple redirects, victims are taken to a website that performs a fake scan, pointing out a large number of infections and threats that affect the system. The scan is designed to appear as if it takes place in a Windows Explorer window, but in reality it’s nothing more than a webpage that’s cleverly set up to dupe users.

When the scan is complete, the user is urged to install an antivirus tool that would allegedly remove the pieces of malware. However, the antivirus installer is nothing more than a Trojan that, once installed, can give its master complete control over the infected machine.

Statistically speaking, more than 85% of the compromised websites are located in the United States. This doesn’t mean that only US internet users are exposed to this threat, as the sites are also visited by individuals from Turkey, Brazil, UK, India, China, South Africa, Jordan, Canada, Philippines and Taiwan.

The injected code is usually placed before the </body> tag and it looks like the one in the screenshot. Website administrators who suspect that their websites may be compromised should check their code for the malicious script.

Judging by what the experts tell us, if one of the webpages displays the code, then most likely the entire site is compromised and each page should be thoroughly checked and cleaned up.
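A site-wide check along these lines, as an added example that is not from Websense or the original article: it lists the scripts that end just before `</body>` on each page and groups pages by the script they share, so a snippet repeated across the site stands out for review. The allowlist, the window size and the sample pages (including the `injected.invalid` host) are assumptions constructed for illustration; inline scripts near `</body>` are labelled by hash so that legitimate ones can be recognized and excluded.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from (hypothetical).
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}
TAIL_CHARS = 600  # how close to </body> a script must end to be reviewed

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
BODY_END_RE = re.compile(r"</body\s*>", re.I)

def suspect_key(attrs, body):
    """Label a script for review: off-allowlist host, or hash of inline code."""
    src = SRC_RE.search(attrs)
    if src:
        host = urlparse(src.group(1)).hostname
        # Relative URLs have no host: the script is served by the site itself.
        return None if host is None or host in ALLOWED_HOSTS else "src:" + host
    text = " ".join(body.split())
    return "inline:" + hashlib.sha256(text.encode()).hexdigest()[:12] if text else None

def scan(pages):
    """Map each review label to the sorted pages whose tail carries it."""
    hits = defaultdict(set)
    for name, html in pages.items():
        ends = [m.start() for m in BODY_END_RE.finditer(html)]
        if not ends:
            continue
        for m in SCRIPT_RE.finditer(html):
            if 0 <= ends[-1] - m.end() <= TAIL_CHARS:
                key = suspect_key(m.group(1), m.group(2))
                if key:
                    hits[key].add(name)
    return {key: sorted(names) for key, names in hits.items()}

# Constructed sample pages; injected.invalid is a placeholder, not a real IoC.
INJECTED = '<script src="http://injected.invalid/x.js"></script>\n'
SAMPLE_PAGES = {
    "index.html": "<html><body><p>Home</p>\n" + INJECTED + "</body></html>",
    "about.php": "<html><body><p>About</p>\n" + INJECTED + "</body></html>",
    "contact.html": '<html><body><script src="/js/site.js"></script>\n</body></html>',
}

if __name__ == "__main__":
    for key, names in scan(SAMPLE_PAGES).items():
        print(f"{key}: {len(names)} page(s): {', '.join(names)}")
```

Pass `scan` a mapping of page name to HTML, for example saved copies of the rendered pages, and review every label it returns.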
