After an “extensive investigation”, Go Daddy today released a statement with their findings about the bibzopl.com malware that has been infecting some Go Daddy hosted websites beginning in February. They claimed the malware infection is due to users running outdated versions of WordPress that have been “set up in a particular way”. This information is inaccurate, as the malware has infected websites that are not running WordPress and websites running version 2.9.2 of WordPress. The malware infects files with the .php extension. Since WordPress uses .php files and is the most popular content management system, a lot of the infected websites have been WordPress-based. This possibly led to their inaccurate identification of the underlying issue that caused the websites to become infected. If Go Daddy does not discover and fix the actual underlying issue, websites could again be infected with malware.
Here is Go Daddy’s entire statement:
WordPress is a-ok. Go Daddy is rock solid. Neither were ‘hacked,’ as some have speculated.
After an extensive investigation, we can report there was a small group of customers negatively impacted. What happened? Those users had outdated versions of the popular blogging software, set up in a particular way.
This underscores the importance of installing the latest Web applications, no matter where you are on the Internet. If you use Hosting Connection, automatically update WordPress to version 2.9.2 using the simple 3-step update offered when you log-in.
And, while we’re on the topic of Web security and Best Practices – be sure all your online passwords are unique, secure, and in a safe place.
Earlier this week Google began labeling results that are suspected of containing malware in the mobile version of Google search. Since August of 2006 Google has been labeling suspected websites and blocking access to them in their standard search results. The only change made for the mobile version is that the label placed under the result states “This site may harm your device.” The message in the standard search uses the word computer instead of device.
Last week the Gumblar malware was neutralized when the files containing its malware infection code were replaced with code that attempted to neutralize iframes. Today, those files have been modified to redirect users to files on other websites that contain the malware code. Like the original websites that hosted the malware code, these new hosts are websites that have been compromised by the malware. This is different from most attacks, where the malware code is stored on a website controlled by the individuals behind the malware.
The Gumblar malware, which returned in the past several weeks, appears to be neutralized for the moment. In its return, Gumblar was using compromised websites to host its malware code instead of a website owned by the person(s) behind the hack. Other websites that have been compromised by Gumblar then have code inserted into them that causes a file, with the malware code, to be loaded from one of the websites that host the malware.
Gumblar inserted backdoor scripts as part of its hack, which someone other than the original hacker could have used to change the code stored on the host websites. It is also possible that the original hacker made the change for some unknown reason.