Go Daddy Admits to Not Knowing Source of Malware Infections

For several weeks Go Daddy has been blaming the bibzopl.com malware, which has been infecting some Go Daddy hosted websites since February, on users running either outdated versions of WordPress or outdated software in general. Neither claim is true, as the malware has infected websites running up to date software and websites not running any web software, which we and others have been telling Go Daddy. In a topic in Go Daddy’s Community Forums about the code that is causing websites’ files to become infected, a Go Daddy employee using the username ScottG said they are “currently working on determining the source of the file”. The employee also claimed that Go Daddy had been aware of the code. It was nearly two weeks ago that they claimed to have determined the source of the infections. No explanation was given for why they previously claimed to have determined the source of the infections, or why they have not admitted that their previous information was wrong. The employee also said that they are having to get help from other hosting providers to secure their own systems.

Here is the Go Daddy employee’s entire post:

This is information that we have been aware of and are currently working on determining the source of the file. This is not an issue that is localized to Go Daddy. Several other hosting companies are seeing this same attack and we are working with them to determine the source of the attacks and the best way to mitigate them.

Go Daddy Continues PR Campaign Instead of Fixing Security Issue

Early this morning a new variant of the bibzopl.com malware (this variant calls a JavaScript file from holasionweb.com) infected a large number of Go Daddy hosted websites. By this morning their PR department had already contacted us again with continued misinformation about the issue. If they eventually decide to work on discovering and fixing the underlying security issue, instead of running a PR campaign that claims they are secure, the websites would stop getting reinfected.

Go Daddy continues to claim, when not claiming the issue is due to outdated WordPress installations, that this malware is due to “Individuals running outdated applications and software”. As we have posted before, and as Go Daddy is well aware, the malware has infected websites running up to date software and websites not running any web software.

If you are a Go Daddy customer who has been infected and is running updated software, we would be interested to know what response you have received from Go Daddy about this issue.

Go Daddy Again Blames Malware on Outdated WordPress Installations

In an interview Tuesday, Go Daddy’s Chief Information Security Officer Todd Redfoot claimed that the bibzopl.com malware that has been infecting some Go Daddy hosted websites was due to users having outdated versions of WordPress installed in their accounts, which were exploited. Last Friday Go Daddy made the same claim, but by Monday they were claiming that the issue was with users running outdated software, not just WordPress. In our contact with them they stated that it was not WordPress specific. There was no explanation for the most recent change in the claimed source of the infections.

The malware has infected websites and accounts that did not contain WordPress installations, and websites and accounts whose only WordPress installations were running the latest version. There is no reason they should be unaware of this: they claimed to have “scanned our 4M hosted sites to identify sites impacted”, we have mentioned this information in our contact with them, their clients who do not have WordPress installations have been contacting them about the malware, and there are many comments on the Internet from their clients who do not have WordPress installations.

Mr. Redfoot also stated that Go Daddy first spotted the “attack” on May 1, but the malware infections actually began in February and began to infect a large number of websites in April.

Go Daddy’s continued attempts to deflect the blame for issues within their own systems will not solve the issue. If they do not discover the actual underlying issue and fix it, websites could be reinfected with malware.

Clearing Up Misinformation About Go Daddy’s Malware Issue

Go Daddy has released another statement about the bibzopl.com malware that has been infecting some Go Daddy hosted websites. The most recent statement continues their misinformation about the issue, while claiming that they are a “target for speculation and misinformation”.

The largest piece of misinformation is that the cause of the malware is outdated software, whether WordPress, as Go Daddy first blamed, or other software. The malware has infected websites running up to date software and websites not running any web software. As we have explained since February, the malware infects files with the .php extension. Many pieces of web software use .php files, possibly leading to Go Daddy’s most recent inaccurate identification of the issue.

In their most recent statement Go Daddy claimed “both the prevention and the cure are not under” their control, which is not true. The cause of the infection is an issue within Go Daddy’s systems. They are the only ones who can discover and fix the issue.

There has also been misinformation that the malware has infected websites not hosted on Go Daddy. What seems to be causing confusion is that some people are unaware that there are many different hacks and pieces of malware out there, and they are not all related. The binglblats.com malware, which has been infecting Network Solutions hosted websites due to security issues on their systems and which some have claimed to be the same, is unrelated. The vast majority of hacks and malware are due to passwords compromised by password stealing malware on computers, outdated software, SQL injections, and other issues that have nothing to do with hosting providers. This malware has only infected Go Daddy hosted websites.

Here is Go Daddy’s entire statement:

Go Daddy Cares! Here’s some info…

We do take our position as an Internet leader seriously, especially when it comes to security. This is why we are going the extra mile to get the word out. We appreciate your invitation to answer the question, ‘What is Go Daddy doing to help?’

As the world’s #1 Web host provider, Go Daddy is a logical target for speculation and misinformation. With this exploitation issue, both the prevention and the cure are not under our control — because the customer decides whether to update the software they run. (If you think about it, it’s like forgetting to lock your car and blaming the auto manufacturer when your car is stolen.) Our job is to help identify issues and inform our customers about how they can protect their sites.

This is why we are working to proactively communicate and educate Internet users about this situation.

Here are a few of the initiatives we have going right now.

As a service to our customers and all Internet users:

  • Go Daddy scanned our 4M hosted sites to identify sites impacted (we did this immediately upon learning about the issue last week, and again over the weekend).
  • Contacting Go Daddy customers impacted by phone and/or email to let them know how to protect their sites (in some cases, we’ve alerted them even before they realize they are impacted).
  • Go Daddy is also taking the leadership role with educational communication — posting Help Articles to our Community & Customer Service pages to provide “1,2,3 Info” on how to properly update software.

    We’ll update the Help Articles as needed and also be posting another Help Article with actual illustrations/screen shots to make the security update process easy for even the most remedial of Web users to follow.

Phil Stuart
Go Daddy Communications

Go Daddy Changes Statement After Websites Reinfected

On Friday, Go Daddy released a statement claiming that after an “extensive investigation” they had determined that the bibzopl.com malware that has been infecting some Go Daddy hosted websites was due to users running an outdated version of WordPress that had been “set up in a particular way”. In our post about the statement, we explained why this was inaccurate and warned that if the actual underlying issue was not discovered and fixed, websites could again be infected with malware. Early on Saturday the websites were reinfected, this time with malware that calls a JavaScript file from kdjkfjskdfjlskdjf.com.

By this morning Go Daddy had amended their statement. They have removed the claim to having performed an “extensive investigation” into the issue. They have also removed the claim that the malware is WordPress specific, simply blaming the infections on the use of “outdated software”. This claim is inaccurate, as the malware has infected websites running up to date software and websites not running any web software. As we have explained since February, the malware infects files with the .php extension. Many pieces of web software use .php files, possibly leading to Go Daddy’s most recent inaccurate identification of the issue. Again, if the actual underlying issue is not discovered and fixed, websites could be reinfected with malware.

Here is Go Daddy’s entire amended statement:

If you are experiencing difficulties with your site, you may be using outdated software and unknowingly hosting malware.

For easy-to-understand information on how to remove the malware and update your software, please click on our Help Article.

If you use Hosting Connection, automatically update WordPress to version 2.9.2 using the simple 3-step update offered when you log-in.

And, while we’re on the topic of Web security and Best Practices – be sure all your online passwords are unique, secure and in a safe place.

Go Daddy Blames Recent Malware on Outdated WordPress Installations

After an “extensive investigation”, Go Daddy today released a statement with their findings about the bibzopl.com malware that has been infecting some Go Daddy hosted websites since February. They claimed the malware infection is due to users running an outdated version of WordPress that has been “set up in a particular way”. This information is inaccurate, as the malware has infected websites that are not running WordPress and websites running version 2.9.2 of WordPress. The malware infects files with the .php extension. Since WordPress uses .php files and is the most popular content management system, a lot of the infected websites have been WordPress based. This possibly led to their inaccurate identification of the underlying issue that caused the websites to become infected. If Go Daddy does not discover and fix the actual underlying issue, websites could again be infected with malware.

Here is Go Daddy’s entire statement:

WordPress is a-ok. Go Daddy is rock solid. Neither were ‘hacked,’ as some have speculated.

After an extensive investigation, we can report there was a small group of customers negatively impacted. What happened? Those users had outdated versions of the popular blogging software, set up in a particular way.

This underscores the importance of installing the latest Web applications, no matter where you are on the Internet. If you use Hosting Connection, automatically update WordPress to version 2.9.2 using the simple 3-step update offered when you log-in.

And, while we’re on the topic of Web security and Best Practices – be sure all your online passwords are unique, secure, and in a safe place.

Google Adds Malware Warnings to Mobile Search Results

Earlier this week Google began labeling results that are suspected of containing malware in the mobile version of Google search. Since August of 2006 Google has been labeling suspected websites and blocking access to them in their standard search results. The only change made for the mobile version is that the label placed under the result states “This site may harm your device.” The message in the standard search uses the word computer instead of device.

Gumblar Malware Becomes Infectious Again With New Hosts

Last week the Gumblar malware was neutralized when the files containing its malware infection code were replaced with code that attempted to neutralize iframes. Today, those files have been modified to redirect users to files on other websites that contain the malware code. Like the original websites that hosted the malware code, these new hosts are websites that have been compromised by the malware. This is different from most attacks, where the malware code is stored on a website controlled by the individuals behind the malware.

640,000 Websites Estimated to be Infected with Malware in Q3

Dasient, which monitors websites for malware, reported that an estimated 640,000 websites and 5.8 million web pages were infected with malware in the third quarter of 2009. A significant portion of those infected websites, 39.6%, were reinfected during the quarter. Websites can become reinfected if the vulnerability that allowed the website to be hacked into is not secured or another vulnerability is discovered. Most infection code consisted of JavaScript (54.8%) or an iframe (37.1%), with other code, such as .htaccess redirects, accounting for 8.1%.

Gumblar Malware Code Replaced With Iframe Neutralizer

The Gumblar malware, which returned in the past several weeks, appears to be neutralized for the moment. In its return, Gumblar was using compromised websites to host its malware code instead of a website owned by the person(s) behind the hack. Other websites compromised by Gumblar then have code inserted into them that causes a file containing the malware code to be loaded from one of the websites that host the malware.

The code on those websites hosting the malware has now been changed from the malware infection code to JavaScript that neutralizes iframes, along with a message that reads “iframes are EVIL! Hate Zeus!”. If the iframe neutralizing code is loaded on a website that contains other malware scripts, which occurs in some cases, it could possibly disable those scripts.

Gumblar inserted backdoor scripts as part of its hack, which someone other than the original hacker could have used to change the code stored on the host websites. It is also possible that the original hacker made the change for some unknown reason.