Updated: May 20, 2010
The bibzopl.com malware places a malware script right before </body> tag of a website's pages.
The original script, which began being placed on websites in February, created an iframe pointing to http://bibzopl.com/in.php.
The malware script is generated with the following php script that is placed at the top of the website's .php files:
The php script is added to the website's .php files with another php file, that file is removed from the website when it is run. It is most likely that the file, which infects the .php files with the malware, is added to the website due to a security vulnerability within Go Daddy's systems. This malware appears to only affect websites hosted by Go Daddy, though similar malware has infected other providers. It is not limited to website with WordPress installations as some people, including Go Daddy, have been claiming. Go Daddy has variously claimed that the malware is due to banner ads, it is due to third party software, that they cannot comment of the issue due to security protocol, that it is due to outdated WordPress installations, and that they do not have security vulnerability that is causing the infection. In Go Daddy's most recent, on May 12, statement on the issue they claimed the source of the issue is users with outdated software that has been exploited. On May 13, an Go Daddy employee said in their support forum that they did not know the source of the infection. If you are Go Daddy customer who has been infected, we would be interested to know what response you have received from Go Daddy about this issue.