GoDaddy's Mass WordPress Blogs Compromise Serving Scareware

UPDATED: Thursday, May 13, 2010: Go Daddy posted the following update “What’s Up with Go Daddy, WordPress, PHP Exploits and Malware?“.

UPDATED: Thursday, May 06, 2010: The following is a brief update of the campaign’s structure, the changed IPs, and the newly introduced scareware samples+phone back locations over the past few days.

Sample structure from last week: – – AS16276, OVH Paris
    – – – AS31103, KEYWEB-AS Keyweb AG
        – – – AS47869, NETROUTING-AS Netrouting Data Facilities

Detection rate:
– packupdate_build107_2045.exeGen:Variant.Ursnif.8; TrojanDownloader:Win32/FakeVimes – Result: 23/41 (56.1%) Phones back to and

Sample structure from this week: – – AS6851, BKCNET “SIA” IZZI
    – – – AS24940, HETZNER-AS Hetzner Online AG RZ
        – – – AS32181, ASN-CQ-GIGENET ColoQuest/GigeNet ASN
        – – – Email:

Detection rate:
packupdate_build9_2045.exeTrojan.Fakealert.7869; Mal/FakeAV-BW – Result: 9/41 (21.95%)

Sample phones back to:
– /?jbjyhxs=kdjf0tXm1J2a0Nei2Mrh24U%3D
– /Reports/SoftServiceReport.php?verint
– – Email:
– – – Emaikl:
– /chrome/report.html?uid=2045&wv=wvXP&
– /report.html?wv=wvXP&uid=50&lng=
– – Email:

Related scareware domains part of the ongoing campaign are also parked on the following IPs: – Email: – Email: – Email: – Email: – Email: – Email: – Email: – Email:

UPDATED: Thursday, April 29, 2010: remains active and is currently redirecting to – and –

Detection rate: packupdate_build107_2045.exeSuspicious:W32/Malware!Gemini; Trojan.Win32.Generic.pak!cobra – Result: 6/41 (14.64%) phoning back to new domains: – – Email: – – Email: – – Email:
    – – – Email:
    – – – Email:

The email was used for scareware registrations in December 2009’s “A Diverse Portfolio of Fake Security Software – Part Twenty Four“.

Parked on, AS46664, VolumeDrive ( are also:

Parked on, AS29073, ECATEL-AS , Ecatel Network ( are also:

Following last week’s Network Solutions mass compromise of WordPress blogs (Dissecting the WordPress Blogs Compromise at Network Solutions), over the weekend a similar incident took place GoDaddy, according to WPSecurityLock.

Since the campaign’s URLs still active, and given the fact that based on historical OSINT, we can get even more insights into known operations of cybercriminals profiled before (one of the key domains used in the campaign is registered to Yes, that Hilary Kneber.), it’s time to connect the dots.

One of the domains used – – Email: was redirecting to – and from there to – The front page of the currently not responding was returning the following message:

  • Welcome. Site will be open shortly. Signup, question or abuse please send to

Registered with the same email,,  is also another domain known have been used in similar attacks from February, 2010 –

Parked on are related scareware domains part of the campaign:

Detection rate for the scareware:
– packupdate_build107_2045.exe – VirusDoctor; Mal/FakeAV-BW – Result: 14/41 (34.15%) with the sample phoning back to the following URLs: – – Email: – – Email:

The same email was originally seen in December 2009’s “A Diverse Portfolio of Fake Security Software – Part Twenty Four“. Parked on these IPs are also related phone back locations:

Parked on – Email: – Email:

Parked on – Email: – Email: – Email:

Parked on – Email:

Although the is not currently responding, parked on the same IP, is another currently active domain, which is registered to

Parked on, AS17964, DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.: – Email: – Email: – Email: – includes a link pointing to – – Email:

The currently active campaign domain redirection is as follows: – – Email:
        – –

Parked on

Detection rate for the scareware:
– packupdate_build106_2045.exe – TrojanDownloader:Win32/FakeVimes; High Risk Cloaked Malware – Result: 7/41 (17.08%)

Just like in Network Solution’s case (Dissecting the WordPress Blogs Compromise at Network Solutions) the end user always has to be protected from himself using basic security auditing practices in regard to default WordPress installations. The rest is wishful thinking, that the end user would self-audit himself.

It seems that related activities are not going to go away anytime soon.

Related WordPress security resources:
20 WordPress Security Plug-ins And Tips To keep Hackers Away
11 Best Ways to Improve WordPress Security
20+ Powerful WordPress Security Plugins and Some Tips and Tricks

This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.

Author: Dancho Danchev

Leave a Reply

Your email address will not be published. Required fields are marked *