"This past weekend we registered a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files," he begins.
"This malware only infects first-time visitors; it sets the ad-cookie cookie (er2vdr5gdc3ds) that expires in 24 hours and injects an invisible iframe," Sinegubko notes.

After examining the different iframes used in this advertising campaign, the researcher observed a pattern involving third-level domains and "advertising" or "AdMedia" (a popular advertising network) in the path part of the URLs. Catalin Cimpanu of Softpedia writes that Sucuri has yet to confirm whether the ads indeed belong to AdMedia. All ads in this campaign load with the referral ID "Twiue123", which might refer in some way to one "Vasunya" (valera.valera-146 @ yandex.ru), an unknown individual to whom Sinegubko has traced the registration of the third-level domains using WHOIS records.
"This malware uploads multiple backdoors into various locations on the webserver and frequently updates the injected code," the researcher details. "This is why many webmasters are experiencing constant reinfections post-cleanup of their .js files."

Sinegubko concludes by pointing out that if sysadmins are hosting several domains on the same hosting account, they must either isolate every site or clean, update and protect all of them simultaneously in order to escape the reinfection cycle.
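The indicators the report gives (code appended to the end of every legitimate .js file, the er2vdr5gdc3ds cookie, an invisible iframe) are enough for a first-pass sweep of a site's .js files during cleanup. The scanner below is an added example, not Sucuri's tooling; the entropy threshold, the hidden-iframe pattern and the sample files it builds are assumptions constructed here.

```python
import math
import re
import tempfile
from pathlib import Path

# Indicators from the report: the cookie the injected code sets and the invisible
# iframe it adds. The entropy heuristic is this example's assumption, not Sucuri's.
COOKIE_NAME = "er2vdr5gdc3ds"
IFRAME_RE = re.compile(r"<iframe[^>]*(display\s*:\s*none|width\s*=\s*['\"]?0)", re.I)
TAIL_BYTES = 4096        # report: code is appended at the END of each .js file
ENTROPY_THRESHOLD = 5.2  # bits/byte; encoded blobs sit well above plain JS (~4.5)

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def indicators_for(path: Path) -> list[str]:
    """Indicators found in the tail of one .js file (empty list = clean)."""
    tail = path.read_bytes()[-TAIL_BYTES:]
    text = tail.decode("utf-8", errors="replace")
    found = []
    if COOKIE_NAME in text:
        found.append("cookie:" + COOKIE_NAME)
    if IFRAME_RE.search(text):
        found.append("hidden-iframe")
    if len(tail) >= 512 and shannon_entropy(tail) > ENTROPY_THRESHOLD:
        found.append("high-entropy-tail")
    return found

def scan_js_tree(root: str) -> dict[str, list[str]]:
    """Walk a site root and map each suspicious .js file to its indicators."""
    return {str(p): ind for p in Path(root).rglob("*.js") if (ind := indicators_for(p))}

def build_sample_site() -> str:
    """Constructed sample: one clean file and one with an appended injection."""
    root = tempfile.mkdtemp()
    clean = "function add(a, b) { return a + b; }\n" * 40
    inject = ("document.cookie='" + COOKIE_NAME + "=1;max-age=86400';"
              "document.write('<iframe src=\"http://example.invalid/ad\" "
              "style=\"display:none\"></iframe>');")
    Path(root, "jquery.js").write_text(clean)
    Path(root, "plugin.js").write_text(clean + inject)
    return root

if __name__ == "__main__":
    for f, ind in scan_js_tree(build_sample_site()).items():
        print(f, ind)
```

Because the report says the backdoors live elsewhere on the server and keep rewriting the .js files, a clean scan result only confirms the symptom is gone; run it again after the backdoors themselves have been removed.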