Malwarebytes: Pushing Malware

LOS ANGELES—Anti-malware firm Malwarebytes reported on its blog yesterday about a malware infection on the heavily trafficked porn site,, which has an Alexa global rank of 350 and reportedly gets 5.6 million uniques a day. Despite the headline of the blog post by Jérôme Segura, , a update today reports on an email received from the porn site's owner claiming that the site was hacked. A message still across the top of all pages also reads, "Our site's been hacked. It's clean now. It may take some time to your browser to get the latest updates."

But the Malwarebytes update also states, "Beeg does not give out any details about the ‘hack’ which leaves the door open for some speculation. A big (no pun intended) question remains: how did a core JavaScript file like beeg[dot]com/users.js get injected? We’re not talking about some third-party ad on their site and some bad luck with malvertising, but really about a redirection that took place on the server itself.

"Short of seeing server logs showing the hack," adds Segura, "making a definite statement on what exactly happened is simply speculation. Google’s Safe Browsing shows that “Part of this site was listed for suspicious activity 962 time(s) over the past 90 days.” which is still a little concerning."

In the original post, Segura described in detail the manner of compromise to, which was first caught by a Malwarebytes honey port on March 18, with "the site serving a drive-by download that originated directly from iframe injections including one on beeg[dot]com itself. The domain within the malicious iframe does a typical 302 redirect to an exploit kit (Sweet Orange) landing page, shown below using some obfuscation, which prepares the exploits to be launched on the victim."

Two exploits were served in this instance, with Segura noting, "On a successful compromise, a binary is dropped. In this instance we had the popular Zbot Trojan by Malwarebytes , but the payload may vary per country."

While making no specific accusations about who might be directly responsible for the malware, Segura concludes, "The majority of website hacks are automated and not run by a human sitting behind a computer. There are scripts scanning the web for known vulnerabilities and weak passwords. At the same time, when a high-profile site gets compromised, one has to wonder whether this was the work of an individual who spent the time and effort on it. After all, when your site receives millions of visitors per day, even a few hours worth of malware infections would generate a lot of money."