According to Websense, a piece of malware that found as antivirus software has reportedly found on around 30,000 unique sites. The malware effects in such a way that when a user loads the page, they are redirected to the .rr.nu top-level domain that mimics a Windows security scan, asking the user to download the program and clear viruses from the computer. The source of the malware is not known yet although over 85 percent of the affected sites are US-based. The short piece of injected code:
A quick query of this site shared by Sucuri shows the current live domains:
- $ curl -sq http://www.lilypophilypop.com/g_load.php
- http://uotes98satur.rr.nu/
- http://ixeld52erlya.rr.nu/
- http://ile68depa.rr.nu/
- http://cie69svoi.rr.nu/
- http://ues02the.rr.nu/
- http://ordonv12ectorct.rr.nu/
- http://ngv83ete.rr.nu/
- http://waranc72hexcit.rr.nu/
- http://ereaso88nsphas.rr.nu/
- http://erbac03klogwi.rr.nu/
- http://rtfall80shesdo.rr.nu/
- http://mitexp80ressman.rr.nu/
- http://tingst30iffles.rr.nu/
- http://ford53blue.rr.nu/
- http://trill18ionsa.rr.nu/
