YAWI — Mal/Badsrc-C


On Friday, SophosLabs saw that the website of a major African Sunday newspaper was infected with Mal/Badsrc-C. We took steps to contact the site's owners, and the site is thankfully now clean. So this morning the African diaspora, instead of being infected by various pieces of malware (Troj/Iframe-AU, Mal/JSShell-B, and Mal/TinyDL-T), can read news from home without fear of infection.

So why am I blogging about Yet Another Website Infected (YAWI)? Well, the graph that our automated systems generated in response to this infection was interesting.


The first row of nodes on the graph consists of websites infected with Mal/Badsrc-C, including the African newspaper and an American university. The right-hand side of the graph will attempt to download and install Mal/TinyDL-T. My colleagues Fraser and Vanja will be discussing this part of the graph in their talk on Thursday at the Virus Bulletin Conference in Ottawa.

The part that interested me was the group of nodes on the left-hand side (highlighted in purple). All four of these purple nodes are, or lead to:

  • Pay-Per-Click (PPC) sites
  • Get Paid To (GPT) sites
  • Search Engine Optimisation (SEO) sites

This attack is an example of affiliate web-based malware, and I will be talking about it further on Wednesday at the Virus Bulletin Conference.

If you have any comments about this blog article or any other, please email us via sophosblog@sophos.com.