The My Opera free Web hosting service is hosting malicious code, just the latest prominent hosting service to be gamed by malware distributors. Less than a month after Google’s Code hosting service was found to be hosting and serving malicious executables, a search of Opera Software’s My Opera free hosting service has also turned up malicious programs, according to a researcher at Kaspersky Lab.
My Opera, a free online hosting service for users of the Opera Web browser, played host to a PHP-based IRC botnet, according to a post by Dmitry Bestuzhev, a researcher at Kaspersky Lab. The bot appears to have originated in Brazil, based on an analysis of the code, though it's not clear who posted it to the My Opera hosting service or when, Bestuzhev said.
Bestuzhev, communicating with Threatpost via instant messenger, said that he reported the malicious My.Opera.com URLs to Opera Software and that the company has removed them from its site.
My.Opera.com allows users to set up free accounts with 1 GB of disk space for hosting photos, blogs and other content. The four-year-old free hosting site has more than six million members.
Bestuzhev said a routine scan of My.Opera.com pages turned up both the source of the PHP IRC bot and a working version of the bot, as well as an IRC channel server for coordinating communications within the botnet and the password for the channel. The account in question was not protected by a password, he said.
Like other free hosting services, My.Opera.com is an ideal resource for cyber criminals looking to host their wares on domains with legitimate reputations that are also easy to access.
“There was no hacking, just signing up and installing (the bot),” Bestuzhev said.
In August, Web security firm zScaler found a number of malicious programs hosted on servers used to power Google Code, a free, Web-based platform that provides tools and resources for developers who want to work on projects related to Google’s various open source software. The company claimed that regular anti-malware scans of its servers failed to spot the malicious programs, which included malicious downloader programs, Trojan horses, backdoor programs and password-stealing keylogging programs that target massively multiplayer online games like World of Warcraft.
PHP-based malware can be difficult to identify because the core application files are text-based, rather than compiled binaries with easy-to-spot signatures. That requires either manual auditing of the files to divine their purpose, or filtering for likely malicious strings, Bestuzhev said.
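The string-filtering approach described above can be sketched as a weighted scan over uploaded PHP source. This is an added example, not code from the article or from Kaspersky Lab; the rule names, weights, threshold and both sample files are constructed assumptions chosen for illustration.

```python
import re

# Constructed heuristics (assumptions, not vendor signatures): each rule is
# (name, weight, regex) for one trait of a PHP script that speaks IRC.
RULES = [
    ("raw_socket", 2, re.compile(
        r"\b(?:fsockopen|pfsockopen|stream_socket_client|socket_connect)\s*\(", re.I)),
    # IRC verbs only count when they start a string literal, so SQL such as
    # "... JOIN users ..." does not trigger the rule.
    ("irc_protocol", 3, re.compile(r"""["'](?:NICK|USER|JOIN|PRIVMSG|PONG)\s""")),
    ("command_exec", 2, re.compile(
        r"\b(?:shell_exec|passthru|proc_open|popen|system|exec)\s*\(", re.I)),
    ("decode_and_eval", 3, re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("run_forever", 1, re.compile(r"\bset_time_limit\s*\(\s*0\s*\)", re.I)),
]
THRESHOLD = 5  # assumed cut-off; no single rule reaches it on its own

def scan(text):
    """Return score, verdict and the line numbers that matched each rule."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, _weight, rx in RULES:
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    # Each rule contributes its weight once, however many lines matched.
    score = sum(weight for name, weight, _rx in RULES if name in hits)
    return {"score": score, "flagged": score >= THRESHOLD, "hits": hits}

# Constructed sample: opens a long-lived socket and sends IRC registration.
SUSPECT = r'''<?php
set_time_limit(0);
$s = fsockopen("irc.example.invalid", 6667);
fputs($s, "NICK placeholder\r\n");
fputs($s, "JOIN #placeholder\r\n");
'''

# Constructed sample: ordinary page with a SQL JOIN and an SMTP socket check.
BENIGN = r'''<?php
$q = "SELECT p.title FROM posts p JOIN users u ON u.id = p.uid";
$m = fsockopen("mail.example.invalid", 25);
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, scan(src))
```

Flagged files still need the manual audit the article mentions, since a legitimate IRC client library would score the same way.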
In a blog post, Bestuzhev said that free hosting services are popular among criminals who are looking to upload and disseminate malicious programs. Hosting domains like fileave, ripway, rapidshare and 110mb are common dumping grounds for malicious programs, he wrote.
To date, Kaspersky has identified fewer than 100 malicious accounts on the My.Opera.com servers, but Bestuzhev said he expects to find more, as the browser company struggles to monitor the content of its fast-growing hosting service and social network.