Major WordPress Malware Threat – Active VisitorTracker Campaign

For the last couple of weeks Sucuri have been tracking a new malware threat that has gained significant traction over the last 48-72 hours. The threat, which they call the “Active VisitorTracker Campaign”, is easy to identify because of the very specific “visitorTracker_isMob” code it injects.

As of 18 September 2015, a little over 6 million websites are now infected, with over 5 million of those infections occurring in the previous 48 hours. The chart created by Sucuri, shown below, illustrates the rate of infection:


As you can see, the rate of infection is significant.

What does the Active VisitorTracker Malware do?

According to Sucuri, the final goal of the infection is to redirect the website's visitors to Nuclear Exploit Kit landing pages, which in turn use a number of techniques to infect the visitors' own computers. Examples of the methods used include exploiting Flash, Silverlight, PDF readers and Internet Explorer on the visitor's computer to install malware or ransomware.

For a more detailed, technical article on the Nuclear Exploit Kit, click here.

The exploit works by inserting the following code into your website:

function visitorTracker_isMob( ){
    var ua = window.navigator.userAgent.toLowerCase();
    if(/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|mi..|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc .. |vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(ua.substr(0,4))) {
        return true;
    }
    return false;
} /* .. visitorTracker .. */ /*

This code then forces the visitor's web page to load an iframe from one of the Nuclear Exploit Kit landing pages, which in turn infects the visitor's computer.

An example of the exploit in action has been noted by Jerome Segura from Malwarebytes, showing an infection on a site owned by a large security provider (Coverity):


But they are not the only major security company affected by this exploit.

Sucuri itself is infected by this Malware (Update – False alarm)

We originally ran a story that implied that Sucuri was itself infected by this malware, because both Norton antivirus and their own SiteCheck flagged what has turned out to be a false positive. We have updated this article to remove the screenshots and other information showing the false positive, but have retained Sucuri's responses below in case anyone is looking for an update:

Update 1: We have since heard back from Sucuri:

indeed, since we publish details about attacks and malicious code on, this can sometimes be flagged in SiteCheck. Not a big deal, though — you can see it’s alerting about a blog post that actually discusses the malware in question.

Regarding Norton flagging our labs site, I’ll escalate this to one of my seniors to have a look.

Certainly, this could be a false alarm, but with Norton also flagging the issue the concern is legitimate, and until we hear back further we recommend exercising caution.

Update 2: Sucuri CEO added his response:

You can find the full response of the CEO, Tony Perez, in the comments below, but for ease of reading we have highlighted the pertinent part here:

Thanks for sharing our information, but I did want to let you know it is a bit misleading. We are not and have not been compromised by this infection. [..]

Yes, we flagged ourselves, and it caused others, like Norton, to flag us as well. These, however, are false positives. We have direct lines of communication with many vendors

Update 3: Norton warning cleared

A second response from the Support team at Sucuri:

Just an update that the Norton warning has been cleared too.

They generated the warning for the same reason that SiteCheck did, because it saw the "visitorTracker_isMob" code in one of our labs notes. The snippet we posted was never functional and would not cause any issue to anyone visiting it. However, it was close enough to the real malware that it caused our malware scanning to generate an alert.

It is quite reassuring they cleared this false positive with Norton so quickly.

17% of Infected Sites already blacklisted by Google

The seriousness of this malware cannot be overstated. Not only are you exposing your visitors' computers to malware / ransomware, but Google appears to be very quickly blacklisting any websites affected by this exploit.

According to Sucuri, 17% of all websites they have discovered with the exploit are already blacklisted by Google and other popular blacklists.

How to check if your Site is infected with the VisitorTracker Malware?

The easiest way to check whether your website is infected is to use Sucuri's free SiteCheck tool. If you are infected you will receive a result like the following:


The above example is a false positive, as it refers to the Sucuri notes which contain a copy of the offending code; however, it will give you some idea of what to expect. If you get a positive result yourself, we highly recommend using Sucuri's service to clean up your website. Just select the “clean up my site” button and choose the appropriate subscription. Requesting a cleanup takes less than a minute, and your site will be fixed. In addition, the relevant applications for removing any blacklist entries will also be made.
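As an added example (not Sucuri's SiteCheck, and not code from the original post), the following script complements the remote check with a local one: it walks a WordPress document root and reports every PHP, JavaScript or HTML file that contains the campaign's tell-tale identifier, "visitorTracker_isMob", with the line number so the injected block can be inspected before cleanup. The two sample files it scans are constructed for the demo.

```python
"""Local scan of a WordPress document root for the VisitorTracker indicator.

Added example, not Sucuri's tool. It searches for the 'visitorTracker_isMob'
function name that the article names as the campaign's tell-tale and reports
where it appears. Point scan_tree() at a real document root to use it.
"""
import os
import re
import tempfile

# The campaign's indicator (from the article). Matched as bytes and
# case-insensitively so mis-encoded or re-cased copies are not missed.
INDICATOR = re.compile(rb"visitorTracker_isMob", re.IGNORECASE)
SCAN_EXTENSIONS = {".php", ".js", ".html", ".htm"}

def scan_file(path):
    """Return [(line_number, excerpt), ...] for every line containing the indicator."""
    hits = []
    with open(path, "rb") as fh:  # bytes: injected code need not be valid UTF-8
        for lineno, line in enumerate(fh, start=1):
            if INDICATOR.search(line):
                hits.append((lineno, line.decode("utf-8", "replace").strip()[:120]))
    return hits

def scan_tree(root):
    """Walk root and return {relative_path: hits} for files that contain the indicator."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings

def demo():
    """Build a constructed mini site (one clean file, one injected) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "demo")
        os.makedirs(theme)
        with open(os.path.join(theme, "functions.php"), "w") as fh:  # clean file
            fh.write("<?php\nadd_action('init', 'demo_init');\n")
        with open(os.path.join(theme, "footer.php"), "w") as fh:  # constructed injection
            fh.write("</footer>\n<script>function visitorTracker_isMob(){"
                     "var ua=window.navigator.userAgent.toLowerCase();}</script>\n")
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, excerpt in hits:
            print(f"{path}:{lineno}: {excerpt}")
```

A hit only tells you the string is present; a page that merely discusses the malware (as Sucuri's own labs note did) will match too, so inspect the surrounding code before treating it as an infection.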

How can you protect yourself as a website visitor?

Whilst we haven't checked every desktop firewall / antivirus program, we can confirm that Norton successfully prevented us from visiting a website infected with this malware.

We run this site using the Sucuri Firewall product, and can highly recommend them if you want to increase the security, and performance of your website.

  1. Tony Perez, September 19, 2015 at 3:31 pm:


    Thanks for sharing our information, but I did want to let you know it is a bit misleading. We are not and have not been compromised by this infection.

    As an organization we invest heavily in research, specifically the public disclosure of that research to keep communities such as this one informed. This sometimes requires us to release snippets of malware variants, such as was the case here.

    Yes, we flagged ourselves.. 🙁 and it caused others, like Norton, to flag us as well. These, however, are false positives. We have direct lines of communication with many vendors

    If you have any other questions, please let me know I’d be happy to expand on the subject if required.

    Tony Perez
    Sucuri – CEO


    • Jonathan, September 19, 2015 at 7:25 pm:

      Thank you. I have updated the article in light of your comments, and also emailed you directly.
