As we know, one of the main goals of a successful attack is to maintain access to the compromised server for as long as possible. Today we found this simple but effective password stealer for Joomla.



It was injected in /administrator/components/com_login/models/login.php. The code just captures the $credentials array (the username and password, to be more specific) and writes it to a login.txt file, which was accessible through the internet.

To make things even easier for the attacker, it writes the date and time of the capture in the Chicago time zone (so is the attacker in Chicago?).

Just came across this backdoor (decoded):



It looks like a normal backdoor, but the interesting part, and the one I didn't understand completely, was this one:

What is it doing?

Why is it reading from php://input? The PHP manual explains:

That explains it.

We woke up this morning to many reports and people asking why the PHP.net site is being blacklisted. We did not get a chance to analyze it while it was compromised, but it seems that one of their JavaScript files (static.php.net/www.php.net/userprefs.js) was modified to inject a malicious iframe from "http://lnkhere.reviewhdtv.co.uk/stat.htm".

This is the suspected bad code: http://pastebin.com/raw.php?i=nAess4xL

It seems the PHP team fixed it already and requested Google to clear it. If anyone has more info, we would love to hear it.



A common keyword that people use to find hidden injections on web sites is "base64_decode". You often see injections that look like "eval ( base64_decode" or "eval ( gzinflate ( base64_decode" being used by the attackers.

So most web security tools have signatures to look for it (especially on WordPress).

Well, the attackers know about it as well, and we are starting to see some interesting variations. For example, instead of injecting base64_decode directly, they are injecting it as a variable:



And instead of calling base64_decode directly, they are using base + 32*2 + decode. A simple trick that allows them to bypass many security filters.
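A signature for the literal string "base64_decode" misses the variant above, but a scanner that constant-folds PHP string expressions before matching does not. The following is an added example written for this note, not code from the original post or from Sucuri; it assumes the concatenation is PHP's `.` operator (for instance `"base" . (32*2) . "_decode"`) and that the function-name watchlist and the constructed sample file are illustrative. It also covers the Joomla stealer described earlier on this page with a second rule: a file-writing call whose arguments mention `$credentials` or a password.

```python
import re

# Function names attackers hide behind concatenation or arithmetic (assumed watchlist)
WATCHLIST = {"base64_decode", "gzinflate", "gzuncompress", "str_rot13",
             "eval", "assert", "create_function"}
# The classic signature most scanners already match
CLASSIC = re.compile(r"\beval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(", re.IGNORECASE)
# Disk-writing sinks, flagged when their arguments look like credentials (Joomla stealer pattern)
SINK_CALL = re.compile(r"\b(file_put_contents|fwrite|fputs)\s*\(([^;]*)", re.IGNORECASE)
CREDENTIAL_HINTS = re.compile(r"\$credentials|passw(?:or)?d", re.IGNORECASE)
ASSIGN = re.compile(r"(\$\w+)\s*=\s*([^;=]+);")
ALIAS_CALL = re.compile(r"(\$\w+)\s*\(")

# Tokens of a constant string expression: quoted literals, integer products,
# integers, and the glue we ignore (concatenation dots, parentheses, whitespace).
_TOKEN = re.compile(
    r"'((?:[^'\\]|\\.)*)'"        # single-quoted literal (escapes left unresolved)
    r'|"((?:[^"\\]|\\.)*)"'       # double-quoted literal
    r"|(\d+)\s*\*\s*(\d+)"        # integer product such as 32*2
    r"|(\d+)"                     # bare integer
    r"|[()\s.]+"                  # concatenation glue
)


def fold_string_expr(expr):
    """Constant-fold a PHP expression built only from string literals, integers,
    integer products and '.' concatenation into the string it evaluates to.
    Returns None for anything else (variables, calls), so real code is not misreported."""
    pos, parts = 0, []
    expr = expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            return None
        pos = m.end()
        single, double, left, right, number = m.groups()
        if single is not None or double is not None:
            parts.append(single if single is not None else double)
        elif left is not None:
            parts.append(str(int(left) * int(right)))
        elif number is not None:
            parts.append(number)
    return "".join(parts) if parts else None


def scan_php(source):
    """Return (line, rule, detail) findings for a PHP file's source text."""
    findings, aliases = [], {}
    for lineno, line in enumerate(source.splitlines(), 1):
        if CLASSIC.search(line):
            findings.append((lineno, "classic-eval", "eval(base64_decode(...)) pattern"))
        for m in ASSIGN.finditer(line):
            var, folded = m.group(1), fold_string_expr(m.group(2))
            if folded and folded.lower() in WATCHLIST:
                aliases[var] = folded.lower()
                findings.append((lineno, "obfuscated-alias", f"{var} -> {folded.lower()}"))
        for m in ALIAS_CALL.finditer(line):
            if m.group(1) in aliases:
                findings.append((lineno, "alias-call", f"{m.group(1)} -> {aliases[m.group(1)]}"))
        for m in SINK_CALL.finditer(line):
            if CREDENTIAL_HINTS.search(m.group(2)):
                findings.append((lineno, "credential-sink", m.group(1)))
    return findings


# Constructed sample: the obfuscated alias, the classic form, a credential
# write in the style of the Joomla stealer, and one benign concatenation.
SAMPLE = r'''<?php
$x = "base" . (32*2) . "_decode";
$y = 'gz' . 'inflate';
eval($y($x($payload)));
eval(gzinflate(base64_decode($c)));
file_put_contents('login.txt', date('r') . ' ' . $credentials['username'] . ':' . $credentials['password'] . "\n", FILE_APPEND);
$title = 'Hello' . ' world';
'''

if __name__ == "__main__":
    for lineno, rule, detail in scan_php(SAMPLE):
        print(f"line {lineno}: {rule}: {detail}")
```

The folder deliberately gives up (returns None) as soon as it meets a variable or a call, so ordinary string building in a theme file is not reported; only expressions that evaluate entirely to a watched function name are. Resolving `\x`-style escapes inside the literals is the obvious next step the example leaves out.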



Piwik is an open source web analytics package used by many webmasters, and the bad guys are using its popularity to make their malware injection harder to detect. They do that by injecting malicious JavaScript calls from a domain that looks as if it came from the Piwik project: www.piwik-stat.com/piwik.js. This is what is being injected:



It is not an uncommon tactic (we see it often with jQuery), but as a webmaster, if you see anything from piwik-stat or similar variations, it is likely fake. The official (and trusted) site is http://piwik.org/.



Today we found a malicious iframe that was being loaded from juquery.com (another fake jQuery site). It consisted of the following code hidden inside one of the plugins:



It forces the site to contact juquery.com/jquery-1.6.3.min.js on every page load and display whatever content it provides. It is currently displaying the following malicious payload (triggered by SiteCheck):



Which creates another iframe based on the payload hosted at: httx://www.juquery.com/compability.php?0.09432658250443637:



Which also decodes to the iframe loading script:



It seems that fake jQuery sites are becoming more and more popular; only jquery.com and jquery.org should be trusted.
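Both the piwik-stat and the juquery notes come down to the same check: every external script or iframe source on a page should be a host you recognise, and anything one edit away from a brand you do trust deserves a close look. The following is an added example for these two notes, not code from the original posts or from Sucuri. The trusted-host list is an assumption built from the hosts the notes name (plus code.jquery.com, the jQuery CDN host); the lookalike heuristic and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the notes name as legitimate, plus jQuery's CDN host (assumed list)
TRUSTED_HOSTS = {"piwik.org", "jquery.com", "jquery.org", "code.jquery.com"}
# Brand labels an impostor domain would imitate
BRANDS = ("piwik", "jquery")


def levenshtein(a, b):
    """Edit distance between two strings (classic row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _RefCollector(HTMLParser):
    """Collect the src of every <script> and <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def classify_host(host):
    """'trusted' for known hosts, 'lookalike' when the registrable label
    imitates a trusted brand, 'untrusted' for any other third party."""
    host = host.lower()
    if host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS):
        return "trusted"
    labels = host.split(".")
    base = labels[-2] if len(labels) >= 2 else host  # crude: wrong for co.uk-style suffixes
    for brand in BRANDS:
        if brand in base or levenshtein(brand, base.split("-")[0]) <= 1:
            return "lookalike"
    return "untrusted"


def audit_html(html):
    """Return (tag, host, verdict) for every external script/iframe source."""
    parser = _RefCollector()
    parser.feed(html)
    out = []
    for tag, src in parser.refs:
        host = urlparse(src).hostname
        if host is None:  # relative URL: same origin, nothing to classify
            continue
        out.append((tag, host, classify_host(host)))
    return out


# Constructed sample page mixing the real jQuery CDN with the two fakes from
# the notes and a 1x1 iframe on a dynamic-DNS host (example.* label is made up).
SAMPLE_HTML = """
<script src="https://code.jquery.com/jquery-1.6.3.min.js"></script>
<script type="text/javascript" src="http://www.piwik-stat.com/piwik.js"></script>
<script src="http://juquery.com/jquery-1.6.3.min.js"></script>
<script src="/wp-includes/js/local.js"></script>
<iframe src="http://example.no-ip.biz/stat.htm" width="1" height="1"></iframe>
"""

if __name__ == "__main__":
    for tag, host, verdict in audit_html(SAMPLE_HTML):
        print(f"{verdict:10} {tag:7} {host}")
```

"untrusted" is not a verdict of malice, only a prompt to confirm the host belongs on the page; "lookalike" is the one to act on immediately, since there is no legitimate reason for a page to load piwik.js from anywhere but the project's own domain.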

I don't think we have written about it lately, but an old infection (that started early this year) is still going strong. The result is this code being injected into the site when it is visited by certain browsers:



And the hidden code that generates it is tricky to find and generally hidden inside one of the theme files or wp-includes (on WordPress sites). It looks like this:



All of that serves one end goal: inject an iframe from *no-ip.biz (and other free domains) that redirects the victim's browser to a Fake AV.



A backdoor injector we found on a compromised site:

It looks for a writable directory inside wp-includes, wp-content or uploads and injects a backdoor there.
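An injector that hunts for writable directories succeeds wherever the install's permissions are sloppy, so the defender's check is the mirror image: find every directory under wp-includes and wp-content that any local user can write to, and any PHP file that has appeared inside wp-content/uploads, which should hold media only. The following is an added example, not code from the original post or from Sucuri; the PHP extension list and the constructed sample tree it builds in a temporary directory are assumptions for illustration.

```python
import os
import stat
import tempfile

PHP_EXTENSIONS = (".php", ".php5", ".phtml", ".phar")  # assumed list of executable extensions


def audit_wordpress(root):
    """Return (rule, relative_path) findings for a WordPress install at root.
    Rules: a directory under wp-includes or wp-content with the world-write
    bit set, and a PHP file sitting anywhere inside wp-content/uploads."""
    findings = []
    uploads = os.path.join(root, "wp-content", "uploads")
    for top in ("wp-includes", "wp-content"):
        start = os.path.join(root, top)
        if not os.path.isdir(start):
            continue
        for dirpath, _dirnames, filenames in os.walk(start):
            rel = os.path.relpath(dirpath, root)
            if os.stat(dirpath).st_mode & stat.S_IWOTH:
                findings.append(("world-writable-dir", rel))
            in_uploads = dirpath == uploads or dirpath.startswith(uploads + os.sep)
            if in_uploads:
                for name in sorted(filenames):
                    if name.lower().endswith(PHP_EXTENSIONS):
                        findings.append(("php-in-uploads", os.path.join(rel, name)))
    return findings


def build_sample_tree():
    """Constructed sample install: a world-writable upload month directory
    holding a stray PHP file, next to a properly locked-down wp-includes."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    month = os.path.join(root, "wp-content", "uploads", "2013", "02")
    os.makedirs(os.path.join(root, "wp-includes"))
    os.makedirs(month)
    for d in ("wp-includes", "wp-content",
              os.path.join("wp-content", "uploads"),
              os.path.join("wp-content", "uploads", "2013")):
        os.chmod(os.path.join(root, d), 0o755)
    os.chmod(month, 0o777)  # the kind of directory an injector hunts for
    open(os.path.join(month, "image.jpg"), "w").close()
    open(os.path.join(month, "x.php"), "w").close()
    return root


if __name__ == "__main__":
    for rule, path in audit_wordpress(build_sample_tree()):
        print(rule, path)
```

Run against a live install, point `audit_wordpress` at the document root and pair the output with a web-server rule that refuses to execute PHP under uploads; a writable directory is only useful to an injector if what it drops there will also run.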



Lots of compromised sites redirecting to TDS:

And that's just a small sample. In February alone we detected over 500 sites compromised exactly like that.



If you look at the top domains distributing malware for the last days (and months), what do you see in common?

Most of them use a ChangeIP.com (dynamic DNS) subdomain as the first level of injection. Just check ddns.info, qhigh.com, mynumber.org, pcanywhere.net, etc. They are all part of http://www.changeip.com/. Just in the last 60 days, we identified more than 15,000 different subdomains from them being used to distribute malware.

Don't get us wrong, dynamic DNS is a very useful service, but we would love it if they implemented more serious filtering/blacklisting and some type of captcha to prevent their service from being abused by criminals.

However, in its current state, we can only recommend against using their service, to avoid being thrown in the mix with the thousands of malicious domains they host.

*If you look back more than 6 months, .co.cc was the main domain distributing malware, but since it was shut down the attackers have migrated to changeip.com. Hopefully they will do something about it.
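Because the abuse is concentrated in a handful of parent zones, a webmaster can get a long way by matching the hosts in outbound-request or injected-code logs against those zones rather than against 15,000 individual subdomains. The following is an added example, not code from the original post or from Sucuri. The zone list is taken from the names this page mentions (the four ChangeIP.com zones, *no-ip.biz from the Fake AV note, and .co.cc); the log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Dynamic-DNS zones named on this page; extend from the providers' own zone lists.
DYNDNS_ZONES = {
    "ddns.info", "qhigh.com", "mynumber.org", "pcanywhere.net",  # ChangeIP.com
    "no-ip.biz",                                                  # free no-ip zone
    "co.cc",                                                      # shut down; kept for old logs
}


def dyndns_zone(host):
    """Return the dynamic-DNS zone a host is registered under, or None.
    Only true subdomains count: the zone apex itself is the provider's own site."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        zone = ".".join(labels[i:])
        if zone in DYNDNS_ZONES:
            return zone
    return None


# Constructed log format: timestamp, client address, method, full URL.
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def flag_dyndns_requests(lines):
    """Return (timestamp, host, zone) for each request to a dynamic-DNS subdomain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        host = urlparse(m.group(4)).hostname
        if not host:
            continue
        zone = dyndns_zone(host)
        if zone:
            hits.append((m.group(1), host, zone))
    return hits


def summarize(lines):
    """Distinct flagged hosts per zone: the view the post's '15,000 subdomains' figure comes from."""
    per_zone = defaultdict(set)
    for _ts, host, zone in flag_dyndns_requests(lines):
        per_zone[zone].add(host)
    return dict(per_zone)


# Constructed sample log; the subdomain labels are made up.
SAMPLE_LOG = """\
2013-03-04T10:12:01Z 10.0.0.5 GET http://abc123.ddns.info/stat.htm
2013-03-04T10:12:03Z 10.0.0.5 GET http://code.jquery.com/jquery-1.6.3.min.js
2013-03-04T10:13:07Z 10.0.0.9 GET http://host1.qhigh.com/in.cgi?3
2013-03-04T10:13:09Z 10.0.0.9 GET http://example.org/index.php
2013-03-04T10:15:22Z 10.0.0.7 GET http://xyz.ddns.info/stat.htm
"""

if __name__ == "__main__":
    for zone, hosts in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{zone}: {len(hosts)} host(s): {', '.join(sorted(hosts))}")
```

Matching on the parent zone is deliberately coarse: it will also catch a legitimate dynamic-DNS user, which is exactly the trade-off the post describes when it recommends staying away from these zones altogether.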