Home Testimonials Company Support 1–888–873–0817
Home Notes Malware Signatures About

Every day we analyse hundreds of new malicious files. Some of them are simple backdoors, injected iframes, or one liner defacements.

Another type of malware, equally interesting, are the ones that interact with authentication interfaces. These malicious codes may allow attackers to log-in with a particular set of bogus credentials or completely circumvent security measures implemented to prevent unauthorized access to the back-end.

Read More ...

Our Incident Response process makes sure we remove all malicious files and other small pieces of code inserted in good files that could be used to re-gain access to the environment. These pieces of malware could be very easy to detect based on encoding level, obfuscation, suspicious functions and few other variables. Some malware, on the other hand, try to hide themselves in plain sight by using regular PHP or JavaScript functions or pretending to be an authority they are not.

Read More ...

We wrote a lot about malware in invisible iframes. This story is about a different type of invisible iframes that hackers may place on your site.

As you know, many large ecommerce sites have affiliate programs that allow third-party publishers to send traffic their way in exchange for commission on purchases. Amazon.com is the most well known example of a site with a public affiliate program. Millions of sites participate in it. As many other such sites, Amazon realizes that people referred to their store via affiliate links may not immediately make a purchase. Some of them need time to think, compare prices on other sites, research alternatives, etc. Still Amazon wants to acknowledge the role of the affiliate if the referred visitor returns to the Amazon later and makes the purchase then. Technically, it is done by placing an affiliate cookie on the visitors computer for a certain period of time (in case of Amazon it’s 24 hours); and if that particular user buys anything from Amazon before the cookie expires, the affiliate who referred them is eligible for some commission.

Sometimes we find hidden amzn.to iframes on hacked sites.

Read More ...
When a website is compromised, attackers perform post-exploitation tasks to  maintain  access to the site for as long as possible. One of these actions is usually the creation of admin users to remotely control the site or automate the creation or distribution of spam content. Unfortunately (for them), it’s really easy to detect and remove these fake users and they have to find and execute new techniques to actually hide them. During an investigation, we found a small piece of code inside the file "/current_wp_theme/functions.php" that caught our attention:

Read More ...

Search and Backdoor

2017-01-18  by  Luke Leal

The ubiquity of “unlimited” shared hosting platforms has incentivized malware in trying to infect as many adjacent website directories as it can to increase its overall surface area. The more infected the area is, the more likely that at least one piece of malware can evade detection long enough to successfully reinfect the web hosting environment.

When a website is infected or compromised, the malicious user will often times leave a backdoor that can be used to regain unauthorized access to the website or system. A backdoor doesn’t necessarily have to be an existing malicious file; it can also be within a database or running process. A database backdoor could be a shell script included within a row of a table that is loaded on a certain URL. Or in some cases, it can involve an actual user being inserted into a CMS database with full privileges by the malicious user.

I encountered a malicious file that upon execution will go one level above the root of the infected WordPress or Joomla site:

Read More ...

Often times a malware author will try to provide some type of camouflage to their malware’s coding in an effort to disguise an unsuspecting eye from its true intentions. I recently came across an interesting example from a malicious file used to bypass authentication when accessing wp-admin:

Read More ...

Magento malware that steals details of customer credit cards is a prevalent problem during the last couple of years. We write a lot about various modifications of such malware and the tricks hackers use. When you look back, it’s interesting to see how common ideas may be reused in different steps of the attack.

Read More ...

We wrote multiple times about malware attacks that store their scripts on Pastebin.com and load them either to the server once they break into it or directly to the infected web pages

However Pastebin.com can’t be called a reliable hosting for malware. You can report any paste and it will be removed if Pastebin.com finds it inacceptable. For example, when we find that a certain paste is being used in ongoing attacks, we report them.

What happens when a paste is removed from Pastebin.com? Of course, hackers eventually notice it and create new pastes and reconfigure the attack to use them, but for some period of time their attack is disrupted. From time to time we find signs of such disrupted attacks on infected sites. For example, recently our scanner found this file on a hacked site: skin/adminhtml/default/kontools/promailerv2.php.

Read More ...

When webmasters or hosting companies look for malware, they usually search for encrypted code, encoded payloads, suspicious functions and much more. If they happen to find any of those instances, it’s a common practice to either remove or rename the file in question.

If the file being flagged hits a certain amount of suspicious code or raises red flags based on different variables, hosting companies may rename those files from file.php to file.php.suspected (Appending .suspected in the end) - this way the file loses its ability to be interpreted by the webserver. However, sometimes there are backdoors nearby ready to release the prisoners.

The following code was found during an incident response investigation:

Read More ...

When dealing with compromised scenarios, our team has to be very thorough to remove all pieces of malware in the infected website. Most of the time attackers don’t inject single bits of code but a variety of malware to increase the chances of maintaining access to the compromised resource while reducing the chances of getting caught.

Read More ...