Spotting Malicious Injections in Otherwise Benign Code

Being able to spot suspicious code, and then determine whether it is benign or malicious is a very important skill for a security researcher. Every day we scan through megabytes of HTML, JS and PHP. It’s quite easy to miss something bad, especially when it doesn’t visually stick out and follows patterns of a legitimate code.

Let’s take a look at this screenshot:

seo-position-report .net  - Good or Bad?

seo-position-report .net – Good or Bad?

We can see two scripts at the bottom of the HTML code. The scripts are not obfuscated, have variables with clear names (seoJsHost, amount, orderId) and comments. The structure and placement of the scripts resembles Google’s scripts (e.g. Google Analytics). And we can see that the first script loads a JS file from “seo-position-report .net/SEO-report/js/seoTrac.js“, which suggests that it’s some kind of SEO tracker.

So far so good. There are many little-known third-party trackers — it’s probably one of those. It’s typical for them to load additional scripts from their sites.

The second script most likely configures the code loaded by the first script and prepares it to work with the current site. Quite plausible. So nothing suspicious — let’s move on to the next file…

Stop! Not so fast. You should not trust the code that you see for the first time. Let’s dig deeper, what exactly does the seoTrac.js do? Here is the complete source code:

window.location='http://js.seo-position-report.net';

It’s a page redirection code. It always redirects visitors to that js.seo-position-report.net page. This is not an expected behavior for a script that positions itself as a tracker. Moreover, this redirect prevents execution of the second script.

Now it’s clear that both scripts are simply masking the unwanted redirect and can be considered malicious, regardless of what that js.seo-position-report.net does. By the way, currently it redirects to various ad networks which point to scam ads, adultfriendfinder, and sometimes to parked domains.

Don’t Judge a Book by It’s Cover

What looked quite benign at the first glance, ended up being malicious after a more thorough analysis. So don’t be fooled by the look of code. Scrutinize everything that you can’t recognize.

As a website owner or webmaster, you should be familiar with all the third-party scripts that your website uses so that you could easily spot anything that doesn’t belong. I realize, that it may be not trivial for modern sites that use dozens of different scripts. No problem, you need to employ some sort of integrity control for your site. For example, use a version control system, or simply compare (e.g. diff) server files with canonical backup copies. This way you’ll eliminate the “human factor” and won’t need to rely on your code reading skills only.

Security Advisory – Medium Severity – WP eCommerce WordPress Plugin

Sucuri - WP eCommerce Vulnerability

Advisory for: WordPress WP eCommerce Plugin Security Risk: Medium (DREAD score : 6/10) Exploitation level: Easy/Remote Vulnerability: Information leak and access control bypass. Patched Version: 3.8.14.4 If you’re using the popular WP e
Read More

Drupal Warns – Every Drupal 7 Website was Compromised Unless Patched

The Drupal team released an update to a critical SQL Injection vulnerability a few weeks ago and urged all their users to update or patch their sites as immediately. Today the the Drupal team released a strong statement via a public service
Read More

Threat Introduced via Browser Extensions

CouponDropDown Malware Ads

We love investigating unusual hacks. There are so many ways to compromise a website, but often it's the same thing. When we see malicious code on web pages, our usual suspects are: Vulnerabilities in website software Trojanized software
Read More

ASP Backdoors? Sure! It’s not just about PHP

Sucuri - ASP Backdoor 4

I recently came to the realization that it might appear that we're partial to PHP and WordPress. This realization has brought about an overwhelming need to correct that perception. While they do make up an interesting percentage, there are various
Read More

Google Blacklists Bit.ly

Screen Shot 2014-10-25 at 10.23.45 AM

If you ever shortened a URL using bit.ly or if you use it anywhere, be aware that Google recently blacklisted all bit.ly pages through its Safe Browsing program. It means that anyone using Chrome, Firefox or Safari will get a nasty The site ahead
Read More

Popular Brazilian Site “Porta dos Fundos” Hacked

SiteCheck Found Malware on Porta dos Fundos

A very well known Brazilian comedy site, "Porta dos Fundos," was recently hacked and is pushing malware (drive-by-download) via a malicious Flash executable, as you can see from our Sitecheck results: If you do not want the joke to be on
Read More

Manipulating WordPress Plugin Functions to Inject Malware

cform-function-hijack

Most authors of website malware usually rely on the same tricks, making it easy for malware researchers to spot obfuscated code, random files that don’t belong, and malicious lines injected at the top of a file. However, it can become difficult when t
Read More

The Details Behind the Akeeba Backup Vulnerability

Akeeba JSON Payload found by Sucuri

It's been a month since our disclosure of a low-severity vulnerability affecting Akeeba Backup version 3.11.4, which allowed an attacker to list and download backups from a target website using the extension's JSON API.  As promised, here's the
Read More

Malvertising Payload Targets Home Routers

Screen-Shot-2014-10-16-at-12.41.07-PM

A few weeks ago we wrote about compromised websites being used to attack your web routers at home by changing DNS settings. In that scenario the attackers embedded iFrames to do the heavy lifting, the short fall with this method is they require a
Read More