Website Malware – Sharp Increase in SPAM Attacks – WordPress & Joomla

This past week we have seen a sharp increase in the use of old tactics designed to poison your search engine results – also known as Search Engine Poisoning (SEP) attacks. If you use our free scanner, SiteCheck, you’ll likely see something like the following:

Sucuri - ViewState Infection

You’re probably wondering, what the heck, how is that SEO SPAM? Allow me to explain what this is doing.

The Payload

As you can probably tell, this is some heavily obfuscated JavaScript. This is what it actually looks like (the sample below has been intentionally broken in three places, fromXCharCode, document.X.write and the call x ViewState, so that it will not execute if pasted into a page, and the long digit array is cut short):

<script language="JavaScript">
function xViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','88879181928187863473749187849392773592878834213333..
l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;) {t+=m.charAt(v++);
if(t.length==2){z+=String.fromXCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z; }document.X.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}
x ViewState();
</script>

If you modify it slightly (take out the inserted Xs and hand the finished string to console.log instead of document.write) you can get it to tell you what it's doing. In this case it isn't calling a div at all; it writes a <style> element that defines a CSS class:

<style undefined>.nemonn{position:absolute;top:-9999px}</style>
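The decoding loop is short enough to rebuild as a pure function, so you can recover the hidden markup without ever letting it reach document.write. The block below is an added example written for this post; it is neither the malware's own code nor a Sucuri tool. The sample array in it is constructed here with a matching encoder rather than copied from a live infection (the post only shows the first two elements, the second cut short), and the fourth element is a hypothetical filler that the write expression never reads.

```javascript
// Added example for this post (not the malware's code and not Sucuri's
// tooling): a pure-function re-implementation of the xViewState decoder,
// so the hidden markup can be recovered without reaching document.write.

// The sample walks its array from the end; for the element at index i the
// per-pair offset 25 - l + a reduces to 25 - i, so the offset depends only
// on the element's position, not on the array length.
function decodeElement(digits, offset) {
  let out = '';
  // Consume two digits at a time; a trailing odd digit is dropped, exactly
  // as the original loop drops an unfinished pair.
  for (let v = 0; v + 1 < digits.length; v += 2) {
    out += String.fromCharCode(parseInt(digits.slice(v, v + 2), 10) + offset);
  }
  return out;
}

function decodeViewState(encoded) {
  return encoded.map((digits, i) => decodeElement(digits, 25 - i));
}

// The exact expression the sample hands to document.write. The array has
// no x[4], so that slot stringifies as "undefined" and the browser sees
// <style undefined>, an unknown attribute it simply ignores.
function buildMarkup(x) {
  return '<' + x[0] + ' ' + x[4] + '>.' + x[2] + '{' + x[1] + '}</' + x[0] + '>';
}

// Inverse of decodeElement, used only to construct sample data here. The
// scheme can only carry characters whose code minus the offset is a
// two-digit number, which is why the payload contains no spaces or newlines.
function encodeElement(text, offset) {
  let out = '';
  for (const ch of text) {
    const n = ch.charCodeAt(0) - offset;
    if (n < 10 || n > 99) {
      throw new RangeError(`'${ch}' cannot be encoded with offset ${offset}`);
    }
    out += String(n);
  }
  return out;
}

// Constructed sample: same four-slot layout as the infection, with the digit
// strings generated here rather than copied from a live site. The fourth
// slot is a hypothetical filler; the write expression never reads it.
const SAMPLE = [
  encodeElement('style', 25),
  encodeElement('position:absolute;top:-9999px', 24),
  encodeElement('nemonn', 23),
  encodeElement('filler', 22),
];

function recoverHiddenMarkup(encoded) {
  return buildMarkup(decodeViewState(encoded));
}

console.log(SAMPLE[0]);                   // 9091968376, the first element shown in the post
console.log(recoverHiddenMarkup(SAMPLE)); // the <style> block the browser would receive
```

The first generated element comes out as 9091968376 and the second starts with the same digits as the post's truncated sample, which confirms the offset arithmetic. To decode a real capture, paste its array into decodeViewState; nothing in the block touches the DOM.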

What’s that Do?

What really matters is what it's outputting. As you can see, it defines the .nemonn class and sets its top position to -9999px, so anything carrying that class is drawn 9999 pixels above the top of the page and you'd never see it. (The stray "undefined" is just x[4], a slot the array doesn't have; the browser ignores it as an unknown attribute and applies the style anyway.) Why does the negative offset hide it? Because your browser lays the page out on a grid, for lack of a better word, where X and Y both start at 0. To better understand, I turn to our favorite Dre Armeda to explain:

So by default on absolute positioning you add the top property. The value 0 on that property places whatever object you're setting the rule on flush to the top, hence position: absolute; top:0;. If you change absolute: 0; to let's say absolute: 100; it will push the content down from the top 100 pixels. Hence when you see -9999px it is negative, so it pulls it up over the top by 9999 pixels. The same thing can be done left/right/bottom by adding the appropriate property – left: 0; right: 0; bottom: 0;

In short, anything with the nemonn class is being pushed off the screen. You'd never see it, but Google sure will, because the links are still in the HTML the crawler fetches. Now, when you look for that class in the page source, you might see something like this:

Sucuri - ViewState - SEP Attack

Pretty nasty, but here is the thing. This isn’t new, it’s actually old but hasn’t been used for a while, at least not as extensively as we have seen it this past week. It seems to be targeting mostly WordPress and Joomla websites. If you find yourself in this predicament you can always contact us and have us clean it for you, or you can go about it yourself.

We're currently seeing two different variants, xViewState and dnnViewState; the first is targeting WordPress and the second is targeting Joomla. WordPress users should check their theme files, and Joomla users should check their modules.

Cheers and happy hunting!

About Tony Perez

I'm a technologist with a passion for the Information Security domain. I am especially interested in malware reverse engineering, incident handling and response as well as offensive counter measures. Catch my personal rants on tonyonsecurity.com and follow on twitter at perezbox.

  • http://www.friv3.org.in/ friv3

    We always find interesting things in what you share, and it is full of useful information on the topic. Thank you for sharing it.

  • http://www.candleforex.com/ CandleForex

    Where in the theme files should a person look? header.php?

  • dualxeon64

    We found it in modules on our Joomla site. It was in the slideshow mod we have on the site.

  • Darrel

    I have a similar hack on my website in the functions.php file. The code hides spam at the top of my website. I can remove it, but the hacker keeps adding code. Is there any way to prevent someone modifying my functions.php file?

  • deweb bouwmeester

    WordPress plugin Social Media Widget had a similar issue very recently (i.e. start of April ’13). Nemo would be injected as part of the widget. Ref http://wordpress.org/support/topic/anyone-know-why-social-media-widget-was-removed for some more details.

    • http://www.faithforlogicalmen.org/ Brian Freytag

      I just want to make it clear that I have not been the maintainer of Social Media Widget since January of 2013 (version 2.9.7).

      This post is to disassociate myself from this issue. I want the record to reflect that this issue arose months after I passed off the widget and have not had SVN access since signing over the widget in January. As the original creator of Social Media Widget and beginning its legacy, I want to remain clean of this in the case I decide to release a new WordPress plugin.

      I had a discussion with the current maintainer whom I transferred the rights over to – It seems that one of the freelancers that he hired to do some updates decided to go rogue or his password was cracked, though you will have to hear it from him for the full story.

  • http://www.kizi2.com/ kizi 2

    Thank you for what you have shared. I needed this. I have a WordPress blog; I will apply it on my blog.

  • http://www.jugarfriv.org/ friv

    Nice info share. WordPress up to date. Thank you.

  • Kiai Kim

    Thank you so much! Was able to clean my site just in time for Earth Day! (plastickills.org)

  • Pingback: Payday Loan Spam affecting Thousands of Sites | Sucuri Blog

  • Pingback: 2012 Web Malware Trends Report Summary | Sucuri Blog

  • http://www.yepi6.org/ yepi 6

    Thank you for providing the information, it will be very useful to me and I will share this information to my friends.

  • http://www.kizi-2.net/ kizi 2

    Thanks, the information you provide will help me limit the virus on my computer.

  • http://www.y8u.org/ Juegos Friv

    This is a very completely different informational article. It's attention-grabbing and original and it extremely engages the reader. I like your take on this subject material.

  • http://www.y8u.org/ Yepi Friv

    I don't generally get to browse long online, however I am glad to have found this text.

  • http://www.y8friv.asia/ Friv 4

    I am seldom stricken by articles or writers, however you’re exceptional.

  • http://yepi-games.kizifriv1.com/ Yepi Friv

    I would not have announce had it created port of entry look dangerous.

  • http://www.minecraftgames.info/ minecraft

    A whole day of spamming, so frustrating I can't stand it.

  • http://www.yepi-yepi.com/ Yepi Friv

    If you find yourself in this predicament you can always contact us and have us clean it for you, or you can go about it yourself. I will consider

  • Cindy

    Tony, I thank you so much for this article; you fixed my problem.

  • J. Arlington

    Thanks for the info! You fixed my problem.

  • http://www.friv2friv3friv4.com/ friv 2 friv 3 friv 4

    Thank you for what you have shared. I have a WordPress blog; I will apply it on my blog.

  • http://frostybot.com/ Frostybot Marketing Corp.

    If you are using Joomla, Auston Slideshow is one of the modules affected.

  • Alan Langford

    Looks like this has been around for a while indeed. Just found a copy in mod_JoomlaShareThis, installed in May 2012. In this case the payload was a click hijacking virus, so it's more than just black hat SEO.