Archives for March 2012

Varying Degrees of Malware Injections Decoded

It is no longer the day of human-readable injections, or even the use of basic encoding schemes like base64. Instead we’re seeing a rise in complex, and in some instances, elusive encoding schemes that carry with them a big punch.

There are varying degrees of malware injections that include some of the following traits:

  • Encoding (pretty basic)
  • Encryption & Encoding (a bit more exciting and challenging)
  • Concatenation & Encryption & Encoding ( gets our hearts pumping a bit faster)
  • Cameleon integration (flows with existing code and difficult to detect)

In this post we’ll look at an instance where the malware leverages a combination of encoding, concatenation and cameleon traits to impact the end-user.

Read More

Website Cross-contamination: Blackhat SEO Spam Malware

We recently posted about Website Cross-Contamination which we see quite a bit of in shared hosting environments. This post is a follow up with a nice sample of an SEO Spam infection that uses multiple sites in a shared environment to push their campaign.

We received a clean up request from a customer who was clearly infected with Blackhat SEO Spam:

Read More

WordPress Third Party Vulnerability – Deans FCKEditor with PWWANGS Code for WordPress(version 1.0.0)

You have heard me write in the past about understanding the true Vulnerability within WordPress. In that post I talk to the benefits of the platform and how those same benefits are also its weakness. This post is an example that brings that point home, specifically about staying diligent with your plugins.

It was recently released that a plugin for WordPress, Deans FCKEditor with PWWANGS Code Plugin for WordPress, was known to contain a very serious vulnerability that gives hackers full control to modify, upload and execute files within your WordPress install (source PacketStorm). This vulnerability is actually not new and was found for version 1.0.0. That’s not the point though, what is, is that this version is in fact vulnerable.
Read More

Intelligent (Pharma) Spam Decoded

We are seeing a rise in the use of intelligent SPAM – a.k.a Pharma Hack – across a number of platforms. We recently found a nice injection that made us salivate, we figured you’d be just as interested

It is of no surprise to us that attackers are always looking for ways to trick us and more importantly our users. This gem of a find was no different.

SPAM = “Stupid, Pointless Annoying Message”.

SPAM, in the form of unsolicited e-mail messages, is a problem that we face every day.  Imagine sending a client a link to a newly released product, they get to the page, and BAM they’re greeted with advertisements for pharmaceutical products (Viagra / Cialis / Male Enhancers). What do you think the impact would be?
Read More

WordPress – Understanding its True Vulnerability

Everyday we manage thousands of clients running a wide range of applications, built across a number of different platforms. It should be of no surprise that a good number of them leverage the WordPress platform. This in itself can lead folks to scream from the mountain tops of the applications insecurities, we’re here to say that is just not so.

With Popularity Comes A Target

Many know, but yet many more don’t, that WordPress dominates rival CMS applications by significant margins. We are not saying this in terms of functionality or breadth, but rather by end-user adoption. We will not dabble with why and how it has accomplished this, but rather on what this means to you, the end-user.

Read More

Brute force attacks against WordPress sites

We talk a lot about the importance of using strong passwords, but sometimes it it hard to see how important it really is, or what can happen if we do not use a strong one. Most people only realize this after they have been compromised for the first time.

Lately we have been seeing many WordPress sites being attacked and hacked through the use of brute force. The administrator leaves the default “admin” user name and chooses a simple password, and never changes it.

Why is it bad that the password is easy and never changed?

There is a technique known as brute-force attack. Like the name implies, access is gained to your environment through brute force. Often conducted by bots, these attacks will run through a compiled list of common passwords and their permutations (i.e., password, Pa$$w0rd, p@ssw0rd, etc..). Yes, the attackers know that you substitute ‘A’ for an ‘@’ and ‘S’ for a ‘$’. Using this method the attackers are gaining access to your wp-admin, this then allows them to serve spam via your posts, deface your home page like we recently saw with ServerPro, and inject any one of the other types of malware roaming the interwebs.

Read More

Conditional Redirect Malware Decoded – Eval base64_decode Example

I have this beautiful website and now there’s all this garbled code across all of my PHP files. What’s it do, and how did it get there?

This is a quick post to show you some encoded crud that can attack your site, and do some pretty bad stuff.

Encoded Payload – Eval( base64_decode)

Generally speaking, we see this type of payload dropped into PHP, HTML, and JavaScript files. They are typically dropped into an environment through a known vulnerability in outdated software. This isn’t the only entry point, but definitely the one we see the most.

Read More

A Little Tale About Website Cross-Contamination

Mary has a site that she really cares about, its called She has learned how to monetize her blog through the use of ads, this allows her to make her living. She uses WordPress and always keep it updated. She also keeps her plugins updated, uses strong passwords, accesses the admin panel via SSL and takes all the security recommendations very seriously.

She uses a shared server and her host offers her unlimited domains. Over the years she has taken advantage of this offering, adding a few sites here and there. One such site was, it’s used to try new themes and plugins.

Read More

Web Hosting Provider ServerPro Hacked, Defaced, & Blacklisted by Google

Even the pro’s are susceptible to attack. Web hosting provider ServerPro has been compromised and completely defaced. This has been ongoing for more than a few days with no resolution.

ServerPro boasts to have over 200,000 clients over a 10 year stand. Although there is no direct proof that this attack affects a wide portion of their client base, we have seen a few of their clients experiencing the same issue.

If you were to visit the site, which we recommend against, you would get the beautiful Google infection banner:

ServerPro Blacklisted by Google

Read More

Latest Mass Compromise of WordPress sites – More Details

We are getting lots of questions about the latest mass compromise targeting WordPress sites (redirecting to fake AV) that has affected over 30,000 domains.

The first question is how are these sites getting hacked? On all the cases we analysed, they either had outdated versions of WordPress, or of a plugin. We can safely rule out any new vulnerability on WordPress itself.

We also posted about it a week ago when we detected this malware campaign using domains.

As we promised in the previous post, this is an update to what we are seeing.

More Details

Read More