• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Website Malware – The SWF iFrame Injector Evolves

April 2, 2015Peter Gramantik

FacebookTwitterSubscribe

Last year, we released a post about a malware injector found in an Adobe Flash (.swf) file. In that post, we showed how a SWF file is used to inject an invisible, malicious iFrame.

It appears that the author of that Flash malware continued with this method of infection. Now we are seeing more varieties infecting both WordPress and Joomla websites. Though it’s uncertain how many iterations existed in the wild when we first reported the issue, this time we’ve found a lot of websites where the infection looks similar:

infected-site-name.com/images/banners/kxc.swf?myid=1d57987c38051fdc93ea7393b448003e
Identifying the Flash Infection

The similarities are easy to spot once you know what they are. The malicious .SWF file is always stored in /images/banners/ and the file name is three random characters followed by .SWF with an ID parameter appended:

xyz.swf?myid=1d57987c38051fdc93ea7393b448003e

So, how does the infection look this time around? Here is the Flash file decompiled:

Malicious SWF Infection
Malicious code has similarities to the infection reported in November
The Same Hacker at Work

Apparently, the malware author is the same. Variable names, coding logic, and useragent condition are all indicators of this. However, the source website delivering the malicious payload is different. Also, while there were mostly Joomla based websites affected previously, we’re also seeing WordPress sites with this infection.

Ben Martin, a member of our Remediation Team, found infected Flash objects matching our description that were injected inside a WordPress database:

SWF infected the WP database
Similar infected .SWF found in the WordPress database
The Impact Five Months Makes

This time, many more sites are being affected — several hundred, maybe more.

Another difference is that at the time of my original post on this infection, no AntiVirus company detected this threat. This time, about half of vendors are detecting the issue:

VirusTotal Results show 23/57 vendors detect the malware
VirusTotal: 23/57 vendors detect malicious content

Malware evolves every day, and I’m sure we’ll see more variations of this particular strain in the future. You can be sure that we will share our findings with you every time. In the interim, if you find yourself troubled with something similar be sure to look for professional help and get back to business.

Stay safe and keep your eyes open!

FacebookTwitterSubscribe

Categories: Joomla Security, Website Malware Infections, Website Security, WordPress SecurityTags: Conditional Malware, SQL Injection

About Peter Gramantik

Peter Gramantik is Sucuri’s Sr. Malware Researcher who joined the company in 2013. Peter’s main responsibilities include crafting signatures for new malware, and improving existing and researching new detection techniques. His professional experience covers 15 years of fighting malware. When Peter isn’t researching malware, you might find him doing technical and cave dives, riding his Harley Davidson, playing the guitar and singing in a band, or cooking BBQ for his family and friends. Connect with Peter on Twitter.

Reader Interactions

Comments

  1. Canuck

    April 2, 2015

    While no replacement for proper security software and practices, most ad-blocking software blocks everything from ‘/banners/’.

    • Denis Sinegubko

      April 3, 2015

      And browser features like “click-to-play” and extensions like NoScript will definitely help against most drive-by attacks

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.