Labs Notes Monthly Recap – Feb/2017

March 3, 2017, by Estevao Avillez


Every month we recap the latest posts on Sucuri Labs, written by our Malware Research Team (MRT) and Incident Response Team (IRT).

The Sucuri Labs website provides technical analysis and industry updates directly from our teams on the front line. You can read past monthly recaps for an overview of the posts we’ve released.

Last month, we saw several new methods attackers use to keep their campaigns running as long as possible. This month we noticed many spam campaigns using hacked sites to host redirects, with the hacked site acting as an intermediary. We also go over a few interesting new tactics we discovered while cleaning hacked sites.

Ghost From the Past

Denis Sinegubko

If a site stays infected for a long time before anyone notices, it can be partly due to the obfuscation elements that hackers add to hide their tracks.

We recently found a piece of malware on a website that was designed to run only during 2011, which means the site had carried the injection for over five years.

Read More

When Malware Injection Goes Wrong

Ben Martin

If you have used Google Search Console (formerly Webmaster Tools) or Google Analytics, you may be familiar with the verification file that you can upload to the root of your site.

We look at a backdoor that uses the same naming convention as the HTML files that Google uses to verify site owners.

Read More
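As an added example (not code from the Labs post), here is a small Python check for this naming trick. It assumes, since the page does not say so, that a genuine Google verification file is named google followed by 16 hex digits and .html and contains exactly one line, google-site-verification: followed by that filename; the docroot it builds to demonstrate on is constructed.

```python
"""Check files named like Google site-verification files for PHP code.

Added example for this recap, not code from the Sucuri Labs post. Assumptions
not stated on the page: Google names the file "google" + 16 hex digits +
".html", and the genuine file holds exactly one line,
"google-site-verification: <that filename>". All sample files are constructed.
"""
import os
import re
import tempfile

# Genuine name pattern, plus the .php variant an attacker may use so the
# web server executes the file without any handler tricks (assumption).
VERIFY_NAME = re.compile(r"^google[0-9a-f]{16}\.(html|php)$", re.IGNORECASE)

# PHP open tags. An .html file only runs them if the server maps .html to
# PHP (something attackers arrange via .htaccess), but their presence alone
# is reason enough to pull the file.
PHP_TAG = re.compile(r"<\?php\b|<\?=", re.IGNORECASE)


def classify(name, body):
    """Return 'ok', 'backdoor' or 'review' for one verification-looking file."""
    if name.lower().endswith(".php") or PHP_TAG.search(body):
        return "backdoor"          # PHP has no business in this file
    if body.strip() == f"google-site-verification: {name}":
        return "ok"                # exactly what Google issues
    return "review"                # wrong body: decide by hand


def scan_tree(root):
    """Walk root; map each verification-looking file (relative path) to a verdict."""
    verdicts = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not VERIFY_NAME.match(fname):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                verdicts[os.path.relpath(path, root)] = classify(fname, fh.read())
    return verdicts


def build_sample_site():
    """Create a throwaway docroot holding constructed files; return its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    samples = {
        # the real thing: one line, nothing else
        "google0123456789abcdef.html":
            "google-site-verification: google0123456789abcdef.html\n",
        # same naming convention, wrong place, and carrying PHP
        "wp-content/uploads/googlefedcba9876543210.html":
            "google-site-verification: googlefedcba9876543210.html\n"
            "<?php /* attacker code would sit here (constructed) */ ?>\n",
        # unrelated file that must not be reported
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, verdict in sorted(scan_tree(build_sample_site()).items()):
        print(f"{verdict:8s} {rel}")
```

Run it as a script to see the verdicts for the constructed tree, or call scan_tree() on a real docroot. An .html file containing PHP only executes if the server hands .html to PHP, so when the check reports a backdoor, also look for the .htaccess or server configuration that adds that mapping.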

Spam Content Injection

Samuel Odendaal

We look at an infection that loads content from an external website and displays spam on the front page of the victim’s website only for visitors coming from search engine results.

The malicious file is actually a copy of the victim site's wp-blog-header.php, a core file that loads on every page view. Every site compromised by this attacker had its own malicious copy of the core file, which re-creates the injection whenever it is removed, so cleaning the injected content alone only starts the cycle again.

Read More
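An added example, not the Labs post's code, of how to audit every copy of this core file under a docroot: it fingerprints each file after stripping comments and whitespace, flags a root copy that differs from a reference, and flags any copy that lives anywhere other than the docroot. The REFERENCE text is what wp-blog-header.php looks like in WordPress 4.x; in practice paste in the file from a clean download of the exact installed version. The sample tree is constructed.

```python
"""Audit every wp-blog-header.php under a docroot against a reference copy.

Added example for this recap, not code from the Sucuri Labs post. REFERENCE
is what the file looks like in WordPress 4.x; in practice paste in the file
from a clean download of the exact version installed. Sample trees are
constructed.
"""
import hashlib
import os
import re
import tempfile

CORE_NAME = "wp-blog-header.php"

REFERENCE = """<?php
/**
 * Loads the WordPress environment and template.
 *
 * @package WordPress
 */

if ( !isset($wp_did_header) ) {

    $wp_did_header = true;

    // Load the WordPress library.
    require_once( dirname(__FILE__) . '/wp-load.php' );

    // Set up the WordPress query.
    wp();

    // Load the theme template.
    require_once( ABSPATH . WPINC . '/template-loader.php' );

}
"""


def normalize_php(src):
    """Drop comments and collapse whitespace so only code differences count."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)   # block comments
    src = re.sub(r"(?m)(^|\s)//.*$", "", src)          # line comments
    return " ".join(src.split())


def fingerprint(src):
    return hashlib.sha256(normalize_php(src).encode("utf-8")).hexdigest()


def audit(root, reference=REFERENCE):
    """(relative path, problem) for each wp-blog-header.php that needs attention."""
    ref = fingerprint(reference)
    problems = []
    for dirpath, _dirs, files in os.walk(root):
        if CORE_NAME not in files:
            continue
        path = os.path.join(dirpath, CORE_NAME)
        rel = os.path.relpath(path, root)
        with open(path, encoding="utf-8", errors="replace") as fh:
            body = fh.read()
        if rel != CORE_NAME:
            # the core file belongs only in the docroot; a second copy is the
            # loader an attacker keeps around to put the injection back
            problems.append((rel, "extra copy of a core file"))
        elif fingerprint(body) != ref:
            problems.append((rel, "differs from reference"))
    return problems


def build_sample_site():
    """Constructed docroot: an injected root copy plus a stray copy in uploads."""
    root = tempfile.mkdtemp(prefix="docroot-")
    injected = REFERENCE.replace(
        "wp();",
        "wp();\n    @include_once( ABSPATH . 'wp-content/uploads/.cache.php' ); // constructed injection",
    )
    samples = {
        CORE_NAME: injected,
        "wp-content/uploads/wp-blog-header.php": REFERENCE,
        "wp-config.php": "<?php /* unrelated, ignored */\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, problem in audit(build_sample_site()):
        print(f"{problem:28s} {rel}")
```

Replace a flagged root copy with the clean file rather than editing it, and before deleting a stray copy find whatever loads it (index.php, wp-config.php, a theme file, a .user.ini); otherwise the regeneration cycle the post describes simply starts again.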

.user.ini SEO Spam Redirect

John Castro

We see an infection on NGINX-hosted sites that abuses .user.ini, the per-directory PHP configuration file that PHP honors when running under CGI/FastCGI (PHP-FPM, the usual setup behind NGINX), much as Apache honors .htaccess.

Attackers set the auto_prepend_file directive so that a PHP file of their choosing runs before every page. This lets the attacker evade search engine detection and assemble redirects to arbitrary spam content.

Read More
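An added example (not from the Labs post) that finds these per-directory hooks: a minimal reader for php.ini syntax plus a tree walk that reports every auto_prepend_file or auto_append_file found in a .user.ini or php.ini. It assumes PHP runs under CGI/FastCGI, where .user.ini is honored; the sample files and the attacker path they point at are constructed.

```python
"""Find per-directory PHP ini files that hook extra code into every request.

Added example for this recap, not code from the Sucuri Labs post. It assumes
php.ini syntax (';' starts a comment, key = value, optional quotes) and that
PHP runs under CGI/FastCGI, where .user.ini is honoured. The sample files
and the path they point at are constructed.
"""
import os
import tempfile

INI_NAMES = {".user.ini", "php.ini"}
# Directives that make PHP run a file of the attacker's choosing around
# every script in the directory tree below the ini file.
HOOK_DIRECTIVES = {"auto_prepend_file", "auto_append_file"}


def parse_ini(text):
    """Minimal php.ini reader: (key, value) pairs; comments and [sections] skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' begins a comment
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip().lower(), value.strip().strip("\"'")))
    return pairs


def hooked_files(text):
    """(directive, target path) for every prepend/append hook in one ini file."""
    return [(k, v) for k, v in parse_ini(text) if k in HOOK_DIRECTIVES and v]


def scan_tree(root):
    """(ini file relative to root, directive, target) for every hook under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name not in INI_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for directive, target in hooked_files(fh.read()):
                    hits.append((os.path.relpath(path, root), directive, target))
    return hits


def build_sample_site():
    """Constructed docroot: one hooked .user.ini, one harmless one."""
    root = tempfile.mkdtemp(prefix="docroot-")
    samples = {
        ".user.ini": (
            "; looks like a routine tweak, but the third line runs attacker code first\n"
            "upload_max_filesize = 64M\n"
            "auto_prepend_file = \"wp-content/uploads/2017/02/.s.php\"  ; constructed path\n"
        ),
        "blog/.user.ini": "memory_limit = 256M\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for ini, directive, target in scan_tree(build_sample_site()):
        print(f"{ini}: {directive} = {target}")
```

Remember that .user.ini is a dotfile, so ls without -a hides it, and that PHP caches it for user_ini.cache_ttl seconds (300 by default), so a change, whether yours or the attacker's, takes up to five minutes to take effect. Under Apache with mod_php the same effect comes from php_value auto_prepend_file in .htaccess, which this scanner does not read.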

Backdooring Sites Using Exotic PHP Functions

John Castro

Most malware is written with commonplace PHP functions. This time we look at an attack using a function normally reserved for debugging and profiling: register_tick_function(), which registers a callback that PHP runs on every tick (roughly, every low-level statement) inside a declare(ticks=N) block.

The malware acts as a backdoor and allows arbitrary command execution, without the noisy obfuscation we usually find.

Read More
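An added example (not the Labs post's code) of the kind of triage that catches this family: a scan for PHP built-ins that execute a callable indirectly or later, with declare(ticks=...) and request superglobals raising the priority. The sink list was chosen for this example and the sample source is a constructed sketch with no working payload.

```python
"""Triage PHP sources for indirect-execution sinks that eval/base64 greps miss.

Added example for this recap, not code from the Sucuri Labs post. The sink
list is a selection of PHP built-ins that take a callable or run code later,
chosen for this example; the sample is constructed and only sketches the
shape of the register_tick_function() trick, with no working payload.
"""
import re

CALLBACK_SINKS = [
    "register_tick_function", "register_shutdown_function", "ob_start",
    "set_error_handler", "set_exception_handler", "spl_autoload_register",
    "call_user_func", "call_user_func_array", "array_map", "array_filter",
    "array_walk", "usort", "uasort", "uksort", "preg_replace_callback",
    "create_function", "assert",
]
SINK_RE = re.compile(r"\b(" + "|".join(map(re.escape, CALLBACK_SINKS)) + r")\s*\(", re.I)
TICKS_RE = re.compile(r"\bdeclare\s*\(\s*ticks\s*=", re.I)
REQUEST_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")


def find_sinks(src):
    """(line number, sink name, stripped line) for every hit, in file order."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if TICKS_RE.search(line):
            hits.append((lineno, "declare(ticks)", line.strip()))
        for m in SINK_RE.finditer(line):
            hits.append((lineno, m.group(1).lower(), line.strip()))
    return hits


def triage(src):
    """Summarise one file: sinks found, whether ticks are enabled, whether
    request data is read, and a coarse priority for manual review."""
    hits = find_sinks(src)
    ticks = any(name == "declare(ticks)" for _, name, _ in hits)
    request_data = bool(REQUEST_RE.search(src))
    if hits and (ticks or request_data):
        priority = "high"       # callback machinery plus attacker-reachable input
    elif hits:
        priority = "low"        # ordinary use of callbacks, e.g. array_map in a plugin
    else:
        priority = "none"
    return {"hits": hits, "ticks": ticks, "request_data": request_data, "priority": priority}


# Constructed sample in the shape of the technique: a tick handler registered
# once, then invoked by the engine on every statement that follows.
SAMPLE_SRC = """<?php
declare(ticks=1);
function h() { if (isset($_POST['c'])) { /* attacker logic (constructed placeholder) */ } }
register_tick_function('h');
echo 'page';
"""

if __name__ == "__main__":
    r = triage(SAMPLE_SRC)
    print(r["priority"])
    for lineno, name, text in r["hits"]:
        print(f"  {lineno:3d} {name:24s} {text}")
```

Legitimate code uses array_map, ob_start and shutdown functions all the time, so treat "low" hits as background noise; the files worth opening are the "high" ones, and for those compare against a clean copy of the plugin or theme before deciding.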

Hiding Malicious Code Using White Spaces

Yuliyan Tsvetkov

If a file is viewed with word wrap turned off, an attacker can hide content using nothing more than white space.

Rather than using complex, obfuscated code, these attackers padded the beginning of the file with a long run of spaces. If a webmaster does not notice the horizontal scroll bar, they might not realize there is a lot of malicious code hiding just to the right.

Read More
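An added example (not the Labs post's code) that makes the scroll bar unnecessary: it reports any line where a run of at least 200 spaces or tabs is followed by text, whether the run starts the line or follows a short decoy such as <?php. The threshold was chosen for this example and the sample content is constructed.

```python
"""Spot code pushed off-screen by long runs of white space.

Added example for this recap, not code from the Sucuri Labs post. The
padding threshold was chosen for this example; the sample content is
constructed.
"""
import re

# Real code is rarely indented anywhere near this deep; tune per codebase.
MIN_PAD = 200


def hidden_code_lines(src, min_pad=MIN_PAD):
    """Return (line number, run length, first 60 chars after the run) for each
    line where at least min_pad spaces/tabs are followed by non-blank text,
    whether the run starts the line or follows a short decoy like '<?php'."""
    run = re.compile(r"[ \t]{" + str(min_pad) + r",}(?=\S)")
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = run.search(line)
        if m:
            findings.append((lineno, m.end() - m.start(), line[m.end():m.end() + 60]))
    return findings


def scan_files(paths, min_pad=MIN_PAD):
    """(path, line number, run length, preview) across several files."""
    hits = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, pad, preview in hidden_code_lines(fh.read(), min_pad):
                hits.append((path, lineno, pad, preview))
    return hits


# Constructed sample: a plausible opener, then the payload 400 columns to the right.
SAMPLE_SRC = "<?php" + " " * 400 + "/* hidden (constructed) */ $x = 1;\necho 'visible';\n"

if __name__ == "__main__":
    for lineno, pad, preview in hidden_code_lines(SAMPLE_SRC):
        print(f"line {lineno}: {pad} blanks, then {preview!r}")
```

The same check as a one-liner with GNU grep is grep -rnP '[ \t]{200,}\S' --include='*.php' . (the -P switch is what makes \t mean a tab inside the bracket).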

Checking Blacklisted Domains or IP for Spamming

Luke Leal

A pharma-spam email campaign is using hacked sites to host redirects in order to get past spam filters. The same malicious redirect file is placed on many hacked websites, each redirecting to the illegal pharma site, and the spam emails link to the hacked sites, which act as intermediaries.

Furthermore, the script abandons a hacked site and moves the campaign to another one if the redirect target answers with HTTP status 202. That is the campaign's own convention for signalling that the hacked site has been blacklisted; 202 Accepted carries no such meaning in HTTP itself.

Read More

RealStatistics Goes TrafficAnalytics

Rodrigo Escobar

This campaign uses a fake analytics domain in its malicious code, redirecting visitors through multiple sites until they reach a spam page full of ads.

Interestingly, several of the affected sites also contained the Search-Replace-DB tool, a legitimate utility for rewriting values such as URLs across a WordPress database. Left in the site's root directory without any authentication, it lets anyone who finds it modify database content, so remove it as soon as a migration is done.

Read More
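An added example, not code from either Labs post, that serves both the pharma-spam redirect post above and this RealStatistics/TrafficAnalytics campaign: a hop-by-hop redirect follower that records each intermediary and its status code instead of letting the HTTP library follow the chain silently, and that treats a 202 from the redirect target as the campaign's own burned-intermediary signal. The SAMPLE_RESPONSES map is a constructed stand-in for a live chain so the demo runs offline; its hostnames use reserved .example and .invalid names and are made up. live_fetch is there for real investigations.

```python
"""Walk a redirect chain hop by hop, recording each intermediary and its status.

Added example for this recap, not code from either Sucuri Labs post. fetch is
pluggable: live_fetch makes one real request per hop without following
redirects, while the constructed SAMPLE_RESPONSES map stands in for a
spam link -> hacked site -> hacked site -> pharma page chain so the demo
runs offline. Hostnames use reserved .example/.invalid names and are made up.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}
# The campaign's own convention as described in the Labs post: a 202 from the
# redirect target tells the script this intermediary is blacklisted. This is
# not HTTP semantics, just a signal the spammers chose.
BURNED_SIGNAL = 202


def follow_chain(start, fetch, max_hops=10):
    """Return ([(url, status), ...], verdict); fetch(url) -> (status, headers)."""
    hops, url, seen = [], start, {start}
    for _ in range(max_hops):
        status, headers = fetch(url)
        hops.append((url, status))
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in REDIRECT_CODES and location:
            nxt = urljoin(url, location)      # Location may be relative
            if nxt in seen:
                return hops, "loop"
            seen.add(nxt)
            url = nxt
            continue
        if status == BURNED_SIGNAL:
            return hops, "burned"
        return hops, "final"
    return hops, "too-many-hops"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of following it, so we see every hop."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10, user_agent="Mozilla/5.0"):
    """One real request, one hop. Spam landers often key on User-Agent and
    Referer, so pass what the victim's mail client would send."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


# Constructed stand-in for a live chain (made-up hosts on reserved TLDs).
SAMPLE_RESPONSES = {
    "http://hacked-blog.example/wp-content/uploads/go.php?id=7":
        (302, {"Location": "http://second-hacked.example/tmp/r.php"}),
    "http://second-hacked.example/tmp/r.php":
        (302, {"Location": "../out.php"}),                # relative hop
    "http://second-hacked.example/out.php":
        (302, {"Location": "http://cheap-pills.invalid/?aff=7"}),
    "http://cheap-pills.invalid/?aff=7": (200, {"Content-Type": "text/html"}),
    "http://burned-blog.example/go.php":
        (302, {"Location": "http://cheap-pills.invalid/check"}),
    "http://cheap-pills.invalid/check": (202, {}),      # burned-intermediary signal
}


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    for start in ("http://hacked-blog.example/wp-content/uploads/go.php?id=7",
                  "http://burned-blog.example/go.php"):
        hops, verdict = follow_chain(start, sample_fetch)
        for url, status in hops:
            print(f"{status} {url}")
        print("verdict:", verdict, "\n")
```

Because spam landers often key on User-Agent, Referer or the tracking parameter in the link, fetch with the same headers the victim's mail client would send; a bare request may be shown a different chain, or none at all.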


Categories: Security Education, Sucuri Updates. Tags: Industry Reports, Malware Updates.

About Estevao Avillez

Estevao Avillez is Sucuri’s Senior Director of Security Research, who joined the company in 2013. Estevao’s main responsibilities include leading the Research Group, which includes the Malware, Vulnerability and WAF/Sucuri Infrastructure. His professional experience covers 15 years with planning, project and operations management. Estevao has also worked in various areas such as logistics and supply chain, media and communication, telecommunications, and trading relationships with customers. He’s worked as a consultant in financial, strategic and operational management. When Estevao isn’t keeping our customers safe, you might find him taking care of his kids and running. Connect with him on Twitter.
