Titles, Imprints and Marks Left by Attackers

Labs Note

Some attackers seem to like signing their scripts. This fact is especially true for defacements and backdoors, where attackers show their pride stating that they “owned” a site by signing their own malware. Sometimes they write their expressions and nicknames on the title or in the middle of the file:

<title>Ow3nd </title><center><div id=q>Your Site Has Been Ow3nd By ...

Or like in this malware sample:

<title>#Pwned</title><p> ... </p><h3> ... ownz you</h3> ...

Or even the classic one:

<title>Hacked by …

We have seen thousands of defacement title variations (and even more backdoor patterns), and still we find new variations every day.

By looking at a file’s title, we may be able to tell if a file is malware. Though, most of the times, finding malware requires much deeper scanning, decryption and deobfuscation processes, making the task to be difficult and time consuming. If you don’t use such a scanning and want to make sure you didn’t miss any defacements or backdoors on your server, you can have us scan your site for thousands of different malware patterns.

You May Also Like