The Anatomy of Website Malware: An Introduction

Anatomy of Malware: Introduction

We see a lot of files infected by website malware on a daily basis here at Sucuri Labs. What we don’t see is very many categories of infections. The purpose of this blog post series is to provide an overview of the most common infection categories and types of website malware.

Are you interested in how backdoors, injectors, hacktools, or spam redirectors look and operate on a website? I’ll be covering these topics (and many others) in my upcoming articles. In this first post, I’ll start with the basics and offer an introduction to this fascinating and dangerous world.

What is Website Malware?

To begin, we should first ask ourselves what malware even is.

Wikipedia says:

“Malware (a portmanteau for malicious software) is any software intentionally designed to cause damage to a computer, server, client, or computer network. “

That’s the default definition, but for our needs, let’s add “website” to the list of targets. The core of our business here at Sucuri is fighting website malware. This includes analyzing malicious files, cleaning infected websites, and protecting our clients from future infections.

Obviously, it’s a long-term, neverending fight. Malware authors are always trying to outsmart us, but by using various proactive approaches we’re setting the balance and taking every measure to ensure that we’re one step ahead of website threats.

And what about website malware behavior? There are numerous malware types seen on compromised websites. Even two variants of the same malware family can behave in slightly different ways.

For example, you may have noticed unwanted ads popping up on a site where you were looking for information. Or perhaps you were unexpectedly redirected to some completely unrelated site with explicit or inappropriate content. Or the site could be completely hacked – a so-called “defaced” site, which lacks any useful content and typically contains only a message from the hacker.

But these are just a few of the symptoms that are clearly visible to site visitors, who may eventually notify the site owner of the undesirable behavior. In the worst case scenario, there are no visible malware signs – at least not for the site’s visitors.

Infected websites can be disabled by their hosting companies without any advance warning. This can lead to problems with your site’s reputation, blacklisting, remediation costs, or even financial loss if you are an online merchant. Your customer’s credit card (and other sensitive, private information) could be intercepted and stolen. The consequences of a breach of this magnitude are very serious and can lead to staggering fines and legal action.

Why Does Malware Exist?

A long time ago in a galaxy far, far away during the beginning of the computer boom, various “viruses” were originally prepared as Proofs of Concept by those who wanted to prove themselves or simply demonstrate an issue. Malware had a more academic purpose.

Later on, when computers started to play a more dominant role in our everyday lives, this changed. Some really harmful, malicious pieces of code were brought to life by bad actors. While the malware, though really dangerous, its primary purpose was to wreak havoc and damage to an environment.  Even nowadays, we can see analogies to these malware types.

Over time, when techniques became well known and the internet began to grow exponentially, the purpose of malware started to shift from academic. It transitioned from purely harmful and humor-based intentions to something that would provide attackers with economic benefits. And while there were less and less single malware creators, more specialized teams surfaced.

The motivation for creating malware moved from “Because I can!” to “Because we’ll make a profit out of it!”.

In other words, those three phases of malware evolution could be outlined in the following manner:

  1. 1970 – “Let’s see if we can destroy this computer.”
  2. 1990 – “Let’s destroy this computer (evil laugh).”
  3. 2000 – “Let’s infect this computer secretly and profit from it.”

Nowadays, the majority of malware we see is designed to generate a profit for bad actors. Common methods of generating direct revenue through malware campaigns include: stealing private data, such as credit card information, or spreading spam to trick people into buying pharmaceuticals or other peculiar products. Attackers may also plant backdoors on a site to gain unauthorized access at their leisure and infect a site with another type of malware at a later date.

How Can I Protect My Site Against Malware?

While the posts from this series are not aimed on protection but more on “knowing the enemy”, the answer is obvious. Use a reliable security product that covers a range of website security areas. Look for a service that not only deals with an existing infection but also monitors and proactively avoids future attacks.

A good example is our Website Application Firewall, which proactively blocks hacking attempts while virtually patching existing vulnerabilities on clients’ systems. In combination with our Server-Side Scanner, which performs regular checks and monitoring services, we provide a robust solution that mitigates current and future threats to your website. It’s important to note that no solution is 100% successful–malware authors are creative in their approaches and zero-day vulnerabilities can occur.

The basics of securing a website should start with good personal habits, such as:

In other words, care about your website. Consistent maintenance and good security practices will reduce the attack surface and limit the entry points for attackers..

What Can You Expect from Following Blog Posts?

In the continuation of this series, I’ll cover the most common types of website threats including various examples and variants to document the diverse world of malware. I’ll demonstrate how backdoors behave, expose the inner workings of redirectors, and describe common forms of injectors. I will also explain what hacktools are and illustrate how some huge infections such as doorway generators are built.

Knowing what type of threat you’re dealing with is the first step to victory. In the case of website security, we can enjoy every victory we achieve because this war is neverending. Stay safe and keep your eyes open!

You May Also Like