Inverted WordPress Trojan

A trojan (or trojan horse) is software that does (or pretends to be doing) something useful but also contains a secret malicious payload that inconspicuously does something bad. In WordPress, typical trojans are plugins and themes (usually pirated) which may have backdoors, send out spam, or inject hidden links and malware. The trojan model is easy to understand: package malware inside something useful and have webmasters install it themselves.

This week I came across something that I can call an inverted trojan — malware (installed without webmaster consent) that added useful features to WordPress.

Read More

Website Backdoors Leverage the Pastebin Service

We continue our series of posts about hacker attacks that exploit a vulnerability in older versions of the popular RevSlider plugin. In this post we’ll show you a different backdoor variant that abuses the legitimate Pastebin.com service for hosting malicious files.


Read More

The Art of Website Malware Removal – The Basics

When talking about defense against malicious hacks, the attack vector is a common topic for Information Security (InfoSec) professionals. The primary concern is to understand the anatomy of the attack and prevent it from happening again. However, there is a less glamorous task that must take place once an attack vector is exploited; that is malware removal (a.k.a., cleaning up the mess).

The task of cleaning, removing, malware often falls on your shoulders as the website owner / administrator.

While unfortunate and frustrating, malware infections greet us like flat tire or a burst water pipe in the middle of the night. It’s never expected, it’s always while you are sleeping and it’s impacts are felt greatly. They hurt search engine rankings (i.e., SEO), spread malware to users, introduce branding issue, cause websites to be shutdown and a slew of other less than pleasant experiences. The important thing to note though, is that like other problems that surprise us in life, malware infections must be dealt with quickly and correctly. You cannot drive your daily commute on a flat tire, nor can you operate a website that is infected with malware.

Malware needs to be removed as soon as possible before the consequences begin to amplify themselves and their impacts.

Four Common Malware Families Affecting Websites

Like the real-life pests and diseases that they are named for, worms, viruses, and other types of cyber-menaces that have earned metaphorical aliases have many varieties, purposes, and ways to deal with different types of malware. The treatment of one kind of skin infection may have no effect when applied to another, and attempting to remove a hornet nest with the same caution as a bird nest would lead to disastrous results. The scenario is virtually the same when cleaning an infected website.

Due to the multitude of technologies, languages, frameworks and tools, code on the web can be as diverse as human culture itself. This brings about millions of possibilities to achieve very similar goals in software development. Malware takes on this model, and rears it’s ugly head in many different forms, functioning to serve many different purposes.

1. Blackhat SEO Spam Injections

Everybody who reads this blog has seen it before: a website with some very out of place looking advertisements, that are usually of the pharmaceutical, pornographic, knock-off designer brand or fast-money lending nature. These websites have been hit by a criminal user looking to feed off of the website’s traffic in order to advertise for products and services that would normally be very restricted or banned by most hosting policies. Using the victim website as a billboard, the hacker earns commission based income off of the number of clicks or forced redirects that are generated because of the injected malware.

The malicious code that causes injected spam content can be structured in several ways, placed in many locations, or be encoded in a multitude of ways to appear like normal software. Because of this, it is very difficult to have an across-the-board detection method for all types of SEO spam. There are many varieties in the wild that infect websites every day. Furthermore, some infections are scripts can activate based on time or events on your site. These can constantly update posts and pages to display junk or redirect users to affiliate pages, even after you’ve done the work to get rid of it. This can cause a major strain on cleanup, so the best solution is to be prepared with a full backup. By updating to a recent clean version from before a successful attack, website owners can go back in time to a moment before the hack took place, and update their security measures to make sure their content is not overshadowed by blackhat SEO spam.

2. Phishing

Little do many webmasters know, but millions of websites across the internet have pages that definitely should not be there. These hidden pages are home to code that is crafted to resemble other websites on the Internet, like BofA.com, Amazon.com, eBay.com, Hotmail, Gmail, Facebook, and many others.

The hackers that put these pages on your site are using them to trick other users to mistakenly put their credentials into a form controlled by the hackers, instead of the official website they think they are sending their password to. This is the reason those policy memos from your bank are always telling you to thoroughly check the links you click when going to manage your finances, or that you should never click a link to go to your bank account from your email. Those links may actually be under the control of someone looking to steal your information, to then steal your money, from pages hosted on a website of an unknowing person, not actually looking to help criminals steal usernames and passwords.

3. Drive-By Downloads

Malware can be difficult to detect, and often employs social engineering tactics, or methods that trick users into playing into the clutches of the attacker. Forms, pop-ups, ads and other site functions can be compromised to force a user to click on something other than intended, or answer a question where the secret answer is actually Yes, I would like to download that .exe file.

These infections, called Drive-By Downloads, are incredibly dangerous to end-users, as they allow attackers to escalate their control from an infected website, to the potential administrative access of any computer that accesses that website. Once the malicious payload has been delivered to the victim user’s machine, it may activate automatically or wait to be activated by some other method before scraping the user’s machine of sensitive information, and sending that along with remote access privileges to a waiting attacker.

4. Backdoors

While some infectious files are meant to actively perform tasks, create spam or attack visitors, other types are meant to lay in wait, and appear only to the hackers that know they are there. These are called backdoor infections. These can lead to large scale attacks by allowing the attacker to build up a number of websites to use as attack surfaces. They can look very different in separate cases, but often have a similar function at the end of their task list: to provide the hacker with the access needed to control the website or server at any chosen time.

Backdoors can serve multiple purposes, ranging from being able to reinfect websites after cleanup, to linking the targeted site to a network of other sites used in DDoS attacks, or massive spam mail campaigns.

Scrubbing Away the Hacker Residue

Learning to deal with each type of malware infection individually is quite challenging at a technical level, but having a plan to get back to normal under any circumstance is important nonetheless.

If detection fails, a keen eye is needed to analyze website content, functionality and code for any signs of intrusion. Once a thread is noticed, it must be followed to determine where in the files or database that the malware located, so that it can be removed.

Once the code showing the infection (i.e., symptom) is removed you must ensure that you go through the rest of the website and remove / repair any backdoors or potential attack vectors. In further efforts to prevent reinfection, all software should be updated fully to minimize the chance of known vulnerabilities being exploited, and all passwords changed, to eliminate the risk that they were stolen during the attack.

It can always be assumed that a stable backup from before a time where malicious files or database entries existed on the server will solve almost any problem. It is therefore, extremely important to maintain backups that are scheduled to be made on a timeframe that will suit to overwrite the infected aftermath of a website. We’ve spoken about backups at length before, but it’s a necessity.

Contrary to popular belief, malware removal is not a Do It Yourself (DIY) project. It has affected the brightest developers and security professionals; it’s time consuming, and can be the cause of many restless nights and days. If you find yourself in this predicament know that there are professionals out there that specialize in this work.

Remember, website infections are like Icebergs, they only display 10% of the problem.

ASP Backdoors? Sure! It’s not just about PHP

I recently came to the realization that it might appear that we’re partial to PHP and WordPress. This realization has brought about an overwhelming need to correct that perception. While they do make up an interesting percentage, there are various other platforms and languages that have similar if not more devastating implications.

Take into consideration Microsoft ASP and Windows IIS Web Servers. They too share their burden of infections, yet we don’t give it, rather share, as much as we probably should.

Windows IIS Server Infections

The attack vectors for Windows IIS servers are the same as what you would expect on Linux Apache servers:


Read More

MailPoet Vulnerability Exploited in the Wild – Breaking Thousands of WordPress Sites

A few weeks ago we found and disclosed a serious vulnerability on the MailPoet WordPress Plugin. We urged everyone to upgrade their sites immediately due to the severity of the issue. The vulnerability allowed an attacker to inject anything they wanted on the site, which could be used for malware injections, defacement, spam and many more nefarious acts.

This is not something we’re excited to report, but we were right.

A few days ago we started to see a massive number of WordPress sites compromised with malware. The malware code had some bugs, it was breaking many websites, overwriting good files and appending various statements in loops at the end of files.

At the time of the post, the root cause of the malware injections was a bit of a mystery. After a frantic 72 hours, we are confirming that the attack vector for these compromises is the MailPoet vulnerability. To be clear, the MailPoet vulnerability is the entry point, it doesn’t mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website.

All the hacked sites were either using MailPoet or had it installed on another sites within the same shared account (cross-contamination still matters).

Exploited in the Wild

The attacks always start the same, with the attackers trying to upload a custom (and malicious) theme to the site:

194.79.195.139 - - [05/Jul/2014:01:41:30 -0700] "POST /wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.0" 302 - "http://site.com.com/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0"

Once they succeed in uploading the malicious theme, they access their backdoor inside /wp-content/uploads/wysija/themes/mailp/:

194.79.195.139 - - [05/Jul/2014:01:41:31 -0700] "GET /wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.1" 200 12 "Mozilla/5.0"
194.79.195.139 - - [05/Jul/2014:04:08:16 -0700] "GET /wp-content/uploads/wysija/themes/mailp/index.php?cookie=1 HTTP/1.0" 200 12 "-" "Mozilla/5.0 (Windows)"
The Result

They get full control of the site.

The backdoor is very nasty and creates an admin user called 1001001. It also injects a backdoor code to all theme/core files. The biggest issue with this injection is that it often overwrites good files, making very hard to recover without a good backup in place.

So if you see this error on a site:

Parse error: syntax error, unexpected ')' in /home/user/public_html/site/wp-config.php on line 91

It means it was likely hacked through this vulnerability.

Mass Infections

MailPoet is a very popular plugin with almost 2 million downloads, so as you can expect, when such severe vulnerability is identified, it can be mass exploited.

This is the total number of hacked sites that we were able to identify so far (per day):

Sucuri-MailPoet-Infections

This is based on sites scanned on our free sitecheck scanner. The number of hacked sites is likely much larger.

Upgrade Mailpoet!

If you are running MailPoet, we recommend upgrading it asap to the latest version. Users of our Website Firewall (CloudProxy) have been protected against this threat since day 0. However, if you do not have a firewall (WAF) on your website, you have to upgrade the plugin or remove it altogether to avoid more issues.

Disclosure: Insecure Nonce Generation in WPtouch

If you use the popular WPtouch plugin (5M+ downloads) on your WordPress website, you should update it immediately.

During a routine audit for our WAF, we discovered a very dangerous vulnerability that could potentially allow a user with no administrative privileges, who was logged in (like a subscriber or an author), to upload PHP files to the target server. Someone with bad intentions could upload PHP backdoors or other malicious malware and basically take over the site.

So to make a long story short, if you’re running WPtouch, then update immediately!

Update (11:18am) This disclosure only applies to 3.x versions of WPtouch. Administrators using 2.x and 1.x versions of the plugin will not be affected by the vulnerability.

What Are the Risks?

First of all, this vulnerability can only be triggered if your website allows guest users to register. If your site falls within this category, a logged­-in attacker could potentially take over your website by uploading a backdoor (remote shell) inside your website’s directories, allowing him to do anything he wants with your website.

Technical Details

If you read our last disclosure, you may remember that we mentioned that the WordPress “admin_init” hook should not be used as an authentication method. This bug illustrates another reason that the “admin_init” hook should not be used in this way (though, it does so more subtly).

In the file “core/class­wptouch­pro.php“, the “admin_initialize()” method was called by the “admin_init” hook.

Here is the interesting piece of it:

function admin_initialize() {

(…)
// load the rest of the admin scripts when we’re looking at the WPtouch Pro page
if ( $this­>admin_is_wptouch_page() ) {
(…)

} else {
$localize_params = array(
‘admin_url’ => get_bloginfo(‘wpurl’) . ‘/wp­admin’,
‘admin_nonce’ => wp_create_nonce( ‘wptouch_admin’ )
$localize_params ););

(…)
// Set up AJAX requests here
wp_localize_script( ‘wptouch­pro­other­admin’, ‘WPtouchCustom’,
}
(…)
}

If you notice the admin nonce getting generated and then added to WordPress script’s queue, then you can probably see where we’re going with this.

function handle_upload_file() {
$this­>cleanup_post_and_get();
header( ‘HTTP/1.1 200 OK’ );
$nonce = $this­>post[ ‘wp_nonce’ ];
if( wp_verify_nonce( $nonce, ‘wptouch_admin’ ) ) {
switch( $this­>post[ ‘file_type’] ) {
(…some upload mechanism…)
}
}
die;
}

This nonce was also used to verify whether or not a user could upload files to the server. As the script didn’t use any other form of identification to check or authenticate the user’s privilege to upload files, it was possible for any user to complete the upload in there.

All an attacker had to do in order to compromise a vulnerable website was:

  1. Log­in and get his nonce via wp-admin.
  2. Send an AJAX file upload request containing the leaked nonce and his backdoor.

For developers, the key takeaway from all of this should be to avoid using nonces by themselves to protect sensitive methods. Instead, make sure to always add functions such as “current_user_can()” or something similar to confirm a user’s right to do something.

Update as Soon as Possible!

This vulnerability illustrates, yet again, the reason that attackers will always be able to find some way into your system. If you’d been adhering to the principle of least privilege, you would still be vulnerable because of a small error in the code, and since humans write code, there will always be errors that attackers will be able to exploit.

In this case, the great thing is that we disclosed the vulnerability to the WPtouch team and they swiftly put a patch online to correct this issue (version 3.4.3 WPtouch Changelog). In order to correct this issue on your website, all you have to do is to update the plugin on your administration panel. And like we said before, you should do so ASAP.

Finally, if you’re noticing anything strange with your website, make sure to check out our easy to understand malware symptoms. If you need help, we’re always available to take a look at your website to make sure hackers haven’t taken control of your environment.

For our customers: The good news is that every website that is protected by our Website Firewall – CloudProxy is already protected against this vulnerability, so that means your website is secure.

Case Study: Complexities of “Simple” Malware

You know when you pull a string on a sweater and it just keeps going and going? You wonder when or if it will ever stop? From time to time, that’s how malware can feel. Even if you’re not a website security expert, it’s important to understand just how complicated hackers are willing to make their attacks in order to infect your website and 1,000’s of others at the same time.

What Does Complex Malware Look Like?

Recently, our remediation team member Guilherme Scaldelai alerted me to an interesting infection that he had found on one of our client’s sites. Instead of just being some simple injection placed within the site code, the malware was systematic and meant to integrate with the structure of the site. This is what it looks like when malware gets complex. Let’s look at it step by step.

viaworm1

In this case, what is really interesting is that we didn’t just catch the result of the infection (infected files), but we also caught the infector (the script which infected them). Let’s take a look at the infector functions to see what they actually do.


Read More

WordPress Plugin Alert – LoginWall Imposter Exposed

When you work with malware for a while, you start to become very good at pattern recognition. A couple sites in every hundred cleaned might be infected in a similar way, so remembering earlier problems helps to quickly solve the problem for the current site. You might not know exactly why something seems fishy at first, but you follow your instinct because something gnaws at you. Eventually, you start to see a pattern.

In the last couple of weeks we’ve noticed such a pattern when a bunch of websites were contaminated with malware from an infected plugin posing as a valid one called LoginWall.

The legitimate version of LoginWall is a SaaS-based solution that protects against brute force attacks for WordPress-based sites. LoginWall also doubles as a simple, but strong, password authentication tool for the admin account without using hardware tools. In short, it’s a nice plugin… as long as you’ve got the valid one.

How Do You Know If the Plugin is Valid?

First, remember that you should only trust plugins that are hosted within WordPress or directly from the author’s page. We wrote about this last month, but it’s important to keep hammering the point home.

Read More

PHP Callback Functions: Another Way to Hide Backdoors

We often find new techniques employed by malware authors. Some are very interesting, others are pretty funny, and then there are those that really stump us in their creativity and effectiveness. This post is about the latter.

Everyone who writes code in PHP knows what the eval() function is for. It evaluates a string as PHP code. In other words, it executes the code. But there are certainly many other ways to run code, some of which are not always so obvious. The most popular and commonly used one is the preg_replace() function.

According to its description, the preg_replace functions “performs a regular expression search and replace.” Unfortunately, when using the “e” modifier, this function also runs the code. Yes, there are more ways of running the code without using the eval() function. Example could be the create_function(), or the assert() function. All these options for running code makes malware analysis a more complex a process.

Read More

Joomla Plugin Constructor Backdoor

We recently wrote about backdoors in pirated commercial WordPress plugins. This time it will be a short post about an interesting backdoor we found in a Joomla plugin.

It was so well organized that at first we didn’t realize there was a backdoor even though we knew something was wrong. Here’s what the code of the plugin looks:

joomla_backdoor

Nothing suspicious at first glance. Nothing is encrypted, nothing is obfuscated and no excessive comments. Just normal Joomla plugin code.

Read More