Website Malware – The SWF iFrame Injector Evolves

Last year, we released a post about a malware injector found in an Adobe Flash (.SWF) file. In that post, we showed how a .SWF file is used to inject an invisible, malicious iFrame.

It appears that the author of that Flash malware continued with this method of infection. Now we are seeing more varieties infecting both WordPress and Joomla websites. Though it’s uncertain how many iterations existed in the wild when we first reported the issue, this time we’ve found a lot of websites where the infection looks similar:

infected-site-name.com/images/banners/kxc.swf?myid=1d57987c38051fdc93ea7393b448003e
Identifying the Flash Infection

The similarities are easy to spot once you know what they are. The malicious .SWF file is always stored in /images/banners/ and the file name is three random characters followed by .SWF with an ID parameter appended:

xyz.swf?myid=1d57987c38051fdc93ea7393b448003e

So, how does the infection look this time around? Here is the Flash file decompiled:

Malicious SWF Infection

Malicious code has similarities to the infection reported in November

The Same Hacker at Work

Apparently, the malware author is the same. Variable names, coding logic, and UserAgent condition are all indicators of this. However, the source website delivering the malicious payload is different. Also, while there were mostly Joomla based websites affected previously, we’re also seeing WordPress sites with this infection.

Ben Martin, a member of our Remediation Team, found infected Flash objects matching our description that were injected inside a WordPress database:

SWF infected the WP database

Similar infected .SWF found in the WordPress database

The Impact Five Months Makes

This time, many more sites are being affected — several hundred, maybe more.

Another difference is that at the time of my original post on this infection, no AntiVirus company detected this threat. This time, about half of vendors are detecting the issue:

VirusTotal Results show 23/57 vendors detect the malware

VirusTotal: 23/57 vendors detect malicious content

Malware evolves every day, and I’m sure we’ll see more variations of this particular strain in the future. You can be sure that we will share our findings with you every time. In the interim, if you find yourself troubled with something similar be sure to look for professional help and get back to business.

Stay safe and keep your eyes open!

Joomla! 3.3.5 Released – Fixing High Priority Security Issues

Update: It seems like there is a glitch in the new version and the Joomla team is urging its users not to upgrade yet. From their twitter:

Screen Shot 2014-09-30 at 4.04.31 PM

Original post:

The Joomla team just released versions 3.3.5, 3.2.6 and 2.5.26, patching high priority security issues. The first one is an Remote File Include (RFI) vulnerability and the second one is a Denial of Service (DoS) vulnerability that affect all previous versions. If you are using Joomla, stop what you are doing and update it now!

The good news for our clients and what’s very exciting for us, me especially, is to see how the virtual hardening on our CloudProxy Website firewall protected our clients automatically against this vulnerability. As our researchers started to analyze the disclosure, we quickly noticed that it was already covered and the URL used to trigger this bug was already blocked by default. It means that our clients got zero-day protection without anyone even knowing about this issue.

For more information on these vulnerabilities, you can get straight from the Joomla! release notes:

High Priority – Core – Remote File Inclusion:

Project: Joomla!
SubProject: CMS
Severity: Moderate
Versions: 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4
Exploit type: Remote File Inclusion
Reported Date: 2014-September-24
Fixed Date: 2014-September-30
CVE Number: CVE-2014-7228

Inadequate checking allowed the potential for remote files to be executed.

This issue was discovered by Johannes Dahse and disclosed to Akeeba (and Joomla). The Akeeba team released a good post explaining the issue. We recommend reading if you are interested in the technical details.

Medium Priority – Core – Denial of Service:

Project: Joomla!
SubProject: CMS
Severity: Low
Versions: 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4
Exploit type: Denial of Service
Reported Date: 2014-September-24
Fixed Date: 2014-September-30
CVE Number: CVE-2014-7229

Inadequate checking allowed the potential for a denial of service attack.

Again, if you are using the Joomla! we highly recommend updating immediately.