29 Mar, 2017

Adware in Free CMS Plugins

Learn how Quttera’s incident response team discovered and fixed a hidden adware function in a free CMS plugin that blacklisted a website.
As for the definition in CMS (Content Management System), a plugin is a collection of code files that adds one or more features to your website. After you install the core code for your CMS, you can install your choice of plugins. Depending on the nature and the design of your site, you can choose from thousands of plugins available on the internet. Our incident response team encountered one peculiar issue where the website got blacklisted for distributing adware to its visitors.

When we started the site investigation, everything seemed reasonable, and the website did not exhibit any adware-like behavior. But once our heuristic engine emulated a different GEO location access point the issue was picked up on the fly. The trigger was based on the GEO location of the website visitor’s. We then traced it and found out that there is this free plugin that has an embedded adware function.

The plugin is rather simple, but the invocation of the files needed is somewhat dubious let's dig in to find out more about the plugin.

For starters, the plugin was being called at the HEAD of the index.php, like any other plugins:
Then we followed the code, and it brought us here:
As you can see the image above pretty scares regular users to check the code, but this technique was commonly used by programs that have suspicious behavior. The rest of the code was heavily obfuscated to thwart any newbies on de-obfuscating the code and Voila! - the adware function of the plugin was uncovered.

We also noticed at the beginning of the script that it opens and gets the content of a PNG (Portable Network Graphics) file.
Now, as far as we know, PNG files are being used solely for imaging purposes, but when we checked the contents of a file, it showed database entries of advertisements waiting to be displayed such as:

1. Rush Essays
2. Sending Videos
3. Comfort for Dogs
4. Mobile Phone Booster
5. Lens Design
6. Cars
7. Fast Loans
And many others!

During the runtime of the script, it updated these lists of ads as well as the content of the PNG file changes from time to time.

We checked with the website owner if he intentionally implemented such kind of the online advertisement, but unfortunately, it was not the case. Usually, the adware is being called in the footer section of the site to at least hide the intention of the creator of the plugin. One can argue whether such practice is valid or not and whether this is more of an ethical question to the author of the plugin. However, to avoid the deception, the plugin should at least inform users prior or upon the download that such advertisement will take place on their websites (it could be in EULA or README or other relevant places).

Our incident response team was able to resolve the case swiftly and to also educate the customer on how to deal with this kind of issues next time they use another FREE plugin.
Is your website flagged for malware, blocked by the search engines or disabled by the host?
Our experts are here to clean up any malware from your sites and remove false-positives, blacklisting and other kinds of alerts by any security vendor and search engines. Just select from suitable ThreatSign! Anti-Malware Plan and get back online.

For other issues and help: Quttera's help-desk