27 Oct, 2016
Self-recovering Black SEO & Spam Infection Hits WordPress Installations
Learn how to detect and remove a self-recovering WordPress malware that injects spam pages and bypasses quarantine.
There is a Black SEO/Spam poisoning campaign running that mainly targets WordPress websites. While handling several incidents related to it, we discovered a new self-recovering, WordPress-oriented malware among other malicious components. Let’s take a look at all of them.
Backdoors To Control the Attacked Website
We still don’t know whether the infections are related, but all of the examined websites contained numerous generic PHP shells and backdoors whose names have the following format:

  • footer[\d]{0,2}.php
  • login[\d]{0,2}.php
  • stats[\d]{0,2}.php
  • user[\d]{0,2}.php
  • gallery[\d]{0,2}.php
  • sql[\d]{0,2}.php
  • file[\d]{0,2}.php
  • object[\d]{0,2}.php
  • license[\d]{0,2}.php
  • ferg[\d]{0,2}.php
  • dirs[\d]{0,2}.php
  • global[\d]{0,2}.php
  • include[\d]{0,2}.php
For readers who are unfamiliar with regular expression syntax: [\d] means a numeric digit 0-9, and {0,2} means at most two consecutive digits. For example: “dirs12.php”.

We assume that all these backdoors/shells are used for general management of the infected websites and do not handle any specific functionality.
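As an added illustration (not code from the post), the checker below turns the naming scheme above into one anchored regular expression and walks an install for matching file names; the mini WordPress layout it builds for its dry run is constructed here, not taken from a real incident.

```python
import os
import re
import tempfile

# Base names of the generic PHP shells/backdoors listed above.
BACKDOOR_PREFIXES = [
    "footer", "login", "stats", "user", "gallery", "sql", "file",
    "object", "license", "ferg", "dirs", "global", "include",
]

# One anchored pattern: <prefix>, at most two digits, then ".php".
# Anchoring matters: "wp-login.php" (core) must not match "login".
BACKDOOR_NAME_RE = re.compile(
    r"^(?:%s)\d{0,2}\.php$" % "|".join(map(re.escape, BACKDOOR_PREFIXES)),
    re.IGNORECASE,
)


def is_suspicious_name(path: str) -> bool:
    """True if the file's base name fits the backdoor naming scheme."""
    return BACKDOOR_NAME_RE.match(os.path.basename(path)) is not None


def scan_tree(root: str) -> list:
    """Return sorted root-relative paths whose names fit the scheme.
    Hits are review candidates, not proof: a theme legitimately ships
    footer.php, so diff each hit against a clean copy of the install."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_suspicious_name(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def build_demo_tree() -> str:
    """Create a constructed mini WordPress layout in a temp dir (assumption)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    for rel in [
        "wp-login.php",                        # core file, must not match
        "wp-content/themes/x/footer.php",      # theme file: matches, needs review
        "wp-content/uploads/dirs12.php",       # fits the scheme exactly
        "wp-includes/stats123.php",            # three digits: outside the scheme
        "se/ofdm-thesis-matlab-code.html",     # spam page in a short-named folder
    ]:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_demo_tree()):
        print(hit)
```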

The Spamming Module
All spam content was dropped into separate folders with short names of 2-3 characters (like “se”, “hov”, and so on).

To make the spam pages effective, this malicious PHP script searches for keywords using the three major search engines and gathers the results to build the HTML files.
The following are examples of spam HTML files that we found:

  • ofdm-thesis-matlab-code.html
  • 3-part-thesis-statement-examples.html
  • essay-on-the-souls-of-black-folks.html
  • essay-on-nobel-prize-winner-kailash-satyarthi-1.html
  • literature-review-example-fashion.html
  • how-to-make-a-history-research-paper-outline-1.html
  • impact-factor-research-paper.html
  • wolf-thesis-sarajevo.html
  • nutrition-month-2014-essay-writing.html
  • child-slavery-research-paper.html
Other Malicious Content
In addition to the components mentioned above, this infection included a malware dropper responsible for downloading additional malware from a third-party site:
It also included .htaccess infection code and the go.php module, which handles HTTP requests that access any of the spam HTML pages:
Quarantine Does Not Help
And here comes the most interesting part. The hackers have equipped this campaign with a quarantine bypass module. This infection recovery module is responsible for re-infecting the nearby .htaccess file and restoring the go.php module if it was quarantined by one of the WordPress security plugins.
Is your website infected with malware or blocked by search engines?
If you suspect that your WordPress site is infected, you can use the recently released update of the Quttera WordPress Malware Scanner, which is capable of detecting this infection.

Here at Quttera we clean this and other kinds of malware on a daily basis. If you’d like our malware analysts to help you, just select the appropriate ThreatSign! anti-malware plan and get back online.

For other issues and help: Quttera's help-desk