Self-recovering Black SEO & Spam Infection Hits WordPress Installations


Background

There is a Black SEO/Spam poisoning campaign running that mainly targets WordPress websites. While handling several incidents related to it, we discovered a new self-recovering WordPress-oriented malware among other malicious components. Let's take a look at all of them.

Backdoors To Control The Attacked Website

We still don't know whether the infections are related, but all of the examined websites contained numerous generic PHP shells and backdoors whose names have the following format:

  • footer[\d]{0,2}.php
  • login[\d]{0,2}.php
  • stats[\d]{0,2}.php
  • user[\d]{0,2}.php
  • gallery[\d]{0,2}.php
  • sql[\d]{0,2}.php
  • file[\d]{0,2}.php
  • object[\d]{0,2}.php
  • license[\d]{0,2}.php
  • ferg[\d]{0,2}.php
  • dirs[\d]{0,2}.php
  • global[\d]{0,2}.php
  • include[\d]{0,2}.php

For readers who are unfamiliar with regular expressions: [\d] matches a single digit (0-9) and {0,2} means at most two consecutive digits, so the pattern covers names like "dirs.php", "dirs1.php" and "dirs12.php".

We assume that all these backdoors/shells are used for general management of the infected websites and do not implement any campaign-specific functionality.

The Spamming Module

All spam files were dropped into separate folders with short names of 2-3 characters (such as "se", "hov" and so on).

To make the spam pages effective, this malicious PHP script searches for the target keywords on the three major search engines and gathers the results to build the HTML files.

[Screenshot: 27-10-2016-searchengine.jpg]

Following are examples of spam HTML files that we found:

  • ofdm-thesis-matlab-code.html
  • 3-part-thesis-statement-examples.html
  • essay-on-the-souls-of-black-folks.html
  • essay-on-nobel-prize-winner-kailash-satyarthi-1.html
  • literature-review-example-fashion.html
  • how-to-make-a-history-research-paper-outline-1.html
  • impact-factor-research-paper.html
  • wolf-thesis-sarajevo.html
  • nutrition-month-2014-essay-writing.html
  • child-slavery-research-paper.html

Other Malicious Content

In addition to the components mentioned above, this infection included a malware dumper responsible for downloading additional malware from a third-party site:

[Screenshot: 27-10-2016-malware-dumper.png]

The .htaccess infection code and the go.php module, which handles the HTTP requests that access any of the spam HTML pages:

[Screenshot: 27-10-2016-htaccess-infection.png]

Quarantine Does Not Help

And here comes the most interesting part. The hackers have equipped this campaign with a quarantine bypass module. This infection recovery module is responsible for re-infecting the nearby .htaccess file and restoring the go.php module whenever it has been quarantined by one of the WordPress security plugins.

[Screenshot: 27-10-2016-infection-recovery.png]
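As an added example (not code from the original post or from Quttera's scanner), the following Python script turns the indicators described above into a simple file-listing check for incident responders: the backdoor name pattern from the list of shells, spam HTML pages sitting in 2-3 character folders under the web root, and the go.php module. The function names and the sample listing are constructed for illustration; note that footer.php is a legitimate template inside every theme directory, so it is only flagged when it appears elsewhere.

```python
import re
from pathlib import PurePosixPath
from typing import Dict, Iterable, Optional

# Backdoor base names listed in the write-up; each may be followed by up to two digits.
BACKDOOR_STEMS = ("footer", "login", "stats", "user", "gallery", "sql", "file",
                  "object", "license", "ferg", "dirs", "global", "include")
BACKDOOR_RE = re.compile(r"^(?:%s)\d{0,2}\.php$" % "|".join(BACKDOOR_STEMS), re.IGNORECASE)

# Spam pages were dropped into folders with 2-3 character names directly under the web root.
SPAM_DIR_RE = re.compile(r"^[a-z0-9]{2,3}$")

def is_expected_theme_file(path: PurePosixPath) -> bool:
    """footer.php is a legitimate template in wp-content/themes/<theme>/; don't flag it there."""
    parts = path.parts
    return (len(parts) == 4 and parts[0] == "wp-content" and parts[1] == "themes"
            and path.name == "footer.php")

def classify(rel_path: str) -> Optional[str]:
    """Return a finding label for a web-root-relative path, or None if nothing matched."""
    path = PurePosixPath(rel_path)
    if BACKDOOR_RE.match(path.name) and not is_expected_theme_file(path):
        return "backdoor-name"
    if (path.suffix == ".html" and len(path.parts) == 2
            and SPAM_DIR_RE.match(path.parts[0])):
        return "spam-page"
    if path.name == "go.php":
        return "go-module"
    return None

def scan(paths: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious path in a listing to its finding label."""
    return {p: label for p in paths for label in [classify(p)] if label}

# Constructed sample listing (not from a real site) mixing legitimate WordPress files
# with names matching the patterns described in the write-up.
SAMPLE_LISTING = [
    "index.php", "wp-login.php", "wp-config.php",
    "wp-content/themes/twentysixteen/footer.php",   # legitimate theme template
    "wp-content/uploads/2016/10/footer.php",        # out of place: flagged
    "wp-includes/dirs12.php",
    "license7.php",
    "se/ofdm-thesis-matlab-code.html",
    "hov/child-slavery-research-paper.html",
    "wp-content/plugins/akismet/readme.txt",
    "se/go.php",
]

if __name__ == "__main__":
    for path, label in scan(SAMPLE_LISTING).items():
        print(f"{label:14} {path}")
```

Because the recovery module restores go.php and .htaccess after quarantine, a single pass is not enough: rerun the check (and compare .htaccess against a known-good copy) after cleanup to confirm the reinfection loop is broken.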

Is your website infected with malware or blocked by search engines?

If you suspect that your WordPress site is infected, you can use the recently released update of the Quttera WordPress Malware Scanner, which is capable of detecting this infection.

Here at Quttera we clean this and other kinds of malware on a daily basis. If you'd like our malware analysts to help you, just select the appropriate ThreatSign! anti-malware plan and get back online.

For other issues and help: Quttera's help-desk

© 2017 Quttera Ltd. All rights reserved.