11 Dec, 2016

Self-Recovering Spam Bot Launched Exploitation from Entire IP Sub-Network

Learn how a self-recovering spam bot hacked thousands of Joomla websites and launched a massive spam campaign from compromised IP sub-networks.
It is no surprise that a weak password leads to a compromised website. What is not immediately obvious is the scale of the damage that can follow when a security measure as basic as a strong password is neglected. Every company and business must enforce a strict policy for the creation and proper maintenance of authentication credentials at every level and across all of its assets. This post describes a recent cyberattack that started as an attack on website authentication and ended as a massive spam campaign.
Malware Investigation
There is a black SEO/spam-poisoning campaign in the wild that has been on our radar and that mainly targets Joomla websites. While handling several incidents related to it, we discovered a new self-recovering, Joomla-oriented malware among various other malicious components.

The first PHP file executed when the website is accessed is the root index.php; it initializes some Joomla classes and invokes one of the Joomla methods to generate the page. The attack vector starts with a brute-force login attack. Once in, the malware compromises a few Joomla core files and the root index.php of the victim site, and installs the spam module into one of the directories. The malware portion injected into index.php, placed just before the regular Joomla calls, is responsible for verifying that the spam gateway at /media/mod_languages/mailer.php is installed correctly; the rest of index.php then executes in the usual manner.
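The two artefacts described above (a modified root index.php and a PHP gateway planted under media/) can be checked for with a baseline of known-good file hashes. The following scanner is an added example, not Quttera's tooling or part of Joomla; the sample tree it builds, the baseline file list and the placeholder file contents are constructed for the demonstration, and only the gateway path comes from the post.

```python
"""Added example (not Quttera's code): scan a Joomla document root for a
modified root index.php and for PHP files planted under static asset
directories. The sample tree, hashes and placeholder contents below are
constructed for the demo; only the gateway path comes from the post."""
import hashlib
import os
import tempfile
from pathlib import Path

# Directories Joomla uses for static assets; an executable PHP file
# appearing here is worth investigating (assumption: no legitimate
# extension on the site ships PHP under these paths).
STATIC_DIRS = ("media", "images")
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path, files=("index.php", "configuration.php")) -> dict:
    """Record hashes of core files taken from an install assumed to be clean."""
    return {name: sha256_of(root / name) for name in files if (root / name).exists()}


def scan_joomla_root(root: Path, baseline: dict) -> dict:
    """Return core files whose hash changed and PHP files found under static dirs."""
    findings = {"modified_core": [], "php_in_static": []}
    for name, known in baseline.items():
        p = root / name
        if p.exists() and sha256_of(p) != known:
            findings["modified_core"].append(name)
    for d in STATIC_DIRS:
        base = root / d
        if not base.is_dir():
            continue
        for dirpath, _, filenames in os.walk(base):
            for fn in filenames:
                if fn.lower().endswith(PHP_SUFFIXES):
                    rel = Path(dirpath, fn).relative_to(root).as_posix()
                    findings["php_in_static"].append(rel)
    findings["php_in_static"].sort()
    return findings


def demo() -> dict:
    """Build a constructed Joomla-like tree, baseline it, simulate the
    infection described in the post, and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "media" / "mod_languages").mkdir(parents=True)
        clean_index = "<?php\ndefine('_JEXEC', 1);\n// ... Joomla bootstrap (constructed) ...\n"
        (root / "index.php").write_text(clean_index)
        baseline = build_baseline(root)
        # Simulated infection: a verification stub prepended to index.php
        # and a gateway file dropped under media/ (placeholder content only).
        injected = "<?php\n// injected stub: check that the gateway file exists\n" + clean_index[len("<?php\n"):]
        (root / "index.php").write_text(injected)
        (root / "media" / "mod_languages" / "mailer.php").write_text("<?php // constructed placeholder\n")
        return scan_joomla_root(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken from the vendor package for the exact Joomla version rather than from the live site, and any hit in `php_in_static` is compared against the installed extensions before being treated as malicious.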
The Scale of the Spam
The interesting part here is that the attack (the actual spamming via the spam gateway) is carried out from entire IP sub-networks. This means that several hosting companies (we cannot disclose the names) have their networks, not just a few hosts, thoroughly compromised with the same malware (belonging to the same botnet), as they synchronize their attacks through this mailer gateway.

The spam gateway is exploited approximately every 5 minutes, both to send spam and to verify that the index.php infection still exists.

Currently, more than 4000 unique IP addresses are involved in the attack. The exploitation is done from entire IP sub-networks, and the set of sub-networks changes every hour. We have informed the hosting companies that own the affected subnets so that they can shut them down and resolve the issue.
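The access pattern described in this section (a gateway script hit at a steady interval from many distinct hosts that fall into whole sub-networks) is visible in ordinary web-server access logs. The script below is an added example, not Quttera's code: it parses combined-format log lines, groups gateway hits by /24, flags subnets with several distinct source hosts, and measures the interval between hits. The log lines, IP addresses (documentation ranges) and thresholds are constructed; the gateway path is the one named in the post.

```python
"""Added example (not Quttera's code): find a gateway script being hit from
many hosts across whole sub-networks using web-server access logs. Log
lines, IPs and thresholds are constructed; the path comes from the post."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

GATEWAY_PATH = "/media/mod_languages/mailer.php"  # path named in the post

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: four hosts in one /24 hit the gateway every 5 minutes,
# one host elsewhere hits it once, and one ordinary page request is mixed in.
SAMPLE_LOG = [
    '203.0.113.10 - - [11/Dec/2016:10:00:00 +0000] "POST /media/mod_languages/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [11/Dec/2016:10:05:00 +0000] "POST /media/mod_languages/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [11/Dec/2016:10:10:00 +0000] "POST /media/mod_languages/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [11/Dec/2016:10:15:00 +0000] "GET /media/mod_languages/mailer.php?check=1 HTTP/1.1" 200 64 "-" "curl/7.50"',
    '198.51.100.7 - - [11/Dec/2016:10:16:30 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.13 - - [11/Dec/2016:10:20:00 +0000] "POST /media/mod_languages/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def parse_line(line: str):
    """Return ip, timestamp, method and query-stripped path, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"].split("?")[0]}


def gateway_activity(lines, path=GATEWAY_PATH, prefix=24):
    """Group hits on the gateway path by /prefix subnet: distinct hosts, hit count, timestamps."""
    by_subnet = defaultdict(lambda: {"hosts": set(), "hits": 0, "times": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != path:
            continue
        net = ipaddress.ip_network(f"{rec['ip']}/{prefix}", strict=False)
        entry = by_subnet[str(net)]
        entry["hosts"].add(rec["ip"])
        entry["hits"] += 1
        entry["times"].append(rec["ts"])
    return by_subnet


def flag_subnets(stats, min_hosts=3):
    """A subnet is reported when several distinct hosts in it hit the gateway
    (threshold constructed for the demo; tune to the site's traffic)."""
    return sorted(net for net, e in stats.items() if len(e["hosts"]) >= min_hosts)


def median_interval_seconds(stats):
    """Median gap between successive gateway hits across all sources; a tight
    value such as 300 s indicates scheduled, bot-driven use."""
    times = sorted(t for e in stats.values() for t in e["times"])
    gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
    return gaps[len(gaps) // 2] if gaps else None


if __name__ == "__main__":
    stats = gateway_activity(SAMPLE_LOG)
    print("flagged subnets:", flag_subnets(stats))
    print("median interval (s):", median_interval_seconds(stats))
```

Flagged subnets are the ones to report to the owning hosting provider, as the post describes; on a live site the same grouping is applied to the full log and the /24 prefix is adjusted to the provider's actual allocation size.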
Is your website flagged for malware, blocked by the search engines or disabled by your host?
Our experts are here to clean up any malware from your sites and to remove false positives, blacklisting and other kinds of alerts from any security vendor or search engine. Just select a suitable ThreatSign! Anti-Malware plan and get back online.

For other issues and help: Quttera's help-desk