14 Nov, 2018

Suspicious Icon Files on Your Website

Harmless-looking files on your website aren't always harmless. They can be malware in disguise. By using a file extension that shouldn't be able to execute, they avoid getting caught by anti-malware software. By themselves, they're harmless. But if an attacker can get them to run as executable files, they can do all kinds of damage.

Certain Trojans try to disguise malicious code as icon files and put them into your website. They're files with the extension .ico. The most common version is the file favicon.ico, which displays an icon in the address bar when users visit your site. It's likely to be the only .ico file you have.
If you see others with names like favicon_56adb3.ico or .01b547ac.ico, you need to be suspicious. There's a high chance that they're something evil in disguise.
An especially aggressive type of malware called Vawtrak uses icon files to conceal hostile code. It attacks banking sites to steal account information.
Uncovering the Deception
You can view these files in your browser, and they won't do anything bad. They won't display anything, either, since their content isn't actually an icon file. It's executable PHP code.
To tell for sure, view the files in a text editor. That's safe. If it's a real icon, you'll see what looks like gibberish text, probably with lots of blanks and accented characters. If the file is an impostor, the beginning will look something like this:

<?php

You can spot the difference between the normal and malicious .ico files below:
What's going on is that the "icon" is really an executable PHP file. Popular website engines such as WordPress and Drupal run the PHP programming language, so most Web servers support it and will run any PHP file in the website directory when a browser calls it up as a page.
This should be harmless if nothing else is wrong. PHP files will run only if they have the .php extension. An icon file shouldn't run as PHP. A second trick is necessary to make that happen. But if those files are in your Web directory, it's likely that some disguised activity is underway.

Usually, the trick is that some other PHP file uses the "include" directive to call up the disguised file.
Unlike execution from the browser, the "include" directive will accept any file extension. Security software will look at the PHP file and see it doesn't do anything nasty. It includes another file, but that one has the .ico extension, so it doesn't get scanned. As a result, the nasty code never gets noticed.
An extra level of subterfuge is to start the file name with a period (.). File names with a period as their first character don't show up in listings unless you specifically ask for them. They may go uncaught for a long time. With a Linux command line, you need a command like this to spot them all:

# ls -a | grep '\.ico$'

Upload Directories
Another way those files can get onto your site is by uploading. If the site lets visitors upload files, it's taking a serious risk. At a minimum, your upload directory should be outside your Web directory. Otherwise, the person who uploaded the file can then "view" it in a browser, letting it run.

Again, an icon file by itself won't do anything, but the intruder can also upload a PHP file that includes the icon. It might pass any malware scans since it doesn't seem to do anything serious by itself. But with that one-two punch, the attacker has the ability to run any code at all on your website. Only trusted users should be allowed to upload files.
Possible Effects
If these files run as PHP code, they can do all kinds of harm. The following list is just a sampling:

  • Crypto Jacking: In itself, computationally mining for Bitcoin and other cryptocurrencies is a legitimate activity. The process discovers new blocks in the blockchain, and the miner is rewarded with a small amount of the currency. By design, it takes a lot of computing, and there's money to be made (literally made) by stealing computing power for this purpose. This is known as "crypto jacking." It will slow down the server's performance and may make it less stable.

  • Spyware: The files may monitor activity on your site, stealing passwords or financial information. They will upload the information to a server that gathers personal data from every infected website.

  • Adware: The hostile files might replace legitimate content on your site and inject ads. The ads could lead to sites that will try to deliver more malware to your visitors.

  • Spam Email: The files could send out email to unwilling recipients, including phishing messages. The mail will come from your IP address and could lead to legitimate mail from your servers being blocked.

  • DDoS Attacks: Large numbers of infected machines can join in a botnet that creates enough traffic to cripple even a large website.

  • Creation of Unauthorized Servers: Malware can set up a separate server that you don't know is running, allowing unauthorized parties access to your server as if they had a local account on it.
Fixing the Problem
If you find bogus icon files, the first step you can take is to remove them all. A shortcut for finding them all is:

grep -l '<?php' *.ico .*.ico

This will slow down any attack in progress that uses those files. However, you aren't out of the woods just by doing that. If such files are on your server, it's likely that other nasty stuff is there, and it may just regenerate those files. If you find malicious icon files on your website, you should definitely run a full scan for malware.
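
The checks described in this article combined into one script, as an added example that is not part of the original post: it finds .ico files including dot-prefixed ones, flags any that contain a PHP open tag or lack the ICO header bytes 00 00 01 00, and lists PHP files whose include or require names an .ico file. The function names, output labels and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage of .ico files under a web root.
# Output, one line per finding:
#   PHP-IN-ICON <file>    .ico file containing a PHP open tag
#   NOT-AN-ICON <file>    .ico file without the ICO header 00 00 01 00
#   INCLUDES-ICON <file>  .php file whose include/require names an .ico file
scan_icons() {
    root=$1
    # find -name also matches dot-prefixed names such as .01b547ac.ico,
    # which the shell glob *.ico skips.
    find "$root" -type f -name '*.ico' | while IFS= read -r f; do
        # First four bytes as hex; a genuine icon starts 00 00 01 00.
        magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
        if grep -qaF '<?php' "$f"; then
            echo "PHP-IN-ICON $f"
        elif [ "$magic" != "00000100" ]; then
            echo "NOT-AN-ICON $f"
        fi
    done
    # The loader is the second half of the trick: a PHP file that
    # pulls the disguised file in with include or require.
    find "$root" -type f -name '*.php' \
        -exec grep -lEi '(include|require)(_once)?[^;]*\.ico' {} + |
        sed 's/^/INCLUDES-ICON /'
}

# Constructed sample tree so the function can be tried offline.
make_sample() {
    d=$(mktemp -d)
    printf '\000\000\001\000\001\000' > "$d/favicon.ico"   # real ICO header
    printf '<?php /* constructed placeholder */ ?>' > "$d/.01b547ac.ico"
    printf 'GIF89a' > "$d/favicon_56adb3.ico"              # wrong file type
    printf '<?php @include "/var/www/.01b547ac.ico"; ?>' > "$d/index.php"
    printf '<?php echo "hello"; ?>' > "$d/about.php"
    echo "$d"
}

# Scan the directory given as the first argument, if any.
if [ -n "${1:-}" ]; then
    scan_icons "$1"
fi
```

Save it under any name and pass the web root as the only argument. A loader that assembles the file name at run time will not match the include pattern, so an empty INCLUDES-ICON result does not clear the site.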

If resource-theft operations like crypto jacking are in progress, they don't directly affect the website other than degrading its performance. They can stay in place for a long time without being noticed. Users just wonder why the site is so sluggish.

Hostile code can hide in files with any harmless-looking extension. Icon files are an attractive choice because no one pays much attention to them. Unlike JPEG or PNG files, they normally aren't used in Web pages. The trick behind successful hacking is often just not to get noticed. Success in cybersecurity requires noticing everything.

To protect your website and remove this and other kinds of malware, we have created an All-in-one Website Protection Platform. It helps to increase cybersecurity and reduce IT costs. Everything you need to manage the cybersecurity risks - a website firewall, an incident response team to fix hacking, advanced malware scanning techniques, DNS/IP checkups, malware and blacklists removal, and advanced features to boost your business security online - all in one place. For more info and to sign up - ThreatSign Website Antimalware.