The SiteLock support teams are always encountering new types of malware. This week we’ll discuss a recent infection of WordPress theme files, header files specifically, brought to our attention by SiteLock’s Security Concierge, or SECCON, Team.
Where Was This New Malware Discovered?
- The script builds a URL and saves it to a variable named n_url.
- The n_url variable is then URI encoded and used as a parameter in another variable.
- The script is injected only if the website’s title and the referrer are present.
Let’s look at the n_url variable. It starts as malicious PHP, which is written or uploaded to a compromised site. Often this malicious PHP is written or uploaded as a file named jquery.min.php. It then adds the aforementioned title of the site, the referrer, and finally the source, or the host itself. Again, this URL is URI encoded and included in the new script tags.
End Result Of The Injected Malware
Objectives include a ‘media player upgrade,’ which could be adware or worse, an exploit kit, or blackhat lead generation and survey sites promising socially desirable electronics in exchange for personal information and a nominal purchase.
We’ve since seen the infection include index.html files as well, though nowhere near the numbers of WordPress header.php files. SiteLock implemented a malware signature for the infection, which was added to our database of identified malware and is used by SMART (Secure Malware Automatic Removal Tool) .