Malware Decoded: How SiteLock Cleans Infected Websites

March 19, 2015 in SiteLock Research

Identifying and cleaning malware is part of our everyday life here at SiteLock, and we know for many website owners cybersecurity can be an intimidating topic. That’s why we thought we’d share a simple case of what a common infection looks like, and demonstrate how SiteLock finds, fixes, and prevents malware.

During a malware clean of a new customer's site, we found some simple, well-known malware, a perfect example for an introductory post. The site was compromised through an arbitrary file upload vulnerability, and malicious code was ultimately injected into the site's index file, immediately before the closing </body> tag. That placement, and the uniformity of the code, point to an automated injector rather than a hands-on attacker.

This is an almost textbook obfuscation of PHP code. Obfuscation here means an encoding that hides what the code does from a casual reader but can be reversed without any key; this sample combines Base64 encoding, compression and the @ error-suppression operator, and hands the result to eval. It would not decode with the excellent public decoder we tried first, but it could not withstand our internal tools.

[Image: the obfuscated PHP as found in the index file]

Decoding this yields a second obfuscated stage that uses the same techniques as the first, arranged differently. eval was replaced with preg_replace() using the /e modifier, which evaluates the replacement string as PHP code and is therefore equivalent to eval (the modifier was deprecated in PHP 5.5 and removed in PHP 7.0, but it still worked on this site), and the conspicuous hex-escaped string prepended to the call spelled out the same Base64 decode, uncompress and eval sequence as before, hidden from a naive grep for "eval".

[Image: echoing the first stage instead of evaluating it reveals the second obfuscated layer]
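As an added illustration of the two layers described above (this is not SiteLock's tooling and not the code recovered from the site), here is a small static peeler in Python that unwraps exactly this kind of layering without executing anything: it replaces base64_decode / gzinflate / gzuncompress calls with their computed results, treats preg_replace with the /e modifier as the eval it is, and resolves the \xNN escapes that hide function names. The sample it decodes is constructed inline to mirror the post's structure (eval + gzinflate + Base64 wrapping a preg_replace /e whose hex-escaped replacement wraps the same chain again); the example.invalid host, the sample's contents and every function name in the script are assumptions.

```python
import base64
import re
import zlib

# Pure re-implementations of the PHP decoders these wrappers rely on; nothing is executed.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b + b"=" * (-len(b) % 4)),
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE stream
    "gzuncompress": lambda b: zlib.decompress(b),    # zlib-wrapped stream
    "gzdecode": lambda b: zlib.decompress(b, 31),    # gzip-wrapped stream
    "strrev": lambda b: b[::-1],
}

EVAL_CALL = re.compile(rb"@?\s*\beval\s*\(", re.I)
# preg_replace(pattern, replacement, subject) with three string-literal arguments.
PREG_CALL = re.compile(
    rb"""@?\s*\bpreg_replace\s*\(\s*(['"])(.*?)\1\s*,\s*(['"])(.*?)\3\s*,\s*(['"])(.*?)\5\s*\)""",
    re.I | re.S)
LITERAL = re.compile(rb"""^\s*(['"])(.*)\1\s*$""", re.S)
CALL = re.compile(rb"^\s*@?\s*(\w+)\s*\((.*)\)\s*;?\s*$", re.S)
PHP_ESCAPE = re.compile(rb'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrt\\"$])')


def unescape_php_string(s: bytes) -> bytes:
    r"""Resolve PHP double-quoted escapes: "\x65\x76\x61\x6c" is how the second layer hides eval."""
    def sub(m):
        e = m.group(1)
        if e[:1] == b"x":
            return bytes([int(e[1:], 16)])
        if e[:1].isdigit():
            return bytes([int(e, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(e, e)  # \\ \" \$ stand for themselves
    return PHP_ESCAPE.sub(sub, s)


def evaluate_chain(expr: bytes) -> bytes:
    """Statically evaluate f1(f2(...('literal')...)) using only DECODERS."""
    m = LITERAL.match(expr)
    if m:
        return unescape_php_string(m.group(2)) if m.group(1) == b'"' else m.group(2)
    m = CALL.match(expr)
    if not m:
        raise ValueError("unsupported expression: %r" % expr[:40])
    name = m.group(1).decode("ascii", "replace").lower()
    if name not in DECODERS:
        raise ValueError("no static model for %s()" % name)
    return DECODERS[name](evaluate_chain(m.group(2)))


def _balanced_end(src: bytes, start: int) -> int:
    """Index of the ')' closing the '(' just before start, skipping quoted text."""
    depth, quote, i = 1, None, start
    while i < len(src):
        c = src[i:i + 1]
        if quote:
            if c == b"\\":
                i += 1  # skip the escaped character
            elif c == quote:
                quote = None
        elif c in (b"'", b'"'):
            quote = c
        elif c in (b"(", b")"):
            depth += 1 if c == b"(" else -1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced parentheses")


def _has_e_modifier(pattern: bytes) -> bool:
    closing = pattern.rfind(pattern[:1])  # assumes a non-bracket delimiter such as /
    return closing > 0 and b"e" in pattern[closing + 1:]


def peel(src: bytes, max_layers: int = 20):
    """Unwrap eval() and preg_replace(/e) layers; returns (final_code, stages removed)."""
    stages = []
    for _ in range(max_layers):
        ev = EVAL_CALL.search(src)
        pr = PREG_CALL.search(src)
        if pr is not None and not _has_e_modifier(pr.group(2)):
            pr = None  # without /e, preg_replace is string work, not code execution
        if ev is None and pr is None:
            return src, stages
        if pr is None or (ev is not None and ev.start() < pr.start()):
            src = evaluate_chain(src[ev.end():_balanced_end(src, ev.end())])
            stages.append("eval")
        else:
            # /e evaluates the replacement as PHP, so the replacement literal is the next stage.
            src = unescape_php_string(pr.group(4)) if pr.group(3) == b'"' else pr.group(4)
            stages.append("preg_replace /e")
    raise ValueError("gave up after %d layers" % max_layers)


# Constructed final stage standing in for the pharma injector; the host is a placeholder.
FINAL_STAGE = b"$list = 'http://example.invalid/13.list'; echo @file_get_contents($list);"


def _hexify(s: bytes) -> bytes:
    return b"".join(b"\\x%02x" % c for c in s)


def build_sample() -> bytes:
    """Wrap FINAL_STAGE the way the post describes, innermost layer first."""
    inner = base64.b64encode(zlib.compress(FINAL_STAGE))
    stage2 = (_hexify(b"eval") + b"(" + _hexify(b"gzuncompress") + b"("
              + _hexify(b"base64_decode") + b"('" + inner + b"')))")
    stage1 = b'@preg_replace("/.*/e", "' + stage2 + b'", "");'
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, i.e. gzinflate() input
    outer = base64.b64encode(co.compress(stage1) + co.flush())
    return (b"<html><body><p>site content</p>\n<?php @eval(gzinflate(base64_decode('"
            + outer + b"'))); ?>\n</body></html>")


if __name__ == "__main__":
    code, stages = peel(build_sample())
    print(" -> ".join(stages), "\n", code.decode("utf-8", "replace"))
```

Running the script prints the wrapper removed at each layer (eval, then preg_replace /e, then eval) and the final stage. The point of doing this statically rather than swapping eval for echo on a live server is that the payload never runs; back-references from the /e pattern into the subject and bracket-style regex delimiters are deliberately not modelled, so a sample that uses them will fail loudly rather than decode wrongly.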

Decoding that second stage reveals the final PHP code, which has, right at the top, the URL that begins the end goal: injecting pharma (pharmacy) spam links. The URL points to a list file, 13.list, which contains three URLs, each a page full of pharma links. This type of "pharma hack" borrows the victim site's reputation to make pharmaceutical sales sites rank higher in Google results than they otherwise would. The remainder of the injected code checks the freshness of the links and injects them into the page.

[Image: the pharma link list]
[Image: the fully decoded PHP]

This simple example shows how bad actors, with their networks of automated tools and compromised sites, can inject pretty much whatever they want into a site with less than ideal security. With an outdated plugin and no firewall or malware scanner, your site will be pushing the latest pharmaceutical buzzwords before you know it, lending its search rank to pharmaceutical sales sites as in this case.

The SiteLock® INFINITY scanner can find malware like this and remove it automatically, while the SiteLock TrueShield Web Application Firewall (WAF) blocks the exploits that serve as entry points for the injection, here the arbitrary file upload, before the compromise can occur.

Keep your site secure with the latest updates and appropriate security. It’s your livelihood, isn’t it worth a little security? Contact SiteLock today.
