Pop Culture In Malware

October 13, 2015 in Malware, SiteLock Research

Hacks are bad. A website compromise is serious, and at SiteLock we see a lot of compromised sites and malicious code. Malicious code is constantly evolving to avoid detection, and adversaries use a large number of strategies to that end. Comedy happens to be one of them.

Since hackers try everything they can think of – pop culture references, internet memes, irony – to disguise malicious code, we’ll dive into the strange and weird to show you how far adversaries will go…

Unorthodox Ways Of Evading Detection

Adversaries may use real-life resources to try to evade detection, whether by human or machine. While a machine could be confused by human-looking text, trying to stop human analysis can involve taking absurd measures. We step into this world of evasion with a character named Bloodninja.

Bloodninja’s origins go all the way back to 2002, when the lewd-turned-absurd cybersex chat logs were posted to Bash.org, the famous line being “I put on my robe and wizard hat.” The comedy continued for years and lives on today in the form of less-than-tasteful malware evasion. The excerpt below was taken from a shell we recently detected and includes references to baseball and bananas.

[Image: Bloodninja references in malware excerpt]
Caption: Bloodninja strikes out with Sarah19fca

Harry Potter And Web Shells

Let’s be clear: adversaries are smart. They constantly obfuscate malware and attempt to evade detection to profit from compromised sites. Smart and well read, apparently, as evidenced by the use of Harry Potter quotes in web shells.

[Image: Harry Potter quote in malware excerpt]
Caption: Hackers read, too.

In the next example, we see Harry Potter rearing his behatted head again, this time in the success message of ‘v0ld3m0rt’ in another shell. The malware authors even go so far as naming a POST array element ‘joke’ with variables $lul and $z0r, as in “I did it for the lulz.”

[Image: malware excerpt]
Caption: Voldemort did it for the lulz

LULZ And The WSO Shell

The lulz and lolz continue with the venerable WSO shell. We detect so many variations of WSO that we can’t help but share a version that makes us smile. The version below replaces the ubiquitous ‘FilesMan,’ short for FilesManager, with ‘FilesGirl,’ and replaces instances of WSO_* with LOL_*, converting it to a humorous, equal opportunity shell.

[Image: Humorous version of WSO shell]
Caption: WSO in Sheep’s Clothing
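
One way a scanner can keep up with the renaming described above, shown as an added example (not SiteLock's detection logic and not code from the original post): a literal-string signature misses the ‘FilesGirl’/LOL_* variant, while a check on the shape of the code catches both. The PHP sample lines are constructed, and their layout (a $default_action assignment and a *_VERSION constant) is an assumption, since the post shows the shell only as an image.

```python
import re

# Strings a literal signature would key on (both names appear in the article).
LITERAL_MARKERS = ("FilesMan", "WSO_")

# Structural patterns: match the shape of the code, not the names chosen.
# Assumed layout: $default_action = 'Files<Word>' and define('<PREFIX>_VERSION', ...).
DEFAULT_ACTION = re.compile(r"""\$default_action\s*=\s*['"]Files([A-Za-z]+)['"]""")
PREFIX_CONST = re.compile(r"""define\(\s*['"]([A-Z]{2,8})_VERSION['"]""")


def literal_match(source):
    """Naive signature: True only if the well-known strings appear verbatim."""
    return all(marker in source for marker in LITERAL_MARKERS)


def structural_match(source):
    """Return (action_suffix, constant_prefix) if the layout matches, else None."""
    action = DEFAULT_ACTION.search(source)
    const = PREFIX_CONST.search(source)
    if not (action and const):
        return None
    prefix = const.group(1)
    # Require the prefix to be used again, as a renamed WSO_* family would be.
    if len(re.findall(r"\b%s_[A-Z]+" % re.escape(prefix), source)) < 2:
        return None
    return action.group(1), prefix


# Constructed samples: inert lines that only mimic the assumed layout.
ORIGINAL = """<?php
$default_action = 'FilesMan';
@define('WSO_VERSION', '0.0');
echo WSO_VERSION;
"""
# The substitution the article describes: FilesMan -> FilesGirl, WSO_* -> LOL_*.
RENAMED = ORIGINAL.replace("FilesMan", "FilesGirl").replace("WSO_", "LOL_")
# Constructed benign file: has a version constant but no Files<Word> action.
BENIGN = """<?php
define('APP_VERSION', '1.0');
$default_action = 'index';
echo APP_VERSION;
"""

if __name__ == "__main__":
    for name, src in (("original", ORIGINAL), ("renamed", RENAMED), ("benign", BENIGN)):
        print(name, literal_match(src), structural_match(src))
```

A structural hit is a triage signal, not a verdict: a legitimate file manager could share this shape, so flagged files still need review.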

The mysticism of magic must be irresistible to adversaries as the next malware example is called the Magic Include Shell, which welcomes users and researchers into the ‘world of dorkness.’

[Image: Magic include shell malware code]
Caption: Dorkness indeed.

No Malware In This Code

Finally, we have adversaries calling on the mysticism of the Jedi with the next shell, the ‘b374k’ shell. Here, right up top in the comments, the malware writer assures us there’s nothing malicious to see here, move along. Remind you of anything?

Obi-Wan Kenobi: These aren’t the droids you’re looking for.
Stormtrooper: These aren’t the droids we’re looking for.
Obi-Wan Kenobi: He can go about his business.
Stormtrooper: You can go about your business.
Obi-Wan Kenobi: Move along.
Stormtrooper: Move along… move along.


[Image: Hacker message in malware code]
Caption: We did.

Malware has a surprisingly diverse field of humor. Some have their own stories, ramblings about pop culture references and favorite shows, or impressive ASCII art. We’ve even seen a hacker write their own resume including full name, college, major, and past experience, all into malware. Poetry isn’t common, but it’s a unique, almost welcome, evasion technique waiting to be discovered.

[Image: Song found in malware]
Caption: Song of Malware


We had a little fun this week, with malicious software of all things, but the consequences of a compromised website are not funny. Loss of business and customer trust, disruption of online services, and even leaked customer information are the real costs of a compromise.

SiteLock helps businesses face these security issues with services like our SMART scanner and the TrueShield web application firewall to make securing your website easier. Call 855.378.6200 to speak with one of our website security consultants today.
