Incidents|New 64-bit Linux Rootkit Doing iFrame Injections

Marta Janus
Kaspersky Lab Expert
Posted November 19, 20:15 GMT
Tags: Linux, Rootkits, x64

A few days ago, an interesting piece of Linux malware came up on the Full Disclosure mailing list. It's an outstanding sample, not only because it targets 64-bit Linux platforms and uses advanced techniques to hide itself, but primarily because of its unusual functionality: it infects the websites hosted on the attacked HTTP server, and therefore works as part of a drive-by download scenario.

Recently, we came across web malware that – instead of injecting an iframe pointing to a fixed existing address – generates a pseudo-random domain name, depending on the current date. This approach is not new and is widely used by botnets in C&C domain name generation, yet it's not very common for the web malware we’ve seen so far.

After deobfuscation, we can see that the iframe redirecting to the malicious URL with the generated domain name is appended to the HTML file. All URLs consist of 16 pseudo-random letters under the .ru top-level domain and execute a PHP script on the server side with sid=botnet2 as the argument:

Incidents|Dangerous whitespaces

Marta Janus
Kaspersky Lab Expert
Posted June 09, 09:38 GMT
Tags: Website Hacks, PHP

A few days ago, I blogged about a PHP/JS malware targeting the osCommerce platform, which used an interesting new technique to obfuscate the malicious code. It so happens that today I came across an even more advanced sample of a PHP infector, also in the context of a vulnerable e-commerce solution.

When I came to work today, my colleague from our Polish office asked me to help him find the malware that was affecting his friend's online store. The HTML page, viewed in the browser, contained a link to a jquery.js script in some randomly generated cx.cc domain, although there was no sign of this link in the source files on the server. Reaching a verdict was simple - this piece of code was being added dynamically, by some infected PHP script.

We looked into all of the PHP files stored on the server and got a bit confused - there was nothing really suspicious at first glance. But with the div_colors malware in mind, I started to study the code line by line. What finally caught my attention was a small function at the beginning of one of the core PHP files.

Incidents|Dangerous colours

Marta Janus
Kaspersky Lab Expert
Posted June 03, 09:22 GMT
Tags: Website Hacks

New techniques for obfuscating malicious code on websites are a good way to mislead both users and protection software alike. Recently, I came across an interesting attack against the osCommerce online shopping platform in which malicious script was injected into PHP files by exploiting a Remote File Inclusion vulnerability in osCommerce software.

This PHP script works as an infector and is used to add the following code just after specified tags in HTML files and at the top of JavaScript files:

At first glance, this code doesn't look as suspicious as such code usually does - there is nothing that stands out: no <iframe> tag, no unescape() function, nor is there an eval(). Instead, we just have a function which seems somehow related to colours displayed on the web page and an array filled with values pretending to be a hex representation of these colours. Unwary users could overlook this code, assuming that it's legitimate and belongs to the page, but if we follow it, we can see what it really does. The code takes the values from the array, converts them in some way and builds an ASCII string, which it then appends to the web page source code using either the document.write or the document.createElement method. In the latter case, the created element has a type of text/javascript.

Now does it look suspicious enough to you? :)

If the second parameter of the div_pick_colours() function is specified, the function returns:

in which the last value always differs and depends on the current date and time. Otherwise, it returns the same URL but without <script> tags. The given address is no longer active, so we couldn't tell what kind of threat it used to lead to.

Kaspersky Lab detects this malware as Trojan-Downloader.PHP.JScript.a and Trojan.JS.Redirector.px. According to Virus Total, at the time of writing only one other AV vendor was able to detect the PHP part of this malware. For script injected into JS and HTML the ratio was as low as 20%.

How to secure your website from being infected with such malware and what to do in case of infection?

The two most important things are backup copies and regular scanning of all the files on the server. If you are using osCommerce or any other e-commerce solution, you should always check for software updates and install them as soon as they are released. Sometimes the time between the disclosure of a vulnerability and the publication of a patch can be shamefully long, so it may be worth doing without some buggy features and deleting the vulnerable files from the server. Setting a password on the root directory is also a very good idea, as it prevents malware from modifying core files.
