Colores peligrosos

New techniques for obfuscating malicious code on websites are a good way to mislead both users and protection software alike. Recently, I came across an interesting attack against the osCommerce online shopping platform in which malicious script was injected into PHP files by exploiting a Remote File Inclusion vulnerability in osCommerce software.

This PHP script works as an infector and is used to add the following code just after specified tags in HTML files and at the top of JavaScript files:

At first glance, this code doesn’t look as suspicious as it usually does – there is nothing that stands out: no <iframe> tag, no unescape() function, nor is there an eval(). Instead, we just have a function which seems somehow related to colours displayed on the web page and an array filled with values pretending to be a hex representation of these colours. Unwary users could overlook this code assuming that it’s legitimate and belongs to the page, but if we follow it, we can see what it really does. The code takes the values from the array, converts them in some way and builds an ASCII string, so it can then use either the document.write or document.createElement method to append text to the web page source code. It the latter case, the created element has a type of text/javascript.

Now does it look suspicious enough to you? 🙂

If the second parameter of the div_pick_colours() function is specified, the function returns:

in which the last value always differs and depends on the current date and time. Otherwise, it returns the same URL but without <script> tags.
The given address is not active anymore, so we couldn’t tell what kind of threat it used to lead to.

Kaspersky Lab detects this malware as Trojan-Downloader.PHP.JScript.a and Trojan.JS.Redirector.px. According to Virus Total, at the time of writing only one other AV vendor was able to detect the PHP part of this malware. For script injected into JS and HTML the ratio was as low as 20%.

How to secure your website from being infected with such malware and what to do in case of infection?

Two most important things are backup copies and regular scanning of all the files on the server. If you are using osCommerce or any other e-Commerce solution, you should always check for the software updates and install them as soon as they’re being released. Sometimes the time between disclosing a vulnerability and publishing patch can be shamefully long, so maybe it’s worth considering to reject some buggy features and delete vulnerable files from the server. Setting up password on the root directory is also a very good idea, as it prevent malware from modifying core files.

Colores peligrosos

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *



MosaicRegressor: acechando en las sombras de UEFI

Encontramos una imagen de firmware de la UEFI infectada con un implante malicioso, es el objeto de esta investigación. Hasta donde sabemos, este es el segundo caso conocido en que se ha detectado un firmware malicioso de la UEFI usado por un actor de amenazas.

Dark Tequila Añejo

Dark Tequila es una compleja campaña maliciosa que tiene por objetivo a los usuarios ubicados en México, con el propósito principal de robar información financiera, así como credenciales de acceso a sitios populares que van desde versionado de código fuente a cuentas de almacenamiento de archivos en línea y de registro de dominios web.

De Shamoon a StoneDrill

A partir de noviembre de 2016, Kaspersky Lab observó una nueva ola de ataques de wipers dirigidos a múltiples objetivos en el Medio Oriente. El programa malicioso utilizado en los nuevos ataques era una variante del conocido Shamoon, un gusano que tenía como objetivo a Saudi Aramco y Rasgas en 2012.

Suscríbete a nuestros correos electrónicos semanales

Las investigaciones más recientes en tu bandeja de entrada