One of my friends' blogs that I host was recently infected by one of the drive-by infections called “Blackhole”, which is a completely useless description when you actually have to disinfect it. Even more disappointingly, NO AV scanner was helpful in figuring out which page had hit it. Google’s malware tools/safebrowsing don’t see it because it very specifically hides from those User-Agents. AVG LinkScanner sees it but is completely, totally useless because it doesn’t tell you where it came in, it just stops IE. Similar issues in other AV software. Microsoft Security Essentials was/is blind to the exploit despite IE apparently being one of the targeted User-Agents for the infection to get installed on.
In the end very careful inspection revealed index.php files where they shouldn’t be, and they contained the infection code, which actually fetches the payload from a remote server. The key was to look for base64_decode where it didn’t belong, and each of those had a common encoded string, “aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw”, which decodes to a link to (please do not visit this unless you’re willing to accept getting infected) adveconfirm.com/stat/stat.php, a domain owned by some Russian entity according to Whois but which could be owned by anyone. This string is obviously pretty specific to this variant from this C&C server. It may be self-updating; I didn’t try to follow it any further than to see the site give me more encoded malware when my wget User-Agent was set to something that would look “juicy” (MSIE 9).
This malware apparently got in via a vulnerable thumb.php AKA timthumb.php and inserted itself into every header.php, footer.php and index.php file it could. It would fetch the actual malware from adveconfirm.com/stat/stat.php (which I mention but will NOT link to); that URL is Base64-encoded as the string quoted above, so there’s something other systems admins can actually search for. It will create extra index.php files where they don’t exist. It hides itself from anything that might possibly be a web crawler, both on the adveconfirm.com C&C server and on the infected sites: it only inserts the code when it’s pretty sure you’re not a bot, otherwise it generates a 404 (in the case of the C&C) or doesn’t output any code. I also saw mentions of “Silence is golden” in a PHP comment in the created index.php files.
Easiest way to disinfect is to:
- Copy your users' WordPress config files (wp-config.php) and check them for infections
- Wipe out all PHP files in the WordPress instance. This step breaks all custom themes and plugins, and they cannot be restored except from a clean .zip or by manually cleaning the theme/plugin. In my case I found index.php, header.php and footer.php were all infected in themes; plugins were apparently clean. Simply removing the injected code also fixes the problem, but it’s time consuming to do manually. You could automate it, since the code itself doesn’t vary and is wrapped in <?php ?> tags.
- Extract/reinstall all files from the clean tarball on wordpress.org
Again, this will break custom themes and installed plugins, so be prepared to reinstall them, quite possibly manually. You could go less or more scorched earth. If you just look for PHP files containing the base64 string above (the one passed to base64_decode) you’ll probably find all cases of the (current) infection.
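Since the injected code doesn’t vary and always carries that base64 string, the search-and-strip approach can be scripted. The following is an added example, not the author’s script and not code from the infection: a Python scanner/cleaner that keys on the base64 string rather than on file names or on the “Silence is golden” comment (stock WordPress ships index.php stubs containing exactly that comment, so the comment alone proves nothing). It treats a PHP block with no closing ?> (like those stubs) as ending at the next <?php, so a loader appended after a stub is stripped without taking the stub with it. The sample tree it builds, and the INJECTION stand-in (only the marker string in it is real), are constructed for the demo; the script name blackhole_scan.py is assumed.

```python
"""Find and strip PHP blocks carrying the Blackhole C&C marker described above.

Usage: python blackhole_scan.py /path/to/wordpress [--fix]
With no arguments it runs the constructed demo tree below.
"""
import base64
import re
import sys
import tempfile
from pathlib import Path

# Base64 string the post found in every infected file; decoded only to confirm it.
MARKER = "aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw"
CNC_URL = base64.b64decode(MARKER).decode()  # http://adveconfirm.com/stat/stat.php

# Constructed stand-in for the injected block: the marker is real, the code is not.
INJECTION = (
    '<?php $c = base64_decode("' + MARKER + '"); '
    "/* constructed stand-in for the loader that fetched the payload */ ?>"
)

OPEN_TAG = re.compile(r"<\?php")


def php_blocks(source):
    """Yield (start, end) spans of PHP blocks in source.

    A block runs from '<?php' to the next '?>'. If no '?>' comes before the
    next '<?php' (WordPress's own '<?php // Silence is golden.' stubs have no
    closing tag), the block ends at that next '<?php' instead, so a loader
    appended after a stub is a separate block. A '?>' inside a PHP string
    would fool this; acceptable for a triage tool whose output you diff
    against a clean copy anyway.
    """
    starts = [m.start() for m in OPEN_TAG.finditer(source)]
    for i, s in enumerate(starts):
        next_start = starts[i + 1] if i + 1 < len(starts) else len(source)
        close = source.find("?>", s + 5)
        if close != -1 and close < next_start:
            yield s, close + 2
        else:
            yield s, next_start


def clean_source(source):
    """Return (cleaned, removed): source with every marker-carrying PHP block
    cut out, plus the number of blocks cut. Everything else is kept verbatim."""
    kept, pos, removed = [], 0, 0
    for s, e in php_blocks(source):
        if MARKER in source[s:e]:
            kept.append(source[pos:s])
            pos = e
            removed += 1
    kept.append(source[pos:])
    return "".join(kept), removed


def scan_tree(root, fix=False):
    """Return {relative path: (blocks removed, hollow)} for every *.php under
    root that carries the marker. hollow=True means only whitespace is left
    once the injection is gone, i.e. the file is one the injection created
    rather than one it infected; those are reported but never rewritten or
    deleted here, so you can compare them with a clean copy first."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        try:
            source = path.read_text(encoding="utf-8", errors="surrogateescape")
        except OSError:
            continue
        if MARKER not in source:
            continue
        cleaned, removed = clean_source(source)
        hollow = cleaned.strip() == ""
        report[path.relative_to(root).as_posix()] = (removed, hollow)
        if fix and not hollow:
            path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return report


HEADER_CLEAN = "<!DOCTYPE html>\n<html>\n<head>\n<?php wp_head(); ?>\n"


def demo():
    """Build a constructed WordPress tree (one infected theme header, one clean
    plugin stub, one index.php made of nothing but the injection) and return
    (report before --fix, report after --fix, header.php contents after --fix)."""
    root = Path(tempfile.mkdtemp())
    theme = root / "wp-content" / "themes" / "custom"
    (theme / "inc").mkdir(parents=True)
    (root / "wp-content" / "plugins").mkdir()
    (theme / "header.php").write_text(HEADER_CLEAN + INJECTION + "\n</head>\n")
    (root / "wp-content" / "plugins" / "index.php").write_text("<?php\n// Silence is golden.\n")
    (theme / "inc" / "index.php").write_text(INJECTION)
    before = scan_tree(root)
    scan_tree(root, fix=True)
    after = scan_tree(root)
    return before, after, (theme / "header.php").read_text()


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--fix"]
    if not args:
        print(demo())
        sys.exit(0)
    for rel, (n, hollow) in scan_tree(args[0], fix="--fix" in sys.argv).items():
        tag = " [hollow: created by the injection, delete after checking]" if hollow else ""
        print(f"{rel}: {n} injected block(s){tag}")
```

Run it once without --fix to get the list, compare it against what grep -rl aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw over the docroot gives you (they should agree), then run with --fix on a copy. It only understands full <?php tags, not short <? tags, and it deliberately leaves the hollow files in place: an index.php that consists of nothing but the injection is one the attacker dropped, and deleting it is a decision to make file by file against the clean tarball. None of this fixes the timthumb.php hole that let the code in; that still has to be updated or removed or it will just come back.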
Too bad there’s no way to let MS know about the missed exploit, and there’s also no way of doing anything about adveconfirm.com.