MalwareGone Threat Analysis – WSO FilesMan Backdoor

Note: This is the first post in a series of in-depth investigations into threats that have been detected by the CodeGuard MalwareGone tool. In each post, we will pick a specific kind of malware, trojan, virus, backdoor, rootkit, etc. to dissect and discuss. We will also provide manual removal instructions at the end, just in case you’re not yet using CodeGuard.

For this inaugural post, we will be looking at a modified version of the WSO FilesMan backdoor, a PHP webshell designed to give its operator control of the whole system. Here is just a piece of the PHP file, which was named prbnts.php and located in the /wp-includes/js/jquery/ui/ folder, a folder that usually only holds JavaScript files (.js):

<?php
eval(gzinflate(base64_decode("5b37W9tG0zD8c+7r6v8gVLeyG2NsQ9IUsBNCICEHSDkkaSCv
(...)
?>

As you can see, the payload is compressed with the PHP core gzdeflate function and then base64-encoded; at runtime, base64_decode and gzinflate reverse those two steps and eval runs the result. When we decode and decompress the file we get something more readable:

$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';

if(!empty($_SERVER['HTTP_USER_AGENT'])) {
  $userAgents = array("nouseragenthere");
  if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
    header('HTTP/1.0 404 Not Found');
    exit;
  }
}


This gives us some clues that the file is malicious and shouldn’t be there. Even if you aren’t tech savvy, just searching for the first four lines on Google will show hints that this file is a backdoor, with the earliest findings dating back to the end of 2010. More specifically, the malicious file is a PHP Web Shell (or just PHP Shell): a shell wrapped in a PHP script that uses built-in PHP functions to execute commands on the system. With it, an attacker can do basically anything on the server where it is located, such as upload or download files; install, run or delete programs; and sometimes even create or delete users, depending on the web server’s user permissions. It is a bit similar to having an SSH (Secure SHell) connection to the server. Can you imagine the damage this could do? Whoever has a web shell on a server literally “owns” it. Now you know why people say someone got owned when their site gets hacked!
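The two observations above, a PHP file sitting in an asset-only directory and the eval(gzinflate(base64_decode(...))) wrapper, can be turned into a simple defensive scanner. The Python script below is an added example, not code from the original post or from CodeGuard’s tooling: it peels the wrapper layer by layer (it also handles nested wrappers, which the post’s sample does not show), then looks for the FilesMan strings from the decoded listing. The file it scans is constructed inside the script from the decoded header quoted above, so it runs offline; the asset-only directory list and the marker strings are assumptions drawn from this post, not a complete signature set.

```python
import base64
import re
import sys
import zlib
from pathlib import Path

# Wrapper used by the sample: eval(gzinflate(base64_decode("<blob>"))).
# The blob may be split across lines, so whitespace is allowed inside it.
OBFUSCATED_EVAL = re.compile(
    r'eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*["\']'
    r'([A-Za-z0-9+/=\s]+)'
    r'["\']\s*\)\s*\)\s*\)',
    re.IGNORECASE,
)

# Assumption: WordPress directories that should hold static assets only; a .php file
# here is suspicious (the post's sample lived in /wp-includes/js/jquery/ui/).
ASSET_ONLY_DIRS = ("/wp-includes/js/",)

# Strings taken from the decoded WSO FilesMan listing quoted in the post.
WSO_MARKERS = (
    "$default_action = 'FilesMan'",
    "$default_use_ajax",
    "$default_charset",
    "nouseragenthere",
)


def unwrap_layers(source, max_layers=10):
    """Repeatedly undo base64 + raw deflate (PHP gzinflate) wrappers.

    Returns (decoded_text, layer_count). Decoding stops at the first layer
    that is not valid base64/deflate, or after max_layers.
    """
    text, layers = source, 0
    while layers < max_layers:
        m = OBFUSCATED_EVAL.search(text)
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            raw = base64.b64decode(blob, validate=True)
            # wbits=-15 selects raw deflate, which is what PHP gzinflate() expects
            text = zlib.decompress(raw, -15).decode("utf-8", errors="replace")
        except (ValueError, zlib.error):
            break
        layers += 1
    return text, layers


def scan_php_file(rel_path, source):
    """Return a finding dict for one file; an empty 'indicators' list means nothing flagged."""
    indicators = []
    posix = "/" + rel_path.replace("\\", "/").lstrip("/")
    if posix.endswith(".php") and any(d in posix for d in ASSET_ONLY_DIRS):
        indicators.append("php_in_asset_only_dir")
    decoded, layers = unwrap_layers(source)
    if layers:
        indicators.append("obfuscated_eval_layers=%d" % layers)
    hits = [marker for marker in WSO_MARKERS if marker in decoded]
    if hits:
        indicators.append("wso_markers=" + "|".join(hits))
    return {"path": rel_path, "indicators": indicators, "decoded_preview": decoded[:200]}


def scan_tree(root):
    """Scan every .php file below root (a WordPress docroot) and return only flagged files."""
    root = Path(root)
    results = []
    for php in root.rglob("*.php"):
        rel = php.relative_to(root).as_posix()
        finding = scan_php_file(rel, php.read_text(encoding="utf-8", errors="replace"))
        if finding["indicators"]:
            results.append(finding)
    return results


def wrap_like_sample(plain):
    """Constructed test data: wrap PHP text the way the sample was (gzdeflate + base64 + eval)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate == PHP gzdeflate()
    raw = comp.compress(plain.encode("utf-8")) + comp.flush()
    return '<?php\neval(gzinflate(base64_decode("%s")));\n?>' % base64.b64encode(raw).decode("ascii")


def build_sample_shell():
    """Constructed stand-in for prbnts.php: the decoded header from the post, wrapped twice."""
    decoded = (
        '$color = "#df5";\n'
        "$default_action = 'FilesMan';\n"
        "$default_use_ajax = true;\n"
        "$default_charset = 'Windows-1251';\n"
        "if(!empty($_SERVER['HTTP_USER_AGENT'])) {\n"
        '  $userAgents = array("nouseragenthere");\n'
        "}\n"
    )
    return wrap_like_sample(wrap_like_sample(decoded))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_wso.py /path/to/wordpress/docroot
        for f in scan_tree(sys.argv[1]):
            print(f["path"], f["indicators"])
    else:
        print(scan_php_file("wp-includes/js/jquery/ui/prbnts.php", build_sample_shell()))
```

Run with a WordPress document root as the argument to scan a real site, or with no argument to see the constructed sample flagged on all three indicators. Treat a hit on the asset-only-directory check alone as worth a manual look rather than proof of compromise, since some plugins ship PHP in unusual places; the decoded preview is there so a reviewer can confirm what the wrapper actually hides before deleting anything.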


CodeGuard Launches Sandbox Staging™: Staging Servers for WordPress Developers

ATLANTA, GA. (September 13, 2016) – CodeGuard, Inc. (www.codeguard.com), the global leader in cloud website backup services, announced today a new feature, Sandbox Staging™, which instantly creates test environments for customers with WordPress websites.


“Developers and designers know that they should be using a staging environment for the websites and applications they manage, update, or otherwise contribute to. It’s a widely accepted best practice”, says CTO Jonathan Manuzak. “The reason that many do not is that it’s a time-consuming and technically complex process to set up and maintain one of these environments. We saw an opportunity to simplify this for customers by leveraging our technical expertise and unique position in the market.”

CodeGuard manages a dynamic fleet of servers that perform more than 11 million backups per month and process 450 million API requests over the same time period. 260 Terabytes (TB) are transferred daily, and nearly 100 Petabytes (PB) are transferred annually. Operating at this scale in a reliable, performant and cost-effective way has forced the company to develop industry-leading practices for infrastructure container management and automation. “Combining our world-class infrastructure expertise with the foundational CodeGuard backup product to create a feature that allows our customers to work faster, reduce risk and adhere to best practices? That’s a winning proposition for everyone involved”, says Manuzak.

Sandbox Staging™ will allow customers to test work on a staging site and utilize CodeGuard’s backups to create the staging environment almost instantly. With the click of a button, a new server will be provisioned to host the content stored in the backup repository. Now customers can experiment away from production, test new versions of WordPress safely, explore new plugins, and do all of this without downtime or risk to the production site.

CodeGuard Launches Automated Plugin Updates for WordPress

New Solution for Leading Cause of WordPress Site Hacks

ATLANTA, GA. (September 8, 2016) – CodeGuard, Inc. (www.codeguard.com), the global leader in cloud website backup services, announced today a new feature, SiteUpdator™, which provides automated plugin updates for customers with WordPress websites.


“Customers have been asking us for years to update their plugins for them – so that when vulnerabilities are found in a plugin, and if they don’t have time to manually update their plugins, or if their hosting provider doesn’t do it for them, they won’t be victimized due to outdated plugins and end up with a site hosting malware or compromised for use by miscreants”, says CTO Jonathan Manuzak.

SiteUpdator™ will update, on a daily basis, all of the customer’s WordPress plugins that CodeGuard has access to and that need updating. The updates will occur after the daily file scans take place. CodeGuard hopes to prevent many malware infections with SiteUpdator™, since the primary reason for site infection is unpatched plugin vulnerabilities. For zero-day attacks, CodeGuard’s ChangeAlert™ monitoring coupled with the newly released MalwareGone™ has the potential to transform website protection by immediately identifying new threats and then remediating them automatically.

Briefly, the plugin works by backing up the plugins, checking the WP catalog for available updates, and applying the updates one by one. It analyzes the website after each update, and if anything looks broken, it will roll back to a known good state. Only plugins in the WordPress catalog are updated.

CodeGuard Launches Patented Malware Monitoring and Remediation Service: MalwareGone™

ATLANTA, GA. (August 18, 2016) – CodeGuard, Inc. (http://www.codeguard.com), the global leader in cloud website backup services, announced today the release of patented technology which utilizes website backups for automated site remediation in the event of malware.

Coupled with CodeGuard’s ChangeAlert™ monitoring, which provides insight into new zero-day attacks, MalwareGone™ has the potential to transform website protection. Until now, companies have struggled to fix sites infected with malware, with many relying on humans to provide fixes, while others using clunky automated technology end up causing more damage to sites than help.

“MalwareGone™ has been a long time coming – we have been waiting for years to release this product”, says David Moeller, CEO of CodeGuard. “The reason there isn’t a product like this on the market is that its foundation is our patented backup technology, which obviously no one else possesses.”


This isn’t your average malware cleanup tool. Instead of relying on just signatures, MalwareGone™ utilizes actionable intelligence from ChangeAlerts™ and examines the collected information. This approach allows the scanner to discover which files act and look like malware.

It’s designed to discover viruses, trojans, rootkits, spyware and other malware on any website. It searches for early-life and next-generation malware: the kind of malware that doesn’t yet have a detection signature.

MalwareGone™ removes persistent threats from within the operating system by utilizing prior backups stored in CodeGuard’s cloud. This ensures that remediation happens as quickly, efficiently, and accurately as possible – no more destroyed websites from a “fixing” service.

CodeGuard uses a virtual version control system and stores site data in the cloud. Backups are stored as the differential between each daily scan of the site, providing visibility for users into what has changed along with the ability to undo any changes. Restoring a previous version is as easy as pressing a button.

For additional information regarding this new product, you can visit http://www.codeguard.com/pages/malware

CodeGuard Website Backup and Web.com Group Announce New Partnership

ATLANTA, GA. (August 8, 2016) – CodeGuard, Inc. (www.codeguard.com), the global leader in cloud website backup services, announced today a partnership with Web.com (NASDAQ: WEB), which will now offer CodeGuard’s suite of website backup services to customers who sign up for its hosting plans.

Hosting customers will be offered options for bundled packages of CodeGuard’s backup services – which include daily website monitoring for changes with ChangeAlert™ email notifications, differential backup to the cloud, 1-click restore, automated plugin updates for WordPress, and newly released malware monitoring and remediation.


Backing up Databases Just Got Easier

For websites using a content management system (CMS), backing up the database is crucial. In fact, database content such as posts, comments, and users is often more important to website owners than the file content (e.g. themes and plugins). That’s why CodeGuard now automatically detects and adds databases for websites built with WordPress, Drupal, and Joomla.

