MalwareGone Threat Analysis – PHP Ransomware

Today we’re going to explore a newer type of threat: Ransomware or, more precisely, PHP Ransomware. Ransomware attacks have increased greatly over the last few years and many variations have been made and are still being used in the wild. First, we should define what we mean when we talk about Ransomware. We’re specifically talking about a piece of code or software that encrypts your files in place and demands a ransom payment to receive the key that decrypts your files. So, if you are the victim of a ransomware attack and do not have recent, verified backups you could be in trouble! You have no other way to retrieve your files besides paying the ransom unless the ransomware is an old one and security companies have already created the software that decrypts it. If you are curious, here is a list of Ransomware Decryptor Tools: (use at your own risk!)

How does a ransomware infect a computer?

Traditional Ransomware usually affects personal computers and is delivered by email or infected websites. Whether in an email attachment or served from a hacked website, possibly using drive-by download techniques, the payload may disguise itself as a PDF, Flash, Adobe or Java update or some other type of executable. According to this PhishMe Q1 2016 Malware Review report, 9 out of 10 phishing emails sent in March 2016 carried a ransomware payload. Read the full report here:


Read More “MalwareGone Threat Analysis – PHP Ransomware”

MalwareGone Threat Analysis – MulCiShell Backdoor and File Uploader – Part II

This is the second part of our exploration MulCiShell Backdoor and File Uploader, a malicious PHP Web Shell that was detected on a customer’s website using CodeGuard’s MalwareGone tool. If you haven’t already, take a look at Part I before continuing. In this post, we’ll wrap things up by discussing the vulnerabilities that were found on this site, which may have allowed the MulCiShell Backdoor and File Uploader to be inserted. To pick up where we left off before, here is a list of installed WordPress plugins installed on the hijacked site:



A search on the WPScan Vulnerability Database reveals a number of public vulnerabilities for some of these plugins. Here are a few examples:

  1. WordPress Plugin: Akismet

Version installed: 3.0.4

Vulnerability:  Unauthenticated Stored Cross-Site Scripting (XSS)

Versions affected: Akismet 2.5.0-3.1.4


2. WordPress Plugin: iThemes Security (formerly Better WP Security)

Version installed:  5.6.1

Vulnerability: Unauthenticated Stored Cross-Site Scripting

Versions affected: <= 5.6.1


Read More “MalwareGone Threat Analysis – MulCiShell Backdoor and File Uploader – Part II”

MalwareGone Threat Analysis – MulCiShell Backdoor and File Uploader – Part I

For this installment, we’ll talk about a webshell called “MulCiShell”, more specifically the “MulCiShell v0.2” backdoor file, which is a PHP Web Shell that we found in another client’s website using CodeGuard’s MalwareGone tool. Here is a snippet of code for this webshell:


If you’d like the full version of the file you can find a copy on GitHub.

Doing a little bit of research we found that the first versions of this webshell dates back to 2009, which is really old for malware like this, but it seems that the developer of this backdoor has been maintaining it as it keeps getting updated with new capabilities and enhancements. As we can see this webshell has many functions and there’s even a changelog in the comment at the top of the file. This specific version was last updated by someone nicknamed KingDefacer.

Read More “MalwareGone Threat Analysis – MulCiShell Backdoor and File Uploader – Part I”

CodeGuard Launches Patented Malware Monitoring and Remediation Service: MalwareGone™

ATLANTA, GA. (August 18, 2016) – CodeGuard, Inc. (, the global leader in cloud website backup services announced today the release of patented technology which utilizes website backups for automated site remediation in the event of malware.

Coupled with CodeGuard’s ChangeAlert™ monitoring, which provides insight into new zero-day attacks, MalwareGone™ has the potential to transform website protection. Until now, companies have struggled in fixing sites infected with malware, with many relying on humans to provide fixes, while others with clunky automated technology end up causing more damage to sites than help.

“MalwareGone™ has been a long time coming – we have been waiting for years to release this product”, says David Moeller, CEO of CodeGuard. “The reason there isn’t a product like this on the market is that its foundation is our patented backup technology, which obviously no one else possesses.”


This isn’t your average malware cleanup tool. Instead of relying on just signatures, MalwareGone™ utilizes actionable intelligence from ChangeAlerts™ and examines the collected information. This approach allows the scanner to discover which files act and look like malware.

It’s designed to discover viruses, trojans, rootkits, spyware and other malware on any websites. It searches for early-life and next-generation malware; the kind of malware that doesn’t yet have a detection signature.

MalwareGone™ removes persistent threats from within the operating system by utilizing prior backups stored in CodeGuard’s cloud. This ensures that remediation happens as quickly, efficiently, and accurately as possible – no more destroyed websites from a “fixing” service.

CodeGuard uses a virtual version control system and stores site data in the cloud. Backups are stored as the differential between each daily scan of the site, providing visibility for users into what has changed along with the ability to undo any changes. Restoring a previous version is as easy as pressing a button.

For additional information regarding this new product, you visit

An Ultimate Black Hat Script

Yesterday I received this spam. If you’ve ever wondered who bothers to hack websites and why they do it, here’s a premium explanation straight from the hackers.

Hey guys,

A true bl4ckhat system for Internet Marketers

Do you want to control other site’s traffic? Ever wanted to insert your ads, well paid CPA offers and adsense code on other site’s high traffic pages? Every wanted to place your backlinks on other’s high page ranked pages without them knowing? Ever wanted to redirect the other site’s visitors to any link you desire? Well you have finally found the secret souce, Presenting…

An Ultimate Black Hat Script

What is it exactly ?

Mass control millions of servers at a given moment with Affiliate Ad’s, Adsense, Clickjacking, Content-Locking, Redirection -The sky is the limit! These black hat methods are being utilized by the pharmas and now its your time to get hold of their secrect way of money laundering.

Control Millions of people’s servers from all over the internet.

– Redirect the traffic of the other website
– Contron their ads or inster your own ad in their website
– Initate the pop-unders
– Put backlinks on the high page rank sites
– Place any code on their sites

How to gain access to people’s servers ?

You insert a simple code within scripts, themes, or plugins…or whatever…get creative! Then distribute it.
Once they put it on their server, all sites within their IP are now under your control It’s really quite simple. the coder was able to gain over 100,000 IP’s in about 3 months. That’s not website…that’s IP. Right now, it over 8 million pages that he has full control over to redirect, post ads on, place popups, popunders, or just insert his backlink on.

Check it out:-

Click Here!!

Only few copies will be given out and than this product will be taken off the market forever! Act now!

Don’t let cybercriminals pwn your site. No matter how good your security, it will break sooner or later. When that happens, you’ll want to be informed promptly and have an easy way to put things right.

Law Firms Need Website Backup More Than Ever

If you work for a law firm, it is unlikely that the idea of protecting your firm’s website has entered and lingered in your mind. Attorneys and paralegals are focused on clients, not websites. Most firm’s sites contain service descriptions, company history, and contact information, so if they were hacked it wouldn’t be that big of a deal, right?

Wrong. Just ask Matt Passen.

Passen Law Firm Becomes Victim of Malware Cyber Attack

Passen Law Group is a two-man personal injury firm in Chicago. As told by USA Today, in June of 2011 Matt Passen went to his site and says he was confronted with “a series of letters and numbers that made no sense to me.”  Passen soon learned that he had been targeted in a slew of malware-based cyber attacks.

Being infected means lost traffic, not just an ugly webpage- Google actively blacklists websites that are known to be infected with malware (currently 700,000+), rendering the sites invisible to searches, or marked with a warning not to visit it. The idea of not having a searchable web presence is unacceptable.

Passen needed to remediate immediately, and after a few weeks and three separate attempts by hired professionals to remove the malicious script, Passen’s site was finally back to an uninfected state. But what did he lose by not preparing for a situation like this? He put it best himself by saying: “It will easily cost us a couple thousand dollars to remedy, and I can’t tell you what the costs are in terms of lost business opportunity.”

What Could Passen Have Done?

Matt Passen could have dedicated a considerable amount of time each day to manually checking his site for unsolicited changes. He could have downloaded his site’s source code and compared it line-by-line to a prior version in order to detect discrepancies between the two. If he found something that didn’t look right, he could rollback to an earlier rendition of his site by finding that version’s source code and pushing it onto his server. If he had done this each day, he would have caught and eradicated the malware in a shorter timeframe, and with less damage.

Unsurprisingly, Passen didn’t do any of that. Shifting focus away from day-to-day professional responsibilities in order to manually monitor a website isn’t a feasible option for most. Luckily, it isn’t the only option.

CodeGuard, a cloud-based website backup, monitoring, and restore service could have easily lessened Passen’s burden. After a simple initial backup, CodeGuard monitors each site for malware every hour and completes daily scans for file changes. Should a site become compromised, the user receives an email notification from CodeGuard. But it doesn’t stop there: we store every backup taken of your site, so someone in a situation similar to Passen’s can choose a prior version and quickly restore their site back to an uninfected, fully functional state.

Law Firms Need CodeGuard

Law firms are prime targets for hackers because website security is not currently a priority in the legal industry; regulation, competition, and client-servicing dominates mindshare. Here are two things law firms stand to lose by not focusing on properly protecting their websites:

1. Losing potential clients- without a searchable web presence, site traffic will plummet. In today’s search dominated lifestyle, you will lose industry traction by not appearing to potential clients looking to utilize your services.

2. Losing credibility- current and prospective clients may perceive your firm as unprepared and insecure, and choose to take their business to a competitor whose site and content hasn’t been tampered with.

CodeGuard is part of a solution that helps protect against real struggles that law firms face, and should firms encounter difficulties with their website, can help to quickly remediate the problems. Law firms have enough things to worry about – the website shouldn’t be one of them. Talk with your IT department or webmaster about giving CodeGuard a try before it’s too late, and gain peace of mind that you never knew you could have!