Malware Defense Part 2: 5 Ways to Wipe out Malware

Five Ways to Wipe out Malware is a part of the THiNC.technology blog series. THiNC.technology is located in East Lansing, MI and develops custom software including mobile apps and websites. Today’s topic specifically covers Malicious Software and how to defeat it.


In our last blog, we discussed the different types of hacks that can make life a living hell for any webmaster, developer, or CTO. In this guide, we’ll work through some tips for finding malicious code and some possible ways of resolving it. It’s an arms race, and it’s an ongoing process. This list is not exhaustive, but it should give you a pretty good guide to what is hacking the web world today.


Some things can’t be found with analytic tools. Some days you have to roll up your sleeves and dive right into the files, and sometimes even into the code. We’ll use a WordPress website as an example for this exercise, but the methods will work for other website types, particularly Joomla, Drupal, and other PHP-based websites.


Review Last Modified Date


This is the easiest to spot, but the modified date is often overlooked by hackers who are only looking for a few cheap clicks. The first way to recognize a suspicious file is when one file within a bunch of files has a different modified date. The second is when a suspicious file pre-dates the problem or is stamped at the exact time the problem showed up. Chances are, those files have been modified. Check them for any kind of irregular code, for example Base64-encoded code, calls to strange JavaScript files, or HTML hard-coded directly into the view. We recommend downloading the file and viewing it in a code editor instead of opening it in the browser.


This should not be relied on as the only way of tracking down scripts, since clever hackers can mask the modified date to match that of the neighboring files (hiding a tree in the forest, so to speak). They can also set a modified date way in the past, to any time within the website’s lifetime. They are adept at hiding this because otherwise it is a dead giveaway.


Be aware of false positives on the modified date, such as updates to the core, framework, plugins, or anything else that has an automated update. In some cases, FTP uploads and cron jobs can also change file and folder dates.


Your logs are your best friends when trying to correlate an attack. Pay attention to who came to the site, what they did, and when.
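To put the modified-date check into practice, here is an added Python example (not code from the THiNC post) that walks a site tree and flags files whose modification time is far from that of their sibling files, or that fall within a few minutes of a known incident time. The plugin folder, its file names and its timestamps are constructed for the example; the back-dated file is deliberately not caught, which is exactly the weakness described above.

```python
import os
import statistics
import tempfile
from datetime import datetime, timedelta

def find_mtime_outliers(root, window=timedelta(hours=6), incident=None,
                        tolerance=timedelta(minutes=10)):
    """Walk `root` and report files whose modification time stands apart from
    the median of their sibling files by more than `window`, or that were
    touched within `tolerance` of a known incident time. Paths are returned
    relative to `root`, sorted, each with the reason it was flagged."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        if len(filenames) < 2:
            continue
        stamps = {n: os.stat(os.path.join(dirpath, n)).st_mtime for n in filenames}
        median = statistics.median(stamps.values())
        for name, mtime in stamps.items():
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            gap = mtime - median
            if abs(gap) > window.total_seconds():
                hits.append((rel, "modified %.1f h away from its siblings" % (gap / 3600)))
            elif incident is not None and abs(mtime - incident.timestamp()) <= tolerance.total_seconds():
                hits.append((rel, "modified within %d min of the incident" % (tolerance.total_seconds() // 60)))
    return sorted(hits)

def build_demo_site():
    """Constructed sample: a plugin folder whose files were last touched by a
    release, one file dropped during a later incident, and one back-dated to
    blend in (which this check, by design, cannot see)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    release = datetime(2023, 5, 1, 12, 0)
    incident = release + timedelta(days=3, hours=2)
    mtimes = {"plugin.php": release, "readme.txt": release, "admin.php": release,
              "style.css": release, "395083.php": incident, "wp-cron_.php": release}
    for name, when in mtimes.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder, no real code\n")
        os.utime(path, (when.timestamp(), when.timestamp()))
    return root, incident

if __name__ == "__main__":
    root, incident = build_demo_site()
    for path, reason in find_mtime_outliers(root, incident=incident):
        print(path, "-", reason)
```

Run it against a real document root with the incident time taken from your logs; the sibling comparison is what catches a single dropped file, and the incident window is what catches edits made to existing files.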


Strange File Names


“Just Plain Wrong.” All files need to be named, so there are a few tactics that hackers use to mask what they are doing. Some malicious files simply have wrong names, for example numeric file names like 395083.php; it is not a normal convention for developers to name files or content folders with bare numbers. Misspelled file names are also a dead giveaway. I’ve seen some using the Imperial “Theatre.php” instead of the more American “Theater.php”, and broken-English file names are suspect.


One of the hardest to find is what we call the “Slightly Off” file name. These are file names that include characters or other details that trick the eye at first glance. It is just another tactic hackers use to hide scripts in your website. For example, the file “wp-cron_.php” looks normal but has an extra _ between the cron and the .php. These are hard to spot, and they’ll make you tear your hair out trying to find them!


Sneaky Tricky. Some file name changes are so devious that they make it past not only the tools but also the tired eyes of the poor soul who has to hunt down the files. Sneaky hackers get even sneakier. We call these the “sneaky tricky” names, because they look like legitimate files:


"wp-user-theme-widget.php"


At first glance, it would appear to be a legitimate file. It may even have correct headers and code within it upon inspection. More often than not, these files contain a few lines of code that perform some function of the hack. Maybe they check core files and make sure you didn’t delete them. Maybe they perform a revision once a file is closed. Sometimes they may even link to an external website or script. Each hack is a little different from the last one. The harder the infected file is to find, the more sophisticated the hack is likely to be.


Name changes and strange file names are meant to deceive you, and you may only know something is out of place if you are familiar with the back end of your website and how the software works.
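An added Python example, not from the original post, that turns the three naming tricks above into checks against a manifest of expected file names; the KNOWN_NAMES set is an abbreviated, constructed stand-in for a real release manifest, and the sample names are the ones discussed in this section.

```python
import difflib
import re

# Constructed, abbreviated list of files expected at the root of a WordPress
# install; a real check would use the manifest of the installed release.
KNOWN_NAMES = {"index.php", "wp-cron.php", "wp-login.php", "wp-config.php",
               "wp-settings.php", "wp-load.php", "xmlrpc.php", ".htaccess"}

NUMERIC_NAME = re.compile(r"^\d+\.(php|phtml|inc)$")
ODD_CHARS = re.compile(r"[^A-Za-z0-9._-]")   # spaces, look-alike unicode, etc.

def classify_filename(name, known=KNOWN_NAMES):
    """Return why `name` looks suspicious, or None if nothing stands out.
    The checks mirror the three tricks above: plain-wrong names, slightly-off
    names one edit away from a core file, and plausible-looking names that
    reuse core vocabulary but are not in the manifest."""
    if name in known:
        return None
    if NUMERIC_NAME.match(name):
        return "numeric file name"
    if ODD_CHARS.search(name):
        return "unusual character in file name"
    close = difflib.get_close_matches(name, known, n=1, cutoff=0.9)
    if close:
        return "near-duplicate of core file %s" % close[0]
    if name.startswith("wp-") and name.endswith(".php"):
        return "wp- prefixed file missing from the manifest"
    return None

def scan_names(names, known=KNOWN_NAMES):
    """Map each flagged name in `names` to the reason it was flagged."""
    findings = {}
    for name in names:
        reason = classify_filename(name, known)
        if reason:
            findings[name] = reason
    return findings

if __name__ == "__main__":
    sample = ["index.php", "395083.php", "wp-cron.php", "wp-cron_.php",
              "wp-user-theme-widget.php", "Theatre.php"]
    for name, reason in scan_names(sample).items():
        print(name, "-", reason)
```

The misspelling trick (Theatre.php) passes these checks, which is the point made above: some names only look wrong to someone who knows what the software normally ships with.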


Review Permissions


Hackers will often try to change the permission levels of your files. They’ll also try to change the .htaccess file, and the configuration files that hold your database connection information, like config.php for example.


Change any files that may have been made publicly editable back to their original permissions. In some instances, they demote you as a user, set themselves up as a higher-level admin, and lock you out of changing permissions on your files. Unfortunately, if this happens, the only way to recover is to re-install from a backup.
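As an added example (not the post’s own code), the following Python walks a site tree for world-writable files and directories and for sensitive files that the group can write, then resets what it flagged to the usual 755/644 modes; the sample tree and its modes are constructed here, and the SENSITIVE set is an assumption for the example.

```python
import os
import stat
import tempfile

# Files that must never be writable beyond their owner: the web config and
# the database credentials. Everything else is only checked for world-write.
SENSITIVE = {".htaccess", "wp-config.php", "config.php"}

def permission_findings(root):
    """Return sorted (relative path, reason) pairs for world-writable files
    and directories, and for sensitive files that are group-writable."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & stat.S_IWOTH:
                findings.append((os.path.relpath(full, root), "world-writable directory"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            bits = stat.S_IMODE(os.stat(full).st_mode)
            rel = os.path.relpath(full, root)
            if bits & stat.S_IWOTH:
                findings.append((rel, "world-writable file (%s)" % oct(bits)))
            elif name in SENSITIVE and bits & stat.S_IWGRP:
                findings.append((rel, "group-writable sensitive file (%s)" % oct(bits)))
    return sorted(findings)

def restore_defaults(root):
    """Reset every flagged entry to 755 (directories) or 644 (files); tighten
    the database config further if your host recommends it."""
    for rel, _ in permission_findings(root):
        full = os.path.join(root, rel)
        os.chmod(full, 0o755 if os.path.isdir(full) else 0o644)

def build_demo_site():
    """Constructed sample tree: sane defaults, one .htaccess opened up to the
    group, a dropped file made world-writable, and a 777 uploads directory."""
    root = tempfile.mkdtemp(prefix="wp-perm-")
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)
    modes = {"index.php": 0o644, "wp-config.php": 0o640,
             ".htaccess": 0o664, "395083.php": 0o666}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root
```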


Review the File Content


Nothing beats an experienced eye when it comes to hunting down hacks. There are a few things to look for. You’ll want to look for any PHP referencing Base64, which is an encoded string within a file. Almost always this is a hack trying to hide what the code actually does.


If you see an "eval( )" statement in a file you are concerned about, it may actually be a function that replaces the code if it is deleted or altered, including when it is commented out. We’ve seen this recently in a very sophisticated hacking scheme that will be the subject of another blog.

If there are links to external websites or calls to unexpected files, it could be a problem file. Sometimes they’ll put it right on the nose for you and send a user to an adult site or sell a pharmaceutical.

You should be so lucky.

Most of the time, it’s not that easy. You may have to see what the website is before you go changing or deleting anything. You may want to check the websites in a secure, quarantined environment instead of clicking on the links, however, since...well...whatever you land on just might infect your computer too. If you don’t know how to do any of that, try googling the domain name. You can also check WhoIs.net to see who owns the domain.

It’s hard to spot, but there are other ways they try to hide malicious code within your otherwise healthy code. For instance, if you see strange arrays, or variable names that are a meaningless combination of letters and numbers like the following:

 

Then this is likely the problematic code.
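An added Python example, not part of the original post, that applies the content checks from this section (eval( ) and decoder calls, long Base64-looking literals, and variable names that are a meaningless mix of letters and digits) to a constructed PHP snippet; the snippet’s "payload" is just an encoded placeholder sentence, and every regex here is a heuristic rather than a rule.

```python
import re

# Constructed sample: a harmless-looking plugin file with one injected pair of
# lines of the kind described above (Base64 feeding eval). The blob is filler.
SAMPLE_PHP = """<?php
/**
 * Plugin Name: Demo Widget
 */
function demo_widget_init() { add_action('init', 'demo_widget_render'); }
$o9k3x = base64_decode("ZmFrZSBwYXlsb2FkIGZvciB0aGUgZXhhbXBsZQ==");
eval($o9k3x);
function demo_widget_render() { echo '<p>hello</p>'; }
"""

# Calls that hide what code really does (each one alone can be legitimate)
OBFUSCATION = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function|assert)\s*\(")
# A long Base64-looking literal inside quotes
BLOB = re.compile(r"""['"][A-Za-z0-9+/]{24,}={0,2}['"]""")
# A PHP variable whose name has a digit followed by letters (o9k3x, not post_id2)
RANDOM_VAR = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*\d[A-Za-z]+[A-Za-z0-9_]*")

def scan_php(source):
    """Return {line_number: [reasons]} for every line that trips a heuristic."""
    findings = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        reasons = ["call to %s()" % m.group(1) for m in OBFUSCATION.finditer(line)]
        if BLOB.search(line):
            reasons.append("long base64-like literal")
        reasons += ["random-looking variable %s" % v for v in RANDOM_VAR.findall(line)]
        if reasons:
            findings[lineno] = reasons
    return findings

def verdict(findings):
    """eval() combined with a decoder call or a blob anywhere in the same file
    is the classic hidden-code pattern and gets the top rating."""
    reasons = [r for rs in findings.values() for r in rs]
    has_eval = "call to eval()" in reasons
    hides_code = any(r != "call to eval()" and not r.startswith("random") for r in reasons)
    if has_eval and hides_code:
        return "high"
    return "medium" if reasons else "clean"

if __name__ == "__main__":
    for lineno, reasons in scan_php(SAMPLE_PHP).items():
        print(lineno, "; ".join(reasons))
    print("verdict:", verdict(scan_php(SAMPLE_PHP)))
```

Expect some noise on real code (plugins legitimately decode Base64 for images, for instance); the value is in the combination of hits on the same file, not in any single match.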