The Endless Loop of Malware Reinfection

In the world of cybersecurity, malware reinfection is a pressing concern. Recently, our threat management team discovered a malware variant responsible for a significant portion of these reinfections. This article focuses on a particular type of malware, breaks down how it operates and sheds light on its connection to other malicious files, such as blue.php.

The Malware Mechanism

At its core, this malware relies on three files: index.php, stylec.php, and styleu.php. The third one, styleu.php, is only present in exceptional cases. Each file plays the following role:

index.php: 

The malware continuously injects malicious code into this file. Scanners detect and remove the injected code every time, only for it to be re-injected shortly afterwards.

stylec.php: 

The malware copies the contents of this file into index.php; this copy operation is what drives the continuous injection of malicious code.

styleu.php:

This file appears only in exceptional cases, when the malware needs to stop the running script. In other words, it serves as the malware's "RED BUTTON": a kill switch.

The malware runs in an endless loop. As long as styleu.php does not exist (or is not detected), it injects malicious code into index.php every second. It achieves this by keeping two files alive, stylec.php and index.php, both containing the same malicious content. This defeats many malware scanners that quarantine files one at a time: while one file is being quarantined, the malware creates a fresh copy and injects the malicious code into it, so the clean-up never converges. The result is a vicious cycle.
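To make the failure mode concrete, the following added Python model (not BitNinja's code and not the malware itself) reproduces the loop described above with a harmless thread that copies a constructed marker string between files in a temporary directory. It assumes what the description implies: the loop exits as soon as styleu.php exists, and the running process keeps the payload in memory, so it can recreate either file from scratch. Under those assumptions, removing index.php alone does nothing, while planting the kill switch first and then removing every copy leaves the site clean.

```python
"""Model of the stylec.php/index.php reinfection loop and the remediation
order that breaks it.  Added example: the "reinfector" is a benign thread
copying a constructed marker string inside a temporary directory.
Assumptions: the loop exits once styleu.php exists, and the running process
keeps the payload in memory so it can recreate either file from scratch."""
import os
import tempfile
import threading
import time

MARKER = "<?php /* constructed stand-in for the injected payload */ ?>"
TICK = 0.02  # seconds between injections (the article says once per second)


def _write(path, data):
    with open(path, "w") as f:
        f.write(data)


def reinfector(docroot, stop):
    """Stand-in for the malware loop: keep stylec.php and index.php alive with
    identical content until styleu.php (the "RED BUTTON") appears."""
    stylec = os.path.join(docroot, "stylec.php")
    index = os.path.join(docroot, "index.php")
    while not stop.is_set():
        if os.path.exists(os.path.join(docroot, "styleu.php")):
            return  # kill switch found: the script ends itself
        if not os.path.exists(stylec):
            _write(stylec, MARKER)  # recreate the source copy from memory
        try:
            with open(stylec) as f:
                payload = f.read()
        except FileNotFoundError:
            continue  # raced with a quarantine; the next pass recreates it
        _write(index, payload)  # inject into index.php
        time.sleep(TICK)


def is_infected(docroot, samples=3):
    """Poll a few times: the loop rewrites index.php constantly, so a single
    read can land on a truncated file."""
    index = os.path.join(docroot, "index.php")
    for _ in range(samples):
        try:
            with open(index) as f:
                if MARKER in f.read():
                    return True
        except FileNotFoundError:
            pass
        time.sleep(TICK)
    return False


def naive_quarantine(docroot):
    """What a file-at-a-time scanner does: remove index.php and move on.
    Returns True if the site is infected again afterwards."""
    try:
        os.remove(os.path.join(docroot, "index.php"))
    except FileNotFoundError:
        pass
    time.sleep(TICK * 5)  # give the loop a few ticks
    return is_infected(docroot)


def remediate(docroot):
    """Plant the kill switch so the loop exits, then remove every copy.
    Returns True if the site is still infected afterwards."""
    _write(os.path.join(docroot, "styleu.php"), "")  # an empty file suffices here
    time.sleep(TICK * 10)  # let the loop notice the kill switch and exit
    for name in ("index.php", "stylec.php", "styleu.php"):
        try:
            os.remove(os.path.join(docroot, name))
        except FileNotFoundError:
            pass
    return is_infected(docroot)


def demo():
    """Seed a throwaway docroot with stylec.php, start the loop, and compare
    the two clean-up strategies.  Returns the three observations."""
    docroot = tempfile.mkdtemp(prefix="reinfect-")
    _write(os.path.join(docroot, "stylec.php"), MARKER)
    stop = threading.Event()
    t = threading.Thread(target=reinfector, args=(docroot, stop), daemon=True)
    t.start()
    time.sleep(TICK * 3)
    result = {
        "infected_before": is_infected(docroot),
        "reinfected_after_naive": naive_quarantine(docroot),
        "infected_after_remediate": remediate(docroot),
    }
    stop.set()
    t.join(timeout=1)
    return result


if __name__ == "__main__":
    print(demo())
```

The practical lesson is the ordering: on a real server the equivalent of the kill switch is stopping the process that runs the loop (or, if the behaviour matches the description, creating styleu.php), and only then removing stylec.php and index.php together. Any scanner that quarantines one file per pass will report success and be wrong a second later.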

Connection to Blue.php

At BitNinja, we suspect a correlation between this malware and blue.php. It is possible that blue.php is the component that uploads this file-infector malware: in 99% of cases, blue.php is also found on the affected servers.

Blue.php typically receives two requests:

A POST request to inject a WebShell into a specific file:

From our analysis, it is evident that this malware is responsible for continuous infections on some servers. 

Solution

Since we added the signature of stylec.php to the global blacklist, the number of incidents per day has decreased significantly. This shows that monitoring and blacklisting known malicious files is crucial.
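A signature-based blacklist is what stopped the wave, but a hash matches exactly one byte sequence, so a trivially modified variant slips past it. The added Python scanner below (not BitNinja's scanner) combines the two indicators the article gives: a SHA-256 match on stylec.php and the structural tell that index.php is a byte-for-byte copy of it. The hash in BLACKLIST and the three vhosts in the sample tree are constructed for the example; a production list would hold the hashes of samples actually captured.

```python
"""Added example: signature-plus-structure scan for the reinfector described
above.  The SHA-256 in BLACKLIST is computed from constructed sample content,
not from real malware."""
import hashlib
import os
import tempfile

# Constructed stand-ins for the malicious stylec.php body and a benign file.
SAMPLE_PAYLOAD = b"<?php /* constructed stylec.php stand-in */ eval('x'); ?>"
BENIGN_BODY = b"<?php echo 'hello'; ?>"

# Signature blacklist: hashes of known stylec.php samples (constructed here).
BLACKLIST = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}


def sha256_of(path):
    """Streaming SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(docroot, blacklist=BLACKLIST):
    """Walk docroot and report every directory holding a stylec.php.
    Each finding records whether the hash is blacklisted, whether the
    structural indicator (index.php identical to stylec.php) is present,
    and whether the styleu.php kill switch already exists."""
    findings = []
    for dirpath, _, files in os.walk(docroot):
        if "stylec.php" not in files:
            continue
        digest = sha256_of(os.path.join(dirpath, "stylec.php"))
        index = os.path.join(dirpath, "index.php")
        blacklisted = digest in blacklist
        index_is_copy = os.path.isfile(index) and sha256_of(index) == digest
        findings.append({
            "dir": os.path.relpath(dirpath, docroot),
            "blacklisted": blacklisted,
            "index_is_copy": index_is_copy,
            "kill_switch_present": "styleu.php" in files,
            "suspicious": blacklisted or index_is_copy,
        })
    return sorted(findings, key=lambda f: f["dir"])


def build_sample_tree():
    """Constructed docroot with three vhosts: a known sample, a one-byte
    variant that evades the hash, and a benign file that merely shares the name."""
    root = tempfile.mkdtemp(prefix="docroot-")
    variant = SAMPLE_PAYLOAD + b"\n"
    layout = {
        "site-a": {"stylec.php": SAMPLE_PAYLOAD, "index.php": SAMPLE_PAYLOAD},
        "site-b": {"stylec.php": variant, "index.php": variant},
        "site-c": {"stylec.php": BENIGN_BODY, "index.php": b"<?php ?>"},
    }
    for site, files in layout.items():
        d = os.path.join(root, site)
        os.makedirs(d)
        for name, body in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
    return root


if __name__ == "__main__":
    for finding in scan(build_sample_tree()):
        print(finding)
```

In the sample tree, site-a is caught by both indicators, site-b is missed by the hash but caught by the identical-pair check, and site-c is left alone despite the file name. A hit on either indicator should trigger the stop-the-loop-first clean-up rather than a file-by-file quarantine.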

To recap, we are taking action against:

  • The uploader of the malware: blue.php
  • The reinfector malware itself: stylec.php
  • The file the reinfector keeps injecting its code into: index.php

Conclusion


Malware is a severe threat to computer systems, and its reinfection cycle can be frustrating. This particular malware uses a vicious cycle that makes it challenging to remove permanently. However, by understanding the mechanisms behind this malware, we can better protect our systems and prevent further reinfections.

2023 BitNinja. All Rights reserved.