In the world of cybersecurity, malware reinfection is a pressing concern. Recently, our threat management team discovered a malware variant responsible for a significant portion of these reinfections. This article focuses on a particular type of malware, breaks down how it operates and sheds light on its connection to other malicious files, such as blue.php.
The Malware Mechanism
At its core, this malware relies on three files: index.php, stylec.php, and styleu.php; styleu.php, however, is only rarely present. The role of each file is as follows:
index.php:
This file is continuously injected with malicious code by the malware; the injected code is detected and removed every time.
stylec.php:
The contents of this file are copied into index.php over and over again, which is what keeps the injection of malicious code going.
styleu.php:
This file is used in exceptional cases when the malware needs to stop the current script. In other words, it serves as the malware's "RED BUTTON."
The malware operates in an endless loop. As long as styleu.php does not exist or is not detected, the malware keeps injecting malicious code into index.php every second. It achieves this by keeping two files alive, stylec.php and index.php, both containing the same malicious content. This makes it difficult for many malware scanners to quarantine the files: while one file is being quarantined, the malware creates a new one from the other copy and injects the malicious code into it. The result is a vicious cycle.
Connection to Blue.php
At BitNinja, we suspect a correlation between this malware and blue.php. It is possible that blue.php is responsible for uploading this "File infector" malware. In 99% of cases, blue.php is also found on the affected servers.
Blue.php typically receives two requests:
A POST request to inject a WebShell into a specific file:
From our analysis, it is evident that this malware is responsible for continuous infections on some servers.
Solution
Since we added the signature of stylec.php to the global blacklist, the number of incidents per day decreased significantly. This shows that monitoring and blacklisting malicious files are crucial.
To recap, we are taking action against:
The uploader of the malware: Blue.php
The reinfector malware itself: sytel.php
The files into which sytel.php injects the malware: index.php / style.php
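As an added illustration of the two-copy loop described above and of the signature blacklisting that cut the incident count, here is a small detector (example code written for this article, not BitNinja's own tooling) that walks a web root, flags blacklisted SHA-256 hashes and the stylec.php / styleu.php file names, and reports an index.php that is byte-identical to its sibling stylec.php. The sample tree, its inert file contents and the blacklist are constructed for the demo; the file names come from the write-up.

```python
import hashlib
import tempfile
from pathlib import Path

REINFECTOR_NAMES = {"stylec.php", "styleu.php"}  # file names used by the reinfector

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_webroot(root: str, blacklist: set[str]) -> list[tuple[str, str]]:
    """Report (relative path, reason) for blacklisted hashes, reinfector file
    names, and an index.php byte-identical to a sibling stylec.php (two-copy pattern)."""
    rootp, findings = Path(root), []
    for d in {p.parent for p in rootp.rglob("*.php")}:
        digests = {p.name: sha256_of(p) for p in d.glob("*.php") if p.is_file()}
        rel = lambda n: str((d / n).relative_to(rootp))
        for name, digest in digests.items():
            if digest in blacklist:
                findings.append((rel(name), "blacklisted-signature"))
            if name in REINFECTOR_NAMES:
                findings.append((rel(name), "reinfector-filename"))
        index, source = digests.get("index.php"), digests.get("stylec.php")
        if index is not None and index == source:
            findings.append((rel("index.php"), "mirrors-stylec.php"))
    return sorted(findings)

def build_sample(root: str) -> Path:
    """Constructed, inert sample tree; returns the sample stylec.php path."""
    inert = b"<?php /* constructed sample, not malware */ echo 'x';"
    infected = Path(root, "site-a")
    infected.mkdir()
    (infected / "index.php").write_bytes(inert)   # the continuously re-injected copy
    (infected / "stylec.php").write_bytes(inert)  # the source the copy is taken from
    clean = Path(root, "site-b")
    clean.mkdir()
    (clean / "index.php").write_bytes(b"<?php echo 'clean';")
    return infected / "stylec.php"

def demo() -> list[tuple[str, str]]:
    with tempfile.TemporaryDirectory() as tmp:
        blacklist = {sha256_of(build_sample(tmp))}  # "add stylec.php's signature"
        return scan_webroot(tmp, blacklist)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Because both copies carry identical content, blacklisting the stylec.php hash also matches the re-injected index.php, so both files are flagged in the same pass rather than one at a time.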
Conclusion
Malware is a severe threat to computer systems, and its reinfection cycle can be frustrating. This particular malware uses a vicious cycle that makes it challenging to remove permanently. However, by understanding the mechanisms behind this malware, we can better protect our systems and prevent further reinfections.