Expert Blog: The Endless Loop of Malware Reinfection

Author: Szabina Korga, BitNinja

In the world of cybersecurity, malware reinfection is a pressing concern. BitNinja’s threat management team recently discovered a malware variant responsible for a significant share of these reinfections. This article breaks down how that malware operates and sheds light on its connection to other malicious files, such as blue.php.

The Malware Mechanism

At its core, this malware relies on three files: index.php, stylec.php, and styleu.php, although styleu.php is only rarely present. Taking a closer look, the role of each file is the following:

index.php:

This file is continuously injected with malicious code by the malware; the injected code is detected and removed every time.

stylec.php:

This file copies its own contents into index.php, which is what keeps the injection of malicious code going.

styleu.php:

This file is used in exceptional cases when the malware needs to stop the current script. In other words, it serves as the malware’s “RED BUTTON.”

The malware operates in an endless loop. As long as styleu.php does not exist (or the malware does not detect it), it keeps injecting malicious code into index.php every second. It does this by keeping two files alive, stylec.php and index.php, both containing the same malicious content. That makes it hard for many malware scanners to quarantine the files: while one file is being quarantined, the malware creates a new copy and injects the malicious code into it again, producing a vicious cycle.
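The identical-content pair is the thing a scanner can key on. The following is an added example (not BitNinja's code or their scanner): it walks a document root, reports every stylec.php or styleu.php it finds, and checks whether the sibling index.php already hashes to the same payload. Only the file names come from the writeup; the directory layout, the placeholder payload and the helper names are constructed for the demonstration.

```python
"""Added example: fingerprint the stylec.php / index.php reinfection pair.

Two checks together make a strong signal:
  1. a file named stylec.php (or the rarer styleu.php) exists, and
  2. index.php in the same directory hashes to the same value.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Optional

REINFECTOR_NAMES = ("stylec.php", "styleu.php")  # names from the writeup


@dataclass
class Finding:
    directory: str
    reinfector: str         # path of the stylec.php / styleu.php file
    target: Optional[str]   # index.php path if it carries the same payload
    sha256: str


def sha256_of(path: str) -> str:
    """Streamed SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str) -> list:
    """Report every reinfector file under root and whether the sibling
    index.php already carries the same content."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        present = [n for n in REINFECTOR_NAMES if n in files]
        if not present:
            continue
        index_path = os.path.join(dirpath, "index.php") if "index.php" in files else None
        index_hash = sha256_of(index_path) if index_path else None
        for name in present:
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            target = index_path if digest == index_hash else None
            findings.append(Finding(dirpath, path, target, digest))
    return findings


# --- constructed sample site; the payload is a harmless placeholder ---
PAYLOAD = b"<?php /* constructed placeholder standing in for the injected code */ ?>\n"
CLEAN_INDEX = b"<?php echo 'hello'; ?>\n"


def build_sample_site(root: str) -> None:
    """site_a: infected pair; site_b: clean; site_c: stylec.php dropped but
    index.php not yet overwritten."""
    layout = {
        "site_a/index.php": PAYLOAD, "site_a/stylec.php": PAYLOAD,
        "site_b/index.php": CLEAN_INDEX,
        "site_c/index.php": CLEAN_INDEX, "site_c/stylec.php": PAYLOAD,
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo() -> list:
    """Build the sample site in a temp dir, scan it, return findings sorted by directory."""
    root = tempfile.mkdtemp(prefix="reinfect-demo-")
    try:
        build_sample_site(root)
        return sorted(scan_tree(root), key=lambda f: f.directory)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        state = "index.php already overwritten" if f.target else "index.php not (yet) matching"
        print(f"{f.reinfector}: {state} sha256={f.sha256[:12]}")
```

A finding with `target` set means the loop has already completed at least one tick in that directory; a finding without it means the reinfector was dropped but index.php is still clean, which is the better moment to catch it.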

BitNinja suspects a correlation between this malware and blue.php. It is possible that blue.php is responsible for uploading this “file infector” malware: in 99% of cases, blue.php is also found on the affected servers.

Blue.php typically receives two requests:

  • A GET request to verify the file’s existence

  • A POST request to inject a WebShell into a specific file
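That two-step pattern is visible in ordinary web-server logs, so it can be hunted for without a file scan. Below is an added example (not BitNinja's tooling) that parses Apache/nginx combined-format lines, keeps only requests whose target file is blue.php, labels each by method and status, and reports client IPs that did the full GET-then-POST sequence. The log lines are constructed with documentation-range IPs; the paths and the label names are assumptions.

```python
"""Added example: correlate GET-then-POST requests to blue.php per client IP."""
import re
from collections import defaultdict

# Apache/nginx combined log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines, not a real server's log.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "GET /wp-content/uploads/blue.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "POST /wp-content/uploads/blue.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Oct/2023:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:12:01:00 +0000] "GET /blue.php HTTP/1.1" 404 196 "-" "curl/8.0"
"""


def parse_line(line: str):
    """Return a dict of ip/ts/method/path/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def is_dropper_path(path: str) -> bool:
    """True when the requested file name is blue.php, wherever it sits."""
    return path.rsplit("/", 1)[-1].lower() == "blue.php"


def classify(lines) -> dict:
    """Map client IP -> ordered list of (label, method, path, status) for
    every request aimed at blue.php."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_dropper_path(rec["path"]):
            continue
        if rec["method"] == "GET":
            # 200 means the dropper is really there; anything else is a miss.
            label = "dropper_present" if rec["status"] == 200 else "probe_miss"
        elif rec["method"] == "POST":
            label = "injection_attempt"
        else:
            label = "other"
        events[rec["ip"]].append((label, rec["method"], rec["path"], rec["status"]))
    return dict(events)


def probe_then_inject(events: dict) -> list:
    """IPs that confirmed blue.php exists and then POSTed to it."""
    hits = []
    for ip, evs in events.items():
        labels = [e[0] for e in evs]
        if "dropper_present" in labels:
            first_get = labels.index("dropper_present")
            if "injection_attempt" in labels[first_get + 1:]:
                hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    ev = classify(SAMPLE_LOG.splitlines())
    for ip, evs in ev.items():
        print(ip, [e[0] for e in evs])
    print("probe-then-inject:", probe_then_inject(ev))
```

A `probe_miss` (a 404 on blue.php) is still worth an alert on its own: it shows someone expected the dropper to be there, which is a reason to check whether it was there earlier and has since been removed.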

From BitNinja’s analysis, it is evident that this malware is responsible for continuous infections on some servers.

Solution

Since BitNinja added the signature of stylec.php to the global blacklist, the number of incidents per day has decreased significantly. This shows that monitoring and blacklisting malicious files is crucial.

To recap, BitNinja is taking action against:

  • The PHP file that uploads the malware: blue.php
  • The reinfector malware itself: stylec.php
  • The malware injected into the system by stylec.php: index.php/style.php
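The cleanup has to respect the loop described above: quarantining one half of the pair at a time gives the other half a second to recreate it. The following is an added example (not BitNinja's remediation code): it matches PHP files against a content-hash blacklist, moves every match out of the web root in a single fast pass, and only then waits to see whether any of them come back, which would mean something is still driving the loop. The hash, the placeholder payload, the directory layout and the report keys are constructed for the demonstration and are not BitNinja's signatures.

```python
"""Added example: blacklist-driven quarantine that removes the whole pair at once."""
import hashlib
import os
import shutil
import tempfile
import time


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_blacklisted(root: str, blacklist: set) -> list:
    """Every .php file under root whose SHA-256 is on the blacklist."""
    matched = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                if sha256_of(path) in blacklist:
                    matched.append(path)
    return sorted(matched)


def quarantine_all(paths: list, quarantine_dir: str) -> list:
    """Move every matched file first, with nothing slower in between, so the
    reinfector and its target are never on disk one without the other."""
    os.makedirs(quarantine_dir, exist_ok=True)
    stored = []
    for i, path in enumerate(paths):
        dest = os.path.join(quarantine_dir, f"{i:03d}-{os.path.basename(path)}.quarantined")
        shutil.move(path, dest)
        stored.append(dest)
    return stored


def recreated_within(paths: list, seconds: float, interval: float = 0.1) -> list:
    """Poll the removed paths; any that reappear mean the loop is still live."""
    deadline = time.monotonic() + seconds
    while True:
        back = [p for p in paths if os.path.exists(p)]
        if back or time.monotonic() >= deadline:
            return back
        time.sleep(interval)


def remediate(root: str, blacklist: set, quarantine_dir: str, watch_seconds: float = 2.0) -> dict:
    """Quarantine all blacklisted files, then watch for recreation."""
    matched = find_blacklisted(root, blacklist)
    stored = quarantine_all(matched, quarantine_dir)
    return {
        "quarantined": [os.path.basename(p) for p in matched],
        "stored_as": stored,
        "recreated": recreated_within(matched, watch_seconds),
    }


# --- constructed fixture: placeholder payload and the blacklist entry for it ---
PAYLOAD = b"<?php /* constructed placeholder standing in for the injected code */ ?>\n"
BLACKLIST = {hashlib.sha256(PAYLOAD).hexdigest()}


def demo(watch_seconds: float = 0.3) -> dict:
    """Infected site (index.php + stylec.php share the payload) plus a clean
    file; returns the remediation report and what is left in the web root."""
    root = tempfile.mkdtemp(prefix="reinfect-fix-")
    site = os.path.join(root, "site")
    os.makedirs(site)
    try:
        for name, data in (("index.php", PAYLOAD), ("stylec.php", PAYLOAD),
                           ("clean.php", b"<?php echo 'ok'; ?>\n")):
            with open(os.path.join(site, name), "wb") as fh:
                fh.write(data)
        report = remediate(site, BLACKLIST, os.path.join(root, "quarantine"), watch_seconds)
        report["remaining"] = sorted(os.listdir(site))
        return report
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

A non-empty `recreated` list is the signal that file removal alone did not break the cycle; at that point the question is what is still executing the copy, not which file to delete next.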

Conclusion

Malware is a severe threat to computer systems, and its reinfection cycle can be frustrating. This particular malware relies on a vicious cycle that makes it challenging to remove permanently. However, by understanding the mechanisms behind it, BitNinja can better protect our systems and prevent further reinfections.