Visbot malware found on 6691 stores [analysis]
by Sansec Forensics Team
Published in Threat Research − December 01, 2016
Visbot is one of the oldest Magecart payment skimmers: it steals customer data and credit cards. The first case was documented as early as March 2015. But being publicly discussed did not stop it from spreading. We conducted a global research into 300.000 Magento stores and found active Visbot infections on 6691 stores.
How is that possible? Contrary to other skimming malware, Visbot inject itself in code running on the server. This makes it harder to detect from the outside, as the malware operates completely invisible for anyone but the store owner. And many store owners are not equiped to detect these kind of compromises.
How Visbot works
For devs, here's a beautified copy
Visbot injects itself into existing PHP code. It stays dormant until data is entered by store visitors (an order or a password). Submitted data is then encrypted and saved to a fake image file. This "image" is then later retrieved by the perpetrator and sold on the black market.
- Stores usually have a thousands of images, so fetching an odd one is not suspicious.
- Encryption ensures competing thieves cannot hijack the payload.
And how did Sansec establish the presence of Visbot on all these stores? If it is so well hidden? The Visbot author made a crucial mistake: s/he added a feature to remotely detect whether the malware is still active. If you send a specific code (a "password") to an infected store, it will display:
Pong
This can be simulated with this command:
curl -LH 'User-Agent: Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;[email protected])' \
http://your-site.com
Recent activity
In the last week, we observed Visbot controller activity from servers in Sweden (62.102.148.187
), Ukraine (95.211.197.194
) and Germany (81.169.144.135
).
Private data is stored in somewhat random image files. So far we observed these filenames being used:
bkg_btn-close2_bg.gif
btn_back_bg_bg.gif
btn_cancel_bg_bg.gif
left_button_back.gif
mage.jpg
nav1_off_bg.gif
notice-msg_bg.png
section_menu_link_bg_bg.gif
sort-arrow-down_bg.png
The public key used to encrypt the stole data is included in the malware, but the private key is not. Until it surfaces, it is not possible to decrypt the contents.
Solution
We have shared the list of compromised stores with the authorities and major providers, so they can reach out to owners and agencies in order to resolve the situation.
We strongly recommend merchants to implement server-side malware & vulnerability scanning, so they can detect and prevent these attacks.
People reporting Visbot cases:
- http://stackoverflow.com/questions/37296200/is-this-magento-code-a-virus
- http://magento.stackexchange.com/questions/86943/can-anybody-explain-me-about-following-code
- https://gist.github.com/litzinger/e43ef80b7678ebcd933c
- https://gist.github.com/Angelicaust/bbf183789893d0c8b3b8
Read more
In this article
Easy CSP for your store?
Try Sansec Watch! Free, simple and fully integrated. Get PCI compliant alerting with minimal effort.
Sansec WatchScan your store now
for malware & vulnerabilities
eComscan is the most thorough security scanner for Magento, Adobe Commerce, Shopware, WooCommerce and many more.
Learn more