
Soliloquist
Toucan

Joined: 13 Oct 2011
Age: 50
Gender: Male
Posts: 253

30 Mar 2018, 8:35 pm

An analysis of malware infecting Wrongplanet.net

The malware that was found is a malicious WordPress plugin
that would have been installed after the site was hacked.

Once the plugin has been installed it hides itself
from the list of active plugins and opens a back door
into WordPress, creating admin user accounts.

The plugin then injects packed and obfuscated code
into the core WordPress files and a second script into the web pages.
This second script sets up an onclick event handler
that waits for a user's click anywhere on the infected page.
When this happens a pop-up opens, creating a chain of
redirects.
Once this is complete a cookie is dropped
onto the user's PC and is set for one hour.
The code then removes the onclick event handler.

All the front facing pages are infected with the second
injected malicious script. This includes

http://wrongplanet.net

and all the pages behind the buttons on the banner at the top of
the webpages:

http://wrongplanet.net/videos/
http://wrongplanet.net/category/friends-relationships/
http://wrongplanet.net/category/community-newsmakers/
http://wrongplanet.net/category/school-jobs/
http://wrongplanet.net/category/parenting/
http://wrongplanet.net/category/autism-news/
http://wrongplanet.net/category/therapies/

All the forum pages I've looked at are clean.

Logging in on the front page will cause the script
to execute, but logging in at:

https://wrongplanet.net/forums/
or
https://wrongplanet.net/forums/search.p ... d=newposts

will not as they are within the forums section and are unaffected.

The malware code is packed, hex encoded, then jjencrypted.
I've posted the code in its various stages here for
educational purposes.

http://pagebin.com/xSJLsZNP

Here are some resources to help the site Admin with
removal:

https://blog.sucuri.net/2018/02/unwante ... ugins.html

https://blog.cyberbyte.org/blog/wordpre ... op-unders/

https://fixmywp.com/blog/detect-clean-w ... direct.php

https://wordpress.org/support/topic/inj ... njectbody/

https://www.scmagazine.com/pair-of-word ... le/744142/

Finally, after looking at the code it can be seen that the
code won't set up the onclick event handler if it finds
a new clickund_expert cookie.
This means a Tampermonkey script can create the cookie
before the malware runs.
For educational purposes I created one today and it
has proved to be successful in stopping the pop-ups on the
infected parts of the site.

Code:
// ==UserScript==
// @name           Wrongplanet.net_malware_suppressor
// @description    Suppress malware popups on Wrongplanet.net
// @match          *://*.wrongplanet.net/*
// @version        1.0.0
// @author         Soliloquist
// @namespace      http://soliloquist.droppages.com/
// @run-at         document-start
// ==/UserScript==

(function() {
  'use strict';

  // Pre-set the cookie the injected script checks for, so that it never
  // installs its onclick handler. The cookie is given a one-hour lifetime.
  var now = new Date();
  var time = now.getTime();

  time += 3600 * 1000;
  now.setTime(time);
  // The date must be the value of the "expires" attribute; a bare date is
  // ignored by the browser and the cookie would only last for the session.
  document.cookie = "clickund_expert=1; expires=" + now.toUTCString() + "; path=/";
})();
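Added example, not part of Soliloquist's post or of the userscript above: a small Node.js script that builds the `clickund_expert` cookie string two ways (the bare-date form the posted script uses, and the form with an explicit `expires=` attribute) and runs both through a minimal parser that follows the cookie-string grammar browsers apply (first `name=value` pair, then `;`-separated attributes, unknown attribute names ignored). It shows why the bare-date form produces a session cookie instead of the intended one-hour cookie. The cookie name comes from the thread; the function names and the fixed timestamp are constructed for the example.

```javascript
// Added example: demonstrates how a browser reads the two cookie strings.
// Only the cookie name "clickund_expert" is taken from the thread.
const COOKIE_NAME = 'clickund_expert';
const ONE_HOUR_MS = 3600 * 1000;

// Cookie string in the shape the posted userscript builds it:
// the expiry date appears on its own, without "expires=".
function buildCookieAsPosted(now) {
  const exp = new Date(now.getTime() + ONE_HOUR_MS);
  return COOKIE_NAME + '=1; ' + exp.toUTCString() + ';path=/';
}

// Corrected string: the date is the value of the expires attribute.
function buildCookieFixed(now) {
  const exp = new Date(now.getTime() + ONE_HOUR_MS);
  return COOKIE_NAME + '=1; expires=' + exp.toUTCString() + '; path=/';
}

// Minimal parser modelled on the RFC 6265 set-cookie-string grammar:
// attribute names are case-insensitive and unrecognised ones are dropped,
// which is exactly what happens to a bare date.
const KNOWN_ATTRIBUTES = ['expires', 'max-age', 'domain', 'path', 'secure', 'httponly', 'samesite'];

function parseCookieString(str) {
  const parts = str.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attributes: {},
    ignoredAttributes: [],
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const name = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const value = i === -1 ? '' : attr.slice(i + 1).trim();
    if (KNOWN_ATTRIBUTES.includes(name)) {
      cookie.attributes[name] = value;
    } else {
      cookie.ignoredAttributes.push(name); // browsers silently skip these
    }
  }
  return cookie;
}

// Returns the Date the cookie expires, or null for a session cookie.
// Max-Age takes precedence over Expires when both are present.
function expiryOf(cookie, now) {
  if ('max-age' in cookie.attributes) {
    return new Date(now.getTime() + Number(cookie.attributes['max-age']) * 1000);
  }
  if ('expires' in cookie.attributes) {
    const d = new Date(cookie.attributes.expires);
    return Number.isNaN(d.getTime()) ? null : d;
  }
  return null;
}

// Side-by-side comparison of the two forms at a fixed (constructed) time.
function compareForms(now) {
  const posted = parseCookieString(buildCookieAsPosted(now));
  const fixed = parseCookieString(buildCookieFixed(now));
  return {
    posted: { expires: expiryOf(posted, now), ignored: posted.ignoredAttributes },
    fixed: { expires: expiryOf(fixed, now), ignored: fixed.ignoredAttributes },
  };
}

const sampleNow = new Date(Date.UTC(2018, 2, 31, 20, 35, 0)); // constructed
console.log(compareForms(sampleNow));
// posted.expires is null (session cookie, date dropped as an unknown attribute);
// fixed.expires is one hour after sampleNow.
```

The defensive point for anyone maintaining such a userscript: check the parsed expiry, not just that the cookie exists, because a session cookie disappears when the browser closes and the suppression silently stops working on the next visit.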



Trogluddite
Veteran

Joined: 2 Feb 2016
Age: 48
Gender: Male
Posts: 2,871
Location: Yorkshire, UK

31 Mar 2018, 6:14 am

Thanks Soliloquist, it's good of you to invest so much effort on this on our behalf; much appreciated. :D

I understand now why I haven't been seeing these problems; completely unintentionally, my WP bookmark enters the site via the forums page, as you have noted above.

It's just a shame that the deafening silence from the admins makes it necessary for forum users to do the detective work!


_________________
When you are fighting an invisible monster, first throw a bucket of paint over it.


ToughDiamond
Veteran

Joined: 15 Sep 2008
Age: 66
Gender: Male
Posts: 7,387

31 Mar 2018, 10:30 am

Awesome :-)



Aristophanes
Veteran

Joined: 10 Apr 2014
Age: 38
Gender: Male
Posts: 3,545
Location: USA

31 Mar 2018, 2:24 pm

Thanks, I'm sure many of our users will appreciate it. On a side note, and for your own personal growth as a JS programmer going forward, I offer you this one critique: get used to using const (for variables that won't be reassigned) and let for those that will, as opposed to using var, which can overwrite global variables. Obviously the statement is in an IIFE so it doesn't matter; it's just a good habit to get used to with modern JS.



Kiprobalhato
Forum Moderator

Joined: 25 Mar 2014
Age: 21
Gender: Female
Posts: 27,668
Location: vwohie harzaie

31 Mar 2018, 3:11 pm

thanks.



8)


_________________
❄join my discord pls❄

JE SUIS UN HOMME

not currently a moderator.


Soliloquist
Toucan

Joined: 13 Oct 2011
Age: 50
Gender: Male
Posts: 253

31 Mar 2018, 6:32 pm

Aristophanes wrote:
Thanks, I'm sure many of our users will appreciate it. On a side note, and for your own personal growth as a JS programmer going forward, I offer you this one critique: get used to using const (for variables that won't be reassigned) and let for those that will, as opposed to using var, which can overwrite global variables. Obviously the statement is in an IIFE so it doesn't matter; it's just a good habit to get used to with modern JS.



The code was a direct copy and paste from the malware.
The global nature of the variable wasn't going to cause any problems
within this simple script.

Nonetheless your advice is all good.



B19
Forum Moderator

Joined: 11 Jan 2013
Gender: Female
Posts: 9,273
Location: New Zealand

31 Mar 2018, 7:33 pm

Trogluddite wrote:
Thanks Soliloquist, it's good of you to invest so much effort on this on our behalf; much appreciated. :D

I understand now why I haven't been seeing these problems; completely unintentionally, my WP bookmark enters the site via the forums page, as you have noted above.

It's just a shame that the deafening silence from the admins makes it necessary for forum users to do the detective work!


I am a moderator; Alex is the only admin. Mods have not been silent on this issue. I have posted threads in both the WP forum and the GAD forum, and continue to warn members (I will post this thread as a link in the General forum thread). I will also post a link to this thread in a thread that Alex has posted in, so that he gets a notification of it directly (hopefully), as my attempts to alert him by other methods haven't received a response as yet.

Thank you from me also Soliloquist - and others who have provided feedback in all of the threads so far.



kraftiekortie
Veteran

Joined: 4 Feb 2014
Gender: Male
Posts: 61,671
Location: Queens, NYC

31 Mar 2018, 8:17 pm

Thanks for all your efforts, Soliloquist.



bunnyb
Veteran

Joined: 3 Mar 2016
Gender: Female
Posts: 589
Location: Australia

31 Mar 2018, 9:00 pm

Thank you, Soliloquist. I had wondered why people were talking about pop-ups and now I know. I'm like Trogluddite and use a forum bookmark. Hopefully something will now be done to remove the malware. If Alex doesn't want to, perhaps he could find someone who does. I know this is his site and the revenue isn't likely to be much, so it may feel onerous to maintain it. :(


_________________
I have a piece of paper that says ASD Level 2 so it must be true.


SabbraCadabra
Veteran

Joined: 21 Apr 2008
Age: 35
Gender: Male
Posts: 6,913
Location: Michigan

01 Apr 2018, 3:32 am

How long has the site been infected for?

My bookmarks are set to "view your posts", so I haven't noticed much, and I usually have NoScript running as well.


_________________
he had a lot to say, he had a lot of nothing to say
we'll miss him


smudge
Veteran

Joined: 6 Sep 2006
Age: 31
Gender: Female
Posts: 6,427
Location: London

01 Apr 2018, 8:30 am

It’s not nice to put his users at risk though.



Thanks Soliloquist, will bear those links in mind.



Trogluddite
Veteran

Joined: 2 Feb 2016
Age: 48
Gender: Male
Posts: 2,871
Location: Yorkshire, UK

01 Apr 2018, 10:07 am

B19 wrote:
I am a moderator; Alex is the only admin. Mods have not been silent on this issue.

My sincere apologies for the ambiguous comment. It was not my intent to criticize the moderators at all, only those who have the power to actually fix this problem. All of the moderators here do a very good job IMHO (thank you all! :D ), and I can see that you have all done your very best to help members to work around these issues and are as frustrated with them as any of us.


_________________
When you are fighting an invisible monster, first throw a bucket of paint over it.


Ichinin
Veteran

Joined: 3 Apr 2009
Gender: Male
Posts: 3,653
Location: A cold place with lots of blondes.

01 Apr 2018, 10:58 am

SabbraCadabra wrote:
How long has the site been infected for?

My bookmarks are set to "view your posts", so I haven't noticed much, and I usually have NoScript running as well.


Same, I only visit the main site like once a year... mostly by mistake.


_________________
"It is far better to grasp the Universe as it really is than to persist in delusion, however satisfying and reassuring" (Carl Sagan)


B19
Forum Moderator

Joined: 11 Jan 2013
Gender: Female
Posts: 9,273
Location: New Zealand

01 Apr 2018, 9:32 pm

Trogluddite wrote:
B19 wrote:
I am a moderator; Alex is the only admin. Mods have not been silent on this issue.

My sincere apologies for the ambiguous comment. It was not my intent to criticize the moderators at all, only those who have the power to actually fix this problem. All of the moderators here do a very good job IMHO (thank you all! :D ), and I can see that you have all done your very best to help members to work around these issues and are as frustrated with them as any of us.



Thanks for the clarification.



Eurythmic
Sea Gull

Joined: 1 Jan 2013
Age: 43
Gender: Male
Posts: 227
Location: Australia

07 Apr 2018, 7:19 am

Thanks for your work, Soliloquist; the malware stopped me from being able to access the site for some time.