Occasionally, we at K7 Threat Control Lab receive reports from our clients that the website they visited is being blocked by our product, claiming it as a URL false detection. In a lot of such cases, our investigations have proved that the reported URL turns out to be injected with malicious scripts.
Recently, we came across one such incident from a client regarding an Indian government site being blocked.
When analyzed, many of the pages on that website were found to be injected with a JavaScript pointing to a randomly named PHP file “QwYygBKV.php” as shown in the image below.
It is likely that the web server has been compromised by remote hackers via exploitation of some vulnerability. Here is the code which writes the script tag in HTML files:
Inspite of the random name, the above said PHP file was found in many other domains as well. Even though the web page to which the URL redirects is not alive and gives “404” error, the reported website is still detected because its pages hold the link to malicious content. Interestingly, the malicious PHP was hosted on the reported domain itself, usually the link is a redirection to another malicious website.
In this case, the administrator possibly would have removed the aforementioned PHP file. Unfortunately the infection is not cleaned completely -the web pages still carry the link to the currently unavailable malicious content.
We have informed the concerned authority of the reported website about the scenario and the recommended course of action.
One would hope that such incidents would remind administrators that when weeding websites of infections, identifying the vulnerabilities that were exploited and patching them in the first place and ensuring the integrity of the website content, are as important as removing the malware component itself.
As for K7 users, this website shall remain blocked since the loophole that the attacker exploited to host this file on the site might still be at large.
V.Dhanalakshmi
Malware Analyst, K7TCL
If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
https://labs.k7computing.com/feed/
