Annual Website Malware Report | 2016
insights on online threats in websites as detected by Quttera automated tools and analysed by malware research team
Introduction
Internet technology is rapidly evolving making it much easier for both individuals and organizations to create websites and to upload their unique content in a blaze. Content Management Systems (CMS), Website in a Click services, shared hosting, and other services allow to get online almost with no effort and with minimum budget. And with the Internet of things (IoT) in the doorway, nearly every aspect of the business and personal life gets connected to the web to communicate, merchandise, exchange, provide service, etc.
On the other hand, the more data is there, - the more profit can online criminals potentially gain if they can access it illegally. Malware industry is building powerful back-end infrastructure to launch sophisticated malicious campaigns and by-pass the detection mechanisms. Online security and malware protection are the essential components of the reputable and safe business. Hence, to keep up with the pace, malware research and forensics platforms are required to process an enormous amount of data non-stop to prepare tools and methods capable of identifying and removing every new infection types and variants.
CVE Per CMS Platform
In 2016 the following vulnerabilities have been filed against top 6 Content Management Systems (CMS):
The 2016 Year Website Malware in Details | Q1 – Q4
The table below is the overall detection statistics per the threat type.
TOP 10 Online Threats
Website Severity Report
Currently, we assign severity status to a scanned domain / URL based on the detected components and their level of maliciousness to a website visitor. Ranging from Potentially Suspicious to Malicious these groups allow to estimate the immediate danger that the detected code imposes and the possibility of the False Positive. The data in this report applies to the defined/limited sample and it has been checked and verified both manually and using automated tools.
Blacklisting Report
Almost each search engine provider and security vendor manage blacklisting mechanisms. It is used to protect the customer and block the dangerous content from being accessed. In this section, we compared the blacklisting coverage against the active threat on the processed website.
Hacking Report
The data in this section is based on the malware investigation and removal from the customers’ websites during the year 2016.
CMS Analysis
Leading platforms among the infected websites that use Content Management System (CMS) were WordPress (WP), Joomla! and Magento.
One of the common reasons of the hacking and, especially, the re-infection is the exploitation of the vulnerable and outdated version of the software and components such as plugins, themes, templates modules and other third-party components. The same applies to the CMS installations. Below are insights on the versions of the CMS as detected by our researchers at the time the website was already compromised.
Malware Incidents Insight
In this section, we outline some of the various exploitation vectors and malware types that were detected by our tools and removed by the incident response team during 2016.
SUPEE-5344
Magento based websites compromised due to the vulnerability in the installed version of the CMS.A remote code execution (RCE) vulnerability known as the “shoplift bug” that allowed hackers to obtain Admin access to a store.
More info: https://magento.com/security/patches/supee-5344---shoplift-bug-patch
SUPEE-5994
Magento based websites compromised due to one or more vulnerabilities in the installed version of the CMS.
More info: https://magento.com/security/patches/supee-5994
SUPEE-6285
Magento based websites compromised due to one or more vulnerabilities in the installed version of the CMS.
More info: https://magento.com/security/patches/supee-6285
SUPEE-6482
Magento based websites compromised due to one or more vulnerabilities in the installed version of the CMS.
More info: https://magento.com/security/patches/supee-6482
SUPEE-6788
Magento based websites compromised due to one or more vulnerabilities in the installed version of the CMS.
More info: https://magento.com/security/patches/supee-6788
Culprit bot network
Website was a part of the Culprit bot network.
FilesMan infectionWebsite infected with the FilesMan backdoor malware that allows hacker to access and modify compromised site.
More info:- https://blog.quttera.com/post/filesman-backdoor-malware-on-your-computer/
- https://blog.quttera.com/post/deobfuscation-made-easy-with-malware-decoder/
Infection planted into the plugin files (Trojan and others) allowed hackers to send Spam and distribute infection.
SPAM
Among the other Spam campaigns occurred in 2016 these two stand out for their scale and ability to survive the standard security measures:
- Self-Recovering Spam Bot (more info: https://blog.quttera.com/post/self-recovering-spam- bot-launched-exploitation-from-entire-ip-sub-network/)
- Self-Recovering Black SEO & Spam Targeting WordPress (more info: https://blog.quttera.com/post/self-recovering-black-seo-spam-infection-hits-wordpress-setups/)
CVE-2015-8526
Joomla! vulnerability that allowed remote attackers to conduct PHP object injection and execute arbitrary PHP code via the HTTP.
More info: https://www.cvedetails.com/cve/CVE-2015-8562/#metasploit
RansomwareWebsite infected with the Win32/Wadhrama.A ransoware infection
More info: https://blog.quttera.com/post/instant-ransomware-for-unpatched-websites/
Summary
The data in this report has been carefully checked and verified to give you the numerical insights on the scale of the infection being spread through the websites. We are working closely with hosting companies, security vendors and website management companies to help webmasters running safe and malware-free sites.
Download your copy of the report (PDF, 723 KB)
Report incorrect detection or false positive on helpdesk.quttera.com or send an email to support@quttera.com
