Download your copy of the report (PDF, 723 KB)

Introduction

---

Internet technology is rapidly evolving making it much easier for both individuals and organizations to create websites and to upload their unique content in a blaze. Content Management Systems (CMS), Website in a Click services, shared hosting, and other services allow to get online almost with no effort and with minimum budget. And with the Internet of things (IoT) in the doorway, nearly every aspect of the business and personal life gets connected to the web to communicate, merchandise, exchange, provide service, etc.

On the other hand, the more data is there, - the more profit can online criminals potentially gain if they can access it illegally. Malware industry is building powerful back-end infrastructure to launch sophisticated malicious campaigns and by-pass the detection mechanisms. Online security and malware protection are the essential components of the reputable and safe business. Hence, to keep up with the pace, malware research and forensics platforms are required to process an enormous amount of data non-stop to prepare tools and methods capable of identifying and removing every new infection types and variants.

CVE Per CMS Platform

---

In 2016 the following vulnerabilities have been filed against top 6 Content Management Systems (CMS):

The 2016 Year Website Malware in Details | Q1 – Q4

---

The table below is the overall detection statistics per the threat type.

TOP 10 Online Threats

Website Severity Report

---

Currently, we assign severity status to a scanned domain / URL based on the detected components and their level of maliciousness to a website visitor. Ranging from Potentially Suspicious to Malicious these groups allow to estimate the immediate danger that the detected code imposes and the possibility of the False Positive. The data in this report applies to the defined/limited sample and it has been checked and verified both manually and using automated tools.

Blacklisting Report

---

Almost each search engine provider and security vendor manage blacklisting mechanisms. It is used to protect the customer and block the dangerous content from being accessed. In this section, we compared the blacklisting coverage against the active threat on the processed website.

Hacking Report

---

The data in this section is based on the malware investigation and removal from the customers’ websites during the year 2016.

CMS Analysis

Leading platforms among the infected websites that use Content Management System (CMS) were WordPress (WP), Joomla! and Magento.

One of the common reasons of the hacking and, especially, the re-infection is the exploitation of the vulnerable and outdated version of the software and components such as plugins, themes, templates modules and other third-party components. The same applies to the CMS installations. Below are insights on the versions of the CMS as detected by our researchers at the time the website was already compromised.

Malware Incidents Insight

In this section, we outline some of the various exploitation vectors and malware types that were detected by our tools and removed by the incident response team during 2016.

SUPEE-5344

Magento based websites compromised due to the vulnerability in the installed version of the CMS.A remote code execution (RCE) vulnerability known as the “shoplift bug” that allowed hackers to obtain Admin access to a store.

More info: https://magento.com/security/patches/supee-5344---shoplift-bug-patch

SUPEE-5994

Magento based websites compromised due to one or more vulnerabilities in the installed version of the CMS.

More info: https://magento.com/security/patches/supee-5994

SUPEE-6285

Magento based websites compromised due to one or more vulnerabilities in the installed version of the CMS.

More info: https://magento.com/security/patches/supee-6285

SUPEE-6482

Magento based websites compromised due to one or more vulnerabilities in the installed version of the CMS.

More info: https://magento.com/security/patches/supee-6482

SUPEE-6788

Magento based websites compromised due to one or more vulnerabilities in the installed version of the CMS.

More info: https://magento.com/security/patches/supee-6788

Culprit bot network

Website was a part of the Culprit bot network.

FilesMan infection

Website infected with the FilesMan backdoor malware that allows hacker to access and modify compromised site.

More info:

• https://blog.quttera.com/post/filesman-backdoor-malware-on-your-computer/
• https://blog.quttera.com/post/deobfuscation-made-easy-with-malware-decoder/

Ultimate VC Add-ons

Infection planted into the plugin files (Trojan and others) allowed hackers to send Spam and distribute infection.

SPAM

Among the other Spam campaigns occurred in 2016 these two stand out for their scale and ability to survive the standard security measures:

• Self-Recovering Spam Bot (more info: https://blog.quttera.com/post/self-recovering-spam- bot-launched-exploitation-from-entire-ip-sub-network/)
• Self-Recovering Black SEO & Spam Targeting WordPress (more info: https://blog.quttera.com/post/self-recovering-black-seo-spam-infection-hits-wordpress-setups/)

CVE-2015-8526

Joomla! vulnerability that allowed remote attackers to conduct PHP object injection and execute arbitrary PHP code via the HTTP.

More info: https://www.cvedetails.com/cve/CVE-2015-8562/#metasploit

Ransomware

Website infected with the Win32/Wadhrama.A ransoware infection

More info: https://blog.quttera.com/post/instant-ransomware-for-unpatched-websites/

Summary

The data in this report has been carefully checked and verified to give you the numerical insights on the scale of the infection being spread through the websites. We are working closely with hosting companies, security vendors and website management companies to help webmasters running safe and malware-free sites.

Download your copy of the report (PDF, 723 KB)

Report incorrect detection or false positive on helpdesk.quttera.com or send an email to support@quttera.com

Malware cleanup and black list removal