A new Magento malware has been discovered that possesses a self-healing function which undoes deletion attempts. Continue reading our article to learn more.
A New Magento Malware Has Been Discovered
Security researchers uncovered a dangerous and hard-hitting Magento malware. The virus has already been spotted in several dangerous attack campaigns and has compromised running sites. The discovery was made by Jeroen Boersma, who reported that the virus uses SQL procedures that restore the malicious code if it is deleted. This means that while security experts can detect the code change, they may not be able to remove it entirely.
An in-depth analysis was performed by the expert Willem de Groot, which gives further details about it. The infection is performed after a successful intrusion via a brute force attack on /rss/catalog/notifystock. The malware gets injected into the running instance's SQL code. This virus uses a clever database trigger which runs every time a new order is placed. The trigger checks for the malware in several of the most important components: the header, footer, copyright message and every installed CMS block. If the code is not found, the trigger automatically adds it once again.
As a consequence, a Magento store can be infected in a very efficient manner using this malware strain. The threat has been rated as very dangerous because it is written entirely in SQL and relies on legitimate trigger functionality, which affects all Magento instances that have not been patched. Site owners can detect the virus by looking for any suspicious SQL code that includes HTML tags or strings such as admin or js.
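To make that detection advice concrete, here is an added example (not from the original article or the researchers' analysis) that scans trigger definitions exported from MySQL's information_schema.TRIGGERS for the indicators described: HTML tags, strings such as admin or js, and triggers on order tables that write into site content. The sample rows, trigger names and the example.invalid URL are constructed for illustration.

```python
import re
from typing import Dict, List

# Rows can be exported from a Magento database with:
#   SELECT TRIGGER_NAME, EVENT_OBJECT_TABLE, ACTION_STATEMENT
#   FROM information_schema.TRIGGERS WHERE TRIGGER_SCHEMA = DATABASE();
# The checks below are heuristics based on the indicators in the article;
# review every hit by hand, since "admin" can also appear in benign triggers.
HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
SUSPICIOUS_TOKENS = ("admin", ".js", "<script")
# Places the article says the malware re-injects itself into (header, footer,
# copyright text and CMS blocks live in these tables / config paths).
CONTENT_TARGETS = ("core_config_data", "cms_block", "design/header", "design/footer")


def trigger_findings(trigger: Dict[str, str]) -> List[str]:
    """Return the reasons a trigger looks suspicious (empty list means clean)."""
    body = trigger["ACTION_STATEMENT"]
    lowered = body.lower()
    findings: List[str] = []
    if HTML_TAG.search(body):
        findings.append("html_tag_in_body")
    for token in SUSPICIOUS_TOKENS:
        if token in lowered:
            findings.append(f"token:{token}")
    # A trigger fired by order activity has no reason to edit site content.
    if trigger["EVENT_OBJECT_TABLE"].lower().startswith("sales_") and any(
        target in lowered for target in CONTENT_TARGETS
    ):
        findings.append("order_trigger_writes_site_content")
    return findings


def scan_triggers(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious trigger name to its findings; clean triggers are omitted."""
    report: Dict[str, List[str]] = {}
    for row in rows:
        findings = trigger_findings(row)
        if findings:
            report[row["TRIGGER_NAME"]] = findings
    return report


# Constructed sample rows in the shape of information_schema.TRIGGERS.
SAMPLE_TRIGGERS = [
    {"TRIGGER_NAME": "sales_order_updated_at", "EVENT_OBJECT_TABLE": "sales_order",
     "ACTION_STATEMENT": "BEGIN SET NEW.updated_at = NOW(); END"},
    {"TRIGGER_NAME": "trg_order_after_insert", "EVENT_OBJECT_TABLE": "sales_order",
     "ACTION_STATEMENT": "BEGIN UPDATE core_config_data SET value = CONCAT(value, "
                         "'<script src=\"https://example.invalid/x.js\"></script>') "
                         "WHERE path = 'design/footer/absolute_footer'; END"},
]

if __name__ == "__main__":
    for name, reasons in scan_triggers(SAMPLE_TRIGGERS).items():
        print(name, "->", ", ".join(reasons))
```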
We remind our readers that Magento is one of the most popular e-commerce solutions on the Internet. Many famous companies operate their online shops based on this platform and thus this virus has been labeled as extremely dangerous by all security experts.
The Magento Malware Takes Inspiration From The Past
The first similar virus was reported in September 1989, when the memory-resident Trojan virus called Yankee Doodle was detected. The threat was able to infect EXE and COM binary files and got its name because it plays the tune of “Yankee Doodle” every day at 17:00. The virus originates from Bulgaria and was created by a malicious developer known as TP, who is also the creator of Vacsina (Ваксина, meaning vaccine).