The Latest in IT Security

How to Check if Your Website is Part of the Stealrat Botnet

06
Aug
2013

For a few months now, we have been actively monitoring a spambot named Stealrat, which primarily uses compromised websites and systems in its operations. We have continuously monitored its operations and identified about 195,000 thousand domains and IPs that have been compromised. The common denominator among these compromised sites is that they are running vulnerable CMS software such as WordPress, Joomla and Drupal.

In this entry, we will discuss how website administrators can check if their website is compromised and part of the Stealrat botnet.

The first step is to check for the spammer scripts that are commonly found namely sm13e.php or sm14e.php. But note that these scripts may change in terms of file name, so it would be better to check for any unfamiliar PHP file.

screenshot-phpfile-stealrat
Spamming scripts inside a compromised website

Another way to check for the presence of the malicious PHP file is to search for any of the following strings in the codes:

  • die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321)
  • die(PHP_OS.chr(49).chr(49).chr(43).md5(0987654321)

For those running on Linux, you can search for the string using the grep command grep “die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321″ /path/to/www/folder/, while for Windows it’s content:”die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321″.

script-Stealrat-howto
The mentioned strings in the PHP file

These strings are part of the “die” code of the PHP file (e.g. when certain parameters are not met). Our colleagues at DeepEnd Research have already posted a copy of sm14e.php. As far as we know, this is the latest version of the script in the wild and compared to sm13e.php, sm14e.php now supports multiple email addresses to send spam to. Other than that, it is still the same PHP file that accepts the following parameters:

  • l ? email address (to send spam to)
  • e ? nine randomly generated characters
  • m ? mail server (ie. googlemail)
  • d ? mail template

Its response varies depending on the parameters supplied, as well as the result of the spamming routine:

parameters
Script responses based on results

For website admins, we recommend the deletion of the files resembling those described above, and the updating of their content management systems – especially WordPress, Joomla or Drupal. More information on this threat, as well as the other components that need to be taken note of are available in our paper, Stealrat: An In-Depth Look at an Emerging Spambot.

Related posts:
  1. Compromised Sites Conceal StealRat Botnet Operations
  2. Hundreds of Phishing Scripts Hosted on A Single Compromised Website
  3. Mt. Gox updates website, allows customers to check bitcoin balances
  4. Mt. Gox updates website, allows customers to check bitcoin balances
  5. Various money-related spams serve as versatile attack vector to spread ZeuS – The emails and the linked website attack the victim in various ways to spread the dangerous banking Trojan

Tags:  
Written by TrendLabs Security Intelligence Blog
0 Comments

Leave a reply


Categories

SATURDAY, APRIL 20, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments