More on Dnsden[.]biz Swipers and Radix Obfuscation

After the recent publication of the Uncommon Radixes Used in Malware Obfuscation article, we found an interesting Twitter thread involving @EKFiddle and @Ledtech3:

#EKFiddle [Regex update]: Added Radix Web Skimmer identified by @unmaskparasites (
Additional domain seen in campaigns: checkip[.]biz

— EKFiddle (@EKFiddle) March 17, 2019

Just a brief round-up of the Twitter discussion.

Neither the credit card swiper malware campaign from “dnsden[.]biz” nor the “radix obfuscation” trick is new.

Continue reading More on Dnsden[.]biz Swipers and Radix Obfuscation at Sucuri Blog.

Source: Scuri check

Arbitrary Directory Deletion in WP-Fastest-Cache

The WP-Fastest-Cache plugin authors released a new update, version, fixing a vulnerability (CVE-2019-6726) present when it is installed alongside the WP-PostRatings plugin. According to

“A successful attack allows an unauthenticated attacker to specify a path to a directory from which files and directories will be deleted recursively. The vulnerable code path extracts the path portion of the referrer header and then uses string concatenation to build an absolute path.

Continue reading Arbitrary Directory Deletion in WP-Fastest-Cache at Sucuri Blog.

Source: Scuri check

Uncommon Radixes Used in Malware Obfuscation

Some JavaScript features allow for pretty interesting obfuscation techniques. For example, did you know that virtually any English word can be used as a valid number?

I recently decoded a credit card stealing script injected at the bottom of a js/varien/js.js file:

There were several layers of obfuscation. During the final stage of decoding, I identified that this code writes something to web pages whose URLs contain one of the following keywords: onepage|checkout|onestep|firecheckout, which are typically found in checkout page URLs.
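As an added illustration of the trick the excerpt refers to (this is not code from the Sucuri post or from the injected script; the sample script and its numeric literals are constructed here), the following JavaScript shows why any lowercase word is a valid base-36 number and decodes such literals back into the keywords they hide. It assumes the common `(number).toString(radix)` shape and handles long words with BigInt, since words of 11 or more characters exceed what a JavaScript Number can hold exactly.

```javascript
// Added example, not code from the Sucuri post or the skimmer it describes.
// Every character in [0-9a-z] is a digit in base 36, so a word such as
// "checkout" is simply a base-36 numeral. BigInt is used because words of
// 11+ characters exceed Number.MAX_SAFE_INTEGER and would not round-trip
// through parseInt()/toString().
const DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz";

// Interpret a word as a numeral in the given radix (default 36).
function wordToBigInt(word, radix = 36) {
  let value = 0n;
  for (const ch of word.toLowerCase()) {
    const d = DIGITS.indexOf(ch);
    if (d < 0 || d >= radix) throw new Error(`'${ch}' is not a base-${radix} digit`);
    value = value * BigInt(radix) + BigInt(d);
  }
  return value;
}

// Render a BigInt back into the word it encodes.
function bigIntToWord(value, radix = 36) {
  if (value === 0n) return "0";
  const r = BigInt(radix);
  let out = "";
  while (value > 0n) {
    out = DIGITS[Number(value % r)] + out;
    value /= r;
  }
  return out;
}

// True when parseInt(word, radix) can hold the value without rounding,
// i.e. when the built-in Number conversions would round-trip the word.
// "checkout" fits; "firecheckout" (12 chars) does not.
function fitsInDouble(word, radix = 36) {
  return wordToBigInt(word, radix) <= BigInt(Number.MAX_SAFE_INTEGER);
}

// Constructed sample in the shape this trick produces: a keyword list held
// as numeric literals that are turned back into words at run time.
// 53658192686 is "onepage" and 978242916053 is "checkout" in base 36.
const SAMPLE_SCRIPT = `
var k = [(53658192686).toString(36), (978242916053).toString(36)];
if (new RegExp(k.join("|")).test(location.href)) { /* runs only on checkout pages */ }
`;

// Pull every <integer>.toString(<radix>) call out of a script and decode it,
// so a reviewer can read the hidden keywords without executing the file.
// Matches both "(123).toString(36)" and "123..toString(36)".
const TOSTRING_CALL = /\(?(\d+)\)?\.{1,2}toString\((\d{1,2})\)/g;

function decodeRadixLiterals(source) {
  const found = [];
  for (const m of source.matchAll(TOSTRING_CALL)) {
    const radix = Number(m[2]);
    if (radix < 2 || radix > 36) continue; // not a legal radix, skip it
    found.push({ literal: m[0], decoded: bigIntToWord(BigInt(m[1]), radix) });
  }
  return found;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(decodeRadixLiterals(SAMPLE_SCRIPT));
}
```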

Continue reading Uncommon Radixes Used in Malware Obfuscation at Sucuri Blog.

Source: Scuri check

Insufficient Privilege Validation in SiteGround Optimizer & Caldera Forms Pro

While investigating the SiteGround Optimizer and Caldera Forms Pro plugins we discovered a critical privilege escalation vulnerability.

It was not being abused externally and impacts over 500,000 sites. Its urgency is defined by the associated DREAD score, which looks at damage, reproducibility, exploitability, affected users, and discoverability.

A key contributor to the criticality of these vulnerabilities is that they are exploitable by any user (they are not restricted to privileged users such as admins) and are easy to exploit remotely.

Continue reading Insufficient Privilege Validation in SiteGround Optimizer & Caldera Forms Pro at Sucuri Blog.

Source: Scuri check

PCI for SMB: Requirement 10 & 11 – Regularly Monitor and Test Networks

Welcome to the seventh post of a series on understanding the Payment Card Industry Data Security Standard (PCI DSS). We want to show how PCI DSS affects anyone going through the compliance process using the PCI SAQs (Self-Assessment Questionnaires).

In the previous articles written about PCI, we covered the following:

  • Requirement 1: Build and Maintain a Secure Network – Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Build and Maintain a Secure Network – Do not use vendor-supplied defaults for system passwords or other security parameters
  • Requirement 3 & 4: Secure Cardholder Data
  • Requirement 5 & 6: Maintain a Vulnerability Management Program
  • Requirement 7 & 8: Implement Strong Access Control Measures
  • Requirement 9: Implement Strong Access Control Measures

Having recapped this so far, we’re going to focus on the requirements under the Regularly Monitor and Test Networks section.

Continue reading PCI for SMB: Requirement 10 & 11 – Regularly Monitor and Test Networks at Sucuri Blog.

Source: Scuri check

Spotlight on Women in Cybersecurity

Sucuri is committed to helping women develop their careers in technology. On International Women’s Day, Sucuri team members share their insights into working in cybersecurity.

Spotlight on Sucuri Women in Cybersecurity

We have asked some of the women who work at Sucuri 3 questions:

  1. What do you do at Sucuri?
  2. How did you decide to work with technology?
  3. What do you think the future looks like for women in cybersecurity?

Continue reading Spotlight on Women in Cybersecurity at Sucuri Blog.

Source: Scuri check

How to Add SSL & Move WordPress from HTTP to HTTPS

Moving a WordPress website from HTTP to HTTPS should be a priority for any webmaster. Recent statistics show that over 33% of website administrators across the web use WordPress, and many of these websites have still not added an SSL certificate.

Why Is It Important to Have a WordPress SSL Certificate?

SSL has become increasingly important in the past couple of years, not only for securely transmitting information to and from your website, but also to increase visibility and lower the chances of being penalized by website authorities.

Continue reading How to Add SSL & Move WordPress from HTTP to HTTPS at Sucuri Blog.

Source: Scuri check

Time for VT Enterprise to step up

Late last year we announced the release of VT Enterprise for existing VT Intelligence subscribers. Since the launch, we have iterated on and improved upon VT Enterprise and it is time to begin a full deprecation of the old VT Intelligence interface. Today, we are announcing a 1 month deprecation timeline. Note that this does not affect APIv2, Graph or any other VirusTotal functionality. Similarly, this comes at no extra cost and existing users of VT Intelligence will be able to continue to use the solution within the new VT Enterprise interface.

Let us shed some light into what is new, what you are getting for free with this change and why you want to be moving to the new platform right now!

Improved Intelligence modifier-based searching

When searching for files by hash you are searching across the entire history of VirusTotal going back to 2006. This was never the case when combining many advanced search modifiers, for example:

type:doc p:10+ tag:macros tag:run-file metadata:Cyrillic

As many of you have correctly observed over the years, this kind of faceted search was limited to 2 months worth of submissions. The technical cost of being able to mix together more than 40 modifiers when seeking through tens of millions of files forced this limitation upon us. Often this was even more confusing as certain file types (e.g. images without detections) were discarded from indexing.

With VT Enterprise we are increasing your look-back period for free from 2 months to 3 months, and we are making the index complete. In other words, there is no more discarding of certain non-interesting file types without detections, and no other filtering logic to circumvent index size limitations.

At the same time we are making available even more modifiers. Many of you always wanted more granularity when searching over behavior reports: you felt that searches like behavior:"gate.php" were too broad and wanted to restrict this to just the network communications. This is now possible:

Other new modifiers include:

  • behavior_files – changes related to the filesystem
  • behavior_processes – observations related to execution of processes
  • behavior_registry – modifications related to the Windows registry
  • behavior_services – observations related to services and daemons
  • main_icon_dhash – file icon similarity search, more on this later

No more experimental content searching, welcome VTGREP

File content searching has been in VT Intelligence since 2012; however, it was an experimental project based on suffix arrays, running on just two machines and spanning just 2 weeks’ worth of data.

With VT Enterprise we have completely rebuilt the content search service around a 5 petabyte n-gram index, which is akin to Google planet scale in the field of malware. We are calling this new functionality VTGREP. We are also seamlessly upgrading your subscription to cover 3 months’ worth of data instead of 2 weeks.

Moreover, unlike the former suffix array based content searching, this new service allows you to combine multiple content conditions in one single query. This is an example to locate VTFlooder samples:

content:"filename=" AND content:"Content-Transfer-Encoding: binary" AND content:"--------%015d--"

OR conditions are also allowed.

You can even search over content found in certain decodings/transformations of files, e.g. in macro VBA code streams:

content:"Call z5bP7"

This starts to look more and more like a lightning fast retrohunt, doesn’t it? More on this in future updates.

Greater Retrospection

If you have ever used retrohunt, you have probably asked yourself why a given file that you know is in VirusTotal does not match against your rule. Retrohunt used to operate on a limited pool of machines, meaning that it was only hunting over approximately the last 45-60 days of submissions, depending on the amount of files submitted during that period. We have noticeably improved the setup and are increasing your retrohunt limit deterministically to 3 months; this makes it consistent with the other two timespan improvements.

Let’s recap: in addition to offering more modifiers and better condition combinations, we are seamlessly and freely increasing your retrospection powers across the 3 advanced searching and hunting capabilities. So can we do any better? Yes. We have poured many more resources into all of these features, and we are announcing a Threat Hunter PRO add-on that allows you to go back in time one year. Many of you will have already become aware of this in your retrohunt listings:

For some use cases 3 months retrospection is more than enough, however, if you are tracking advanced actors and truly immersed in the threat intel space you will probably be interested in the extended retrospection add-on. Contact us to learn more about how to get access to it.

                          Before       VT Enterprise (free upgrade)   With Threat Hunter PRO
Advanced search           60 days      90 days                        1 year
Retrohunt                 45-60 days   90 days                        1 year
Content search (VTGREP)   14 days      90 days                        1 year

With all that, you may think we’re done with this announcement. Let’s explore some additional benefits of the new interface that further expand the malware hunters’ arsenal.

File icon/thumbnail similarity search

If you have launched a VT Enterprise search you will have probably noticed that we now extract and display file icons for Windows Executables, Android APKs and DMGs. We also create thumbnails for PDFs and MS Office files.

You can click on these icons and search for files with a visually similar icon or thumbnail. This is obviously very useful for locating malware that tries to impersonate certain brands (e.g. banks), for spotting evil at a glance (e.g. executables with a PDF icon), and for immediately seeing that a similarity search is indeed grouping things that truly have something in common. Moreover, it is a great way to cluster together malware variants belonging to similar campaigns:

This is especially useful if you combine it with other modifiers in order to locate variants of the same campaign which still have low antivirus coverage:
main_icon_dhash:47474b4b4b4b4b4b positives:7-

Direct pivoting within reports

When looking at reports you may spot interesting static properties, and having to type a search to locate other files with the same characteristic was slow and tedious. Now you can simply click on the property value and immediately launch the search.

Multisandbox behavior reports and behavior searching

Are you stuck in the old VT Intelligence interface? Then you are probably seeing very little execution behavior information. The old templates do not include the data contributed by the multisandbox project, which already integrates nearly ten sandboxes. Example:

Moreover, you want to be able to search across these reports, and that is something you can only do in the new VT Enterprise:
type:apk behavior:http behavior:"Sign in to your account"

One-click away commonalities

Have you launched a multihash search in the new VT Enterprise platform? Then you have probably spotted a weird and distortedly big electric blue icon:

It is time to spot metadata patterns that are common to all your files instantaneously, with just one click. Those of you generating IoCs during your investigations will probably find this nifty little feature very useful.

Click on any of the displayed commonalities and pivot to other files exhibiting the same property.

File, URL, domain and IP address lookups all in one place

Many of you have suffered the pain of having to keep two tabs open when working with VirusTotal, one pointing to the public website and one pointing to VT Intelligence. The first one was used to perform network location lookups and the second one to perform your file related searches. It was a broken world; it is now time to unify everything in one place and leave the door open for a future inclusion of network location (URLs, domains, IPs) advanced faceted searching.

Richer relationships

If you are stuck in the old Intelligence interface you will not be enjoying some of the new relationships being generated for items in the dataset, for instance, embedded domains and IP addresses. These are domain and IP address patterns found within the binary content of files in the dataset, network location information that often does not surface in behavior reports because of different execution paths, delays, etc.

Not only can you see this data in the fully fledged file reports when navigating to your matches, but also as handy popovers within the search result matches.

Multiple VT Hunting goodies

You may notice far richer and more comprehensive VT Hunting notification listings, improved ruleset searching and retrohunt matches in-app visualizations instead of having to download a plain list of hashes.

As you can see, you no longer have to download the list of matching hashes and then launch a multihash search. Even better, you can now do all of the above via new API endpoints that not only allow you to automate retrohunts and livehunts, but also rule management:

This said, the most attractive new feature of VT Hunting is the fact that you no longer have to wait for the next “train departure” when enqueuing a retrohunt, your jobs are kicked off immediately and results start to come in without delay. This also means that you can launch several retrohunt jobs without waiting for previous tasks to conclude.

Enter VT Graph Premium

If you have a zillion open tabs with multiple file reports and searches related to an investigation, it is time to get smarter. Your subscription now incorporates VT Graph and its premium features for free. You can share graphs with other users, granting them viewer or editor roles. You can also make graphs private so that they do not appear in VirusTotal Community and you don’t disclose your most sensitive investigations. Note that graphs generated by free users become publicly available and linked in reports for items contained in those graphs.

Last but not least, you can create custom nodes such as “attacker”, “victim”, “email”, etc. and draw the full picture of a campaign. This is enriched via the privileged relationship information that is newly available (e.g. embedded domains, embedded ips, etc.) and via the commonality generation that was discussed earlier.

If all of this were not enough, you will discover other nifty new features along the way, such as two-factor authentication, improved group management for administrators and further quota consumption insights.

Have we managed to convince you to move over to the new platform? If not, please contact us, we will address your pain points in order to make the migration as seamless as possible.

Similarly, get in touch if you want access to the new Threat Hunter PRO add-on, for many advanced investigations greater retrospection is a must. Why? These are just three clear-cut reasons:

  • When investigating a malware family you want to be able to go back in time to its very first variant. Often in the very first campaigns attackers are careless and leave behind debug artifacts, network infrastructure trails and other hints that enable you to perform attribution and know more about your adversary. Think of a serial killer: police always try to find other related crimes, as these often reveal other clues.
  • Advanced threats are not like commodity malware (adware, banking trojans, etc.); there are no massive campaigns with thousands of variants but rather just a handful of spearheaded attacks spread over a very long period of time. In order to understand the tactics, techniques and procedures used by attackers you need to see the full picture, you need enough sampling, and only extended retrospection capabilities will allow that.
  • A 5 petabyte n-gram index is not something you can do in-house; only a handful of organizations can scale into these numbers. You should be focusing on your investigations and not on maintaining complex hunting infrastructure.

Source: VirusTotal

Hacked Website Trend Report – 2018

We are proud to be releasing our latest Hacked Website Trend Report for 2018.

This report is based on data collected and analyzed by the GoDaddy Security / Sucuri team, which includes the Incident Response Team (IRT) and the Malware Research Team (MRT).

The data presented is based on the analysis of 25,168 cleanup requests and summarizes the latest trends by bad actors. We’ve built this analysis from prior reports to identify the latest tactics, techniques, and procedures (TTPs) detected by our Remediation Group.

Continue reading Hacked Website Trend Report – 2018 at Sucuri Blog.

Source: Scuri check

Fake Browser Updates Push Ransomware and Bank Malware

Recently we came across a malicious campaign injecting scripts that push fake browser updates onto site visitors.

This is what a typical fake update request looks like:

Users see a message box that says it’s an “Update Center” for your browser type (in my case it’s Firefox, but they also have such messages for Chrome, Internet Explorer and Edge browsers).

The message reads: “A critical error has occurred due to the outdated version of the browser.

Continue reading Fake Browser Updates Push Ransomware and Bank Malware at Sucuri Blog.

Source: Scuri check

Google Analytics and Angular in Magento Credit Card Stealing Scripts

Over the last few months, we’ve noticed several credit card-stealing scripts that use variations of the Google Analytics name to make them look less suspicious and evade detection by website owners.

The malicious code is obfuscated and injected into legitimate JS files, such as skin/frontend/default/theme122k/js/jquery.jscrollpane.min.js, js/meigee/jquery.min.js, and js/varien/js.js.

The obfuscated code loads another script from[.]cm/analytics.js.

Continue reading Google Analytics and Angular in Magento Credit Card Stealing Scripts at Sucuri Blog.

Source: Scuri check

Multisandbox update to Dr.Web vxCube 1.2 brings Android analysis

The multi-sandbox project is under continual improvement. In June 2018, we announced our integration with Dr.Web vxCube. Today we are happy to announce an update to Dr.Web vxCube that adds support for Android. With more than 2 billion active Android devices, having visibility into Android is a very welcome feature. Note that this adds to other multi-sandbox Android setups such as Tencent HABO for Android and VirusTotal Droidy.

In their own words:

We are proud to introduce our newest malware analyzer that now supports the Android platform – Dr.Web vxCube 1.2. It maintains the same fast and versatile functionality when working with Android files. Dr.Web vxCube 1.2 conducts a thorough analysis of APK files and provides in-depth reports on their behavior in the sandbox environment, including information about SMS and calls they could try to make. Moreover, each report includes manifest information with a full list of the app’s permissions, activities, broadcast receivers and services.

To view the details generated by Dr.Web vxCube make sure to click on the behavior tab:

To demonstrate some of the features, let’s take a look at a few malware samples:

Detection summary

At the top of the detailed report we can clearly see a detection summary for this APK file. Note that it displays a verdict based on execution behavior; this verdict may complement Doctor Web’s antivirus engine running in VirusTotal.


Malicious functions

We can see the app is sending SMS spam with malicious URLs:


Network activity

The network activity map visually shows where the traffic goes, along with protocol and address information.


Connect the dots

With VT Graph you can see all the relationships above in a single nodes-and-arcs graph enriched with the historical knowledge of the VirusTotal dataset. Forget about having dozens of open tabs to investigate a single incident; one canvas is all you need.

Moreover, as you can see above, you can easily generate an embeddable graph object in order to display your investigation in sites other than VT Graph.


Digging deeper

VT Enterprise users can try some more advanced searches using search modifiers in order to identify interesting samples based on behavioral observations and other structural and in-the-wild metadata.

For example you can search for filenames within the behavior data:

Similarly, the behavior-scoped modifiers can be combined with any other facets in order to pinpoint not only malware families but also their command-and-control servers, drop zones, additional infrastructure, etc.

type:apk androguard:"android.permission.READ_PHONE_STATE" behavior_network:http positives:10+


More insights and giving back to Doctor Web and the community

If you are as grateful as we are for these new insights into Android apps, you can give back to Doctor Web and the community by helping them receive more APKs so that they can continue to improve their defenses. The easiest way to do this is through a community-developed VirusTotal App that will make the task of uploading new APKs to VirusTotal a no-brainer:

We look forward to keep working closely with Doctor Web; meanwhile we continue to encourage other sandbox setups to join the multisandbox project.

Source: VirusTotal

Hackers Use Fake Google reCAPTCHA to Cloak Banking Malware

The most effective phishing and malware campaigns usually employ one of the following two age-old social engineering techniques:


These online phishing campaigns impersonate a popular brand or product through specially crafted emails, SMS, or social media networks. These campaigns employ various methods including email spoofing, fake or real employee names, and recognized branding to trick users into believing they are from a legitimate source. Impersonation phishing campaigns may also contain a victim’s name, email address, account number, or some other personal detail.

Continue reading Hackers Use Fake Google reCAPTCHA to Cloak Banking Malware at Sucuri Blog.

Source: Scuri check

The Importance of Website Logs

As a security company, we deal with a lot of compromised websites. Unfortunately, in most cases, we have limited access to customer logs, which is one of the reasons why we don’t offer forensic analysis.

Sucuri offers website monitoring, protection, and clean up, but sometimes we go that extra mile and investigate how websites become compromised in the first place. This usually happens when websites become reinfected after a cleanup.

The reinfection itself can be caused by something as simple as a compromised admin user.

Continue reading The Importance of Website Logs at Sucuri Blog.

Source: Scuri check

Add Security to Your Website Agency Portfolio

As a website industry professional, you are aware of the importance of website security. This is especially true when managing 10 or more sites. How can you convey this message to your customers?

Offering Website Security to Clients

Website security should be part of any web professional’s portfolio. How can you get started talking with your clients about website security?

Here are some ways to approach this topic and have customers onboard with a website security offering.

Continue reading Add Security to Your Website Agency Portfolio at Sucuri Blog.

Source: Scuri check

Googlebot or a DDoS Attack?

A bot is a software application that uses automation to run scripts on the internet. Also called crawlers or spiders, these guys take on the simple yet repetitive tasks we do. There are legitimate bots and malicious ones. A Web Application Firewall (WAF) filters the web traffic and blocks any malicious bots, letting the good ones pass.

Googlebot is Google’s web crawling bot. Google uses it to discover new and updated pages to be added to the search engine index.

Continue reading Googlebot or a DDoS Attack? at Sucuri Blog.

Source: Scuri check

The Anatomy of Website Malware: An Introduction

We see a lot of files infected by website malware on a daily basis here at Sucuri Labs. What we don’t see is very many categories of infections. The purpose of this blog post series is to provide an overview of the most common infection categories and types of website malware.

Are you interested in how backdoors, injectors, hacktools, or spam redirectors look and operate on a website? I’ll be covering these topics (and many others) in my upcoming articles.

Continue reading The Anatomy of Website Malware: An Introduction at Sucuri Blog.

Source: Scuri check

Multisandbox project welcomes SecondWrite

We are excited to announce the integration of SecondWrite into the multi-sandbox project. The multi-sandbox project’s goal is to aggregate many sandboxes in a similar fashion to the way we integrate anti-virus products. With this integration we are now up to X sandboxes, including ReaQta-Hive, Tencent Habo, VirusTotal Droidy, Cyber adAPT ApkRecon and Dr. Web vxCube. SecondWrite offers some cool features which we will detail below.

In their own words:

SecondWrite’s next-generation malware detection engine delivers a combination of automatic deep code inspection and accurate scoring of zero-day malware. Its platform combines dynamic sandbox analysis with static analysis to leverage the best features of both. Its patented technology on forced code execution finds and executes hidden code paths that other sandboxes miss. It uses advanced neural networks that can auto-learn what suspicious code patterns to look for, without human-specified signatures. The neural networks are further enriched by its technology to detect evasive and anti-analysis features in malware.

To view the SecondWrite report make sure to check out the detailed report.

Within the detailed reports, for a quick summary, take a look at the detection scores and classifications.

Malware Score
Classification of different categories
Let’s dig a little deeper and see some more features:

Forced Code Execution (FCE)

See for example the file  fcd6c16a61b286bb6951e49869fcadbc9bf83bccf31dc2e3b3c8f7ad23d6054f.

Within the detailed report you can see the IOCs generated by the FCE feature, extracted by SecondWrite’s driver. In this example we see that the sample attempts to repeatedly call a single API to avoid analysis. The FCE feature can rewrite one or more conditional statements to get the code sample to execute. Furthermore, some of the discovered events were characterized as Ransomware IOCs, Stealth IOCs, and Anti-Analysis IOCs.


Program-Level Indicators (PLI)


Typical hook-based approaches gather information about program behavior by capturing application to library function calls and application to kernel system calls. This approach is very effective at capturing how an application interacts with the underlying system through supported Application Program Interfaces (APIs), but it completely misses classes of evasion techniques intended to modify a program running in memory. SecondWrite’s Program-Level Indicators are patterns that can only be discovered by looking at the assembly instructions themselves. Frequently the instruction sequences chosen by malware have second-order effects that are beneficial only to malicious programs attempting to hide something. The following report contains two such examples: anti-binary translator code to defeat static analysis and an Import Address Table (IAT) bypass.

Machine learning can be very effective at finding subtle, multivariable associations that are impossible for a human to find. The most granular dataset to feed to a machine learner is sequences of assembly instructions. SecondWrite’s Automatic Sequence Detection technology is able to discern instruction sequences that are only found in malicious applications and give a confidence level. It is precise enough to limit false positives, but also broad enough to not be susceptible to artificial changes injected to malware strains such as is the case with polymorphic malware. The following report shows a sample that was determined to be malicious by Automatic Sequence Detection with a 93% confidence:

Next, clicking on the relations tab, we can see how it’s related to other IP addresses, domains, and URLs.

In this graph we can see related files based on network communication, with common URLs, Domains and IP addresses:

Source: VirusTotal

Safer Internet Day: Security vs. Convenience

It isn’t easy to be secure all the time — this is especially true if you are new to cybersecurity. A well-formed security plan takes deliberate effort at the very least, and constant vigilance at most. Even the top experts have room to improve because cybersecurity is a constantly moving target.

Unfortunately, most internet users aren’t using best practices.

The top two [passwords] have been left unchanged for the fifth year in a row.

Continue reading Safer Internet Day: Security vs. Convenience at Sucuri Blog.

Source: Scuri check