A newly discovered piece of malware targeting Magento stores has a self-healing routine to restore itself after deletion, security researchers have discovered.The recently spotted Magento-targeting malware is using a database trigger to restore itself in the event it has been deleted: every time a new order is made, injected SQL code searches the compromised Magento installation and, if it doesn’t find the malware, it re-adds it. The malware leverages SQL stored procedures for this operation.
Malware’s behavior renders previous cleaning routines useless, because removing the malicious code from the infected records will no longer ensure that the infection is gone. This would only work for regular Javascript-based malware, which normally gets injected in the static header or footer HTML definitions in the database.The newly observed malware ensures that the self-healing trigger is executed every time a new order is made. The query checks for the existence of the malware in the header, footer, copyright and every CMS block. If absent, it will re-add itself.Malware detection should now include database analysis as well, because file scanning is no longer efficient. This discovery shows we have entered a new phase of malware evolution
http://www.securityweek.com/self-healing-malware-hits-magento-stores
Leave a Reply
You must be logged in to post a comment.