In today’s post we’re going to be going over the top ten most cumbersome website infections to remove, based on the sheer number of files or database entries that they infected on compromised client sites during 2021.
Some website malware infections are quite surgical and affect only a small number of files. This is particularly true of credit card skimming malware, which are often designed to stay hidden for as long as possible and contain clever features to evade detection. However, other types of infections do exactly the opposite: They infect as many files as they possibly can get their hands on within the victim’s website environment.
If you have automated cleanup tools to assist you like we do at Sucuri, the number of files themselves isn’t really an issue. However, if you’re a website administrator and find yourself having to remove an infection yourself without any working backups, that’s another story altogether.
In this post we’ll be analysing some of the largest malware infections seen in 2021 whose total infected file count made its way into our top ten list.
Disclaimer: To better represent the data we have grouped our signatures into families, so that very similar and related malware are grouped together and treated as one “type” of malware.
Topping our logs with over two million confirmed cleaned files were the many variations of .htaccess “nuisance” malware. While it doesn’t do anything explicitly malicious it does interfere with the normal operations of the website and populates itself into thousands of directories within the website structure. It is placed by the attackers during a website compromise.
This nuisance malware renders the wp-admin panel totally inaccessible, resulting in many 403 Forbidden responses when trying to interact with the website.
These infections can be particularly troublesome to remediate given the sheer number of files involved and the fact that it prevents any PHP scripts from running on the site other than the ones that it specifies.
This was the second most commonly identified malware, and was also responsible for over two million confirmed cleaned files over the course of 2021.
The attackers often swap out domains every few weeks or months as they become blocklisted. We can see the top most commonly identified malicious redirect domains from our 2021 Threat Report here:
Notice the high prevalence of .ga and .tw domains, which we’ve written about on our blog.
It’s not uncommon for the spam to display only to search engines but remain invisible to regular website visitors. This is called cloaking.
Some of the most common spam terms found on compromised client sites include:
- Essay writing services
- Knockoff jerseys and other brand name products
- Escort services
- Adult websites
- Online casinos
- Replica watches
- Pirated software
This malware family had over 1.1 million cleared malicious detections in 2021 alone.
In 2021 there were half a million cleaned instances of this malware injection.
SEO spam is a malicious technique used to manipulate the search engine results in order to benefit a website in terms of relevance. Spammers use this technique to hijack the search engine rankings of legitimate websites and use it to promote their spammy website.
The payload is based on .htaccess rules, thus intended for server-side use and the payload is executed directly on the server before the site is rendered. In a normal .htaccess file it would instruct the website to reference the normal index.php file, but in this case the attackers replace that with a spammy PHP script that manipulates the website content instead.
Typically the spammy content is tailored to be visible only to search engines and visitors who enter the website through search engine page results. This allows it to remain hidden for longer and better prop up the attackers blackhat SEO campaign.
Over 300,000 instances of malware related to this signature were cleaned from compromised client sites in 2021.
Over 200,000 infected files for this malware were cleaned in 2021.
PHP- based malware redirects tend to be standalone files that, when visited, send the victim to a destination of the attackers’ choosing. These can be spam sites, tech support scams, or malicious domains with drive-by-downloads such as trojans.
A similar number of files were cleaned for this malware at roughly 200,000 instances.
Generic malware, as the name suggests, is not a category which serves any single function. This is a miscellaneous category which includes malicious scripts that employ fairly basic obfuscation. They are often backdoors, malicious redirects, or component files used in a broader infection on the victim’s website.
Over 200,000 instances of these generic malicious scripts were cleared up over the course of the year.
Another very common infection we see is spammy content injected into post content. These are changes to websites made by hackers with a goal to improve search engine ranking of third-party websites or to drive search traffic to third-party websites via doorway pages on compromised sites. Spam-seo malware may include
- Invisible links
- Spammy posts
- Unwanted redirects of search traffic
Over 200,000 instances of this malware was cleaned over the course of the year.
So my site was hacked, now what?
Let’s say that you’re a website owner and your website was hit with one of these very cumbersome infections. What do you do?
The path of least resistance is to restore a recent, functional backup of your website. This will overwrite any malicious modifications to the files and database. This may not be an ideal option if you operate a blog or news site which is updated daily, but might still save you a big headache.
If that’s not an option, you can try removing it yourself. You can check our guide on how to fix a hacked WordPress website for reference.
Database entries are easy enough to remove using a search/replace query, but files are another story altogether. You can try using the command line sed tool if your webserver is running Linux, but be careful as you don’t want to remove any legitimate content.
If you’re not comfortable with that, you can manually replace all your plugin, theme, and core CMS files with fresh copies. Just make sure to query your file system for the malicious code when you’re done to make sure you didn’t miss anything.
Cleaning up an extensive malware infection can be a daunting task, especially if you’re new to all of this. Malware can do extensive damage to a website environment and putting the pieces back together is often a headache.
Of course, you can always sign up for our website remediation service and have our experts clean up your environment and give you some tips on how to keep it more secure!
We had a lot of content that couldn’t make it into the final cut for our 2021 Website Threat Report. In the spirit of sharing our knowledge and research, we’ll be publishing a lot more content about emerging malware on our blog in the coming weeks. Stay tuned!