Recently we had a chance to analyse some malware injected into a WordPress database. Malware injected into the database is tricky to catch for several reasons. Firstly, most malware scanners skip the database entirely or only scan part of it. Secondly, it is not possible to tell whether a piece of code stored in the database is actually malware unless you can decode it or match it against known malware signatures.
The following piece of malware was found in the custom CSS setting of Bold Builder, a WordPress page builder, which the plugin stores in the database.
The plugin outputs that setting as-is, so the code appears verbatim in the front-end page source. As you can see, it consists of two distinct lines.
Here’s what the first line decodes to:
adsnet dot work.
Here’s what the second line decodes to:
yourservice dot live.
One of these scripts also redirects search-engine crawlers such as Googlebot. The site is eventually re-indexed with the injected content, which leads to a loss of search-engine ranking and therefore of website traffic.
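As an added example (not the post's own code), here is a small Python scanner that performs the kind of database check the post says most scanners skip: it walks rows shaped like wp_options (option_name, option_value), flags values carrying script or decoder indicators that have no business in a CSS setting, decodes any base64 and String.fromCharCode blobs it finds, and reports the hosts those payloads contact, defanged in the post's "dot" style. The option names, the sample rows and the two payload encodings are constructed assumptions; the post does not show how the real payload was encoded.

```python
"""Scan WordPress option rows for injected script and encoded payloads.

Added example, not code from the original post. Option names, sample rows
and payload encodings below are constructed for illustration.
"""
import base64
import binascii
import re

# Strings that should never appear inside a page builder's custom CSS value.
INDICATORS = ("<script", "</style>", "eval(", "atob(", "fromCharCode",
              "unescape(", "document.write", "<iframe", "document.location",
              "window.location")

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")          # long base64-looking runs
CHARCODE = re.compile(r"fromCharCode\(([\d,\s]+)\)")          # String.fromCharCode(104,116,...)
HOST_IN_URL = re.compile(r"(?:https?:)?//((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def decode_blobs(value):
    """Return plaintext recovered from base64 and fromCharCode payloads in value."""
    decoded = []
    for blob in B64_BLOB.findall(value):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not real base64, or not text (e.g. a hash that happened to match)
        if text.isprintable():
            decoded.append(text)
    for codes in CHARCODE.findall(value):
        nums = [int(n) for n in codes.replace(" ", "").split(",") if n]
        decoded.append("".join(chr(n) for n in nums if 0 <= n < 0x110000))
    return decoded


def defang(host):
    """Write a hostname the way the post does, e.g. 'example dot test'."""
    return host.replace(".", " dot ")


def scan_option(name, value):
    """Return a finding dict for one option row, or None if it looks clean."""
    lowered = value.lower()
    hits = [ind for ind in INDICATORS if ind.lower() in lowered]
    if not hits:
        return None
    decoded = decode_blobs(value)
    hosts = set(HOST_IN_URL.findall(value))
    for text in decoded:
        hosts.update(HOST_IN_URL.findall(text))
    return {"option": name, "indicators": hits, "decoded": decoded,
            "domains": sorted(defang(h) for h in hosts)}


def scan_options(rows):
    """Scan (option_name, option_value) rows and keep only the suspicious ones."""
    return [f for f in (scan_option(n, v) for n, v in rows) if f]


# Constructed sample rows shaped like wp_options. The option names are
# hypothetical and the payloads are stand-ins, not the real infected data.
REDIRECT_JS = 'document.location="https://example.invalid/r";'
B64_PAYLOAD = base64.b64encode(REDIRECT_JS.encode()).decode()
CHARCODE_JS = ",".join(str(ord(c)) for c in 'var s="//example.test/a.js";')
SAMPLE_ROWS = [
    ("theme_custom_css", "body { color: #333; }"),                 # clean
    ("bold_builder_custom_css",                                     # infected (constructed)
     "body{}</style>"
     f"<script>eval(atob('{B64_PAYLOAD}'))</script>"
     f"<script>eval(String.fromCharCode({CHARCODE_JS}))</script>"),
    ("blogname", "Example blog"),                                   # clean
]

if __name__ == "__main__":
    for finding in scan_options(SAMPLE_ROWS):
        print(finding["option"], finding["indicators"], finding["domains"])
```

Against a live site, feed the same function the result of `SELECT option_name, option_value FROM wp_options` (and, for content stored by page builders per post, `meta_key, meta_value` from wp_postmeta), since a string match on `<script` alone misses payloads that only reveal their destination after decoding.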