Magento-based online shops hit with self-healing malware

Administrators of e-commerce sites running on the open source platform Magento would do well to check their database for triggers with suspicious SQL code, warns Willem de Groot.

Magento malware

De Groot is the co-founder of byte.nl, a webhosting provider for (among other things) Magento shops, and he was recently made aware of an interesting new attack pattern spotted by Magento/PHP developer Jeroen Boersma.

The latter discovered a suspicious database trigger on a compromised online shop.

The attacker brute forced his way in through the /rss/catalog/notifystock/ URL, dropped the malware in the database, and inserted the trigger code.

The trigger makes it so that each time a customer places a new order, it checks for the existence of the malware in the header, footer, copyright and every CMS block. If it doesn’t find it, it will re-introduce it in the site’s source code.

All this happens just before Magento assembles the page, and the result is that, unbeknownst to the buyer, the malware intercepts his or her credit card and personal data and forwards it to the attacker.

“Regular Javascript-based malware is normally injected in the static header or footer HTML definitions in the database. Cleaning these records used to be sufficient to get rid of the malware,” De Groot noted.

This is the first time he saw malware written in SQL, he said, and pointed out that because of this malware detection methods should now include database analysis, and not just file scanning.

He added detection for this particular trigger in his Magento Malware Scanner, a scanning tool for detecting Magento malware. Free scanning service MageReport should also spot it.

Deleting it should be easy – just follow De Groot’s instructions.

The nature of this malware made me think that the same technique can be used on other e-commerce platforms or CMSes. De Groot confirmed my suspicion.

“Hiding CMS malware in a database function/trigger is a novel technique that, as far as I know, hasn’t been seen before,” he told me. “This method is CMS- and platform-agnostic, so we will likely see it popping up in different systems.”