A newly discovered malware attack manages to restore itself in its ongoing campaign against Magento-powered online stores.
Discovered by Magento/PHP developer Jeroen Boersma, the malware lies in wait until a user places an order on an infected website. It then executes itself before Magento, which is written in PHP, has a chance to assemble the webpage.
But this malware differs from earlier strains.
Willem de Groot, co-founder at Byte BV, told Bleeping Computer as much:
"Malware was stored in [databases] before, but only as text. You could scan a dump of your database and know whether it contains malicious stuff. But now, the actual malware is executed inside the DB. This is the first time I see malware written in SQL. Previously, malware was written in JS or PHP."
Infection occurs when attackers brute-force a shop's /rss/catalog/notifystock/ URL. Once the malware has successfully installed itself, it executes a SQL query to check for its code in the header, footer, copyright, and Magento CMS blocks. If it doesn't find its code there, the malware reasserts itself by re-inserting it.
At that point, the malware makes off with a customer's credit card information.
De Groot is troubled by this development. He feels there's only one solution. As he explains in a blog post:
"This discovery shows we have entered a new phase of malware evolution. Just scanning files is not enough anymore, malware detection methods should now include database analysis."
To protect against this malware, site administrators should search their Magento shop's database for triggers that contain suspicious SQL code like admin, js, script, or the <> HTML tags. If they find anything suspicious, they can delete it using this command:
echo "DROP TRIGGER <trigger_name>" | n98-magerun db:console
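The search described above can also be run offline against a database dump. The following is an added example, not code from the article or from de Groot's post: it pulls trigger definitions out of a dump and flags those matching the listed strings. It assumes the dump includes triggers in the `;;`-delimited form mysqldump writes; the sample dump, its table and trigger names, and the function names are constructed for illustration.

```python
import re

# Indicators from the article; the HTML-tag regex is this example's reading of "<>".
INDICATORS = {
    "admin": re.compile(r"admin", re.I),
    "js": re.compile(r"js", re.I),
    "script": re.compile(r"script", re.I),
    "html_tag": re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I),
}

# CREATE TRIGGER as mysqldump writes it; the body runs to the ";;" delimiter.
TRIGGER_RE = re.compile(
    r"TRIGGER\s+`?(?P<name>\w+)`?\s+(?P<timing>BEFORE|AFTER)\s+"
    r"(?P<event>INSERT|UPDATE|DELETE)\s+ON\s+`?(?P<table>\w+)`?\s+"
    r"FOR\s+EACH\s+ROW\s+(?P<body>.*?);;",
    re.I | re.S,
)

# Constructed sample dump; every table and trigger name here is hypothetical.
SAMPLE_DUMP = r"""
DELIMITER ;;
/*!50003 CREATE*/ /*!50017 DEFINER=`root`@`localhost`*/ /*!50003 TRIGGER `demo_stock_audit` AFTER UPDATE ON `demo_stock` FOR EACH ROW
BEGIN
  INSERT INTO demo_stock_log (item_id, qty) VALUES (NEW.item_id, NEW.qty);
END */;;
/*!50003 CREATE*/ /*!50017 DEFINER=`root`@`localhost`*/ /*!50003 TRIGGER `demo_after_order` AFTER INSERT ON `demo_order` FOR EACH ROW
BEGIN
  UPDATE demo_block SET content = '<script>PLACEHOLDER</script>' WHERE id = 1;
END */;;
DELIMITER ;
"""

def find_triggers(dump_sql):
    """Return one dict (name, timing, event, table, body) per trigger in the dump."""
    return [m.groupdict() for m in TRIGGER_RE.finditer(dump_sql)]

def flag_triggers(dump_sql):
    """Return {trigger_name: [indicator labels]} for triggers that need review."""
    flagged = {}
    for trig in find_triggers(dump_sql):
        hits = [label for label, rx in INDICATORS.items() if rx.search(trig["body"])]
        if hits:
            flagged[trig["name"]] = hits
    return flagged

if __name__ == "__main__":
    for name, hits in flag_triggers(SAMPLE_DUMP).items():
        print(f"review trigger {name}: matched {', '.join(hits)}")
```

A match is a prompt for manual review, since legitimate triggers can contain these strings too.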