In recent times, online stores running the Magento platform have had to deal with a new and improved threat – Visbot malware. The first documented case of Visbot goes back to March 2015. And now roughly 7000 Magento stores worldwide have been identified as running the malware.
Unlike most Magento malware that collects credit card data, Visbot doesn’t work on the site’s frontend. It only works with server-side code, never exposing itself. Webmasters are likely to discover it – but only if they look for it.
The malware waits for users to submit credit card data and intercepts it on the server side. Visbot takes this data and encrypts it with a public encryption key hardcoded in the malware’s source code.
This encrypted data is packed into an image file using steganography, the technique of hiding text-based data inside image files.
Visbot leaves this image in one of the site’s public folders, and the malware author retrieves it at fixed intervals. If sites are running firewalls, all they see is a user downloading an image, something that happens all the time on e-commerce stores.
Here are some filenames where Visbot usually hides stolen credit card information.
The Visbot author holds the private encryption key that pairs with the hardcoded public key, and only that private key can decrypt the data. This means no other crook can download the images, extract the credit card details, and steal the data.
In order for Visbot’s creator to keep track of sites he infected, and see if they’re still infected, he uses a special user agent.
Other webmasters can check if their sites are infected with Visbot by running the following command over SSH:
grep -r Visbot --include='*.php' /my/document/root
This is the path where the infected file is located:
MageReport is a website that provides security audits for Magento sites. Store owners can use it to detect if their store is infected with Visbot.
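The grep check above, combined with a sweep of public folders for images carrying extra bytes after their end-of-image marker, as a Python scanner. This is an added example, not code from the page, from Magento or from MageReport; the page does not say how Visbot's steganography works, so the "data appended after the image's end marker" heuristic and the sample directory tree it builds are assumptions of this example.

```python
import os
import tempfile

MARKER = b"Visbot"  # the string the page's grep command searches PHP sources for
# End-of-image markers. Assumption (not stated on the page): hidden data is appended after them.
IMAGE_END = {".jpg": b"\xff\xd9", ".jpeg": b"\xff\xd9", ".png": b"\x00\x00\x00\x00IEND\xaeB`\x82"}


def php_files_with_marker(docroot):
    """Same check as: grep -r Visbot --include='*.php' <docroot>."""
    hits = []
    for dirpath, _, names in os.walk(docroot):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".php") and MARKER in open(path, "rb").read():
                hits.append(path)
    return sorted(hits)


def trailing_bytes(path):
    """Bytes after the last end-of-image marker; None for unknown formats or a missing marker."""
    marker = IMAGE_END.get(os.path.splitext(path)[1].lower())
    if marker is None:
        return None
    data = open(path, "rb").read()
    idx = data.rfind(marker)  # rfind: ciphertext that happens to contain the marker lowers the count
    return None if idx < 0 else len(data) - idx - len(marker)


def suspicious_images(docroot, min_trailing=16):
    """Images under docroot carrying at least min_trailing bytes past their end marker."""
    out = []
    for dirpath, _, names in os.walk(docroot):
        for name in names:
            extra = trailing_bytes(os.path.join(dirpath, name))
            if extra is not None and extra >= min_trailing:
                out.append((os.path.join(dirpath, name), extra))
    return sorted(out)


def build_sample_docroot():
    """Constructed sample tree, not a real infection: a clean index.php, a PHP file holding
    the marker, a minimal clean PNG, and the same PNG with 64 bytes appended after IEND."""
    root = tempfile.mkdtemp(prefix="magento-demo-")
    media = os.path.join(root, "media", "tmp")
    os.makedirs(media)
    open(os.path.join(root, "index.php"), "wb").write(b"<?php echo 'clean'; ?>")
    open(os.path.join(media, "helper.php"), "wb").write(b"<?php /* sample containing Visbot */ ?>")
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 25 + IMAGE_END[".png"]  # signature, zeroed IHDR, IEND
    open(os.path.join(media, "clean.png"), "wb").write(png)
    open(os.path.join(media, "stash.png"), "wb").write(png + b"\x00" * 64)
    return root
```

A JPEG with an embedded EXIF thumbnail or a legitimately appended metadata block will also show trailing bytes, so treat a hit as something to inspect rather than proof of infection.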
And here is what the malware’s source code looks like.
To stay on the safe side, keep your Magento patches updated and always use strong passwords.