33

Recently my PHP-based website got infected with malware (probably via a stolen FTP password).
Basically, every 30 minutes a file `frame_cleaner_php.php` was uploaded, an HTTP GET was done on it to execute it, and it was removed. I was able to intercept a copy of the file and analyze it.

It was not obfuscated in any way and was quite easy to read.
In essence it recursively scanned all PHP files, looked for 20 signatures of infections by other common malware (like `<?php eval(base64_decode("` or `<?PHP # Web Shell by oRb`) and crudely removed the lines with that infection.

Because of a false positive some lines in my own PHP files were removed, causing the site to go down. This was probably just an unintended side effect of the malware.

The big question: why would malware do this, what is there to gain?

Jeff
  • 3,599
  • 4
  • 17
  • 23

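A read-only scanner of the kind a responder might run over the same files, as an added example (Python; not the malware's code and not from the question): it looks for signature strings like the two quoted in the question and reports matching lines instead of deleting them. The third signature and both sample files are constructed for illustration; the second sample shows how the line removal described in the question produces a false positive.

```python
from pathlib import Path
from typing import NamedTuple

# Signatures of the kind the question describes: the first two are quoted from the
# question, the third is constructed for illustration.
SIGNATURES = [
    '<?php eval(base64_decode("',
    '<?PHP # Web Shell by oRb',
    'preg_replace("/.*/e"',  # constructed: the /e modifier executed code in PHP < 7
]

class Hit(NamedTuple):
    path: str
    line_no: int
    signature: str
    line: str

def scan_source(path: str, source: str, signatures=SIGNATURES) -> list:
    """Report every line containing a signature (compared lower-cased, since PHP open
    tags are case-insensitive). Nothing is edited: a hit is a lead to review."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        low = line.lower()
        for sig in signatures:
            if sig.lower() in low:
                hits.append(Hit(path, line_no, sig, line.rstrip()))
    return hits

def scan_tree(root: str, signatures=SIGNATURES) -> list:
    """Recursively scan every *.php file under root, read-only."""
    hits = []
    for p in sorted(Path(root).rglob("*.php")):
        try:
            hits.extend(scan_source(str(p), p.read_text(errors="replace"), signatures))
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
    return hits

# Constructed samples, not taken from any real site.
# 1) A dropper line appended to an otherwise clean file: a true positive on line 3.
INFECTED = '<?php\n$config = 1;\n<?php eval(base64_decode("aGVsbG8="));\n'
# 2) The site's own integrity checker: line 2 matches, but deleting it would leave
#    an unmatched "}" and a parse error, the false positive the question describes.
BENIGN = (
    "<?php\n"
    "if (strpos($buf, '<?php eval(base64_decode(\"') !== false) {\n"
    "    log_alert('injected code found');\n"
    "}\n"
)
```

Run `scan_tree("/path/to/webroot")` to list leads across a site; each hit then needs a human decision, which is the step the malware skipped.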
6 Answers

36

There are two explanations as I see it.

Fight over the box

The different malware types want to single-handedly own the box and not share it with others. It will therefore try to patch the system and remove other malware and leave a backdoor for the creator.

Ethical worms

Malware that spreads only to patch and remove other malware is often referred to as "white worms" or "ethical worms". These types of worms have very many liability issues so they are rarely seen.

2022.04.17 edit:

Anti-Forensics, Anti Reverse-Engineering

Malware could also be misplaced on a system. Infected by accident, the attackers would want to remove it to prevent analysis.

Chris Dale
  • 16,119
  • 10
  • 56
  • 97
  • 13
    `Ethical Worms`, interesting, never heard bout them. +1 – Marek Sebera Mar 11 '12 at 10:07
  • 8
    It is sometimes suggested that having your PC owned by the "Cybermaffia" gives you the best antivirus there is, as they know the playing field and, indeed, do not want to share the box with others. Of course, this probably also means that you are a node in a botnet or something equally unfavorable. – Legolas Mar 11 '12 at 12:30
  • 9
    Another reason is that malware that spreads via remote exploits (e.g. a BoF in a protocol such as SMB) would just continually infect the target machine over and over. Repeated infections may cause problems and alert the user. Some malware gets around this by advertising that the box is infected, but it's a sure-fire way to get detected, so patching the machine is often the best choice for malware writers. – Polynomial Mar 11 '12 at 12:43
  • 1
    @MarekSebera Nachi (aka Welchia) was one example. – kinokijuf Mar 11 '12 at 13:42
  • 8
    Ethical worms eh? Sort of the Dark Knight of hackers? :) Someone should make a movie about it. – Qw4z1 Mar 11 '12 at 14:43
  • @Legolas, [Didn't hear of it.](https://www.google.com/search?q=Cybermaffia) Who is cybermaffia? – Pacerier Mar 28 '15 at 17:13
28

Extending Karrax's answer:

Because the more infections a box has, the higher the chances are that (at least one of) the infections gets caught, and if the box is wiped / cleaned up, it's game over for the malware.

So, by cleaning up other infections and/or patching the system the malware is trying to preserve its own existence.

Albireo
  • 381
  • 2
  • 4
  • 4
    Funny thing is that because of the (badly executed) cleaning I discovered the infection in the first place. – Jeff Mar 14 '12 at 18:47
  • @Jeff, Why does it use GET to execute the script instead of simply executing it directly on the server? – Pacerier Mar 28 '15 at 17:14
12

Some malware authors are part of groups that don't like other malware authors. It's kind of like one football team which doesn't like another football team; they both want to see furtherance of football, but they don't want that other team to be there when it happens.

Billy ONeal
  • 2,688
  • 4
  • 15
  • 15
  • 6
    This is more true than it might seem at first. See Brian Krebs' [Pharma Wars series](http://krebsonsecurity.com/category/pharma-wars/). Botnets are mostly chosen and rented based on their size. Anything you can do to lower your competitor's botnet's size helps make you richer. – Ladadadada Mar 11 '12 at 21:23
11

Some good answers here, I hope I can add to them.

To understand why, you have to realise that your infected web server has a monetary value to the person that infected it. It may be rented out for all manner of activity from routing traffic, hosting other sites, distributing spam, DDoS, etc.

If the server has multiple infections it means it is being shared: it could be used by one person to host malware while another uses it to carry out distributed denial of service (DDoS) attacks. If one of these guys gets the IP blacklisted then it is useless for the other.

Further to this, removing vulnerabilities and other malware from the box happens so you either remove others or they remove you and you lose control of the box.

airloom
  • 366
  • 1
  • 5
8

Criminal hacker groups just don't like sharing the wealth with each other. If it's interfering with your income stream, you want it out of the running, so you disable it. Plus, security-wise, if you're running a botnet, do you want another botnet having access to gleaning information on your tactics?

Operational security, it's not just for honest people only...

Fiasco Labs
  • 1,557
  • 10
  • 12
-1

For the same reason that gangs are fighting with members of other gangs in order to remove them from the street. It is about securing the exclusive control of the valuable resources, whether it is the businesses on the street, or the CPU/GPU power.

user276955
  • 17
  • 6
  • 2
    That answer doesn't add any information to already existing answers. –  Apr 15 '22 at 00:04