Malware researchers can often spot the problem easily, as most malware authors reuse the same tricks: obfuscation, random files dropped into the site, and lines injected at the top of a file. This isn’t always the case, though; sometimes the malware is buried deep inside the code of a legitimate file.
An attacker wants to keep access to an infected site, so they may spend hours hiding their backdoor. As long as they can keep getting back in, they can keep re-infecting the site.
Recently, malware was found on a site buried deep inside a file of the CForms plugin, within a legitimate function.
The flagged code was not obviously malicious, but on close inspection it turned out that the original function had been commented out and replaced with a function of the same name containing malicious code.
The original function code was still present, but the malware had been added alongside it. This doesn’t break the plugin, which extends the malware’s lifespan: the webmaster sees nothing broken, so never notices it or takes action to fix it. It appears the original was commented out rather than deleted because the malware author may have been testing whether the replacement would break the function.
This is a more sophisticated piece of malware than we usually see, but it is becoming more common. As it isn’t obfuscated, it is harder to spot. Further research found the same type of malware in two more pieces of code on GitHub.
As this was well planned, it would be remiss to think that this sort of malware isn’t going to become much more common as malware authors look for ways of keeping backdoors open. To be safe, you need to be sure you are running integrity checks against known-good copies of your files.
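The pattern described above (a function whose original body is commented out next to a live replacement of the same name) can be flagged mechanically when no known-good manifest is at hand. The scanner below is an added example written for this post, not code from the original article or from the CForms plugin; the sample PHP source and the function names `cforms_send_mail` and `cforms_extra_step` are constructed, and the comment stripping is a deliberate simplification that does not special-case comment markers inside string literals.

```python
import re

# PHP comments: /* ... */ blocks, // line comments and # line comments.
# Assumption/simplification: comment markers inside string literals are not
# special-cased, so 'http://...' inside a string would be read as a comment.
COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.DOTALL)
# A PHP function definition: `function name(` (optionally returning by reference).
FUNC_RE = re.compile(r'\bfunction\s+&?\s*([A-Za-z_]\w*)\s*\(')


def split_comments(src: str):
    """Split PHP source into (live_code, comment_text)."""
    comment_text = "\n".join(COMMENT_RE.findall(src))
    live_code = COMMENT_RE.sub(" ", src)
    return live_code, comment_text


def find_shadowed_functions(src: str):
    """Return names defined in live code that also appear in a commented-out definition.

    A commented-out copy of a function sitting beside a live definition with the
    same name is the hiding pattern the post describes; each hit is worth a diff
    against the vendor's release of the file.
    """
    live_code, comment_text = split_comments(src)
    live_names = set(FUNC_RE.findall(live_code))
    dead_names = set(FUNC_RE.findall(comment_text))
    return sorted(live_names & dead_names)


# Constructed sample (not the real CForms code): the original function is
# commented out and a same-named replacement with a different body follows it.
SAMPLE_PHP = r'''<?php
/*
function cforms_send_mail($to, $subject, $body) {
    return wp_mail($to, $subject, $body);
}
*/
function cforms_send_mail($to, $subject, $body) {
    $body = cforms_extra_step($body); // body differs from the commented-out original
    return wp_mail($to, $subject, $body);
}
function cforms_extra_step($body) { return $body; }
'''

if __name__ == "__main__":
    print(find_shadowed_functions(SAMPLE_PHP))  # → ['cforms_send_mail']
```

Run it over every `.php` file under the plugin directory and treat any hit as a prompt to compare that file with a known-good copy; an empty result is not a clean bill of health, since the page's real recommendation remains a full integrity check.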