Sucuri Research Labs



Chinese Doorway Spam - P2

Published: 2014-10-21  by  Denis Sinegubko

We are seeing an increasing number of hacked sites with Chinese doorways promoting various fake merchandise (from Louis Vuitton handbags to NFL jerseys and Canada Goose jackets).

These doorways target both Western and Chinese web searches. Here's how they make sure the doorway correctly preserves search queries in Chinese (converting from UTF-8 to gb2312) when working with the Google search referrer string:



Since Google uses "ie=utf-8" by default for most languages, queries containing non-ASCII characters that are not Simplified Chinese will be garbled by that conversion. Apparently they are only interested in English and Chinese queries.
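As an added example (not code from the post), the following Python pulls the query out of a Google referrer and re-encodes it the way the doorway does, reporting which characters gb2312 cannot hold; the two referrers are constructed:

```python
from urllib.parse import parse_qs, urlparse


def google_query(referrer):
    """Return (q, ie) from a Google search referrer; ie defaults to utf-8, as Google does."""
    params = parse_qs(urlparse(referrer).query)
    return params.get("q", [""])[0], params.get("ie", ["utf-8"])[0].lower()


def convert_for_doorway(query):
    """Re-encode the query the way the doorway does (UTF-8 text -> gb2312 bytes).
    Returns (gb2312_bytes, lost) where lost lists the characters gb2312 cannot
    represent: ASCII and Simplified Chinese survive, most other scripts do not."""
    lost = [c for c in query if c != "?" and c.encode("gb2312", "replace") == b"?"]
    return query.encode("gb2312", "replace"), lost


# Constructed referrers, not captured traffic: a Chinese query and a Spanish one.
REFERRERS = [
    "http://www.google.com/search?q=louis+vuitton+%E6%89%8B%E5%8C%85&ie=utf-8",
    "http://www.google.es/search?q=bolsos+baratos+Espa%C3%B1a",
]


def audit_referrers(referrers=REFERRERS):
    """Return [(query, lost_characters)] so an analyst can see which searches survive."""
    report = []
    for ref in referrers:
        query, _ie = google_query(ref)
        report.append((query, convert_for_doorway(query)[1]))
    return report
```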




Chinese Doorway Spam

Published: 2014-05-27  by  Denis Sinegubko

One of the common tactics used by spammers and black hat "SEO" is to use Doorway pages for their spam content. These pages get indexed by search engines and when visited by a real user (not a bot), redirect them to a different URL that they want to promote.

Most times, this is done using various automatic redirects. The redirect mechanism can be quite simple or very sophisticated, client-side (e.g. JavaScript) or server-side (PHP or/and .htaccess). What all of them have in common is they need to properly tell unneeded traffic from target traffic. To do it, the redirect scripts normally check a referrer, visitor's IP and User-Agent and then act accordingly.

However, these Chinese doorways for fake popular and luxury goods stores use a much simpler approach - they check visitors' time zone.

All the doorways include the same external JavaScript with the following code:



Which when deobfuscated looks like this:

This code checks that the visitor is not in China (time zone is not GMT+8) and then redirects eligible visitors to the beneficiary (spam) site. Visitors from China and some neighboring countries (unneeded traffic) and bots without JavaScript stay on those gibberish, keyword-stuffed doorway pages.




Double hidden style - Hiding spam

Published: 2014-04-17  by  Denis Sinegubko

We see many tricks that hackers use to make search engine bots think that the injected spam is not hidden. One of the common approaches is to place a spam block inside a "div" with some particular "id" or "class" and then add a JavaScript call to make that div invisible.

The newest form of the "unlocked iphone" spam injection tries something new (that also made us smile). It uses elementary-school math to make the spammy div's id and the id used in the JavaScript look different.

Here's the typical code:



The idea is simple: the malware generates a random number (call it n), doubles it and uses the result as the spam div's id. In the JavaScript code, it then uses the same multiplication verbatim as the getElementById(n*2) parameter, which works because JavaScript implicitly converts the number to a string.
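An added detector (not code from either post) for the two cloaking tricks described here: the timezone-gated redirect of the Chinese Doorway Spam post above and the n*2 div-id trick of this post. It scans the inline scripts of a constructed page fragment:

```python
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ID_ATTR_RE = re.compile(r"""\bid\s*=\s*["']?([^"'\s>]+)""", re.I)
# getElementById(1234*2): an arithmetic expression where a string literal is expected
MATH_ID_RE = re.compile(r"getElementById\(\s*(\d+)\s*([*+])\s*(\d+)\s*\)")
HIDE_RE = re.compile(r"""display\s*=\s*["']none""")
# getTimezoneOffset() != -480 : JavaScript offsets are minutes *behind* UTC, so -480 is UTC+8
TZ_RE = re.compile(r"getTimezoneOffset\(\)\s*(?:[!=]=+|[<>]=?)\s*(-?\d+)")
LOCATION_RE = re.compile(r"\b(?:window\.|top\.|document\.)?location(?:\.href|\.replace|\s*=)")


def find_cloaking(html):
    """Return a list of (finding, detail) for the two tricks described above."""
    findings = []
    ids = set(ID_ATTR_RE.findall(html))
    for script in SCRIPT_RE.findall(html):
        for a, op, b in MATH_ID_RE.findall(script):
            # Evaluate the same arithmetic the browser would, then look for that id on the page.
            ident = str(int(a) * int(b) if op == "*" else int(a) + int(b))
            if ident in ids and HIDE_RE.search(script):
                findings.append(("hidden-div-math", ident))
        tz = TZ_RE.search(script)
        if tz and LOCATION_RE.search(script):
            hours = -int(tz.group(1)) // 60
            findings.append(("timezone-gated-redirect", "UTC%+d" % hours))
    return findings


# Constructed page fragment in the style of the injections (no real URLs).
SAMPLE_HTML = """
<div id="2468">cheap unlocked iphone ...</div>
<script>document.getElementById(1234*2).style.display='none';</script>
<script>
if (new Date().getTimezoneOffset() != -480) {
    window.location.href = "http://example.invalid/";
}
</script>
"""
```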




Fake botsvsbrowsers domain

Published: 2014-03-07  by  Daniel Cid

The domain botsvsbrowsers.com is quite popular and is used for looking up user agents (browsers) to see whether a specific request comes from a real user or a bot.

Piggybacking on its popularity, the bad guys created the domain botsvsbrowsers.biz (.biz versus .com) to be used as a command and control server in SEO spam campaigns.

This is the code we are seeing on compromised sites:



It contacts botsvsbrowsers.biz/Statistic/Stat.php on every page load, passing the client IP address and URL, and the server decides what to inject for that user. Most of the time we are seeing just plain spam, but they are probably serving other malicious code as well.

So if you see any content being loaded from botsvsbrowsers.BIZ (or the IP address 46.165.222.93), you know it is malicious.




One way of hiding an iframe

Published: 2014-01-16  by  Daniel Cid

There are multiple ways to inject an iframe into a web site, and every day we find a new evasion technique that makes it harder to detect. This is a new one found by Fio:



It uses many encodings just to load this iframe:



This redirects the user visiting a compromised site to a porn page.




PHP str_replace to hide malware

Published: 2014-01-03  by  Ante Kresic

We found another interesting piece of PHP-based malware on a client site a few days ago:

Can you decode it and see what it is doing?

This piece of code tries to obfuscate all the functions that could be flagged by a scanner using a benign PHP function called str_replace. This function replaces all instances of a string with a replacement in the subject. So, for example, the next line:

$ts = str_replace("b","","bsbtr_brbepblabcbe");

replaces all instances of the character 'b' with nothing. So from bsbtr_brbepblabcbe we get str_replace. Using the same technique, we have some more functions:

$dzy = $ts("er", "", "erberaersereer6er4er_dereercerodere"); //base64_decode
$mc = $ts("y","","ycyryeyaytye_yfyuynctyiyoyn"); //create_function

All this for creating a function and running it in this line:

$tha = $mc('', $dzy($ts("nd", "", $exg.$sjb.$iyo.$fy))); $tha();

The function body comes from the next expression:

$dzy($ts("nd", "", $exg.$sjb.$iyo.$fy));

And the final code is:



What does it do? It uses some simple tricks to edit the contents of a cookie, decodes it from base64 and evals (executes) that malicious code.




How to eval() without eval() in PHP

Published: 2013-12-11  by  Peter Gramantik

In our daily malware analysis we've noticed that the bad guys are using obfuscation more and more to hide what they are doing. Take for example this piece of code we found injected on a website:



No sign of any eval() and no sign of preg_replace() with the eval modifier, like in the majority of malware files.

When I looked at it for the first time, I thought it was just some corrupted/incomplete malware that can't work. But one of the prerequisites for my job is being curious, and I am, so I checked it more deeply and... the result was interesting!

First, I decided to beautify the code to see it more clearly…



Those commented lines at the bottom are my own; they helped me to understand what's behind each variable and how it works. As you can see, it has getenv, preg_replace and base64_decode, and when you put it all together, you get the readable code:



And that's it: yes, there actually ARE eval() and even base64_decode() calls, but hidden behind variables. Otherwise, it's really just a malicious backdoor component which reads a custom environment variable where the actual payload is stored. Curious about other ways of running code in PHP without using eval() at all?

There are.

The most common is preg_replace() with the "/e" modifier (which evaluates the replacement as PHP code after the substitution); a less common but very interesting one is the PHP assert() function. As the official PHP documentation says: if the assertion is given as a string it will be evaluated as PHP code by assert(). And there are other surprises in PHP...




WordPress password stealer

Published: 2013-11-27  by  Peter Gramantik

Following Fio's recent post on the Joomla password stealer, here's another beautiful example of a password stealer, this time from a WordPress environment.

It's easy to understand, but what's interesting is that it looks like legitimate code, so you can easily overlook it. It stores its data in "png" files under the ./wp-includes/images/ path and sends them to a non-obfuscated email address.

This is the bad part that was injected into the file user.php in wp-admin:



Anyway, keep your eyes open, guys :)
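An added check (not the post's code) for the storage trick described above: it walks a WordPress tree and reports files whose image extension is not backed by an image header. The tree is constructed in a temporary directory:

```python
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# First bytes a file must start with to really be the image its extension claims.
IMAGE_MAGIC = {
    ".png": (PNG_MAGIC,),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def find_fake_images(root):
    """Return paths under root whose extension says 'image' but whose header does not.
    A stealer writing text into wp-includes/images/*.png shows up here immediately."""
    fakes = []
    for path in Path(root).rglob("*"):
        signatures = IMAGE_MAGIC.get(path.suffix.lower())
        if signatures is None or not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(8)
        if not any(head.startswith(sig) for sig in signatures):
            fakes.append(str(path.relative_to(root)))
    return sorted(fakes)


def build_sample_tree():
    """Constructed sample tree: one genuine PNG header, one 'png' that is really text."""
    root = tempfile.mkdtemp()
    images = Path(root, "wp-includes", "images")
    images.mkdir(parents=True)
    (images / "arrow.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
    (images / "cache.png").write_bytes(b"admin|hunter2|2013-11-27\n")  # constructed, not real data
    return root
```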




Joomla password stealer

Published: 2013-11-21  by  Fioravante Souza

As we know, one of the main goals after a successful attack is to maintain access to the compromised server for as long as possible. Today we found this simple but effective password stealer for Joomla.



It was injected in /administrator/components/com_login/models/login.php, and the code just captures the $credentials array (username and password, to be specific) and writes them to a login.txt file, which was accessible from the internet.

To make things even easier for the attacker, it writes the date and time of the capture in the Chicago time zone (so is the attacker in Chicago?).




PHP://input Backdoor

Published: 2013-11-08  by  Denis Sinegubko

Just came across this backdoor (decoded):



It looks like a normal backdoor, but the interesting part, and the one I didn't understand completely, was this one:

What is it doing?

Why is it reading from php://input? From the PHP manual it explains:

That explains it.




PHP.net blacklisted by Google

Published: 2013-10-24  by  Daniel B. Cid

We woke up this morning to many reports and people asking why the PHP.net site is being blacklisted. We did not get a chance to analyze it while it was compromised, but it seems that one of their JavaScript files (static.php.net/www.php.net/userprefs.js) was modified to inject a malicious iframe from "http://lnkhere.reviewhdtv.co.uk/stat.htm".

This is the suspected bad code: http://pastebin.com/raw.php?i=nAess4xL

It seems the PHP team fixed it already and requested Google to clear it. If anyone has more info, we would love to hear it.






Do you still look for base64_decode?

Published: 2013-10-09  by  Daniel B. Cid

A common keyword that people use to find hidden injections on web sites is "base64_decode". You often see injections that look like "eval ( base64_decode" or "eval ( gzinflate ( base64_decode" being used by the attackers.

So most web security tools have signatures to look for it (especially on WordPress).

Well, the attackers know about it as well and we are starting to see some interesting variations. For example, instead of injecting base64_decode directly, they build it in a variable:



And instead of calling base64_decode directly, they are using base + 32*2 + decode. A simple trick that allows them to bypass many security filters.
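An added analysis helper (not code from any of these posts) covering the str_replace() trick, the eval()-behind-a-variable trick with its preg_replace /e and assert() relatives, and the split base64_decode name: it folds the constant expressions such samples use, resolves which function each variable really names, and lists the calls worth a second look. The PHP sample is constructed:

```python
import re

# Names worth a second look whether called directly or through a variable.
WATCHLIST = {"eval", "assert", "create_function", "base64_decode", "gzinflate", "getenv"}
LIT = r'"([^"]*)"'
# Rewrite rules for the PHP constant expressions these samples use; applied until nothing changes.
RULES = [
    (re.compile(r"\(\s*(\d+)\s*\*\s*(\d+)\s*\)"), lambda m: str(int(m.group(1)) * int(m.group(2)))),
    (re.compile(r"\(\s*(\d+)\s*\+\s*(\d+)\s*\)"), lambda m: str(int(m.group(1)) + int(m.group(2)))),
    (re.compile(LIT + r"\s*\.\s*" + LIT), lambda m: '"%s%s"' % (m.group(1), m.group(2))),
    (re.compile(LIT + r"\s*\.\s*(\d+)\b"), lambda m: '"%s%s"' % (m.group(1), m.group(2))),
    (re.compile(r"\b(\d+)\s*\.\s*" + LIT), lambda m: '"%s%s"' % (m.group(1), m.group(2))),
    # str_replace(needle, replacement, haystack): PHP and Python both replace left to right
    (re.compile(r"str_replace\(\s*" + LIT + r"\s*,\s*" + LIT + r"\s*,\s*" + LIT + r"\s*\)"),
     lambda m: '"%s"' % m.group(3).replace(m.group(1), m.group(2))),
]
VAR_RE = re.compile(r"\$(\w+)(\s*\()?")
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*([^;]+);")
CALL_RE = re.compile(r"(\$?\w+)\s*\(")
# preg_replace("/.../e", ...): modifier letters sit between the closing delimiter and the quote
PREG_E_RE = re.compile(r"""preg_replace\s*\(\s*(["'])(.)(.*?)\2([a-zA-Z]*)\1""")


def fold(rhs, env):
    """Reduce an assignment's right-hand side to a string literal, or None if it
    depends on something not constant (a request variable, an unknown $var, ...)."""
    rhs = rhs.replace("'", '"')
    previous = None
    while rhs != previous:
        previous = rhs
        rhs = VAR_RE.sub(lambda m: _substitute(m, env), rhs)
        for regex, rewrite in RULES:
            rhs = regex.sub(rewrite, rhs)
    literal = re.fullmatch(r'\s*"([^"]*)"\s*', rhs)
    return literal.group(1) if literal else None


def _substitute(m, env):
    """$var -> its resolved literal, or name( when $var is used as a function."""
    value = env.get(m.group(1))
    if value is None:
        return m.group(0)
    return value + "(" if m.group(2) else '"%s"' % value


def analyse(php):
    """Return (resolved variables, suspicious calls) for a PHP snippet."""
    env, hits = {}, []
    for m in ASSIGN_RE.finditer(php):
        value = fold(m.group(2), env)
        if value is not None:
            env[m.group(1)] = value
    for m in CALL_RE.finditer(php):
        name = m.group(1)
        target = env.get(name[1:]) if name.startswith("$") else name
        if target in WATCHLIST:
            hits.append((target, "via " + name if name.startswith("$") else "direct"))
    for m in PREG_E_RE.finditer(php):
        if "e" in m.group(4):
            hits.append(("preg_replace", "/e modifier"))
    return env, hits


# Constructed sample in the style of the snippets above (not the real injected files).
SAMPLE = r"""<?php
$ts = str_replace("b", "", "bsbtr_brbepblabcbe");
$dzy = $ts("er", "", "erberaersereer6er4er_dereercerodere");
$mc = $ts("y", "", "ycyryeyaytye_yfyuynctyiyoyn");
$tha = $mc('', $dzy($ts("nd", "", $exg.$sjb.$iyo.$fy)));
$tha();
$b = "base" . (32 * 2) . "_decode";
$e = "eval";
$e($b(getenv("CONSTRUCTED_ENV")));
preg_replace("/.*/e", $code, "");
assert($code);
"""
```

Run analyse(SAMPLE) to see the resolved names and the hit list; assignments that depend on non-constant input (like $tha above) are left unresolved rather than guessed.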






Fake piwik domain - piwik-stat

Published: 2013-07-14  by  Daniel B. Cid

Piwik is an open source web analytics package used by many web masters. The bad guys are using its popularity to make their malware injection harder to detect: they inject malicious JavaScript calls from a domain that looks like it came from the Piwik project, www.piwik-stat.com/piwik.js. This is what is being injected:



It is not an uncommon tactic (we see it often with jQuery), but as a web master, if you see anything from piwik-stat or similar variations, it is likely fake. The official (and trusted) one is http://piwik.org/.






New juquery.com injection

Published: 2013-07-08  by  Fioravante Souza

Today we found a malicious iframe that was being loaded from juquery.com (another fake jQuery site). It consisted of the following code hidden inside one of the plugins:



It forces the site to contact juquery.com/jquery-1.6.3.min.js on every page load and display whatever content it provides. It is currently displaying the following malicious payload (as triggered by SiteCheck):



Which creates another iframe based on the payload hosted at: httx://www.juquery.com/compability.php?0.09432658250443637:



Which also decodes to the iframe loading script:



It seems that fake jQuery sites are becoming more and more popular; only jquery.com and jquery.org should be trusted.




Continuing injections from *.no-ip.biz

Published: 2013-07-03  by  Daniel B. Cid

I don't think we have written about it lately, but an old infection (that started early this year) is still going strong. The result is this code being injected into the site when it is visited by certain browsers:



And the hidden code that generates it is tricky to find and is generally hidden inside one of the theme files or wp-includes (on WordPress sites). It looks like this:



All that for one end goal: injecting an iframe from *.no-ip.biz (and other free domains) that redirects the victim's browser to Fake AV.






Backdoor Injector code

Published: 2013-05-16  by  Daniel B. Cid

Backdoor injector code we found on a compromised site:

It looks for a writable directory inside wp-includes, wp-content or uploads and injects a backdoor there.






Large scale TDS redirections

Published: 2013-02-15  by  Daniel B. Cid

Lots of compromised sites redirecting to a TDS:

And that's just a small sample. In February alone we have detected over 500 sites compromised exactly like that.






ChangeIP (dynamic DNS) malware

Published: 2012-12-10  by  Daniel B. Cid

If you look at the top domains distributing malware for the last days (and months), what do you see in common?

Most of them are using a ChangeIP.com (dynamic DNS) subdomain as the first level of injection. Just check ddns.info, qhigh.com, mynumber.org, pcanywhere.net, etc. They are all part of http://www.changeip.com/. Just in the last 60 days, we identified more than 15,000 different subdomains from them being used to distribute malware.

Don't get us wrong, dynamic DNS is a very useful service, but we would love it if they implemented more serious filtering/blacklisting and some type of captcha to prevent their service from being abused by criminals.

However, in the current state, we can only recommend against using their service to avoid being thrown in the mix with the thousands of malicious domains that they host.

*If you look back 6 months, .co.cc was the main domain distributing malware, but since it was shut down, the attackers have migrated to changeip.com. Hopefully they will do something about it.






More Fake jQuery sites - jqueryc.com

Published: 2012-11-22  by  Daniel B. Cid

We keep seeing fake jQuery sites popping up and being used to distribute malware. One was jquerys.org, another was jquery-framework.com and the new one is jqueryc.com (199.59.241.179).

And this new one seems to be affecting many web sites in the last few days. All of them have the following in their header or index.php files:



This redirects any visitor of the web site to jqueryc.com, from where they are sent on to other random spammy domains (it seems a TDS is in place).

Update: We are also seeing some sites with this JavaScript file being included: http://www.jqueryc.com/jquery-1.6.3.min.js, which just redirects back to jqueryc.com via the same window.top.location.href in JavaScript.

*Note that the domain was just registered (20-nov-2012), so it is not being flagged anywhere.
**The official jquery sites are jquery.org or jquery.com. Other variations are likely fake.




co.cc seems to be gone

Published: 2012-11-20  by  Daniel B. Cid

It seems that .co.cc (a sub-TLD that used to be heavily used by spammers and malware distributors) is now gone. Their registration page is offline:



And we hope it stays that way.




Iframes generator: http://wordpresstest2.info/1.txt

Published: 2012-10-25  by  Daniel B. Cid

If your site is loading hidden iframes from *.ftp1.biz/pony, look for a curl or file_get_contents call to http://wordpresstest2.info/1.txt. When you visit this site, it generates random iframes:



These are then displayed on the compromised sites.




Mass infections from fenwaywest.com/media/index.php

Published: 2012-10-11  by  Daniel B. Cid

We are seeing a large number of sites compromised with an iframe pointing to http://fenwaywest.com/media/index.php. Just in the last 3 days, we identified almost 10,000 sites with it:



All the compromised sites have an iframe similar to this one:



The domain is hosted at 50.28.53.157, but currently offline (redirecting to Google), so we can't really tell what it is doing. But on previous requests, it was redirecting to a TDS (traffic distribution system) and from there, being sent to multiple spam or malicious domains.




badgeplz.com Compromised

Published: 2012-10-04  by  Daniel B. Cid

Update 2012/Oct/12: Their site was fixed and is not loading malware anymore.

If you are using any widget/code from http://badgeplz.com/, remove it from your site asap. The site has been compromised and is serving malicious code, so if you use any widget from there, the malicious code (Blackhole exploit kit) will be loaded from your site as well.

Example:



Not only that, but their main site is compromised as well.




Iframes to redkit exploit kit

Published: 2012-09-12  by  Daniel B. Cid

A new batch of compromised sites is being infected with hidden iframes leading to the Redkit exploit kit. A site gets hacked and an iframe similar to this one is added:



Once that is loaded into the browser, it redirects anyone visiting the site to:



Where it tries to make the browser load some malicious PDFs or Jar files:



And if you are running an outdated version of Java or Adobe PDF, your personal computer would get compromised as well.




Fake jquery site

Published: 2012-09-07  by  Daniel B. Cid

Seeing many sites with fake jQuery links on them from jquery-framework.com (just registered on 2012/08/05):



If you use jQuery, make sure to link to reliable sources (either jquery.org or googleapis). This one is redirecting users to http://browser-31.com/s/3013.
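An added lookalike check (not code from the posts) for the fake-domain pattern discussed here and in the juquery.com, jqueryc.com, piwik-stat and botsvsbrowsers.biz posts above: it extracts script/iframe sources from a constructed page fragment and compares their registrable domains against a trusted list (the list is an assumption; extend it for your own site):

```python
import re
from urllib.parse import urlparse

# Registrable domains the posts above name as the genuine ones (assumption: extend for your own site).
TRUSTED = {"jquery.com", "jquery.org", "googleapis.com", "piwik.org", "botsvsbrowsers.com"}
SRC_RE = re.compile(r"""<(?:script|iframe)\b[^>]*\ssrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def registrable(host):
    """Crude eTLD+1 (last two labels): enough for the .com/.org/.biz/.in hosts on this page."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, so ju-query / jquery-c style variants are caught as near-copies of jquery."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def classify(host):
    """trusted | lookalike-tld | lookalike-name | unknown for a script/iframe host."""
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted"
    if "." not in domain:
        return "unknown"
    name, tld = domain.rsplit(".", 1)
    for trusted in sorted(TRUSTED):
        tname, ttld = trusted.rsplit(".", 1)
        if name == tname and tld != ttld:  # botsvsbrowsers.biz instead of .com
            return "lookalike-tld"
        if tname in name or levenshtein(name, tname) <= 2:  # jqueryc, juquery, piwik-stat
            return "lookalike-name"
    return "unknown"


def audit(html):
    """Map every external script/iframe src in html to its verdict."""
    verdicts = {}
    for url in SRC_RE.findall(html):
        if url.startswith("//"):
            url = "http:" + url
        host = urlparse(url if "://" in url else "http://" + url).hostname
        if host:
            verdicts[url] = classify(host)
    return verdicts


# Constructed page fragment mixing the genuine CDN with the lookalikes named above.
SAMPLE_HTML = """
<script src="http://code.jquery.com/jquery-1.6.3.min.js"></script>
<script src="http://www.jqueryc.com/jquery-1.6.3.min.js"></script>
<script src="http://juquery.com/jquery-1.6.3.min.js"></script>
<script type="text/javascript" src="http://www.piwik-stat.com/piwik.js"></script>
<script src='http://botsvsbrowsers.biz/Statistic/Stat.php'></script>
<iframe src="http://lowresolutionit.in/in.cgi?6" width="1" height="1"></iframe>
"""
```

The "lookalike-name" heuristic is deliberately loose (substring or two edits), so treat its output as a list of hosts to look at, not as a blocklist.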




Rebots.php on WordPress

Published: 2012-09-04  by  Daniel B. Cid

We are seeing a new batch of the "rebots.php" infections on WordPress and one thing is intriguing us. On many sites we are analysing, WordPress is up to date and no suspicious backdoors or plugins were found. All in order, except for the JavaScript injected inside the theme.

The only thing in common on them is a single login to wp-admin, followed by a visit to wp-admin/theme-editor.php to modify the theme:



So it seems someone was able to steal the wp-admin password and edit the theme. It was done automatically, since no CSS or .JS files were loaded.

Another interesting issue is that on some of these sites, we didn't identify any brute force attack trying to guess the passwords. Just this single login.

Since we don't know how these passwords got stolen, we recommend that people change their wp-admin passwords asap until we have more info (especially if you have been compromised with the rebots.php injection).




Server-wide iframe injections

Published: 2012-08-14  by  Daniel B. Cid

Dennis (from unmask) posted about some iframe injections that he has been seeing lately: RFI: Server-wide iframe injections.

The post is interesting, so read that first. We are also seeing many variations of this attack, always with the iframes being injected as domain.com/[randomnumbers].html and redirecting the user to Fake AV. These are some of the URLs we are seeing:



Note that all (or most) of these sites are compromised and being used by the attackers to spread malware "botnet" style. Dennis also questioned how these sites are being hacked.

Initially, all of them were running Plesk (at least I could access it as site.com:8443). However, as the infection is growing, I am seeing many sites not using Plesk with this type of malware, so we can't know for sure. We assume it is a mix of attacks (brute force FTP + outdated Plesk + anything they can find).




Fake AV redirections .ru -> .pl

Published: 2012-08-02  by  Daniel B. Cid

We posted yesterday about the Blackmuscats .htaccess redirection that was affecting thousands of web sites.

They are still happening (and growing), but the attackers decided to switch names to "nonalco", "mimosa" and other random keywords for their files:



The redirection is still the same, going from those .ru domains to additional second-level .ru domains and then to a .pl:



So far we have identified more than 17,000 sites with this type of malware. More details as we track them.




Strange Malware from cdnexit.com

Published: 2012-07-27  by  Daniel B. Cid

We are seeing thousands of sites compromised with an iframe from cndexit.com:

This is the iframe that we detected:



Google has already flagged this domain and found it to be responsible for the infection of more than 1.5k sites:



We can't say for sure how sites got hacked, but we will post more details when we have them. If your site is compromised, our team can clean it for you: http://sucuri.net/signup




Yahoo Leak

Published: 2012-07-12  by  Daniel B. Cid

You can check if your email is part of the yahoo leak here: http://labs.sucuri.net/?yahooleak.




You know there is a vulnerability in Plesk when..

Published: 2012-07-09  by  Daniel B. Cid

This is a simple way to know when a vulnerability in Plesk (or any other software) is being exploited in the wild:



...when the mass scans for it start. The data is from the ISC (isc.sans.org) and shows a massive increase in the number of queries for port 8443 (used by Plesk).




Top malware entry stats.php

Published: 2012-07-08  by  Daniel B. Cid

Top malware entry for the day: poseyhumane.org/stats.php



It seems to be the stats.php "malware" of the day. Related to our post here: Distributed Malware Network Outbreak Using Stats.php.

We also identified a C&C (command and control) server for these infections: http://botstatisticupdate.com/stat/stat.php. More info to come soon.




Strange .htaccess redirections to google.com

Published: 2012-07-02  by  Daniel B. Cid

A few weeks ago we reported the case of a few compromised sites with an .htaccess redirection to msn.com. Now we are seeing a few sites with the same redirection but to google.com.

This is what we are seeing on some hacked sites (.htaccess file):



We have no idea why this is happening. Maybe a bug in the attackers' malware injection code, but we can't say for sure. We will post more details when we find out what is going on.




PHP Spam tool (UnixStats Mass MaiLer)

Published: 2012-06-28  by  Daniel B. Cid

While looking at a compromised site, we found an interesting mass mailer in there. The content was encoded using eval/gzinflate and base64_decode:



But when switching the "eval" for "print" we could see the mass mailer hidden and what it was doing:



What I found interesting is that this spam tool stored all the emails in the database and the script supported options to update the email list, change content and many things like that. And every few hours the attackers would access it, update the emails and spam everyone in there.




Flagging google.com as malware

Published: 2012-06-21  by  Daniel B. Cid

Yesterday we listed www.google.com as being used for .htaccess conditional redirections on hacked sites. Google does no evil, so what happened?

We identified the source of the malware, which looks for certain user agents and IP addresses and redirects to www.google.com if it comes from them or to the real malware if not.

This is the code:



So, if you are not familiar with PHP, what this code does is check the user agent for some bots (Googlebot, MSN, Bing, etc.) and the client IP against a few addresses of bots and antivirus companies (Trend, Bitdefender, etc.). If the request comes from one of them, they ignore it and redirect to www.google.com.

That's why we were seeing www.google.com and listed it on our malware dump (already fixed).

For all the other users (the victims), the malware was contacting http://88.198.28.38/api.php?action=link to get the URL to redirect (generally in the .tk domain). Any questions, let us know.




Strange .htaccess redirections to msn.com

Published: 2012-06-18  by  Daniel B. Cid

We are seeing something very strange on a few compromised sites lately. Instead of doing .htaccess redirections to malware sites, the attackers added the "malware" to redirect users to msn.com.

This is what we are seeing on some hacked sites (.htaccess file):



If you are not familiar with the .htaccess syntax, it is basically redirecting any users coming from search engines (Google, Bing, Yahoo and even Twitter/Facebook) to msn.com instead of going to the real site.

Anyone have ideas? It seems like a bug in the attackers' malware injection code, but we can't say for sure. And no, we do not think Microsoft is behind those (conspiracy theory). :)




Malware from thesea.org/media.php

Published: 2012-06-11  by  Daniel B. Cid

We are seeing many sites compromised with malware from thesea.org/media.php. All sites had the following added to the .htaccess file:



So far we detected more than 500 sites with this type of redirection in the last few days.
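An added .htaccess audit (not code from these posts) for the referrer-conditioned redirects in this post and the msn.com and google.com ones above: it groups RewriteCond lines with their RewriteRule and flags rules that send search-engine referrals off-site. The sample file and the own_host value are constructed:

```python
import re
from urllib.parse import urlparse

# Referrer keywords the injected rules key on (from the posts above).
SEARCH_ENGINES = ("google", "bing", "yahoo", "msn", "live", "twitter", "facebook",
                  "myspace", "yandex", "baidu")


def parse_htaccess(text):
    """Return [(conditions, pattern, target, flags)]: each RewriteRule owns the
    RewriteCond lines that precede it, which is how mod_rewrite groups them."""
    conditions, rules = [], []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conditions.append((parts[1], parts[2], parts[3] if len(parts) > 3 else ""))
        elif directive == "rewriterule" and len(parts) >= 3:
            rules.append((conditions, parts[1], parts[2], parts[3] if len(parts) > 3 else ""))
            conditions = []
    return rules


def find_referrer_redirects(text, own_host):
    """Flag rules that send search-engine (or social) referrals to a host other than own_host."""
    findings = []
    for conditions, pattern, target, flags in parse_htaccess(text):
        referer_tests = [regex for var, regex, _ in conditions if var.upper() == "%{HTTP_REFERER}"]
        engines = sorted({e for regex in referer_tests for e in SEARCH_ENGINES if e in regex.lower()})
        host = urlparse(target).hostname  # None for a local target such as /index.php
        if engines and host and host.lower() != own_host.lower():
            findings.append({"pattern": pattern, "target": target, "engines": engines, "flags": flags})
    return findings


# Constructed .htaccess in the shape of the injections described above (not a real capture).
SAMPLE_HTACCESS = """
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.*
RewriteRule ^(.*)$ http://www.msn.com/ [R=301,L]
# the site's own front-controller rule, which must not be flagged
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""
```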




Malware from paysafecard.name

Published: 2012-06-07  by  Daniel B. Cid

Seeing many sites compromised with malware from paysafecard.name/analitics.js. This is the JavaScript inserted on the hacked pages:






Malicious redirections to exploit kits

Published: 2012-06-06  by  Daniel B. Cid

We talk a lot about sites that get hacked to redirect their users to malicious exploit kits (Blackhole, etc.). Very often we see encoded JavaScript and our users ask what it does... These are some of the URLs we saw being used by the attackers just this last week.






Encoded javascript

Published: 2012-06-05  by  Daniel B. Cid

Interesting redirection from lolotrololo.1dumb.com:



Which redirects to http://indefw.bee.pl/info.php?n=40&p=n.


Blackhole exploit kits

Published: 2012-06-04  by  Daniel B. Cid

Seeing some variations on how sites are getting hacked to link to the Blackhole exploit kit. This is the type of encoded JavaScript we are seeing inserted into sites now:



These point to multiple URLs on the .gg.biz and .rr.nu TLDs (e.g. http://dmujkkz.igg.biz/d/404.php?go=1, odzyzjyyi.rr.nu, mqvtrt.got-game.org, etc.). More details to come.


List of IP addresses scanning for vulnerable timthumb.

Published: 2012-05-31  by  Daniel B. Cid

A few days ago, we posted a list of domains hosting webshells for timthumb related attacks. We identified more than 420 different URLs hosting those backdoors.

What is interesting is that during the same period, we identified almost 1,000 IP addresses scanning sites for vulnerable timthumb scripts in WordPress themes and plugins. These are all the IPs and the number of hits we detected:



And we will keep monitoring them.


List of domains hosting webshells for Timthumb attacks

Published: 2012-05-28  by  Daniel B. Cid

We have been tracking timthumb.php related attacks for a little while, and they are still at full force. Just for the month of May, these are the domains we identified hosting backdoors used by the attackers (420 different URLs).



And most of them are still live. If you download them you will see many backdoor variations:



And we will keep monitoring them.


Iframes from lowresolutionit.in

Published: 2012-05-25  by  Daniel B. Cid

Seeing many sites compromised with an iframe pointing to http://lowresolutionit.in/in.cgi?6, mostly on outdated WordPress. That domain is currently redirecting to http://hewjzkgvkhwec.tk/27973751.html and then to fake AV.


Backdoor: Contact1

Published: 2012-05-24  by  Daniel B. Cid

Magno (from our support team) found this pretty backdoor on a compromised site. As we keep saying, just searching for eval + base64_decode won't cut it anymore.

*If you enjoy decoding backdoors and are looking for a job, please try this one and send the results to dcid@sucuri.net :)
Yes, that's all for the backdoor.


Backdoor: preg_replace

Published: 2012-05-21  by  Daniel B. Cid

Another interesting backdoor:


You may not be aware, but the preg_replace function with the "e" modifier allows full code execution (eval). When you decode the hex characters, you get "eval ( gzinflate ( base64_decode (", which runs all the code in the long block of characters inside the preg_replace.