Today we found a few websites that loaded strange code from tag-cloud-generator[.]com.
Sites tried to load several image and font files from this site, but they all returned 404 Not Found. The only live file that they loaded was hxxp://www.tag-cloud-generator[.]com/js/fx2.js or its pseudo-localized copies like hxxp://www.tag-cloud-generator[.]com/NL/js/fx2.js, hxxp://www.tag-cloud-generator[.]com/EN/js/fx2.js, hxxp://www.tag-cloud-generator[.]com/FR/js/fx2.js, etc.
The fx2.js file contains an encrypted script that loads (randomly) one of the following scripts:
And those scripts, in turn, redirect visitors to one of the following parked domains with ads:
using code like this:
All these domains, including tag-cloud-generator[.]com are registered in China. If you ever used tag-cloud-generator, make sure to remove it from your site. We will share more information if we find anything new.
We found infected sites where malware created a fake WordPress plugin that generated pharma spam doorways.
This file creates wp-content/plugins/social-share/share.php, which calls itself "WP Social Include File". It downloads a doorway generator from hxxp://api-linux . net/json/json_01.txt, writes it into wp-content/mu-plugins/mu-plugin.png and then includes this file at the bottom of wp-includes/load.php.
The doorway generator uses the following URLs:
Some of the above URLs should only be accessed using a special User-Agent string.
If you are a hosting provider, we recommend blocking HTTP requests to these external sites, to stop the spam doorways from being distributed. We will share more details as we learn more about it.
2014-12-28 by Daniel Cid
The RevSlider SoakSoak malware campaign started with the soaksoak.ru domain (hence the name). However, over the last 2 weeks it has mutated and used different domains as the initial malware intermediary.
This is the full list so far:
- soaksoak.ru: First one in the list. We identified more than 100,000 sites redirecting to it.
- 220.127.116.11: Started just after soaksoak, leveraging the /collect.js redirection. Almost 10,000 sites were blacklisted and compromised with it.
- wpcache-blogger.com: Second biggest campaign after soaksoak. More than 50,000 sites compromised and still going.
- phoenix-credit.com: Current one active. Also leverages the /collect.js redirection and has compromised more than 11,000 different sites.
We will keep updating this list as the domains change and the attacks mutate.
We are seeing an increasing number of hacked sites with Chinese doorways promoting various fake merchandise (from Louis Vuitton handbags to NFL jerseys and Canada Goose jackets).
Those doorways target both Western and Chinese web searches. Here's how they make sure the doorway correctly preserves search queries in Chinese (converting from UTF-8 to gb2312) when they work with the Google search referrer string:
Since Google uses "ie=utf-8" by default for most languages, queries using non-ASCII characters that are not Simplified Chinese will be garbled. Apparently they are only interested in English and Chinese queries.
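To make the encoding point concrete, here is a small added example (not code from the original post) that pulls the q= parameter out of a constructed Google referrer URL and transcodes it from UTF-8 to gb2312 the way such a doorway would. The referrer strings and the helper names are constructed for this illustration; the point it shows is that Simplified Chinese and ASCII survive the conversion, while anything else is replaced and therefore garbled.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample referrers (not taken from any real doorway traffic).
REFERRERS = [
    "https://www.google.com/search?q=%E6%89%8B%E6%9C%BA&ie=utf-8",  # 手机 (Simplified Chinese)
    "https://www.google.com/search?q=%EC%95%88%EB%85%95&ie=utf-8",  # 안녕 (Korean, not in gb2312)
    "https://www.google.com/search?q=nfl+jerseys&ie=utf-8",         # plain ASCII
]


def extract_query(referrer):
    """Return the q= parameter of a Google search referrer, percent-decoded as UTF-8."""
    params = parse_qs(urlparse(referrer).query)
    return params.get("q", [""])[0]


def to_gb2312(query):
    """Transcode a UTF-8 query string to gb2312 bytes.

    Returns (bytes, lossless). Characters with no gb2312 code point are
    replaced by '?', which is exactly the garbling the post describes.
    """
    try:
        return query.encode("gb2312"), True
    except UnicodeEncodeError:
        return query.encode("gb2312", errors="replace"), False


if __name__ == "__main__":
    for ref in REFERRERS:
        q = extract_query(ref)
        data, ok = to_gb2312(q)
        print(f"{q!r:>16} -> {data!r} lossless={ok}")
```

Only the Chinese and ASCII queries survive the round trip; the Korean query comes out as `b'??'`, which is why the post concludes the operators only care about English and Chinese searches.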
One of the common tactics used by spammers and black hat "SEO" is to use doorway pages for their spam content. These pages get indexed by search engines and, when visited by a real user (not a bot), redirect them to a different URL that they want to promote.
However, these Chinese doorways for fake popular and luxury goods stores use a much simpler approach: they check the visitor's time zone.
Which when deobfuscated looks like this:
Here's the typical code:
2014-03-07 by Daniel Cid
The domain botsvsbrowsers.com is quite popular and used for comparing user agents (browsers) and seeing if a specific request is from a valid user or a bot.
Piggybacking on their popularity, the bad guys created the domain botsvsbrowsers.biz (.biz versus .com) to be used as a command and control server in spam SEO campaigns.
This is the code we are seeing on compromised sites:
This code contacts botsvsbrowsers.biz/Statistic/Stat.php on every page load, sending the client IP address and URL, and the server decides what to inject for that user. Most of the time we are seeing just plain spam, but they are probably serving other malicious code as well.
So if you see any content being loaded from botsvsbrowsers.BIZ (or the IP address 18.104.22.168), you know it is malicious.
2014-01-16 by Daniel Cid
There are multiple ways to inject an iframe on a web site, and every day we find a new evasion technique that makes it harder to detect. This is a new one found by Fio:
It uses many layers of encoding just to load this iframe:
which redirects a user visiting a compromised site to a porn page.
2014-01-03 by Ante Kresic
We found another interesting piece of PHP-based malware on a client site a few days ago:
Can you decode it and see what it is doing?
This piece of code tries to obfuscate all the functions that could be flagged by a scanner using a benign PHP function called str_replace. This function replaces all instances of a string with a replacement in the subject. So, for example, the next line:
$ts = str_replace("b","","bsbtr_brbepblabcbe");
replaces all instances of the character 'b' with nothing. So from bsbtr_brbepblabcbe we get str_replace. Using the same technique, we get some more functions:
$dzy = $ts("er", "", "erberaersereer6er4er_dereercerodere"); //base64_decode
$mc = $ts("y","","ycyryeyaytye_yfyuynctyiyoyn"); //create_function
All this to create a function and run it in this line:
$tha = $mc('', $dzy($ts("nd", "", $exg.$sjb.$iyo.$fy))); $tha();
The function body is contained in this expression:
$dzy($ts("nd", "", $exg.$sjb.$iyo.$fy));
And the final code is:
What does it do? It uses some simple tricks to edit the contents of the cookie, decode it from base64 and eval (execute) that malicious code.
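The manual decoding above can be automated. The following is an added example written for this page (not the post's own tooling): it applies PHP's str_replace semantics to the three aliasing lines quoted above, follows the chain of variables that end up pointing at str_replace, and reports which aliases resolve to functions a scanner would normally flag. The sample text is the post's own three lines; the function names, the regular expression and the list of flagged functions are this example's assumptions.

```python
import re

# Constructed sample: the three aliasing lines quoted in the post above.
SAMPLE = r'''
$ts = str_replace("b","","bsbtr_brbepblabcbe");
$dzy = $ts("er", "", "erberaersereer6er4er_dereercerodere");
$mc = $ts("y","","ycyryeyaytye_yfyuynctyiyoyn");
'''

# $var = str_replace("search", "replace", "subject");  or  $var = $alias(...) with the same arguments
ASSIGN = re.compile(
    r'\$(\w+)\s*=\s*(str_replace|\$\w+)\s*\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)'
)

# Functions whose names are worth hiding from a scanner (assumed list for this example).
DANGEROUS = {"eval", "assert", "create_function", "base64_decode", "preg_replace", "str_replace"}


def resolve_aliases(php):
    """Map variable names to the function names their str_replace() calls produce.

    PHP's str_replace() and Python's str.replace() both replace every
    non-overlapping occurrence left to right, so the result is identical.
    """
    names = {}
    for var, callee, search, replace, subject in ASSIGN.findall(php):
        # A call through a variable only counts if that variable is already known
        # to hold str_replace (e.g. $ts in the sample).
        if callee != "str_replace" and names.get(callee.lstrip("$")) != "str_replace":
            continue
        names[var] = subject.replace(search, replace)
    return names


def flag_dangerous(names):
    """Return only the aliases that resolve to a function on the DANGEROUS list."""
    return {var: fn for var, fn in names.items() if fn in DANGEROUS}


if __name__ == "__main__":
    resolved = resolve_aliases(SAMPLE)
    for var, fn in flag_dangerous(resolved).items():
        print(f"${var} -> {fn}")
```

Running it resolves `$ts` to str_replace, `$dzy` to base64_decode and `$mc` to create_function, which is the same chain the post walks through by hand; the alias-following step is what lets it cope with the second and third lines, where str_replace itself is only reachable through `$ts`.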
In our daily malware analysis we've noticed that the bad guys are using obfuscation more and more to hide what they are doing. Take for example this piece of code we found injected on a website:
No sign of any "eval()" and no sign of "preg_replace()" with the eval switch, as in the majority of malware files.
When I looked at it for the first time, I thought it was just some corrupted or incomplete malware that couldn't work. But one of the prerequisites for my job is being curious, and I am, so I checked it more deeply and... the result was interesting!
First, I decided to beautify the code to see it more clearly...
The commented lines at the bottom are my own; they helped me understand what's behind each variable and how it works. As you can see, it has getenv, preg_replace and base64_decode, and when you put it all together, you get the readable code:
And that's it: yes, there actually ARE eval() and even base64_decode() functions, but hidden behind variables. Otherwise, it's really just a malicious backdoor component which reads a custom environment variable where the actual payload is expected to be stored.
Curious about other ways of running code in PHP without using eval() at all?
The most common is preg_replace with the "/e" modifier (which evaluates the replacement as PHP code after replacing); a less common but very interesting one is the PHP assert() function. As the official PHP documentation says: if the assertion is given as a string, it will be evaluated as PHP code by assert(). And there are other surprises in PHP...
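Since the whole point of this sample is that a grep for eval() finds nothing, here is an added example (written for this page, not the author's scanner) of the line-level checks a scanner needs for the eval-less execution paths the post lists: preg_replace() patterns carrying the /e modifier, assert() called on a variable rather than a literal, functions invoked through a variable name, and getenv() as the source of a payload. The PHP sample it runs on is constructed for this example, and the rule names, the environment-variable name and the regular expressions are assumptions of this example.

```python
import re

# Constructed PHP sample that mimics the patterns described in the post.
# The environment-variable name is a placeholder, not a real indicator.
SAMPLE_PHP = r'''
<?php
$p = getenv("X_PLACEHOLDER_VAR");        // payload is read from an environment variable
$d = "base64" . "_decode";               // function name built by concatenation
preg_replace("/.*/e", $p, "");           // /e: replacement string is evaluated as PHP
assert($d($p));                          // string argument is evaluated as PHP code
$fn = $d; $fn($p);                       // call through a variable, no literal name
echo "harmless";
'''

# Simple per-line rules; each is (rule name, compiled regex).
RULES = [
    ("variable-function-call", re.compile(r"\$\w+\s*\(")),
    ("assert-dynamic-arg", re.compile(r"\bassert\s*\(\s*\$")),
    ("getenv-source", re.compile(r"\bgetenv\s*\(")),
    ("create_function", re.compile(r"\bcreate_function\s*\(")),
]

# First argument of preg_replace() when it is a quoted literal.
PREG = re.compile(r"""\bpreg_replace\s*\(\s*(['"])(.*?)\1""")


def preg_replace_eval(line):
    """True if a preg_replace() pattern literal on this line carries the /e modifier."""
    m = PREG.search(line)
    if not m:
        return False
    pattern = m.group(2)
    delim = pattern[:1]                  # PCRE delimiter, e.g. '/' or '#'
    end = pattern.rfind(delim)           # closing delimiter; modifiers follow it
    return end > 0 and "e" in pattern[end + 1:]


def scan(php):
    """Return a list of (line number, rule name) hits for the given PHP source."""
    hits = []
    for number, line in enumerate(php.splitlines(), 1):
        for name, regex in RULES:
            if regex.search(line):
                hits.append((number, name))
        if preg_replace_eval(line):
            hits.append((number, "preg_replace-/e"))
    return hits


if __name__ == "__main__":
    for number, name in scan(SAMPLE_PHP):
        print(f"line {number}: {name}")
```

Note that the literal string `base64_decode` never appears in the sample because it is built by concatenation; that is why the variable-function-call rule matters more than a list of function names, and why a single hit on any of these rules is a reason to read the file rather than a verdict on its own.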