09 Jun Dangerous whitespaces Marta Janus
08 Sep A Web Defacer Turns to $$ Spam Fraud Dmitry Bestuzhev
09 May Safe PHP - a contradiction in terms? Costin Raiu
01 Mar Critical vulnerability found in phpBB software Roel
27 Dec Santy updates - worm renamed Aleks
26 Dec Update on Santy.e Roel
A few days ago, I blogged about a piece of PHP/JS malware targeting the osCommerce platform, which used an interesting new technique to obfuscate the malicious code. It so happens that today I came across an even more advanced sample of a PHP infector, again in the context of a vulnerable e-commerce solution.
When I came to work today, my colleague from our Polish office asked me to help him find the malware that was affecting his friend's online store. The HTML page, viewed in the browser, contained a link to a jquery.js script on some randomly generated cx.cc domain, although there was no sign of this link in the source files on the server. Reaching a verdict was simple: this piece of code was being added dynamically, by some infected PHP script.
We looked into all of the PHP files stored on the server and got a bit confused: there was nothing really suspicious at first glance. But with the div_colors malware in mind, I started to study the code line by line. What finally attracted my attention was a small function at the beginning of one of the core PHP files.
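The diagnosis above rests on one observation: a script URL reaches the browser that appears nowhere in the files on disk, so it must be assembled at request time by PHP. That comparison can be automated. The following is an added example written for this page, not code from the original post or from the osCommerce project; the served HTML, the two source files and the cx.cc hostname in it are constructed samples.

```python
from html.parser import HTMLParser

# Constructed sample: the HTML the web server actually returned to the browser.
SERVED_HTML = """<html><head>
<script src="/js/jquery.js"></script>
<script src="http://a8f3k2.cx.cc/jquery.js"></script>
</head><body>shop</body></html>"""

# Constructed sample: the PHP/HTML files as they sit on the server (path -> content).
SOURCE_TREE = {
    "index.php": '<?php include "header.php"; ?><body>shop</body></html>',
    "header.php": '<html><head><script src="/js/jquery.js"></script></head>',
}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_srcs_from_html(html):
    """Return the script src values in the order they appear in the page."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.srcs


def injected_script_sources(served_html, source_files):
    """Script URLs that the browser received but that occur nowhere as a
    literal in the source tree. Such a URL can only have been produced at
    runtime, which is exactly the symptom described in the post. Legitimate
    dynamically built URLs (versioned CDN links) will also surface here and
    need to be reviewed by hand."""
    served = script_srcs_from_html(served_html)
    all_source_text = "\n".join(source_files.values())
    return [src for src in served if src not in all_source_text]


if __name__ == "__main__":
    for src in injected_script_sources(SERVED_HTML, SOURCE_TREE):
        print("served to browser but absent from source tree:", src)
```

On a real server the SOURCE_TREE dictionary would be filled by walking the document root, and SERVED_HTML fetched from the live site; the point of the check is to compare the two views rather than to read the PHP, since obfuscated injector code does not contain the hostname in plain text.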
By editing the original PHP code, the criminals can fake the “original headers” of the messages they send. Very interesting.
Now let’s check the original IP address of the mentioned domain:
As you can see, in this case the criminals are sending fake e-mails using the identity of IG (www.ig.com.br), a very popular Internet resource in Brazil. They fake the mailer, the originating IP address and even the spam scoring. So there is a high probability that this e-mail will be delivered successfully to the victim, bypassing anti-spam filters. Even the most experienced IT people can be tricked into believing that the message came from IG.
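The defensive counterpart to the forgery described above is to treat every header that arrived from the outside as sender-controlled text: only the Received line written by the recipient's own MX records where the connection really came from, and any X-Spam-* header already present in an incoming message was not written by the recipient's filter. The code below is an added example for this page, not code from the original post; the raw message, the recipient MX name mx.example-victim.test and the SENDER_NETWORKS list (standing in for the networks the claimed sender domain legitimately uses, which in practice would come from its SPF record) are constructed assumptions, and the IP addresses are from documentation ranges.

```python
import re
from email import message_from_string
from email.policy import default
from ipaddress import ip_address, ip_network

# Constructed sample message modelled on the pattern in the post: the lower
# Received line, X-Mailer and the negative spam score were written by the
# spammer's PHP script; only the top Received line was added by our own MX.
RAW_MESSAGE = """\
Received: from mail.ig.com.br (unknown [203.0.113.45])
\tby mx.example-victim.test with ESMTP id 7a1b2c; Thu, 8 Sep 2011 10:15:02 +0000
Received: from webmail.ig.com.br (webmail.ig.com.br [198.51.100.7])
\tby smtp.ig.com.br with ESMTP id fake123; Thu, 8 Sep 2011 10:14:59 +0000
X-Mailer: IG Webmail 2.0
X-Spam-Score: -5.0
X-Spam-Status: No
From: "Promocoes IG" <promocoes@ig.com.br>
To: victim@example-victim.test
Subject: Oferta especial

Clique aqui.
"""

OUR_MX = "mx.example-victim.test"            # assumption: the recipient's own MX
SENDER_NETWORKS = ["198.51.100.0/24"]        # constructed stand-in for the sender's SPF networks

MSG = message_from_string(RAW_MESSAGE, policy=default)


def split_at_trust_boundary(msg, our_mx):
    """Received lines are prepended by each hop, so the topmost lines that say
    'by <our MX>' are ours; everything below them came from the sender and may
    be arbitrary text."""
    trusted, untrusted = [], []
    for hop in msg.get_all("Received") or []:
        match = re.search(r"\bby\s+([^\s;]+)", hop)
        if not untrusted and match and match.group(1).lower() == our_mx.lower():
            trusted.append(hop)
        else:
            untrusted.append(hop)
    return trusted, untrusted


def connecting_ip(msg, our_mx):
    """The IP the sender really connected from, taken from the last trusted hop
    (the one that accepted the message from the outside world)."""
    trusted, _ = split_at_trust_boundary(msg, our_mx)
    if not trusted:
        return None
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", trusted[-1])
    return match.group(1) if match else None


def externally_supplied_filter_headers(msg, prefixes=("X-Spam-",)):
    """Headers that look like our filter's verdict but were present on arrival.
    Assumption: this runs before our own filter adds anything, so any such
    header is sender-supplied and should be stripped, not believed."""
    lowered = tuple(p.lower() for p in prefixes)
    return [name for name in msg.keys() if name.lower().startswith(lowered)]


def claimed_origin_consistent(msg, our_mx, sender_networks):
    """True only if the real connecting IP lies in the networks the claimed
    sender domain is known to use."""
    ip = connecting_ip(msg, our_mx)
    if ip is None:
        return False
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in sender_networks)


if __name__ == "__main__":
    print("real connecting IP:", connecting_ip(MSG, OUR_MX))
    print("sender-supplied filter headers:", externally_supplied_filter_headers(MSG))
    print("origin matches claimed sender:", claimed_origin_consistent(MSG, OUR_MX, SENDER_NETWORKS))
```

The forged "from webmail.ig.com.br" hop and the spam score below the trust boundary are simply ignored; the verdict is driven by the one fact the spammer cannot edit, the address our MX saw on the wire.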