19 Dec Malware in metadata Vicente Diaz
09 Jun Dangerous whitespaces Marta Janus
08 Sep A Web Defacer Turns to $$ Spam Fraud Dmitry Bestuzhev
09 May Safe PHP - a contradiction in terms? Costin Raiu
01 Mar Critical vulnerability found in phpBB software Roel
27 Dec Santy updates - worm renamed Aleks
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
One of the systems I have been running collects all our web malware detections for .ES domains. I usually check it out every morning, just in case I see something especially interesting or relevant. And when I find something, I like to create some statistics to have a global overview.
There are some things that I find every time I check my stats, like URLs that have been infected for more than 200 days, even being notified. That speaks of the lack of security awareness on some companies, and how some websites just get abandoned and become a hive of malware.
However one of the things that drew my attention was the detection of many PHP Backdoors with not-so-common extensions, such as JPG or MP3. Maybe a false positive? Worth taking a look!
A few days ago, I blogged about a PHP/JS malware targeting the osCommerce platform, which used an interesting new technique to obfuscate the malicious code. It so happens, that today I came across even more advanced sample of a PHP infector, also in the context of a vulnerable e-commerce solution.
When I came to work today, my colleague from our Polish office asked me to help him with finding malware which was affecting his friend's online store. The HTML page, viewed with the browser, contained a link to a jquery.js script in some randomly generated cx.cc domain, although there was no sign of this link in the source files on the server. Reaching a verdict was simple - this piece of code was being added dynamically, by some infected PHP script.
We looked into all of PHP files stored on the server and got a bit confused - there was nothing really suspicious at first glance. But having in mind the div_colors malware, I started to study the code line by line. What at last attracted my attention was a small function at the beginning of one of the core PHP files.
By editing the original PHP code, the criminal can fake the “original headers” of the messages they send. Very interesting.
Now let’s check the original IP address of the mentioned domain:
As you see in this case, the criminals are sending fake e-mails using the identity of IG (www.ig.com.br) a very popular Internet resource in Brazil. They fake the mailer, the original IP address and even the Spam scoring. So, there is a big probability this e-mail will be delivered usefully to the victim, bypassing anti-spam filters. Even the most experienced IT people can be tricked into believing that the message came from IG.