Caching SEO tool. Does different things for "humans" and for "bots".
Bots get some kind of spammy template filled out with text from a hard-coded server, or failing that, from ask.com and yahoo.com. Humans get redirected to a spammy website.
I've captured two versions:
nptzow downloaded 2017-11-23T16:20:58-07:00
nowir downloaded 2018-05-04T16:51:53-06:00
Update, 2018-08-22: more instances, this time just .zip files.
Something called vlomaw seems to be a superset of the code I caught. "vlomaw" looks like it caches HTML ad files in yet another directory, maybe handles its own DNS, and includes an instance of WSO.
Another report of "vlomaw". This one is dated 2018-01-09. Have the author(s) trimmed their earlier code down?
This report details some code almost exactly like nptzow, or nowir.
PHP "dropper" code passed to a fake WSO (Web Shell by oRb) via the Php action. WSO has a way to evaluate arbitrary PHP source code via the eval() builtin. The "action" string and the PHP source to eval arrive via POST parameters.
The fake WSO is part of a WordPress honeypot I've operated off and on for the last 4 years. Everything is assumed to happen in a WordPress installation.
The downloader seems to believe that the WSO instance is hidden in a "revslider" plugin. Revslider had an exploit in the December 2014 timeframe, and a lot of bottom feeders tried to exploit it at the time.
The nptzow code got downloaded from 194.165.16.79, which is in 194.165.16.0/23 (AS48721), a European IP address in Monaco, of all places. Reverse DNS lookup says it has the host name hostby.adm-service.org.
whois adm-service.org yields some Monaco names, addresses and telephone numbers.
whois 194.165.16.79 gives me some information about the AS, which is registered to "ADM Service Ltd.", head office in Moscow.
The nowir variant got downloaded from 31.184.234.175, "hostby.gto-projects.biz". 31.184.234.175 is in 31.184.234.0/24 (AS44050), GTO LTD. in Podgorica, Montenegro.
The dropper code contains a blob of Base64-encoded bytes. It creates a file named 4048ad7bdb2.php somewhere in a WordPress file tree. If a file named 4048ad7bdb2.php already resides in the WordPress file tree, it gets moved to 4048ad7bdb2.php_backup. The dropper decodes the PHP source, then writes it to 4048ad7bdb2.php. It echoes "OK file saved", which presumably lets the process transferring the dropper code know that the file creation and source decoding worked.
Like a lot of PHP malware, the dropper makes more than one attempt to create 4048ad7bdb2.php. The file_write() function returns a boolean that isn't checked by the caller, and it has some commented-out code that appears to set a file's time stamp to between 10 and 70 days in the past.
Stylistically, the dropper is only a little uneven. I hypothesize that it hasn't evolved via feature addition yet.
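As an added example (my own triage script, not code from the dropper or from the campaign), here is a Python scanner that walks a WordPress tree for the artifacts described above: the 4048ad7bdb2.php file and its _backup sibling, the wtuds/ and sotpie/ directories, the zip and PHP file names, and any PHP file carrying a long Base64 literal, which it peels one layer to report whether the payload is more PHP or a zip archive. The 200-character threshold, the revslider path in the demo tree and the inert stand-in payload are constructed for this example.

```python
import base64
import re
import shutil
import tempfile
from pathlib import Path

# Names taken from the write-up: the dropper's output file and its backup,
# the archives level 2 writes, the unpacked PHP files, and the template and
# cache directories.
ARTIFACT_FILES = {
    "4048ad7bdb2.php", "4048ad7bdb2.php_backup",
    "nptzow.zip", "nowir.zip",
    "flvoaw.php", "ghkhjew.php", "ohirjwe.php", "lerbim.php",
}
ARTIFACT_DIRS = {"wtuds", "sotpie"}

# Heuristics, not signatures: a quoted Base64 literal of 200+ characters
# (threshold is my choice), and eval() fed directly from base64_decode().
LONG_B64 = re.compile(rb"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)


def peel_layer(data: bytes):
    """Decode the first long Base64 literal in `data` and classify it:
    'php' for another PHP layer, 'zip' for a PK archive (what level 2
    produces), 'other' otherwise. Returns (kind, decoded) or (None, b'')."""
    m = LONG_B64.search(data)
    if not m:
        return None, b""
    try:
        decoded = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return None, b""
    if decoded.lstrip().startswith(b"<?php"):
        return "php", decoded
    if decoded.startswith(b"PK\x03\x04"):
        return "zip", decoded
    return "other", decoded


def scan_tree(root):
    """Walk a WordPress tree; return (finding, path-relative-to-root) pairs."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_dir():
            if path.name in ARTIFACT_DIRS:
                findings.append(("known-directory", rel))
            continue
        if path.name in ARTIFACT_FILES:
            findings.append(("known-filename", rel))
        if path.name.endswith(".php_backup"):
            findings.append(("displaced-original", rel))   # the dropper's rename
        if path.name.endswith(".php.suspected"):
            findings.append(("quarantined-by-cleaner", rel))
        if path.suffix == ".php":
            data = path.read_bytes()
            if EVAL_B64.search(data):
                findings.append(("eval-base64_decode", rel))
            kind, _ = peel_layer(data)
            if kind:
                findings.append((f"long-base64-payload:{kind}", rel))
    return findings


def demo():
    """Build a constructed tree shaped like the one described (the revslider
    path and the inert payload are made up for this example), scan it, and
    return the findings."""
    root = Path(tempfile.mkdtemp())
    try:
        inner = b"<?php /* constructed stand-in for the level-2 source */ ?>"
        blob = base64.b64encode(inner * 8)          # long enough to trip LONG_B64
        plugin = root / "wp-content" / "plugins" / "revslider"
        plugin.mkdir(parents=True)
        (plugin / "4048ad7bdb2.php").write_bytes(
            b'<?php eval(base64_decode("' + blob + b'")); ?>')
        (plugin / "4048ad7bdb2.php_backup").write_bytes(b"<?php // displaced original ?>")
        (plugin / "wtuds").mkdir()
        (plugin / "sotpie").mkdir()
        (plugin / "index.php").write_bytes(b"<?php // harmless ?>")
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding, rel in demo():
        print(f"{finding:28} {rel}")
```

Run it against a real document root by calling scan_tree() on that path; the name list is what this write-up observed and will need extending as the campaign renames things, while the Base64 heuristic catches the shape of the dropper regardless of file name.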
The following notes are for nptzow, but the nowir process is very similar.
I got to level 1 code by hand-editing file 194.165.16.79WhdX2hdZm0Z2rcNQ09X9ZgAAAAA.php.file into file dc1.php. This is just the Base64-encoded string, and two PHP function calls to create file 4048ad7bdb2.php with the Base64-decoded string in it.
Executing dc1.php yields file 4048ad7bdb2.php, which contains yet another Base64-encoded block of bytes, and a native PHP implementation of Gzip, class PclZip.
The level 2 code Base64-decodes a long string, and puts the results in a file nptzow.zip or nowir.zip. It proceeds to unzip nptzow.zip. If that succeeds, it echoes the string "1425756856". If unzipping fails, it echoes PclZip error information. Presumably this lets the accessor of 4048ad7bdb2.php tell if the decoding procedure worked or not.
nptzow.zip expands into a directory full of goodies, one PHP file and two subdirectories full of apparently template files.
Pretty print flvoaw.php using revphp:
revphp flvoaw.php > pp1.php
Based on my reading of pp1.php, the de-obfuscated PHP source, flvoaw.php does different things for "bots" versus non-bots. It decides bot-or-not based on user agent string, but it has a problem. It sets a variable $user_agent_to_filter to an array full of strings that seem to represent the vast majority of web spiders/search engines that come around these days. It does not use $user_agent_to_filter anywhere. Instead it checks a much smaller array, containing only some of the strings in $user_agent_to_filter.
As an added bonus, it checks if the DNS name of $_SERVER['REMOTE_ADDR'] has "google" in it. If so, it's a bot.
If it decides you're not a bot, it sends you to a different URL, via:
Location: http://caforyn.pw/for/77?d=$d&mykeys=$mykeys
The $d will be a string naming the host on which flvoaw.php executes. $mykeys is a string derived from a GET parameter named do for nptzow, and kfd for nowir.
If it decides you are a bot, it looks in the wtuds/ directory, the cache folder, to find a file named by a GET parameter, itself named do. If that file exists in the cache directory, it serves up the HTML in the cached file.
If it doesn't find the file named by $_GET['do'] in wtuds/, it picks a file in the template directory (sotpie/). It rather strangely uses $_GET['do'] as a series of keywords, then sends the keywords via URL http://boriskq.pw/story.php (nptzow) or http://solfinesew.pw/story2.php (nowir). I think this is for analytics or billing. The SEO campaigner can see which keywords come from what compromised hosts.
If flvoaw.php doesn't get at least 1000 bytes from boriskq.pw, it asks ask.com, google.com and yahoo.com for the same keywords that it used on story.php. It writes a file in the cache directory, then sends the HTML it got from ask.com, google.com or yahoo.com.
It looks like this is a simple caching SEO tool. It redirects "humans" to some weird web site, and it makes, and then caches, special spam HTML for "bots".
Unfortunately, nobody has invoked nptzow/flvoaw.php, so I can't tell what keywords they send its way.
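The bot-or-not split described above leaves a signature in ordinary web server logs: the same .php path answers crawler user agents with 200 and content, while every browser user agent gets a 3xx redirect, and the requests carry a do= or kfd= keyword parameter. As an added example (mine, not code from the campaign), this Python script runs that check over combined-format access log lines and also collects the keyword strings that the honeypot never got to see. The log lines, IP addresses (documentation ranges), the path under uploads/ and the short crawler token list are all constructed for this example; the token list is not the sample's $user_agent_to_filter array.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# My own short crawler list for classifying log entries (constructed).
CRAWLER_TOKENS = ("googlebot", "bingbot", "yandex", "baiduspider", "slurp", "duckduckbot")
# GET names the two variants read their keywords from (do: nptzow, kfd: nowir).
KEYWORD_PARAMS = {"do", "kfd"}

# Constructed access-log lines: documentation-range addresses, a made-up path.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Nov/2017:16:21:03 -0700] "GET /wp-content/uploads/nptzow/flvoaw.php?do=cheap+widgets HTTP/1.1" 200 18342 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [23/Nov/2017:16:22:10 -0700] "GET /wp-content/uploads/nptzow/flvoaw.php?do=cheap+widgets HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/62.0 Safari/537.36"
198.51.100.9 - - [23/Nov/2017:16:25:41 -0700] "GET /wp-content/uploads/nptzow/flvoaw.php?do=buy+things HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) Safari/604.1"
203.0.113.7 - - [23/Nov/2017:16:26:02 -0700] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/62.0 Safari/537.36"
192.0.2.10 - - [23/Nov/2017:16:27:15 -0700] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does
    not match. Adds the path, the parsed query and a crawler flag from the UA."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    ua = rec["ua"].lower()
    rec["is_crawler"] = any(tok in ua for tok in CRAWLER_TOKENS)
    return rec


def find_cloaking(lines):
    """Per .php path, count crawler 200s, non-crawler 3xx redirects and
    non-crawler 200s. A path that serves crawlers content and redirects every
    non-crawler is the pattern flvoaw.php implements."""
    stats = defaultdict(lambda: {"crawler_ok": 0, "human_redirect": 0,
                                 "human_ok": 0, "keyword_hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(".php"):
            continue
        s = stats[rec["path"]]
        if KEYWORD_PARAMS & rec["query"].keys():
            s["keyword_hits"] += 1
        if rec["is_crawler"]:
            if rec["status"] == 200:
                s["crawler_ok"] += 1
        elif 300 <= rec["status"] < 400:
            s["human_redirect"] += 1
        elif rec["status"] == 200:
            s["human_ok"] += 1
    return {p: s for p, s in stats.items()
            if s["crawler_ok"] and s["human_redirect"] and not s["human_ok"]}


def keywords_seen(lines):
    """Collect the keyword strings handed to the script via do= or kfd=."""
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name in KEYWORD_PARAMS & rec["query"].keys():
            seen.update(rec["query"][name])
    return seen


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for path, s in find_cloaking(lines).items():
        print(f"cloaking suspected at {path}: {s}")
    print("keywords seen:", sorted(keywords_seen(lines)))
```

The "no non-crawler ever gets a 200" condition is deliberately strict so that ordinary pages with an occasional redirect are not flagged; a real deployment would feed it a day of logs and review the few paths that survive.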
Both boriskq.pw and caforyn.pw are registered to:
Admin Name: John
Admin Organization: N/A
Admin Street: North Road 35
Admin City: Pirr
Admin State/Province: South Dakota
Admin Postal Code: 57501
Admin Country: US
Admin Phone: +1.208241712
Admin Fax:
Admin Email: [email protected]
Is "Pirr" some kind of joke? The state capital of South Dakota is Pierre, but apparently it's pronounced "Pirr" by locals.
According to the de-obfuscated source code of flvoaw.php, sotpie/ is a template folder.
According to the de-obfuscated source code of flvoaw.php, wtuds/ is a cache folder. wtuds/ contains two files, sdsdg and grtjtyul.
sdsdg contains some HTML, which identifies itself as having been generated by "JohnCMS". The interesting HTML tags are:
<meta name="keywords" content="Sdsdg">
<meta name="description" content="Sdsdg">
grtjtyul also contains some HTML, with "Grtjtyul" appearing in several locations throughout.
These files look like someone did some testing. The cached HTML did not get deleted, but it did end up in the production code. The nptzow variant had these files, while the nowir variant did not.
nowir.zip unpacks similarly to nptzow.zip, but it has 3 PHP files, sotpie/ and wtuds/ directories.
The 3 PHP files:
ghkhjew.php
ohirjwe.php
lerbim.php
ghkhjew.php and ohirjwe.php are nearly identical. Only one line of code differs, in indentation. They're both similar to nptzow/flvoaw.php, differing mainly in the URL that keywords from incoming requests get forwarded to, and the URL that requests from not-a-bot get redirected to.
lerbim.php is a little more interesting. It appears to rename files in or under the current directory whose names have a ".php.suspected" suffix to a ".php" suffix. This reverses the changes made by Vigilante Malware Cleaner when it disarms PHP malware. I find this odd, as Vigilante Malware Cleaner does not appear to detect nowir or nptzow.
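As an added example (mine, not code from nowir), here is a small Python check a site operator can run to notice that a cleaner's quarantine has been undone the way lerbim.php undoes it: it inventories the .php.suspected files present at one point in time, and later reports any that have vanished while a live .php of the same name appeared in their place. The demo tree and file names are constructed.

```python
import shutil
import tempfile
from pathlib import Path

SUSPECTED = ".php.suspected"


def inventory(root):
    """Set of quarantined files under `root`, recorded by the .php path each
    would have if its .suspected suffix were stripped."""
    root = Path(root)
    return {p.relative_to(root).as_posix()[:-len(".suspected")]
            for p in root.rglob("*" + SUSPECTED)}


def reversed_quarantines(before, root):
    """Entries of an earlier inventory whose .suspected file is gone and whose
    .php name is now a live file: the effect lerbim.php has on a tree."""
    root = Path(root)
    return sorted(rel for rel in before
                  if not (root / (rel + ".suspected")).exists()
                  and (root / rel).is_file())


def demo():
    """Constructed tree: two quarantined files, one of which gets renamed back
    the way lerbim.php would. Returns (inventory, reversals)."""
    root = Path(tempfile.mkdtemp())
    try:
        d = root / "wp-content" / "uploads"
        d.mkdir(parents=True)
        (d / "a.php.suspected").write_text("<?php // quarantined ?>")
        (d / "b.php.suspected").write_text("<?php // quarantined ?>")
        before = inventory(root)
        (d / "a.php.suspected").rename(d / "a.php")   # simulate the reversal
        return before, reversed_quarantines(before, root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    before, reverted = demo()
    print("quarantined earlier:", sorted(before))
    print("now live again:", reverted)
```

In practice the inventory would be written to a file outside the web root right after a cleanup run and compared against the tree on a schedule; a non-empty result means something put disarmed code back into service.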
ghkhjew.php uses solfinesew.pw instead of boriskq.pw to send keywords queried.
As of 2018-06-08, boriskq.pw no longer has an IP address, and GDPR prevents anyone from seeing who registered solfinesew.pw, but friggin yahoo.com can leave my name, address, email and phone number hanging out in the breeze. Dickweeds.