While idly browsing [pastebin][1] (yes, sometimes I do that), I found [something interesting][2]. It’s some mildly obfuscated PHP scripted malware. Curious what it might do, I started reverse engineering it and found what must be the *worst coded trojan **ever.***
[1]: http://pastebin.com/
[2]: http://pastebin.com/7HU17uqA
Before I get into that abomination some might actually call code, a summary:
It “features” a file uploading facility and attempts to hijack Google search results for the infected host. Prerequisite: the infected site has to run some kind of CMS that features “clean URLs”, as the malware script hooks itself solely to non-existent URLs (i.e. paths not present on the host’s filesystem). For it to work, the visiting client also needs to transmit the `Referer` HTTP header.
Once the “trojan” has been uploaded, it needs to be called with the query parameter `q=alcobro` to initialize, upon which it creates or appends to an `.htaccess` file in the script’s directory, adding a rewrite rule that routes all *non-existent* URLs to itself. Calling these URLs then results in a page made up of words from Google search results for the keywords contained in the URLs, sprinkled with images from Google Images.
Given the aforementioned query parameter, the script also connects to a website and reports itself. The site to connect to is stored Base64 encoded in a file called `xml.cgi`. The pastebin snippet reports back to `mydiaryusa.net` (URI: `/other/logdomain.php?q=
Using HTTP POST, with the POST variable `name` set to an apparent “admin” user (whose MD5 hash is `42a3f0678d1bbb517272142f5b3df3cd`), the site to connect to can be altered and the upload facility triggered. The latter two want GET parameters, though…
Now our trojan is sitting there snug and tug waiting for incoming requests referred by Google Search. It will now transmit the URL referred from, the client’s IP address, User-Agent and search keyword(s) to its control server upon which it may or may not obtain a URL to redirect the client to. I’d bet vital parts of my reproductive system, that this URL contains pr0n or penile elongation advertisements.
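The two on-disk artefacts described above, the Base64-encoded callback host in `.log/<hostname>/xml.cgi` and a catch-all rewrite of non-existent URLs to a single PHP file, are what an administrator would hunt for on a suspect host. The scanner below is an added example, not code from this post or from the malware; the exact shape of the `.htaccess` rule, the `victim.example` hostname and the `uploads/trojan.php` path are assumptions, and the one value taken from the post is the encoded `mydiaryusa.net`.

```python
import base64
import re
import tempfile
from pathlib import Path

# Assumed shape of the rule the script adds (the post does not quote it): "if the requested file
# does not exist, rewrite every path to one PHP file". Normal CMS clean-URL rules look the same.
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{REQUEST_FILENAME\}\s+!-f", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+?\.php)", re.I)
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)  # what a decoded xml.cgi should look like

def decode_callback_host(data: bytes):  # Base64 of a plausible domain -> hostname, else None
    try:
        text = base64.b64decode(data.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if HOST_RE.match(text) else None

def catchall_rewrite_targets(htaccess_text, allowed=("index.php",)):
    """PHP targets of 'file does not exist' catch-all rules, minus the CMS front controller."""
    hits, conds = [], []
    for line in htaccess_text.splitlines():
        if COND_RE.match(line):
            conds.append(line)
            continue
        m = RULE_RE.match(line)
        if m and conds and m.group(1).lstrip("/") not in allowed:
            hits.append(m.group(1).lstrip("/"))
        if not re.match(r"^\s*RewriteCond\b", line, re.I):
            conds = []  # RewriteCond lines only guard the RewriteRule that follows them
    return hits

def scan_webroot(root):  # report both on-disk artefacts the post describes
    root, findings = Path(root), []
    for p in root.rglob("*"):
        if p.name == "xml.cgi" and p.parent.parent.name == ".log":
            host = decode_callback_host(p.read_bytes())
            if host:
                findings.append(f"{p.relative_to(root)}: callback host {host}")
        elif p.name == ".htaccess":
            for t in catchall_rewrite_targets(p.read_text(errors="replace")):
                findings.append(f"{p.relative_to(root)}: catch-all rewrite to {t}")
    return findings

def build_sample_webroot():  # constructed sample; the trojan file name is a placeholder
    root = Path(tempfile.mkdtemp())
    (root / ".log" / "victim.example").mkdir(parents=True)
    (root / ".log" / "victim.example" / "xml.cgi").write_bytes(b"bXlkaWFyeXVzYS5uZXQ=")
    (root / ".htaccess").write_text(
        "RewriteCond %{REQUEST_FILENAME} !-f\nRewriteRule ^(.*)$ /index.php [L]\n"  # CMS's own rule
        "RewriteCond %{REQUEST_FILENAME} !-f\nRewriteRule . /uploads/trojan.php [L]\n")  # hijack
    return root
```

The `allowed` tuple matters: a CMS with clean URLs legitimately routes missing paths to its front controller, so only rewrites to some other PHP file are reported.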
Teh codez
=====
Only someone with a profound determination to avoid every commonly known programming technique (such as DRY) could have devised this monstrosity. There are useless assignments and inconclusive logic all over the place. Take this for example:
```php
$hostname = preg_replace('/^www\./', '', $_SERVER['HTTP_HOST']);
@mkdir('.log/');
@chmod('.log/', 0777);
@mkdir('.log/' . $hostname);
@chmod('.log/' . $hostname, 0777);
$fileName = '.log/' . $hostname . '/xml.cgi';
if (@fopen($fileName, 'r')) // opens a handle just to test existence; never closed
{
}
else
{
    $fp = fopen('.log/' . $hostname . '/xml.cgi', 'w+'); // same path as $fileName, rebuilt by hand
    fwrite($fp, 'bXlkaWFyeXVzYS5uZXQ='); // mydiaryusa.net
    fclose($fp);
}
```
Magic. `$fileName` is assigned a value and not used in line 56. It’s only used in line 51 where it should have been passed to `file_exists()` rather than `fopen()`. And worst of it all: *it uses `HTTP_HOST`*. Not only here, though. All *over* the script. The genius creator must have missed [my previous post](http://perfect-co.de/2011/02/why-http_host-is-evil/).
Also, I like the function `generatePage()` which takes an argument carefully constructed in function `servePage()` only to discard and ignore it. Speaking of `servePage()`. Here it is:
```php
function servePage($pageName)
{
    $hostname = preg_replace('/^www\./', '', $_SERVER['HTTP_HOST']);
    $cacheFile = ".log/$hostname/$pageName.html$_GET[page]";
    if (@file_exists($cacheFile))
        return @file_get_contents($cacheFile);
    $unusedParameter = str_replace('-', ' ', $pageName);
    $unusedParameter = str_replace('+', ' ', $pageName); // overwrites the previous line's result
    $generatedPage = generatePage($unusedParameter);
    $fp = @fopen($cacheFile, 'w');
    @fwrite($fp, $generatedPage);
    @fclose($fp);
    // sic!
    return $generatedPage;
    $_87 = file_get_contents($cacheFile); // unreachable
}
```
Here’s `HTTP_HOST` again. But this time at least, we’re using `file_exists()`. Go figure. Also, to distract the reader and throw them totally off guard, the hax0r devised lines 377 and 378. This is pure genius at its best.
It’s obvious that variable, function and class names are my creations to make the code more readable. Enjoy the rest if you dare.