Worst “trojan” ever

While idly browsing pastebin (yes, sometimes I do that), I found something interesting. It’s some mildly obfuscated PHP scripted malware. Curious what it might do, I started reverse engineering it and found what must be the worst coded trojan ever.

Before I get into that abomination some might actually call code, a summary:

It “features” a file upload facility and attempts to hijack Google search traffic to the infected host. Prerequisite: the infected site has to run some kind of CMS with “clean URLs”, because the malware script only hooks itself to non-existent URLs (i.e. paths not present on the host’s file system). For the hijack to work, the visiting client also needs to send the Referer HTTP header.

Once the “trojan” has been uploaded, it needs to be called with the query parameter q=alcobro to initialize itself, upon which it creates (or appends to) an .htaccess file in the script’s directory, adding a rewrite rule that routes all non-existent URLs to itself. Calling such a URL then yields a page stitched together from Google search result snippets for the keywords contained in the URL, sprinkled with images from Google Images.

When called with that query parameter, the script also connects to a website and reports itself. The site to connect to is stored Base64-encoded in a file called xml.cgi. The pastebin snippet reports back to mydiaryusa.net (URI: /other/logdomain.php?q=<infected.tld>).

Using an HTTP POST with the POST variable name set to an apparent “admin” credential (the script only holds its MD5 hash, 42a3f0678d1bbb517272142f5b3df3cd), the site to connect to can be altered and the upload facility triggered. The latter two take GET parameters, though…

Now our trojan is sitting there snugly, waiting for incoming requests referred by Google Search. It transmits the referring URL, the client’s IP address, User-Agent and search keyword(s) to its control server, upon which it may or may not obtain a URL to redirect the client to. I’d bet vital parts of my reproductive system that this URL points to pr0n or penile elongation advertisements.
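To make the indicators from the summary above concrete, here is an added triage script (my own example, not the pastebin code): it decodes the Base64 control host from every .log/<host>/xml.cgi under a webroot and scans an Apache combined-format access log for the q=alcobro initialisation call and for Google-referred hits on paths that don’t exist on disk yet were answered with 200, which is exactly what the rewrite rule hands to the script. The webroot layout, the log lines and the hostname example.org are constructed for the demo; only the xml.cgi file name, its Base64 payload and the q=alcobro trigger come from the write-up.

```python
"""Triage helpers for the pastebin "trojan" described above.

Added example, not the malware's own code. The webroot layout, the log lines and
the hostname example.org are constructed for the demo; the xml.cgi file name,
its Base64 payload and the q=alcobro trigger are the indicators from the write-up.
"""
import base64
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
GOOGLE_SEARCH_RE = re.compile(r'^https?://(www\.)?google\.[a-z.]+/(search|url)\b', re.I)

# Constructed access-log sample (IPs from the documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2011:13:55:36 +0200] "GET /index.php?q=alcobro HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2011:14:02:01 +0200] "GET /cheap-watches HTTP/1.1" 200 4321 "http://www.google.com/search?q=cheap+watches" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Oct/2011:14:03:12 +0200] "GET /about.html HTTP/1.1" 200 890 "http://www.google.com/search?q=about" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2011:14:04:44 +0200] "GET /nothing-here HTTP/1.1" 404 210 "-" "curl/7.21"',
]


def decode_control_host(blob):
    """xml.cgi holds the reporting host Base64-encoded; return it as text."""
    return base64.b64decode(blob.strip()).decode('ascii', errors='replace')


def find_markers(webroot):
    """Map every .log/<host>/xml.cgi below webroot to its decoded control host."""
    root = Path(webroot)
    return {m.relative_to(root).as_posix(): decode_control_host(m.read_text())
            for m in root.glob('**/.log/*/xml.cgi')}


def google_keywords(referer):
    """Search terms the malware keys on, or None if the referer is not a Google search."""
    if not GOOGLE_SEARCH_RE.match(referer):
        return None
    q = parse_qs(urlsplit(referer).query).get('q')
    return q[0] if q else ''


def scan_log(lines, webroot):
    """Flag the two request patterns from the write-up:
    ('init', ip, request)            the q=alcobro initialisation call
    ('hijack', ip, path, keywords)   a Google-referred 200 for a path that is not on disk,
                                     i.e. one the rewrite rule handed to the script
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip('\n'))
        if not m:
            continue
        url = urlsplit(m['path'])
        if parse_qs(url.query).get('q') == ['alcobro']:
            hits.append(('init', m['ip'], m['path']))
            continue
        keywords = google_keywords(m['referer'])
        on_disk = (Path(webroot) / url.path.lstrip('/')).exists()
        if keywords is not None and m['status'] == '200' and not on_disk:
            hits.append(('hijack', m['ip'], url.path, keywords))
    return hits


def build_sample_webroot():
    """Constructed infected webroot with the layout the write-up describes."""
    root = Path(tempfile.mkdtemp(prefix='alcobro-'))
    (root / 'index.php').write_text('<?php // front controller\n')
    (root / 'about.html').write_text('<html>about</html>\n')
    marker_dir = root / '.log' / 'example.org'
    marker_dir.mkdir(parents=True)
    (marker_dir / 'xml.cgi').write_text('bXlkaWFyeXVzYS5uZXQ=')  # base64("mydiaryusa.net"), from the snippet
    return root


def triage(webroot=None, log_lines=SAMPLE_LOG):
    """Run both checks; with no webroot given, use the constructed sample."""
    root = build_sample_webroot() if webroot is None else Path(webroot)
    return {'markers': find_markers(root), 'hits': scan_log(log_lines, root)}


if __name__ == '__main__':
    for key, value in triage().items():
        print(key, value)
```

On a real host you would call triage() with the actual document root and the lines of its access log; the “hijack” heuristic will also catch legitimate CMS clean-URL traffic, so treat it as a lead to be confirmed by the xml.cgi marker and the .htaccess rewrite rule rather than as proof on its own.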

Teh codez

Only someone with a profound determination to avoid every commonly known programming technique (such as DRY) could have devised this monstrosity. There are useless assignments and inconclusive logic all over the place. Take this for example:

$hostname = preg_replace('/^www\./', '', $_SERVER['HTTP_HOST']);   // client-sent Host header, minus a leading "www."
@chmod('.log/', 0777);
@mkdir('.log/' . $hostname);
@chmod('.log/' . $hostname, 0777);
$fileName = '.log/' . $hostname . '/xml.cgi';

if (@fopen($fileName, 'r')) {                                  // "does it exist?" done by opening it; the handle is never closed
    $fp = fopen('.log/' . $hostname . '/xml.cgi', 'w+');       // the very path already sitting in $fileName, spelled out again
    fwrite($fp, 'bXlkaWFyeXVzYS5uZXQ=');                        // base64("mydiaryusa.net")
}

Magic. $fileName is assigned a value and then not used where the file is actually opened for writing; its only use is in the if condition, where it should have been passed to file_exists() rather than fopen() (which also leaks a read handle). And worst of all: it uses HTTP_HOST. Not only here, but all over the script. A client-chosen hostname, stripped of nothing but a leading “www.”, goes straight into a filesystem path. The genius creator must have missed my previous post.

Also, I like the function generatePage(), which takes an argument carefully constructed in servePage() only to ignore it. Speaking of servePage(), here it is:

function servePage($pageName)
{
    $hostname = preg_replace('/^www\./', '', $_SERVER['HTTP_HOST']);
    // cache path glued together from the Host header, the page name and a raw GET parameter
    $cacheFile = ".log/$hostname/$pageName.html$_GET[page]";

    if (@file_exists($cacheFile))
        return @file_get_contents($cacheFile);

    $unusedParameter = str_replace('-', ' ', $pageName);
    $unusedParameter = str_replace('+', ' ', $pageName);   // overwrites the line above; the '-' replacement is lost
    $generatedPage = generatePage($unusedParameter);       // generatePage() ignores its argument anyway

    $fp = @fopen($cacheFile, 'w');
    @fwrite($fp, $generatedPage);

    // sic!
    return $generatedPage;
    $_87 = file_get_contents($cacheFile);                  // unreachable
}

Here’s HTTP_HOST again, but this time at least we’re using file_exists(). Go figure. Note that $_GET[page] is glued onto the cache file name just as unchecked as the hostname. Also, to distract the reader and throw him/her totally off guard, the hax0r devised the two consecutive str_replace() calls, the second of which simply overwrites the result of the first. This is pure genius at its best.
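The write-up doesn’t pursue it, but since HTTP_HOST and $_GET[page] go straight into $cacheFile, a practitioner will want to see what that path construction actually accepts. The following added example (mine, not the malware’s code) mirrors servePage()’s path building in Python and puts a confined variant next to it; the hostnames, page names, the “.log” base directory and the whitelists are constructed inputs.

```python
"""Mirror of the cache-file path built in servePage() above, next to a confined variant.

Added example, not the malware's code. The inputs, the ".log" base directory and
the whitelists are constructed; the PHP concatenates HTTP_HOST, the page name and
$_GET['page'] with nothing more than a leading "www." stripped.
"""
import os
import re

# Strict hostname whitelist: dotted labels of [a-z0-9-], 2+ letter TLD, no single-label hosts.
HOSTNAME_RE = re.compile(
    r'^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$')
# Page names as the rewrite rule would hand them over: one path component, no separators.
PAGE_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9_+-]{0,127}$')


def malware_cache_rel(http_host, page_name, page_param=''):
    """Relative path exactly as servePage() builds it (minus the ".log/" prefix)."""
    hostname = re.sub(r'^www\.', '', http_host)
    return f"{hostname}/{page_name}.html{page_param}"


def resolves_outside(base, relpath):
    """True if base/relpath, after lexical normalisation, no longer lies under base."""
    base = os.path.abspath(base)
    target = os.path.abspath(os.path.join(base, relpath))
    return os.path.commonpath([base, target]) != base


def safe_cache_path(base, http_host, page_name):
    """Confined variant: whitelist both components, then re-check the joined path."""
    hostname = re.sub(r'^www\.', '', http_host.lower())
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"refusing Host header {http_host!r}")
    if not PAGE_RE.match(page_name):
        raise ValueError(f"refusing page name {page_name!r}")
    rel = os.path.join(hostname, page_name + '.html')
    if resolves_outside(base, rel):  # cannot trigger after the whitelists; kept as a tripwire
        raise ValueError("cache path escapes base directory")
    return os.path.join(base, rel)


if __name__ == '__main__':
    # Constructed inputs: a normal request, a hostile Host header, a hostile page parameter.
    for host, page, param in [('www.example.org', 'cheap-watches', ''),
                              ('../../tmp', 'cheap-watches', ''),
                              ('www.example.org', 'cheap-watches', '/../../../etc/passwd')]:
        rel = malware_cache_rel(host, page, param)
        print(f"{rel!r:55} escapes .log: {resolves_outside('.log', rel)}")
```

Whether a web server will actually pass a Host header like the second one through to PHP depends on its configuration, so treat the first two hostile cases as what the code permits, not as a claim about any particular deployment; the point of the confined variant is that validating the pieces before joining them makes the final commonpath check redundant rather than load-bearing.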

Obviously, the variable, function and class names are my creations to make the code more readable. Enjoy the rest if you dare.