Php.net compromised to serve malware

Posted by   Virus Bulletin on   Oct 25, 2013

Researchers initially believed Google warning was a false positive.

For a few days this week, the popular php.net website was serving malware to some of its visitors and was doing so in a stealthy way that initially confused researchers.

There may be thousands and possibly millions of malicious websites on the Internet, but when you want to, it isn't always trivial to get infected by a compromised site that is spreading malware.

Attackers apply a number of methods to avoid their drive-by downloads being detected by security researchers and bots scanning the web for vulnerabilities. They also tend to avoid serving the malware twice to the same IP address: because a lot of malware authors get paid through affiliate schemes for the number of machines they infect, there is little point in them trying to serve the malware to the same address more than once.

We saw yesterday that this actually matters in practice, after Google had started flagging php.net as malicious. The official website for the web programming language PHP not only hosts a vast amount of documentation, it also serves the PHP source code.

Many researchers were not able to replicate the issue and it was believed that it was a false positive at first. However, someone posting on the Hacker News website did claim that they had been served a malicious JavaScript file - and they posted the contents. When Barracuda helpfully posted a pcap file that recorded another visit to php.net on its blog, it turned out that Google had been right all along.

Interestingly, the JavaScript from the two sources is different: both are heavily obfuscated pieces of the same code that injects an iframe into the website. By not using the same piece of code, the attackers made it harder for the compromise to be blocked through a signature.

It also shows that the attackers didn't simply modify the contents of a static file, as php.net initially thought, but managed to compromise the web server itself. This confusion is understandable though: web-based malware can be rather stealthy.

The injected iframe served what, according to Kaspersky's Fabio Assolini, was the 'Magnitude' exploit kit. The exploit kit was being served through subdomains of a number of related UK websites that probably had their DNS compromised; the domains all pointed to servers in Moldova.

It is unclear how many users have been infected, but in an updated statement, php.net says that the site had been serving malware for several days. One might expect that most of those who visit a site about a programming language would have their browser running the latest security patches - but given its top 250 place in Alexa's ranking, there will undoubtedly have been many visitors who did not, and who got themselves infected through the visit.

The site says it has now found two servers that were compromised and has solved the issue, although it is still not clear how the initial compromise took place. We hope that once the php.net team find out, they will share this information with the community. Thankfully, the attackers did not make any changes to the actual PHP source code.

A full write-up of the story, including some quotes by me, can be found at Ars Technica here. Trustwave's Ryan Barnett wrote a detailed analysis of the infection on the SpiderLabs blog here.

Posted on 25 October 2013 by Martijn Grooten

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

Red Eyes threat group targets North Korean defectors

A research paper by AhnLab researcher Minseok Cha looks at the activities of the Red Eyes threat group (also known as Group 123 and APT 37), whose targets include North Korean defectors, as well as journalists and human rights defenders focused on…

VB announces Threat Intelligence Summit to take place during VB2018

We are very excited to announce a special summit, as part of VB2018, that will be dedicated to all aspects of threat intelligence.

VB2018 Small Talk: An industry approach for unwanted software criteria and clean requirements

An industry approach for defining and detecting unwanted software to be presented and discussed at the Virus Bulletin conference.

VB2018 call for last-minute papers opened

The call for last-minute papers for VB2018 is now open. Submit before 2 September to have your abstract considered for one of the nine slots reserved for 'hot' research.

VB2017 paper and update: Browser attack points still abused by banking trojans

At VB2017, ESET researchers Peter Kálnai and Michal Poslušný looked at how banking malware interacts with browsers. Today we publish their paper, share the video of their presentation, and also publish a guest blog post from Peter, in which he…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.