We recently discovered malware that carries a list of IP ranges belonging to search engines and serves SEO spam to them. It even takes a snapshot of the website it’s on and uses that as a template, so the spam pages look like part of the website.
You can see some of the IP addresses the malware is looking for:
Here are some of the types of content being injected into the template page:
The left-side.php file contains the template taken from the main site the malware is on:
As you can see, the malware uses special strings found in the template to know where to insert the spam. The last part is a base64-encoded URL that leads to this spam (Viagra) website: hxxp://getbrowserssl[dot]xyz/tds/index.php?pl=aldactone
hxxp://thewebsite[dot]com/right-side.php?qid=2395&qcall=aldactone+mtf
This type of malware has the potential to do some lasting damage to any website, as spam pages are indexed by search engines, which can take weeks or months to drop. Page ranking and keywords might take even longer to fix, if at all.
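The two traits described above, a list of search-engine IP ranges and a base64-encoded URL, can be checked for together when reviewing PHP files on a site. The following is an added example, not code from the malware or from the original post. It assumes both traits appear as quoted string literals; the sample input, the threshold and all names are constructed for illustration.

```python
import base64
import binascii
import re

# Quoted literals made only of base64 characters, long enough to hold a URL.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")
# Quoted IPv4 prefixes, addresses or CIDR blocks, e.g. '192.0.2.' or '203.0.113.0/24'.
# Version strings such as '1.2.3' also match, hence the combined check below.
IP_LITERAL = re.compile(r"""["'](\d{1,3}(?:\.\d{1,3}){1,3}\.?(?:/\d{1,2})?)["']""")
IP_LIST_THRESHOLD = 3  # assumption: this many IP literals in one file merits review


def decoded_urls(source):
    """Return URLs hidden inside base64 string literals of a PHP source string."""
    urls = []
    for literal in B64_LITERAL.findall(source):
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or does not decode to text
        if text.lower().startswith(("http://", "https://")):
            urls.append(text)
    return urls


def scan_php(source):
    """Report both indicators for one file; flag it only when they occur together."""
    ips = IP_LITERAL.findall(source)
    urls = decoded_urls(source)
    return {
        "ip_literals": ips,
        "hidden_urls": urls,
        "suspicious": bool(urls) and len(ips) >= IP_LIST_THRESHOLD,
    }


# Constructed sample: documentation IP ranges and a placeholder URL, not real indicators.
_ENCODED = base64.b64encode(b"http://spam.example/tds/index.php?pl=test").decode()
SAMPLE_PHP = (
    "<?php\n"
    "$ranges = array('192.0.2.', '198.51.100.', '203.0.113.0/24');\n"
    "$target = base64_decode('" + _ENCODED + "');\n"
)

if __name__ == "__main__":
    print(scan_php(SAMPLE_PHP))
```

A hit is a reason to review the file by hand, not a verdict: legitimate plugins also embed IP allowlists and encoded strings.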