PHP.net potentially compromised and redirecting to an exploit kit

October 24, 2013 | Jaime Blasco

This morning we woke up to news indicating that Google was flagging the php.net website as potentially harmful.


You can read more about it at:

http://news.netcraft.com/archives/2013/10/24/php-net-blocked-by-google-false-positive-or-not.html

http://barracudalabs.com/2013/10/php-net-compromise/

We couldn't replicate the behavior, as it seems the webmaster had already modified the files that were producing the malicious redirection.

Anyway, the guys from Barracuda have shared a PCAP file that shows the malicious behavior.

Based on that information we have determined that the attackers were somehow able to inject a malicious iframe into the PHP.net website that redirected visitors to an Exploit Kit.

It seems that, as reported by Google, the Javascript file www.php.net/userprefs.js had some injected obfuscated content appended at the end of the file:

If you deobfuscate the content it leads to:

The content of the file stat.htm is:
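As an added example that is not part of the original post: a small Python heuristic for spotting this kind of appended obfuscated block in a JavaScript file, looking at the tail of the script for a very long line, a high share of hex/percent escapes, and decode-and-write calls. The sample scripts are constructed here and only mimic the shape of the injection, not the real payload.

```python
import re

# Calls that typically appear in injected redirector code (decode, then write an iframe).
SUSPICIOUS_CALLS = [
    r"\beval\s*\(",
    r"\bunescape\s*\(",
    r"String\.fromCharCode",
    r"document\.write\s*\(",
    r"<iframe|%3Ciframe|\\x3ciframe",
]
# \xHH, \uHHHH and %HH escapes: obfuscated strings are made almost entirely of these.
ESCAPE_RE = re.compile(r"(\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2})")

def escape_density(text):
    """Fraction of characters that belong to hex/unicode/percent escape sequences."""
    if not text:
        return 0.0
    escaped = sum(len(m) for m in ESCAPE_RE.findall(text))
    return escaped / len(text)

def analyze_tail(js, tail_lines=5, max_line=400, density_threshold=0.3):
    """Inspect the last few non-blank lines of a script for an appended obfuscated block.

    Returns the indicators found and a 'suspicious' verdict (two or more indicators).
    Thresholds are assumptions chosen for this example, not measured values.
    """
    lines = [l for l in js.splitlines() if l.strip()]
    tail = "\n".join(lines[-tail_lines:])
    indicators = [p for p in SUSPICIOUS_CALLS if re.search(p, tail, re.IGNORECASE)]
    longest = max((len(l) for l in lines[-tail_lines:]), default=0)
    if longest > max_line:
        indicators.append("long_line:%d" % longest)
    density = escape_density(tail)
    if density > density_threshold:
        indicators.append("escape_density:%.2f" % density)
    return {"suspicious": len(indicators) >= 2, "indicators": indicators,
            "escape_density": round(density, 3)}

# Constructed benign preferences helper, standing in for a legitimate userprefs-style script.
CLEAN_JS = """function setPref(name, value) {
    document.cookie = name + "=" + encodeURIComponent(value) + "; path=/";
}
function getPref(name) {
    var m = document.cookie.match(new RegExp("(?:^|; )" + name + "=([^;]*)"));
    return m ? decodeURIComponent(m[1]) : null;
}
"""
# Constructed injection: a percent-encoded string fed to unescape()/document.write().
INJECTED_JS = CLEAN_JS + "document.write(unescape('" + "%3C%69%66%72%61%6D%65" * 30 + "'));\n"
```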

The Javascript code uses a publicly available Javascript library to collect information about browser plugins. Once it has collected the information, it makes a POST request to the server indicating whether the victim has Java and Adobe Acrobat Reader installed on the system:


The server redirects the browser to another server, which performs a further redirection, very likely depending on the plugins detected on the victim:


In the case of the PCAP provided by Barracuda, the server returns HTML code that embeds some Flash content in the browser as well as a new IFRAME:


We have determined that the exploit code present there matches the Exploit Kit known as Magnitude/Popads. In fact, our OTX system flagged that IP address a few days ago as a harmful server because it was serving exploit code.

http://www.alienvault.com/apps/rep_monitor/ip/144.76.192.102/

Using Passive DNS in our systems, we have found several domain names that point to the same IP address and are being used to host versions of the Magnitude Exploit Kit:


The payload delivered by the Exploit Kit, if the exploit is successful, is this one, which as we can see has a low detection ratio by AV engines:


This behavior also matches a report from another user who was seeing similar redirections. In that case the content injected in the PHP.net website was hosted on another domain, but the infection chain was the same:


We will update this blog post as soon as we have more information about this compromise.

Stay safe!

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.