This morning we woke up with news indicating that Google was flagging the php.net website as potentialy harmful.
_11.13.01.png)
You can read more information on:
- http://news.netcraft.com/archives/2013/10/24/php-net-blocked-by-google-false-positive-or-not.html
We couldn't replicate the behavior as it seem the webmaster modified the files that were producing the malicious redirection.
Anyway the guys from Barracuda have shared a PCAP file that shows the malicious behavior.
Based on that information we have determined that somehow the attackers were able to inject a malicious iframe in the PHP.net website that was redirecting to an Exploit Kit.
It seems that as reported by Google the Javascript file www.php.net/userprefs.js had some injected obfuscated content at the end of the file:
_11.19.57.png)
If you deofuscate the content it leads to:
_11.24.12.png)
The content of the file stat.htm is:
_11.27.25.png)
The Javascript code use a publicly available Javascript library to collect information about browser plugins. Once it has collected the information it makes a POST request to the server indicating if the victim has Java and Adobe Acrobat Reader installed in the system:
_11.35.10.png)
The server redirects the browser to a server that makes another redirection very likely depending on the plugins detected on the victim:
_11.36.54.png)
In the case of the PCAP provided by Barracuda the server is returning HTML code that is embedding some Flash content in the browser as well as a new IFRAME:
_11.39.14.png)
_11.44.27.png)
We have determined that the exploit code present there matches with the Exploit Kit known as Magnitude/Popads. In fact out OTX system flagged that IP address a few days ago as a harmul server due to the serving of Exploit Code.
As we can see in our systems using Passive DNS we have found several domain names that are pointing to the same IP address and are being use to host versions of the Magnitude Exploit Kit:
_11.51.55.png)
The payload delivered by the Exploit Kit if it is successfull is this one that as we see it has a low detection ratio by AV engines:
_11.55.53.png)
This behavior also matches with a report from other user that was seeing similar redirections in this case the content injected in the PHP.net website was hosted in other domain but the infection chain was the same:
_11.46.55.png)
We will update this blog post as soon as we have more information about this compromise.
Stay safe!
