Malicious PHP-script called Brain Food, is able to add a headache to web developers: it promotes questionable pharmaceutical products through pages hosted on legitimate sites.
The new spam campaign is still quite successful, as it uses a PHP-script, implemented on the sites, well protected from detection.
Over the past four months, Proofpoint specialists found 5,000 compromised sites infected by Malicious PHP-script “Brain Food”. In a blog posted on Friday, the Proofpoint company said that over the past week 2,400 such sites have shown malicious activity.
The Malicious PHP scripts installed on them redirect website visitors to pages advertising diet pills and stimulants.
“This botnet have very compact code , its size is enough to allow operators to easily reconfigure redirects,” says Kevin Epstein, vice president of Proofpoint’s in email-comments for Threatpost.
Experts found that 40% of the hacked sites are hosted by GoDaddy, although there are a lot of them in UnitedLayer, CyrusOne, OVH and DreamHost networks. “Attackers can leave a lot of copies of the PHP script on the site,” researchers warn in the blog. “We also found this script on sites that use different content management systems, including WordPress and Joomla.”
The polymorphic Malicious PHP code injected into the sites, according to Proofpoint, is encoded in base64 and contains many layers of obfuscation, which makes detection and analysis difficult. “The code, recently loaded into the repository of malware, none of the antiviruses has recognized malicious,” – the specialists write.
The algorithm of the malicious code is built so that for the search engines bot and analysts system bot don’t do redirect , while ordinary visitors to the website will be redirected.
Epstein explains in the letter. “In many cases, the delays in the code are enough to ensure that the waiting time for the automated analysis system expires before a potentially malicious redirect is detected.”