This morning I've read this in the AlienVault blog: "Google was flagging the php.net website as potentially harmful".

This is really interesting because php.net is, according to Alexa, the 228th most visited site in the world, so malware served from it could reach millions of computers.

Currently we can't analyze the php.net website because the page which was hosting the malicious code has been removed, but the guys from Barracuda have published a PCAP file taken from a computer which visited this website and was infected.

If we upload the PCAP file to VirusTotal we can see the URLs which were visited by the infected computer in the "File details" section. You can see the report of this PCAP file here:




We can see that the www.php.net website was visited. If we open the PCAP file with Wireshark and use "Follow TCP Stream" on the request for www.php.net/userprefs.js, we can see the script with the obfuscated code in the picture below. (This malicious code has been removed from the website.)


The guys from AlienVault have decoded the script and published the picture below with the deobfuscated code. We can see that the php.net site contained an IFRAME with a 10x10px size which redirects the connection to another website.


If we follow in Wireshark the link contained in the IFRAME in the picture above, we can see how the code tries to gather information about the computer. It wants to know whether the browser has the Java or Adobe Reader plugins installed and enabled.


The next URL the computer is redirected to is /PluginDetect_All.js. In the payload of this connection we can see that the hackers are using PluginDetect in order to detect the browser plugins.


In the PCAP file we can see how the computer sends a POST request telling the website whether it has the Java or Adobe Reader plugin enabled. Then, the web browser is redirected again.


The connection is redirected again to another site...


...where there is another iframe...


...to this site...


...which is the last site visited before a malicious executable is detected.

The next URL which was visited is marked in bold in VirusTotal. This means that the files that were downloaded are categorized as malware by some antivirus engines.


If we click on the SHA256 link...


...we can see that these executables are categorized as malicious.


Now, the computer is infected. The first network connection that the malware makes is to a website hosting a JavaScript file that detects the computer's location.



If we check the next network connections, we can see a lot of them going over port 16471/UDP. This port is usually used by the ZeroAccess Trojan. At the bottom of this post you will find links to other posts with analysis of this Trojan.
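
One way to check a capture for the 16471/UDP pattern described above, added here as an example and not part of the original post or of any tool it mentions: a standard-library Python reader for classic (non-pcapng) Ethernet pcap files that lists hosts sending to several distinct peers on that port. The function names, the `min_peers` threshold and the sample capture with documentation-range addresses are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

ZA_PORT = 16471  # UDP port this post associates with ZeroAccess traffic

def udp_fanout(pcap, port=ZA_PORT):
    """Map each source IP to the set of peers it sent UDP datagrams to on `port`."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap capture")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    peers, off = defaultdict(set), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated frame or not IPv4
        ihl = (frame[14] & 0x0F) * 4
        frag = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        if frame[23] != 17 or frag or ihl < 20 or len(frame) < 14 + ihl + 8:
            continue  # not UDP, a later fragment, or malformed/truncated
        dport = struct.unpack("!H", frame[16 + ihl:18 + ihl])[0]
        if dport == port:
            src, dst = frame[26:30], frame[30:34]
            peers[".".join(map(str, src))].add(".".join(map(str, dst)))
    return dict(peers)

def suspects(pcap, min_peers=3):
    """Hosts that contacted at least `min_peers` distinct peers on the port."""
    return sorted(h for h, p in udp_fanout(pcap).items() if len(p) >= min_peers)

# --- constructed sample capture (documentation-range addresses, not real traffic) ---
def _frame(src, dst, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", 40000, dport, 8, 0)

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE = _pcap([_frame((192, 0, 2, 10), (198, 51, 100, i), ZA_PORT) for i in range(1, 5)]
               + [_frame((192, 0, 2, 20), (203, 0, 113, 53), 53),
                  _frame((192, 0, 2, 30), (198, 51, 100, 9), ZA_PORT)])

if __name__ == "__main__":
    print(suspects(SAMPLE))
```

To run it against a real capture, pass the file's bytes, for example `suspects(open("capture.pcap", "rb").read())`, where the file name is a placeholder.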


If we look at the Snort alerts, we can see the security events detected by this IDS. We can see that it has detected the ZeroAccess Trojan and other interesting events.


CONCLUSION

If we trust the PCAP file that Barracuda offers us, we can tell that www.php.net was compromised. The hackers uploaded a JavaScript file to this site which redirects to another one where there was a web plugin detector. Depending on which browser plugins are enabled on the computer, the website could redirect you to a Java or Adobe Reader exploit. Then, after exploiting the vulnerability, a trojan that seems to be the ZeroAccess trojan is downloaded and installed. It seems that this trojan is focused on click fraud.


You can learn more about the ZeroAccess Trojan here:

http://www.behindthefirewalls.com/2013/06/zeroaccess-trojan-network-analysis-part.html

http://www.behindthefirewalls.com/2013/06/zeroaccess-network-analysis-part-ii.html

http://www.behindthefirewalls.com/2013/06/detecting-zeroaccess-in-your-network.html

http://www.behindthefirewalls.com/2013/04/trying-avoid-callbacks-to-botnet-using.html


Great info:

http://www.alienvault.com/open-threat-exchange/blog/phpnet-potentially-compromised-and-redirecting-to-an-exploit-kit

http://news.netcraft.com/archives/2013/10/24/php-net-blocked-by-google-false-positive-or-not.html

http://barracudalabs.com/2013/10/php-net-compromise/

http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf