This morning I've read this in the AlientVault blog: "Google was flagging the php.net website as potentialy harmful".
It is really interesting because if you can spread malware from php.net which according to Alexa, php.net is the 228th most visited site in the world, you will be able to infect to millions of computers.
Currently we can't analyze the php.net website because the page which was hosting the malicious code has been removed, but the guys from Barracuda have published a PCAP file taken from a computer which visited this website and was infected.
If we upload the PCAP file to VirusTotal we can see the URLs which were visited by the infected computer in the "File details" section. You can see the report of this PCAP file here:
We can see that the www.php.net website was visited. If we open the PCAP file with Wireshark and we look at the "Follow TCP Stream" of the petition www.php.net/userprefs.js we can see the script with the obfuscated code in the picture below. (This malicious code has been removed from the website)
The guys from Alienvault have decoded the script. Here they have published the picture below with the code de-ofuscated. We can see an IFRAME with a 10x10px size which redirects the connection to another website was able in the php.net site.
If we research with Wireshark the link contained in the IFRAME in the picture above, we can see how the code is trying to get the information about the computer. It wants to know if the browser has the Java or AdobeReader plugins installed and enabled.
The next URL where the computer is redirected is /PluginDetect_All.js. In the payload of this connection we can see that the hackers are using PluginDetect in order to detect the browser plugins.
In the PCAP file we can see how the computer send a POST connection telling to the website if it has the Java or AdobeReader plugin enabled. Then, the web browser is redirected again.
The connection is redirected again to other site...
...where there are another iframe...
..which is the last site visited before to detect a malicious executable.
The next URL which was visited is marked in bold in VirusTotal. This means that the files that were downloaded are categorized as malware by some antivirus engines.
If we click in the sha256 link...
...we can see that this executables are categorized as malicious.
If we check the next network connections, we can see a lot of them creating connections by 16471/UDP port. This port is usually used by the ZeroAccess Trojan. At the bottom of this post you will find the links which redirects you to other Post talking about some analysis of this Trojan.
If we look at the Snort alerts, we can see the security events detected by this IDS. We can see that it has detected the ZeroAcces Trojan and other interesting events.
You can learn more about ZeroAccess Trojan here: