PHP.net compromised and used to attack visitors

siljaline · Oct 25, 2013

Visitors to the official website for the PHP programming language over the past couple of days might have had their computers infected with malware.

Hackers managed to inject malicious JavaScript code into a file on the php.net site called userprefs.js. The code made requests to a third-party website that scanned visitors' browsers for vulnerable plug-ins and executed exploits that, if successful, installed a piece of malware, said Daniel Peck, a research scientist at Barracuda Networks.
Click to expand...

http://www.networkworld.com/news/2013/102513-phpnet-compromised-and-used-to-275241.html • http://www.cso.com.au/article/530058/php_net_compromised_used_attack_visitors/

ronjor · Oct 25, 2013

PHP.net maintainers to reset user passwords, change SSL certificate

By Lucian Constantin | IDG News Service

The compromise extended to two servers, the PHP Group said
Click to expand...

http://www.infoworld.com/d/security...-user-passwords-change-ssl-certificate-229562

siljaline · Oct 25, 2013

Google Blocks PHP.net – Claims it Serves Malware
http://www.infosecurity-magazine.com/view/35261/google-blocks-phpnet-claims-it-serves-malware/

harsha_mic · Oct 26, 2013

More info from Blaze's Security Blog - http://bartblaze.blogspot.com/2013/10/phpnet-compromised.html

At the end -
- You can see md5 of the samples, and quick look in virustotal gives an idea what antivirus programs blocks the payload with sign...
- Prevention measures for Firefox/Chrome -- Use noscript/notscript, i guess it prevents redirecting to malicious servers by blocking the execution of userprefs.js ( can anyone confirm? )

Thanks, Harsha.

siljaline · Oct 26, 2013

We are continuing to work through the repercussions of the php.net malware issue described in a news post earlier today. As part of this, the php.net systems team have audited every server operated by php.net, and have found that two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net. The method by which these servers were compromised is unknown at this time.

All affected services have been migrated off those servers. We have verified that our Git repository was not compromised, and it remains in read only mode as services are brought back up in full.
Click to expand...

http://php.net/archive/2013.php#id2013-10-24-2

Dermot7 · Dec 18, 2013

On October 24, adversaries hacked php.net and deployed an exploit kit, which served five different malware types. While the attack received extensive coverage, little is known about the malware and the stories behind them.

As you may be aware, “little known” is a state that irks the experts in Seculert’s Research Lab. So, we decided to dig deeper — and our efforts have revealed something rather strange and disturbing about one of the malware types, which we have dubbed “DGA.Changer”.
Click to expand...

http://www.seculert.com/blog/2013/12/dga-changer-malware-changing-seed-to-evade-sandbox.html

siljaline · Dec 19, 2013

*Thanks @ Dermot7
Unique malware evades sandboxes
http://www.cso.com.au/article/534661/unique_malware_evades_sandboxes/

Malware utilized in the attack last month on the developers' site PHP.net used a unique approach to avoid detection, a security expert says.

On Wednesday, security vendor Seculert reported finding that one of five malware types used in the attack had a unique cloaking property for evading sandboxes. The company called the malware DGA.Changer.
Click to expand...

Baserk · Dec 19, 2013

siljaline said:

Unique malware evades sandboxes
Click to expand...

According to the Seculert researcher;

What Seculert found unique was how the malware could receive a command from a C&C server to change the seed of the software's domain generation algorithm. The DGA periodically generates a large number of domain names as potential communication points to the C&C server, thereby making it difficult for researchers and law enforcement to find the right domain and possibly shutdown the botnet.

"What the attackers behind DGA did is basically change the algorithm on the fly, so they can tell the malware to create a new stream of domains automatically," Raff told CSOonline.

When the malware generates the same list of domains, it can be detected in the sandbox where security technology will isolate suspicious files. However, changing the algorithm on demand means that the malware won't be identified.

"This is a new capability that didn't exist before," Raff said. "This capability allows the attacker to bypass sandbox technology."
Click to expand...

The security technology inside the sandbox is failing in isolating suspicious files and thus the sandbox technology is bypassed.
That hardly warrants the description of malware 'bypassing sandbox technology'.
More like; 'Klutz security technology won't prevent suspicious files from leaving the sandbox technology if you tell it to allow all files deemed 'Not bad' by Klutz'.

Log in or Sign up

PHP.net compromised and used to attack visitors

siljaline Registered Member

ronjor Global Moderator

siljaline Registered Member

harsha_mic Registered Member

siljaline Registered Member

Dermot7 Registered Member

siljaline Registered Member

Baserk Registered Member

Log in or Sign up

PHP.net compromised and used to attack visitors

siljaline Registered Member

ronjor Global Moderator

siljaline Registered Member

harsha_mic Registered Member

siljaline Registered Member

Dermot7 Registered Member

siljaline Registered Member

Baserk Registered Member

Useful Searches