Billion Homepage

Originally found by avast! antivirus, a regular user reported the problem on the avast! forums here.

Yesterday, urlQuery reported 2 evals. The first one is the important one, so let's start there. CleanMX has the evidence in hex.

Billion Exploit In Hex

Which deobfuscates to something like this:
Billion Exploit Base 1 Decoded

That deobfuscates to this:

Billion Exploit Base 2 Decoded

That can be simplified like this:
Billion Exploit Base 3 Decoded

Now that we have a good, clean view of the malware at hand, we see that it checks the document referrer, i.e. how the visitor reached this site. If the referrer is a major search engine, it creates a cookie and redirects the user. Scanning the URL at VirusTotal returns nothing, but URLVoid reports issues with it. This also tells us that sites hosted on the IP 66.199.231.59 should be considered suspicious.
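As an added example (not code from the post or from any of the tools it mentions): a small Python helper that peels the hex and percent escape layers the post walks through by hand and then flags the referrer check, cookie and redirect behaviour in the decoded result. The obfuscated sample is constructed here; the redirect target and the search-engine list are assumptions.

```python
import re

# Constructed sample (not the real injected script, which the post shows only
# as images): a plaintext referrer check, wrapped in a hex-escaped eval, wrapped
# again in a percent-encoded unescape(). The redirect target is a placeholder.
PLAIN = ('if(/google|bing|yahoo/i.test(document.referrer)){'
         'document.cookie="seen=1";location.href="http://placeholder.invalid/"}')
LAYER1 = 'eval("' + ''.join('\\x%02x' % ord(c) for c in PLAIN) + '")'
SAMPLE = 'eval(unescape("' + ''.join('%%%02x' % ord(c) for c in LAYER1) + '"))'

# \xNN, \uNNNN and %NN escapes, the encodings used by hex-packed injects.
HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')

def decode_layer(text):
    """Replace every escape sequence in text with the character it encodes."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2) or m.group(3), 16))
    return HEX_ESCAPE.sub(repl, text)

def deobfuscate(text, max_rounds=10):
    """Peel escape layers until the text stops changing; returns (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = decode_layer(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds

# Behaviour the post describes: eval, a document.referrer test against search
# engines, a cookie being set, and a redirect.
INDICATORS = {
    'eval': re.compile(r'\beval\s*\('),
    'referrer check': re.compile(r'document\.referrer'),
    'search-engine match': re.compile(r'google|bing|yahoo', re.I),
    'cookie set': re.compile(r'document\.cookie\s*='),
    'redirect': re.compile(r'(?:window\.)?location(?:\.href)?\s*='),
}

def find_indicators(text):
    """Names of the indicators present in text, sorted for stable output."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def analyse(script):
    """Deobfuscate script and report (decoded text, layers peeled, indicators)."""
    decoded, rounds = deobfuscate(script)
    return decoded, rounds, find_indicators(decoded)

if __name__ == '__main__':
    decoded, rounds, hits = analyse(SAMPLE)
    print(f'{rounds} layer(s) peeled; indicators: {hits}')
    print(decoded)
```

The percent and hex decoders are deliberately naive (one escape pass per round), so each round corresponds to one of the decoding steps shown in the post's screenshots.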

The site is now under maintenance to remove the malicious content. They should also update their Apache software: the latest release is 2.4.2 while they are running 1.3.37.

Keep your software up to date,
~!Donovan
