Spam Botnet Tracked Down to Malicious PHP Script Found on 5,000 Hacked Sites
PHP Script (Malicious) Found on 5,000 Hacked Sites
PHP scripts can be created with any basic text editor or HTML editing tool. Each PHP file must be saved with a .php extension to be recognized as a working PHP script. When the Apache server is configured appropriately, PHP code can also be recognized inside .html files; on a Linux-based web server this can be achieved by adding an extra handler to the .htaccess file.
A malicious PHP script found on over 5,000 compromised websites has been fingered as the source of a large-scale spam campaign that has been silently redirecting users to web pages hosting diet and intelligence boosting pills.
The purpose of this script is to keep hacked sites under the control of a group of cyber-criminals, and manage dynamic redirections to various spam campaigns.
Script is part of “Brain Food” botnet
The script is part of the infrastructure of a voracious spam botnet named “Brain Food.” Spam campaigns pushed by this botnet have been spotted as far back as March 2017, but its operations were dissected last week by Proofpoint researcher Andrew Conway.
Brain Food is a PHP script that we have found on over 5,000 compromised websites over the past four months. Over 2,400 of those have shown activity in the past 7 days. Nearly 40% of the compromised sites are hosted on five platforms.
Brain Food botnet admins operate by sending email spam to victims containing short links to these PHP scripts on various hacked sites.
If a user clicks one of the short links, they land on the PHP script, which redirects them to another hacked site hosting web pages for diet and intelligence-boosting pills, usually carrying fake branding.
The PHP scripts are capable of receiving new “redirection targets” from the Brain Food operators based on the most recent spam campaign they are pushing. The scripts also collect click-through statistics for each campaign.
Over 2,400 sites active in the past seven days alone
Conway says he’s been tracking over 5,000 sites containing copies of these PHP scripts, with the vast majority found on GoDaddy’s network. Over 2,400 were active last week, according to Conway.
The botnet doesn’t seem to be living off specific vulnerabilities on certain CMS platforms. Conway says Brain Food is comprised of hacked sites running on a multitude of platforms, such as WordPress, Joomla, and others.
The script’s code is also polymorphic and obfuscated with multiple layers of base64 encoding. Furthermore, it includes protection against automatic Google indexing, responding to Google’s search crawler with a 404 “page not found” error instead of the redirect.
While the botnet is harmless for end users, pushing only spammy content, it is dangerous for infected sites, mainly because of its backdoor-like capabilities that allow the botnet operators to execute any code they want at any time.
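As an added example (not Proofpoint’s analysis code and not the botnet’s script), a small Python triage helper that peels nested base64_decode() layers from a PHP file and flags the traits described above: eval, a 404 served to Googlebot, and a Location redirect. The embedded PHP sample is constructed here as a stand-in, and the indicator patterns are assumptions about how such a redirector would look, not signatures extracted from Brain Food.

```python
"""Static triage for PHP files suspected of carrying a Brain Food-style redirector.
Added example: peels nested base64_decode() layers and flags the traits the
write-up describes (eval, Googlebot cloaking via 404, Location redirect)."""
import base64
import binascii
import re

# Literal argument of base64_decode('...') or base64_decode("..."); assumed pattern.
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")

def peel_base64_layers(src: str, max_layers: int = 10) -> list[str]:
    """Decode successive layers until no literal base64_decode() call remains."""
    layers = []
    for _ in range(max_layers):
        m = B64_CALL.search(src)
        if not m:
            break
        try:
            raw = base64.b64decode(re.sub(r"\s", "", m.group(1)), validate=True)
        except (binascii.Error, ValueError):
            break  # not real base64; stop rather than guess
        src = raw.decode("utf-8", "replace")
        layers.append(src)
    return layers

def scan_php_source(src: str) -> dict:
    """Indicators collected over the outer file plus every peeled layer."""
    layers = peel_base64_layers(src)
    text = "\n".join([src, *layers])
    cloaks = (re.search(r"HTTP_USER_AGENT", text) is not None
              and re.search(r"googlebot", text, re.I) is not None
              and "404" in text)
    return {
        "base64_layers": len(layers),
        "uses_eval": re.search(r"\beval\s*\(", text) is not None,
        "cloaks_crawler": cloaks,
        "redirects": re.search(r"header\s*\(\s*['\"]Location:", text, re.I) is not None,
    }

def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed stand-in for the decoded core (not the real script), wrapped in
# two eval(base64_decode(...)) layers as the write-up describes.
INNER = ("if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {"
         " header('HTTP/1.0 404 Not Found'); exit; }"
         " header('Location: ' . $target); exit;")
SAMPLE_PHP = "<?php eval(base64_decode('" + _b64(
    "eval(base64_decode('" + _b64(INNER) + "'));") + "'));"
```

Running scan_php_source(SAMPLE_PHP) reports two peeled layers with all four flags set, while a plain file yields zero layers and no flags.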