New PHP Malware Source Available for Analysis

After about a month of running my Glastopf honeypot, I've started getting some hits.

You can take a look at the files I've collected (including deobfuscated code) over at my malware analysis site.

One thing which stands out to me in some of the malware is that it intentionally hides from being cached by search engines using the following code:

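// Only run the check when the client sent a User-Agent header
if(!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        // Crawlers are told the page does not exist, so it is never indexed or cached
        header('HTTP/1.0 404 Not Found');
    }
}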
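
The check above leaves a trace on the server side: in the access log, the same path answers 404 to crawler user agents and 200 to everyone else. The following is an added example, not code from the original post or the collected samples, that flags such paths in combined-format access logs; the log lines, IP addresses and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Crawler substrings taken from the sample's $userAgents array (case-insensitive)
CRAWLER_RE = re.compile(r"Google|Slurp|MSNBot|ia_archiver|Yandex|Rambler", re.I)

# Apache/nginx "combined" log format
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (documentation IP ranges, hypothetical paths)
TS = "[01/Jan/2024:10:00:00 +0000]"
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
YANDEX = "Mozilla/5.0 (compatible; YandexBot/3.0)"
SAMPLE_LOG = [
    f'192.0.2.10 - - {TS} "GET /images/cache.php HTTP/1.1" 200 5120 "-" "{BROWSER}"',
    f'198.51.100.7 - - {TS} "GET /images/cache.php HTTP/1.1" 404 162 "-" "{GOOGLEBOT}"',
    f'198.51.100.8 - - {TS} "GET /images/cache.php HTTP/1.1" 404 162 "-" "{YANDEX}"',
    f'192.0.2.11 - - {TS} "GET /missing.html HTTP/1.1" 404 162 "-" "{BROWSER}"',
    f'198.51.100.7 - - {TS} "GET /missing.html HTTP/1.1" 404 162 "-" "{GOOGLEBOT}"',
    f'192.0.2.10 - - {TS} "GET /index.php HTTP/1.1" 200 2048 "-" "{BROWSER}"',
    f'198.51.100.7 - - {TS} "GET /index.php HTTP/1.1" 200 2048 "-" "{GOOGLEBOT}"',
]

def find_cloaked_paths(lines):
    """Return paths that answer 404 to every crawler hit but 200 to other clients."""
    seen = defaultdict(lambda: {"crawler": set(), "other": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        kind = "crawler" if CRAWLER_RE.search(m["ua"]) else "other"
        seen[m["path"]][kind].add(int(m["status"]))
    # A path that is 404 for everyone is simply missing; a cloaked one
    # is 404 only for crawlers while ordinary clients get content.
    return sorted(
        path for path, s in seen.items()
        if s["crawler"] == {404} and 200 in s["other"]
    )

if __name__ == "__main__":
    print(find_cloaked_paths(SAMPLE_LOG))
```
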

See something else worth discussing? Post it here!
