PHP.Kryptik.AB – Give me your FTP!

One could think a PHP Developer is free from viruses and malware – and be wrong. Meet PHP.Kryptik.AB – the PHP malware. If you already know this bastard – high five! But if you don’t – be prepared!

What does it do?

Basically the story starts with a standard desktop trojan which (I suppose) attacks popular FTP clients that store FTP login credentials unencrypted. It then sends the harvested credentials to a remote host which (under cover of night) logs into the FTP servers and infects PHP-based web pages by injecting a piece of JavaScript code that gets executed when a user visits the site.

The injected code consists of many empty lines followed by a start mark and is terminated with an end mark.

/* Lot of new lines */
#0247a1# /* Start mark */
/* echo of injected code */
#/0247a1# /* End mark */

The echoed part is ridiculously indented, so it can hardly be spotted if you scan the code too quickly. It echoes the mentioned piece of JS code, which consists of an IFRAME-creation part and a big array filled with integers that gets iterated over and appended to the output. As a result an IFRAME referencing external resources is created, forcing a download to the user’s machine through the browser – so it’s a type of XSS attack. I didn’t manage to check what’s inside the downloaded resource, since I was worried about two other effects of this attack.

When the download failed (i.e. the referenced resource was missing), Firefox showed a connection reset, making the website useless. The other sad repercussion was landing on Google’s Safe Browsing list as a site containing malicious software. That implies something more than a regular connection reset: modern browsers display what I call the Red Screen of Death.

And that’s a page killer that should be removed immediately. Luckily, Google is quite helpful when it comes to resolving this type of issue, through the Google WebDeveloper service.

Infected files

Most of the infected files are related to rendering the page – I found the code injected in files with names like:

  • *index.php
  • *page.php
  • *header.php
  • *login.php
  • *footer.php

I don’t know whether it attacks other extensions too. The code can be found somewhere around the HTML body tags (opening or closing). The most important point here is that it infects every matching file it can reach, regardless of whether it’s your own software or a Wiki / WordPress installation. So the more files you have under the same FTP directory, the more get infected.

In the case of WordPress, all template header and footer files were infected. In my case about 66 files out of 54k were infected.

Getting out of trouble

If your FTP account has already been infected, change your FTP password. This should cut off the attacker’s path to further modifications. This step is crucial, since there are known cases of hosting providers that use exactly the same password for FTP and hosting control panel access. That’s a big security issue, so if your hosting provider has such a password policy, change it immediately after detecting the malware.

Secondly, update your software. By updating I mean overwriting each file that could have been infected. Your software vendor’s update mechanism won’t help you here, since most of them are selective by design and would (if at all) overwrite only the files contained in the update package. The infection is much more painful when it affects an FTP server holding many projects that share the same login credentials.

To handle that case, run a purging script on the server, or, if that’s not possible, download all the FTP contents, run the purging script locally and upload the files back to the server. Since I had to solve the problem that way, I wrote the script and you can get the Gist from GitHub.
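The following is an added example of such a purging script, written for this page and not the author’s Gist. It implements the two things a cleaner for this infection needs, as described above: it recognises the injected unit (the run of blank lines, the #0247a1# start mark, the indented echo, the #/0247a1# end mark) and strips it from every file whose name matches the list in "Infected files", and before stripping it decodes the integer array into the IFRAME markup so the incident log records where the IFRAME pointed without ever executing the JavaScript. The marker strings and file-name patterns are the ones quoted on this page; the infected sample page, its example.invalid host and the wp-content tree built by demo() are constructed for the demonstration.

```python
"""Find and strip the marker-delimited injection described in the post.

Added example (not the author's Gist).  The markers and file-name patterns
are the ones quoted in the post; the infected sample page below is
constructed for the demo.
"""
import fnmatch
import os
import re
import tempfile
from typing import List, Tuple

START_MARK = "#0247a1#"
END_MARK = "#/0247a1#"

# File names the post reports as infected (fnmatch-style globs).
TARGET_PATTERNS = ["*index.php", "*page.php", "*header.php",
                   "*login.php", "*footer.php"]

# One injected unit: the padding run of blank lines, the start mark, the
# (deeply indented) echo of the script, the end mark.  Non-greedy, so two
# injections in one file are two separate matches.
BLOCK_RE = re.compile(
    r"(?:\r?\n)*[ \t]*" + re.escape(START_MARK)
    + r".*?" + re.escape(END_MARK) + r"[ \t]*(?:\r?\n)?",
    re.DOTALL,
)

# The integer array the injected JS turns into markup one character at a time.
INT_ARRAY_RE = re.compile(r"\[\s*(\d+(?:\s*,\s*\d+)+)\s*\]")


def strip_injection(text: str) -> Tuple[str, int]:
    """Return (cleaned text, number of blocks removed).  One newline is kept
    where the block was, so the surrounding markup is not glued together."""
    return BLOCK_RE.subn("\n", text)


def decode_payload(text: str) -> str:
    """Decode the first injected block's integer array for the incident log:
    this yields the IFRAME markup (and its host) without running the JS."""
    block = BLOCK_RE.search(text)
    if not block:
        return ""
    arr = INT_ARRAY_RE.search(block.group(0))
    if not arr:
        return ""
    return "".join(chr(int(v)) for v in arr.group(1).split(","))


def clean_tree(root: str, dry_run: bool = False) -> List[Tuple[str, str]]:
    """Walk a downloaded FTP tree, clean every matching infected file in place
    (unless dry_run) and return [(path, decoded payload), ...]."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not any(fnmatch.fnmatch(name, p) for p in TARGET_PATTERNS):
                continue
            path = os.path.join(dirpath, name)
            # newline="" keeps the file's own line endings intact
            with open(path, encoding="utf-8", errors="surrogateescape",
                      newline="") as f:
                text = f.read()
            if not BLOCK_RE.search(text):
                continue
            hits.append((path, decode_payload(text)))
            if not dry_run:
                cleaned, _ = strip_injection(text)
                with open(path, "w", encoding="utf-8",
                          errors="surrogateescape", newline="") as f:
                    f.write(cleaned)
    return hits


# --- constructed sample for the demo ----------------------------------------
DECODED_SAMPLE = '<iframe src="http://example.invalid/"></iframe>'  # constructed
SAMPLE_CLEAN = "<html><body>\n<p>Hello</p>\n</body></html>\n"
SAMPLE_INFECTED = (
    "<html><body>\n<p>Hello</p>\n"
    + "\n" * 40                                   # the padding run of blank lines
    + START_MARK + "\n"
    + " " * 60 + "<?php echo '<script>var a=["   # the ridiculously indented echo
    + ",".join(str(ord(c)) for c in DECODED_SAMPLE)
    + "];/* decode-and-write loop omitted in this sample */</script>'; ?>\n"
    + END_MARK + "\n"
    + "</body></html>\n"
)


def demo() -> Tuple[List[Tuple[str, str]], str]:
    """Build a small WordPress-like tree (constructed), clean it, and return
    (hits with paths relative to the tree, header.php contents afterwards)."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "demo")
        os.makedirs(theme)
        for name in ("header.php", "functions.php"):  # only header.php matches
            with open(os.path.join(theme, name), "w", newline="") as f:
                f.write(SAMPLE_INFECTED)
        hits = clean_tree(root)
        with open(os.path.join(theme, "header.php"), newline="") as f:
            header_after = f.read()
    return [(os.path.relpath(p, root), payload) for p, payload in hits], header_after


if __name__ == "__main__":
    for path, payload in demo()[0]:
        print(f"cleaned {path}: payload decoded to {payload!r}")
```

Run it with dry_run=True first over the downloaded copy to get the list of hits and decoded hosts for your report, keep that copy as a backup, then run it for real and upload the cleaned tree. The pattern list deliberately mirrors the names observed on this page; widen it (or drop the name filter entirely) if your own tree shows the markers elsewhere.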

How to protect against it?

Write down and remember:

  1. Download and use software from trusted sources
  2. Secondly, use anti-virus protection – many people asking for solutions to this problem mentioned that their AV software was able to detect the trojan
  3. Do not store your FTP login credentials unencrypted (some of the most popular free FTP clients store those passwords as plain text, which makes them a great target)

As always when it comes to security, caution is advised. I once heard a nice quote about using passwords:

A good password is used once and then forgotten

That’s why I’ve started using password management software such as KeePass to store all my unique passwords, which are randomly generated and look like:

@)b%;{5?>:PMM:x5IbmIDaZ?!=<w&Vc?XT[XLs;cq[Efe$PJwRT4h=)T^u7H*]1!72ieDSCTlU^Sq2"a>m'7l,6<MqmmJ2Y[t`14EG#:BpI9X)W7;"drCza[M@fGTGG=

Yes, it may be called paranoid, but that’s what security is all about. And remember – they are watching.

About Grzegorz Godlewski

Senior Software Developer – graduate of the Wroclaw University of Technology in Poland (MSc Eng.). Currently working for SMT Software as a PHP / C# Backend Developer.