Last week, I gave a talk at the RSA Security Conference about. For those who couldn’t attend the conference, I wanted to give you a glimpse into this world to which, until last year, I hadn’t paid much attention. My normal week begins with a quick scan of malware lists — URLs that point to new samples — that come from a variety of public sources. I started noticing an increasing number of non-executable PHP and Perl scripts appearing on those lists and decided to dig a little deeper. Ullathai Allitha Song Download.

In a lot of ways, PHP is an ideal platform for malicious Web pages. For programmers and techies, PHP is easy to learn. Virtually all Web servers run the PHP engine, so there are vast numbers of potential “victims” (though the numbers aren’t anything close to the number of Windows-using potential malware victims). And just like many forms of executable malware that runs on Windows — the type I’m more familiar with — the most successful malicious PHP scripts permit their users (the criminals) to control and manipulate Web servers for their own benefit and, most commonly, profit. How Infections Happen When a Web server becomes “infected” with malicious PHP, it’s not the same as when a Trojan executes on a Windows desktop. The “infection process” involves little more than a criminal breaking and entering a Web server using stolen FTP credentials, dropping off the files in directories accessible from the outside world, and logging out. This can be accomplished manually, one server at a time, but is more commonly done using automated processes that attempt to break into large numbers of servers using stolen (or brute-forced) FTP credentials.

The most simplistic forms of malicious PHP scripts, shown above, simply redirect site visitors to a different page, but can do so dynamically. The code shown here was pushed to a Web server whose owner’s FTP credentials had been stolen. Links to the page then were sent as spam email and instant messages, and people who clicked one of those spammed links ended up redirected to one of three “Canadian Pharmacy” type Web sites selling “pharmaceuticals” — with each visitor redirected, at random, to one of the three URLs embedded in the script. Every few minutes, the malicious script distributor’s automated process would upload a new version of this script, containing different URLs. While that behavior definitely qualifies as malicious, that’s not especially dynamic or even particularly interesting. What really caught my eye were the scripts that offered criminals remote access to the server’s file system, as well as scripts that, when executed, force servers to join botnets. PHP Malware types The most commonly distributed botnet client is a script that its author named Pbot.