PHP.net flagged for malware by Google, researchers confirm it was no false positive
By Steve Ragan , Staff Writer
October 24, 2013 — CSO — On Thursday, PHP.net was flagged by Google's Safe Browsing for malware. The warning sparked debate among the development and security communities, as the initial reaction claimed Google had triggered a false positive. However, additional research makes that claim seem unlikely.
Researchers at Barracuda Labs were able to confirm that Google's assessment was correct, and provided a pcap (packet capture) file for researchers to examine. Those who examine the file can see the malicious activity start with a suspicious DNS request at packet 158, while packets 177 and 180 show malicious Shockwave (Flash) files being delivered. It's unknown what vulnerabilities the SWF files were targeting.
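The two indicators the article says are visible in the capture, an unexpected DNS request followed by SWF files arriving over HTTP, are the kind of thing a responder checks for by script rather than by eye. The following Python is an added example, not the Barracuda Labs capture or any tool of theirs: it parses the QNAME out of DNS query messages in wire format, splits HTTP responses into headers and body, and flags any body that starts with an SWF signature (FWS, CWS or ZWS, the uncompressed, zlib and LZMA headers), noting when the Content-Type does not match. The packet list, the domain names and the packet numbers (chosen to echo the article's 158, 177 and 180) are all constructed here; the suspect domain is a placeholder.

```python
"""Scan a simplified packet list for the indicators described in the article:
a DNS query to an untrusted name and an HTTP response carrying a Shockwave
Flash (SWF) file.  All packets below are constructed sample data."""
from __future__ import annotations
import struct

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib and LZMA SWF headers


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a DNS A query in wire format (used only to build the sample)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dns_query_name(payload: bytes) -> str:
    """Decode the QNAME of the first question in a DNS message."""
    pos, labels = 12, []  # questions start right after the 12-byte header
    while True:
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; never expected in a query name
            raise ValueError("compressed name in question section")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def http_split(payload: bytes) -> tuple[dict[str, str], bytes]:
    """Split a raw HTTP response into a lowercase header dict and its body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    headers: dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode()
    return headers, body


def scan(packets, trusted_suffixes):
    """Return (packet number, finding) tuples for every suspicious packet."""
    findings = []
    for num, proto, payload in packets:
        if proto == "dns":
            name = dns_query_name(payload)
            if not any(name == s or name.endswith("." + s) for s in trusted_suffixes):
                findings.append((num, f"dns query for untrusted name {name}"))
        elif proto == "http":
            headers, body = http_split(payload)
            if body[:3] in SWF_MAGIC:
                ctype = headers.get("content-type", "")
                note = "swf delivered"
                if "shockwave" not in ctype:  # SWF served as something else
                    note += f" under mismatched content-type {ctype!r}"
                findings.append((num, note))
    return findings


# Constructed sample capture: (packet number, protocol, payload).
# The suspect domain is a placeholder, not a real indicator from the incident.
TRUSTED_SUFFIXES = ("php.net",)
SAMPLE_PACKETS = [
    (157, "dns", build_dns_query("www.php.net")),
    (158, "dns", build_dns_query("cdn.suspect-example.invalid")),
    (177, "http", b"HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\n\r\nCWS\x0a...."),
    (180, "http", b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nFWS\x09...."),
    (181, "http", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...."),
]

if __name__ == "__main__":
    for num, finding in scan(SAMPLE_PACKETS, TRUSTED_SUFFIXES):
        print(f"packet {num}: {finding}")
```

On the sample above the scan reports packets 158, 177 and 180 and ignores the legitimate DNS lookup and the HTML page; the Content-Type mismatch on packet 180 is worth surfacing separately because a Flash file served as an image is a common way to slip a payload past a naive content filter. Reading a real pcap would need a capture library in place of the hand-built tuple list, but the two checks stay the same.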
Speculation has driven the notion that this incident could be related to a watering hole attack, which has become a popular attack method over the last year or so. Many of those contributing to this speculation are referencing an attack earlier this year, where a popular iOS developers forum was compromised, leveraging Zero-Day vulnerabilities in Java to compromise systems used by developers at Apple, Facebook, and Twitter.
During a watering hole attack, an attacker will compromise a domain that's likely to be visited by their selected victims, such as a group of developers or programmers, rather than attempting to attack them directly through phishing or another means. The hope is that eventually, someone from the targeted group will visit the compromised domain — the watering hole — and have their systems compromised.
This style of attack exploits the trust users place in frequented domains. Such attacks are also popular for run-of-the-mill attackers, because the exploited trust allows them to target a wider pool of potential victims, which is one of the reasons exploit kits were created.
The suspect file on PHP.net has been restored, but there is no information available as to how the file was changed. Despite the findings from Barracuda Labs and others who investigated the issue, opinion remains split on the topic, with some remaining doubtful that a problem existed to begin with.