Researchers at security firm Proofpoint have spent the past few months tracking the explosive growth of a botnet they dub "Brain Food," named for its use of bogus brain supplement and diet pills to lure in phishing victims.
According to its report, Proofpoint has discovered more than 5,000 infected websites while investigating Brain Food’s four-month spread, and notes that over 2,400 of them have been active within the past seven days.
Brain Food’s quick growth is likely due to how good it is at hiding itself, its ability to adapt to changes, and the backdoor it gives attackers into the web servers it infects, the report said. All in all, Brain Food is a dangerous piece of PHP script that web developers, systems administrators, and users all need to watch out for.
How Brain Food works
Like many phishing campaigns, Brain Food uses fake landing pages to trick users into providing information like their name, address, credit card numbers, and other potentially identifying information to the attackers.
Brain Food executes its task by sending fake emails that are little more than a barely customized greeting and a link, obfuscated through Bit.ly or Goo.gl, that redirects to stolen web servers hosting spoofed landing pages, the report noted.
What Proofpoint didn’t say was how Brain Food is spreading from web server to web server, though its research did find that 40% of Brain Food infections are limited to five web hosting providers.
Regardless of how it’s infecting web servers, the PHP script that operates Brain Food is a lot trickier than the average email spam bot.
Brain Food’s PHP script uses polymorphic code to change itself each time it’s run, and it’s also obfuscated behind multiple layers of base64 encoding, the report said. On top of that, antivirus repositories don’t flag it at all, meaning there isn’t a single antivirus platform available that will recognize it.
The script also hides itself when being crawled by forcing redirects to legitimate websites, and it contains code indicating that its command and control server can make changes on the fly by changing landing pages and blacklisting URLs. It’s also built to cloak itself locally, which Proofpoint found renders it invisible to Google.
Lastly, Brain Food gives its controller backdoor access to run shell code on infected web servers if PHP system commands are enabled. Threatpost pointed out that most web servers have PHP system commands disabled, and that Proofpoint doesn’t believe that feature of Brain Food is being used.
Determining if you’ve been infected by Brain Food
Users aren’t infected by Brain Food so much as they’re phished by it, so there is little to tell them beyond watching out for suspicious emails and avoiding diet and brain supplement pills from anyone but trusted online vendors.
Administrators, on the other hand, can keep an eye out for IP addresses 91.236.116[.]14 and 145.239.1[.]13, the two command and control servers discovered by Proofpoint. The domains used by those two servers are prostodomen1[.]com, thptlienson[.]com, hostcommets[.]com, and sentacomra[.]com.
If you’ve found traces of those IPs or domains on your web server, you’re likely infected by Brain Food and should consider a full wipe and restore. If not, be on the safe side and blacklist those domains and IP addresses now.
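A plain text search for these indicators can miss them if they sit inside the script's base64 layers. The following is an added example, not code from Proofpoint or the original article: a Python check that looks for the published indicators in log lines or file contents and also inside nested base64 strings. That the indicators appear verbatim under those layers is an assumption; `find_iocs`, `MAX_LAYERS` and the sample inputs are constructed for illustration.

```python
import base64
import binascii
import re

# Indicators as published in the article (defanged); refanged only for matching.
DEFANGED = ["91.236.116[.]14", "145.239.1[.]13", "prostodomen1[.]com",
            "thptlienson[.]com", "hostcommets[.]com", "sentacomra[.]com"]
IOCS = [d.replace("[.]", ".") for d in DEFANGED]
# Reject matches embedded in a longer number or hostname label
# (191.236.116.14 and 91.236.116.145 must not match); subdomains still match.
IOC_RE = re.compile(r"(?<![A-Za-z0-9-])(" + "|".join(map(re.escape, IOCS))
                    + r")(?![A-Za-z0-9-])", re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # candidate base64 runs
MAX_LAYERS = 8  # assumption: depth cap that bounds the work per file


def find_iocs(text, layer=0):
    """Return {(indicator, layer)}; layer counts base64 decodes needed to see it."""
    hits = {(m.group(1).lower(), layer) for m in IOC_RE.finditer(text)}
    if layer < MAX_LAYERS:
        for blob in B64_RE.findall(text):
            try:
                decoded = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, ignore
            # latin-1 maps every byte, so binary output is still searched
            hits |= find_iocs(decoded.decode("latin-1"), layer + 1)
    return hits


def constructed_sample():
    """Constructed input (not real malware): an indicator under two base64 layers."""
    text = "$u = 'http://" + IOCS[4] + "/constructed-path';"
    for _ in range(2):
        text = 'eval(base64_decode("%s"));' % base64.b64encode(text.encode()).decode()
    return "<?php " + text + " ?>"


if __name__ == "__main__":
    # Constructed access-log line plus the constructed PHP sample above.
    log = IOCS[0] + ' - - [01/Jan/2018:00:00:00 +0000] "POST /x.php HTTP/1.1" 200 12'
    for name, data in (("access.log", log), ("sample.php", constructed_sample())):
        for ioc, depth in sorted(find_iocs(data)):
            print(f"{name}: {ioc} (base64 layers: {depth})")
```

To use it on a server, read each PHP file or log under the web root as text and pass the contents to `find_iocs`; any non-empty result is a file to examine.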
The big takeaways for tech leaders:
- A PHP script dubbed Brain Food has infected over 5,000 web servers in the past four months. Brain Food is a phishing platform that tries to trick users into buying bogus brain supplements in order to steal personal info.
- Brain Food is well equipped to avoid detection and react to changes in its environment. Web administrators should look for signs of infection like C&C IP addresses, and users should be advised to not click on suspicious emails.