Today we released version 1.21.1 of our malware scanner ISPProtect. It adds further improvements and new signatures for an even better malware recognition.

With this blog post we want to show you a crypted, let’s say creative, type of malware.
<?php [...] $DremCyDVIcUefCvAGjHsXazHSRhDh='O++8>61K7E4X.-T'^',YNYJSn-B+W,GB:'; $wkFbXIabdiDyMjAIjHrrAPR='3>RU5G966'^'TD;;S+XBS'; $XjREnyTkjZLGhlhLUlJh=':.27EG2P0PD4='^'XOARssm4U3+PX'; $RTJYyVDhRUEnHmoSGksRZlPh = $DremCyDVIcUefCvAGjHsXazHSRhDh('',$wkFbXIabdiDyMjAIjHrrAPR($XjREnyTkjZLGhlhLUlJh(

Looks quite suspicious at first sight, of course. But what does this code do? In fact it is the same as:
<?php [...] $var1 = 'create_function'; $var2 = 'gzinflate'; $var3 = 'base64_decode'; $var4 = $var1('', $var2($var3([....]

But how’s that? This malware makes use of a “feature” inside of PHP. Byteshifting strings (who the hell would need this in normal code?).
See this example:
echo 51^81;
Result of this is 98.

Now the bad part:
echo '34'^'QU';
Result of this is: ba
In fact it is the same as:
echo chr(ord('3') ^ ord('Q')) . chr(ord('4') ^ ord('U'));

Sadly this makes it quite easy hiding malicious code from “normal” scanners that look for something like “base64_decode”, but the ISPProtect heuristic mode is able to find code that is hidden in that way.

New version 1.21.1 – and malware analysis