Today we released version 1.24.7 of ISPProtect. The new version contains new heuristics to recognize further malicious code.

Following we take a closer look at some malicious code snippet.

$a = base64_decode($b);
for($i = 0; $i < strlen($a); $i++){
    $a[$i] = chr(ord($a[$i]) ^ ((41528) % 256));
}
$c = gzinflate(strrev($a));

So what is this code doing? It loads some base64 encoded binary data from a variable ($b). Then it loops over each character of this decoded string and converts it to the desired final character that is needed for later processing with gzinflate.
Before the final string is passed to gzinflate it is reversed. There is absolutely no need to use code like this in non-malicious code. If you see something similar in one of your code files you should investigate it very closely.

New version 1.24.7 released