Stealth Code for New Mutation of PHP Bot Infector

Tuesday, February 21, 2012

Brent Huston


Recently, I found another new mutation of a PHP bot infector, with zero percent detection by anti-virus software. Anti-security tool code was included as well.

For those interested, you can view this link to see that the total number of anti-virus detections was 0.

However, when I decoded the PHP backdoor, I got 17 anti-virus hits on it. It seems the engines keyed on remnants of the c99 backdoor code, a fairly old PHP backdoor trojan.

This raises the question of evasion techniques and how effective anti-virus applications really are at code de-obfuscation.

For example, if you want a currently effective AV evasion technique in PHP, it comes down to this simple line of code:

  • (gzinflate(str_rot13(base64_decode($code))));

There’s the cash money key in terms of evading most, if not all, current anti-virus tools.

However, if you have a process that runs grep against your files looking for base64_decode and alerts you to new occurrences, you'll get visibility into this one and many, many others like it. Base64 encoding is still a very popular call in PHP attack and compromise tools.
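As an added example (not code from the original post or its author), the Python script below implements the two things described above: a grep-style sweep of PHP source for base64_decode and the other calls in the chain, and the de-obfuscation step that exposes the payload anti-virus engines actually recognise. It assumes the encoded blob is assigned to a variable named `$code`, as in the line quoted above, and relies on the fact that PHP's gzinflate() consumes raw DEFLATE data with no zlib header. The sample PHP file and its payload are constructed for this example.

```python
"""Spot and peel the base64 -> rot13 -> gzinflate wrapper used by PHP backdoors.

Added example, not code from the original post or its author. It implements
the two things the post describes: a grep-style sweep of PHP source for
base64_decode (and the other calls in the chain), and the de-obfuscation step
that exposes the payload anti-virus engines actually recognise.
Assumption: the encoded blob is assigned to a variable named $code, as in the
line quoted in the post. The sample file and payload below are constructed.
"""
import base64
import codecs
import re
import zlib

# Calls that, chained together, are characteristic of PHP obfuscation wrappers.
# The post's control greps for base64_decode alone; the rest are added here so a
# full chain stands out from a lone, possibly legitimate, base64_decode().
SUSPICIOUS_CALLS = ("base64_decode", "str_rot13", "gzinflate", "gzuncompress", "eval")
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(", re.IGNORECASE)


def scan_php_source(source: str):
    """Return (line number, call name) pairs, the way `grep -n` would report them."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            hits.append((lineno, m.group(1).lower()))
    return hits


def php_gzdeflate(data: bytes) -> bytes:
    """PHP gzdeflate(): raw DEFLATE, no zlib or gzip header."""
    c = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def php_gzinflate(data: bytes) -> bytes:
    """PHP gzinflate(): inflate raw DEFLATE data."""
    return zlib.decompress(data, -zlib.MAX_WBITS)


def php_str_rot13(data: bytes) -> bytes:
    """PHP str_rot13() works on bytes and shifts only ASCII letters; everything
    else passes through unchanged, so a latin-1 round trip keeps bytes intact."""
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")


def obfuscate(plain: str) -> str:
    """Build the $code blob consumed by gzinflate(str_rot13(base64_decode($code))).
    Used here only to construct the sample file for the detector below."""
    return base64.b64encode(php_str_rot13(php_gzdeflate(plain.encode()))).decode()


def deobfuscate(code: str) -> str:
    """Peel one layer in the order the PHP chain applies it: base64, rot13, inflate."""
    return php_gzinflate(php_str_rot13(base64.b64decode(code))).decode()


def extract_and_decode(source: str):
    """Find the blob assigned to $code and return the decoded text for AV scanning."""
    m = re.search(r"\$code\s*=\s*['\"]([A-Za-z0-9+/=]+)['\"]", source)
    return deobfuscate(m.group(1)) if m else None


# Constructed, harmless stand-in for whatever payload the real infector carries.
HIDDEN_PAYLOAD = "<?php echo 'constructed placeholder payload'; ?>"

# Constructed PHP file in the shape the post describes; the call chain is the
# page's, the variable contents are ours.
SAMPLE_PHP = (
    "<?php\n"
    "$code = '" + obfuscate(HIDDEN_PAYLOAD) + "';\n"
    "$decoded = gzinflate(str_rot13(base64_decode($code)));\n"
)

if __name__ == "__main__":
    for lineno, name in scan_php_source(SAMPLE_PHP):
        print(f"line {lineno}: {name}()")
    print("decoded payload:", extract_and_decode(SAMPLE_PHP))
```

Run against a directory of PHP files, the sweep output is what you would diff against yesterday's run to alert on new occurrences; the decoded text from extract_and_decode() is what you hand to the scanner, which is the step that turned zero detections into 17 in the post.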

Here are some examples of this specific trivial control — here, and here. Now you have a real-life example of how it pays off. So simple, yet so effective at detecting these slippery backdoors.

Finding specific, nuanced controls that pay off against specific threats to your assets is a key way to better security. It's a win, all around!

Cross-posted from State of Security
