• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
A Puzzling Backdoor Upload

A Puzzling Backdoor Upload

May 3, 2018Douglas SantosEspanolPortugues

13
SHARES
FacebookTwitterSubscribe

After a successful compromise, backdoors are frequently left behind and function as a point of re-entry into the website environment. These malicious pieces of code are a valuable tool for attackers and allow them to bypass any existing access controls into the web server environment.

To demonstrate just how common this malware is, in 2017 we identified that 71% of all compromises seen by Sucuri had a PHP-based backdoor hidden within the site.

The effectiveness of these backdoors often comes from their elusiveness – these files can be difficult to find because they can be very small, don’t need to be linked to a website, and can be easily confused with “normal” code. We often see a variety of different techniques used in backdoors to avoid detection and maintain access to the site for as long as possible.

Obfuscation Through String Rearrangement

During an investigation, we identified a backdoor which utilized a type of obfuscation that could bypass detection tools based on function names and malicious patterns.

In the malware world, string rearrangement is commonly used to create a specific pattern in order to execute arbitrary code. This code is typically based on a set of non-human readable characters.

The malware sample and explanation follows:

string rearrangment in a backdoor

In this case, the base for the rearrangement is located in the variable $PZI and even though it doesn’t make much sense at first, the malicious intent is revealed when checking the variables ($iC, $VgT, $HNR).

We can think of this code as a puzzle, where the attacker carefully put pieces of the variable $PZI{x} (x is the position of the string) together to create the desired combination and execute the malicious code.

After replacing the characters for $PZI{x}, we get the following:

$iC = str_replace
$VgT = base64_decode
$HNR = create_function
$iQ = create_function( “”, base64_decode(str_replace(array(“,”, “\n”), “”, “....”) ) );

The resulting code is a malicious upload script that allows attackers to send arbitrary files to the victim’s website and help them maintain access to the server if the backdoor is not found.

This obfuscation technique would bypass certain automated scanners and other defense mechanisms because it doesn’t use any PHP function, per se.

Mitigating the Risk of Backdoors

Backdoors pose a serious risk to website owners. They provide attackers with remote control of a compromised website while bypassing the usual authentication methods. Even if you change your passwords or update your website, the backdoor will remain and bad actors will continue to have access to your website environment.

For this reason, it’s extremely important to keep all of your software updated, use a file integrity monitoring tool, and maintain regular website backups. If you notice something suspicious on your website, get in touch with us – we can help.

13
SHARES
FacebookTwitterSubscribe

Categories: Security Education, Website Malware Infections, Website SecurityTags: Hacked Websites, Malware Updates, Obfuscation, Website Backdoor

About Douglas Santos

Douglas Santos is Sucuri’s Malware Analyst who joined the company in 2015. Douglas main responsibilities include helping our customers. His professional experience covers 17 of ethical hacking. When Douglas isn’t poking malware code, you might find him doing landscape photography and hacking games. Connect with him on our Twitter.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

2019 Threat Report

The Anatomy of Website Malware Webinar

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2021 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.