In our last post in this series, we took a look at a code snippet that had been encoded in a very specific way — and hidden 91 layers deep.
Today, we’ll reveal how attackers achieve this level of encoding and investigate one of the many possible tools they can use to conceal malware on compromised websites.
Obfuscating Malware: The Basics
There are several tools and obfuscation methods that can be used for concealing code, including IonCube, Zeura, FOPO, and base64, among others. Some are commonly used for malicious purposes, while others are legitimately used to protect trade secrets, minify code to occupy less space, prevent code tampering, meet specific encoding requirements (base64), and other useful applications.
That being said, all of these tools and methods share a common element: they allow code to be obfuscated by transforming it into something else.
Let’s take a look at a tool that was potentially used to hide code from the previous post.
You have an input box for the code you want to hide, and a drop-down selector to select the level of obfuscation.
Levels of Obfuscation
You may be wondering what these levels in the PHP Obfuscator mean. Well, let’s take a look at the code and try to understand what this tool is doing.
$option = htmlspecialchars($_POST['option']); $website = "http://".$_SERVER['HTTP_HOST']; $file_location = $_SERVER['REQUEST_URI']; $all_in_one = $website.$file_location; $uuencode = base64_encode(convert_uuencode($phpcode)); $obfuscate_low_level = strrev(base64_encode(gzdeflate(gzcompress($phpcode)))); $obfuscate_medium_level = strrev(base64_encode(gzdeflate(gzdeflate(gzcompress($phpcode))))); $obfuscate_high_level = strrev(base64_encode(gzdeflate(gzdeflate(gzdeflate(gzcompress(gzcompress($phpcode))))))); $high_level = strrev(base64_encode(gzcompress(gzdeflate(gzcompress(gzdeflate(gzcompress(gzdeflate(gzcompress(gzdeflate(str_rot13($phpcode)))))))))));
The code is pretty straightforward; it’s lengthy, but not complex. It takes the input, compresses it many times using gzdeflate() and gzcompress(), and then base64_encodes it.
The number of times that the inputted code is compressed varies depending on the obfuscation level selected by the user. The higher the level, the more times the code is encoded using the compression functions.
On top of all that compression and base64 encoding, the tool also uses the strrev function to reverse the order of the characters.
In the previous post, we featured a piece of malicious code that looked like this:
return eval('?>'.gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzinflate(gzinflate(gzinflate(gzinflate(gzinflate(gzinflate(gzinflate(gzinflate(base64_decode(strrev(strrev(strrev(strrev(strrev(strrev(strrev($Black_Scorpion))))))))))))))))))))))))))))))))))))))));
Notice any similarities? The PHP obfuscation tool is reversing all of those compression operations.
It may not be exactly the same — it’s possible that a newer or customized version of this tool was used to hide the code from the previous post.
Here is the part responsible for actually printing out the code, after all of the encoding and compression has completed with the selected level of obfuscation.
Obfuscation Methods
Now, let’s try to obfuscate some code with this tool to see how it looks.
We tested each available obfuscation level on echo(‘innocent code’); — here is the output.
Weak Obfuscation
<?php $UeXploiT = "Sy1LzNFQt1dLL7FW10uvKs1Lzs8tKEotLtZIr8rMS8tJLEnVSEosTjUziU9JT\x635PSdUoLikqSi3TUHHMM8iLN64IyMnPDEkN0gQ\x42\x61w\x41\x3d"; $An0n_3xPloiTeR = "Aks9Wguh2Yh+0Pz3OHH6ds6O3b/nOd28AWPxuvX7jj5q"; eval(htmlspecialchars_decode(gzinflate(base64_decode($UeXploiT)))); exit; ?>
Medium Obfuscation
<?php $UeXploiT = "Sy1LzNFQt1dLL7FW10uvKs1Lzs8tKEotLtZIr8rMS8tJLElFYiUlFqe\x61m\x63Snp\x43\x62np6RqFJ\x63UF\x61WW\x61\x61g45hnkxRtX\x42OTkZ4\x61k\x42mm\x43gTU\x41"; $An0n_3xPloiTeR = "=AQy2bB6GajF6T/Mf7cco3xq7cv9f60ZzDY9E7+etPOmr+v3AESA"; eval(htmlspecialchars_decode(gzinflate(base64_decode($UeXploiT)))); exit; ?>
Strong Obfuscation
<?php $UeXploiT = "Sy1LzNFQKyzNL7G2V0svsYYw9dKrSvOS83MLilKLizXQOJl5\x61TmJJ\x61lYWUmJx\x61lmJvEpq\x63n5K\x61k\x61xSVFR\x61llGiqOeQZ58\x63YV\x41Tn5mSGpQZpQY\x410\x41"; $An0n_3xPloiTeR = "O6A25DQy2bB6GajF6T/Mf7cco3xq7cv9f60ZzDY9E7+etPOmryJe/jNAnEw/TDALB8vzAETA"; eval(htmlspecialchars_decode(gzinflate(base64_decode($UeXploiT)))); exit; ?>
High Level Obfuscation
<?php $UeXploiT = "Sy1LzNFQKyzNL7G2V0svsYYw9YpLiuKL8ksMjTXSqzLz0nISS1K\x42rNK85Pz\x63gqLU4mLq\x43\x43\x63lFqe\x61m\x63Snp\x43\x62np6Rq\x41O0sSi3TUHHMM8iLN64IyMnPDEkN0kQ\x431g\x41\x3d"; $An0n_3xPloiTeR = "\x3d8YIZUI\x41FQLt6OP/tY9n9Ern\x43lRmlmr\x61LV4SFO\x6334RF\x2b99yFPe7\x2b\x42T2VwqfXveZ2D4OGVkx/\x62ZYVsF05MY\x41j/n6wpMqDi97/YDGdjxJe"; eval(htmlspecialchars_decode(gzinflate(base64_decode($UeXploiT)))); exit; ?>
An experienced malware investigator will immediately identify this output to be suspicious in nature, and locating any code like this on a website might warrant further investigation. In this example we created, however, the original code is benign and not malicious in the slightest.
Conclusion
Not all hidden code is malicious—and not all tools used to obfuscate code have malicious intentions. That being said, obfuscation can be used for either innocent or malicious purposes.
Most websites are now built using open source software (CMS platforms and their extensions), which rarely have obfuscated code. Every time you find some encrypted code, it’s a good practice to investigate why it is there and if was a part of the original package.
You should now have a better understanding of the methods hackers use to try to conceal their malicious code on the websites they attack.
If you believe you have detected obfuscated malware or other suspicious code on your website and need a hand cleaning it up, we can help.
