Sucuri Blog

Website Security News


Down the Malware Rabbit Hole: Part II

November 18, 2019Cesar Anjos


In our last post in this series, we took a look at a code snippet that had been encoded in a very specific way — and hidden 91 layers deep.

Today, we’ll reveal how attackers achieve this level of encoding and investigate one of the many possible tools they can use to conceal malware on compromised websites.

Obfuscating Malware: The Basics

There are several tools and methods for concealing code, including commercial encoders such as IonCube, Zeura and FOPO, and plain encodings such as base64. Some are mostly seen in malicious use, while others have legitimate purposes: protecting trade secrets, minifying code so it occupies less space, deterring tampering, meeting a transport requirement (base64 for binary data), and other useful applications.

That being said, all of these tools and methods share a common element: they allow code to be obfuscated by transforming it into something else.

Let’s take a look at a tool that was potentially used to hide code from the previous post.

PHP Obfuscation Tool

The tool has an input box for the code you want to hide and a drop-down selector for the level of obfuscation.

[Screenshot: the tool's input form, with the level selector showing "Weak Obfuscation"]

Levels of Obfuscation

You may be wondering what these levels in the PHP Obfuscator mean. Well, let’s take a look at the code and try to understand what this tool is doing.

// Excerpt from the obfuscator. $phpcode holds the submitted source; its
// assignment (the form field) is not part of this excerpt.
$option = htmlspecialchars($_POST['option']);      // the selected obfuscation level
$website = "http://".$_SERVER['HTTP_HOST'];        // these three only build the
$file_location = $_SERVER['REQUEST_URI'];          // tool's own URL; they play
$all_in_one = $website.$file_location;             // no part in the encoding

// Alternative encoding offered by the tool: uuencode, then base64.
$uuencode = base64_encode(convert_uuencode($phpcode));

// The levels: zlib (gzcompress) and raw DEFLATE (gzdeflate) applied repeatedly,
// then base64, then the whole string reversed. The innermost call runs first.
$obfuscate_low_level = strrev(base64_encode(gzdeflate(gzcompress($phpcode))));
$obfuscate_medium_level = strrev(base64_encode(gzdeflate(gzdeflate(gzcompress($phpcode)))));
$obfuscate_high_level = strrev(base64_encode(gzdeflate(gzdeflate(gzdeflate(gzcompress(gzcompress($phpcode)))))));
// The highest level adds str_rot13 innermost and alternates the two compressors four times.
$high_level = strrev(base64_encode(gzcompress(gzdeflate(gzcompress(gzdeflate(gzcompress(gzdeflate(gzcompress(gzdeflate(str_rot13($phpcode)))))))))));

The code is straightforward; it is lengthy, but not complex. It takes the input, runs it through gzcompress() (a zlib stream) and gzdeflate() (raw DEFLATE) several times, base64-encodes the result, and finally reverses the whole string with strrev().

The number of compression rounds depends on the level the user selects: the higher the level, the more rounds. Note that the extra rounds do not make the output any smaller (already-compressed data does not compress again); their only purpose is to add layers that an analyst has to peel off. None of this is encryption either: every step is a standard, keyless, reversible transform, so the original source can always be recovered by applying the inverse functions in reverse order.

In the previous post, we featured a piece of malicious code that looked like this:

return eval('?>'.gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzuncompress(gzinflate(gzinflate(gzinflate(gzinflate(gzinflate(gzinflate(gzinflate(gzinflate(base64_decode(strrev(strrev(strrev(strrev(strrev(strrev(strrev($Black_Scorpion))))))))))))))))))))))))))))))))))))))));

Notice the similarities? The malware's loader runs the inverse of each step the tool performs, in reverse order: gzuncompress() undoes gzcompress(), gzinflate() undoes gzdeflate(), base64_decode() undoes base64_encode(), and strrev() undoes itself (an odd number of strrev() calls, seven here, amounts to a single reversal).

The chain is far longer than any of the four levels shown, so it does not match this exact build. It is likely that a newer or customized version of this tool, or another tool built on the same idea, was used to hide the code from the previous post.
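As an added example (my own code, not the obfuscator's and not from the original post), here are the four level chains transcribed to Python, followed by a decoder that recovers the source from a blob like the one above without being told which chain, or how many layers, produced it. It searches the inverse operations depth-first and never executes what it decodes, so it is safe to run on real samples. The PHP/Python mapping is exact because both sit on zlib: gzcompress/gzuncompress is a zlib stream, gzdeflate/gzinflate is raw DEFLATE (wbits=-15), str_rot13 is the rot_13 codec. The sample source string, the "looks like PHP" markers, the 200-layer cap and the restriction that strrev is only tried on text are my assumptions.

```python
"""Added example, not the tool's own code: the obfuscator's four level chains in
Python, plus a layer-peeling decoder that finds the inverse chain by search."""
import base64
import binascii
import codecs
import re
import zlib


# Thin wrappers named after the PHP functions they correspond to.
def gzcompress(b): return zlib.compress(b)                      # zlib stream
def gzuncompress(b): return zlib.decompress(b)
def gzdeflate(b):                                               # raw DEFLATE, no header
    c = zlib.compressobj(wbits=-15)
    return c.compress(b) + c.flush()
def gzinflate(b): return zlib.decompress(b, wbits=-15)
def strrev(b): return b[::-1]
def rot13(b): return codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1")

B64_RE = re.compile(rb"\A[A-Za-z0-9+/]{4,}={0,2}\Z")

def base64_decode(b):
    """Strict base64. PHP's base64_decode() is lenient; for peeling we only want
    layers that really are base64, so anything else is rejected."""
    if len(b) % 4 or not B64_RE.match(b):
        raise binascii.Error("not base64")
    return base64.b64decode(b)

# The tool's levels, innermost call first, transcribed from the PHP excerpt.
LEVELS = {
    "low":        [gzcompress, gzdeflate, base64.b64encode, strrev],
    "medium":     [gzcompress, gzdeflate, gzdeflate, base64.b64encode, strrev],
    "high":       [gzcompress, gzcompress, gzdeflate, gzdeflate, gzdeflate,
                   base64.b64encode, strrev],
    "high_level": [rot13, gzdeflate, gzcompress, gzdeflate, gzcompress,
                   gzdeflate, gzcompress, gzdeflate, gzcompress,
                   base64.b64encode, strrev],
}

def obfuscate(phpcode: bytes, level: str) -> bytes:
    data = phpcode
    for step in LEVELS[level]:
        data = step(data)
    return data

PHP_MARKERS = (b"<?php", b"echo(", b"eval(")      # assumed "this is source" heuristic

def is_text(b):
    return len(b) > 0 and all(32 <= c < 127 or c in (9, 10, 13) for c in b)

def looks_like_php(b):
    return is_text(b) and any(m in b for m in PHP_MARKERS)

# Inverse operations, cheapest to reject first. strrev is only tried on text and
# never twice in a row: this tool reverses base64 text, and strrev is an involution.
INVERSES = (("gzuncompress", gzuncompress), ("gzinflate", gzinflate),
            ("base64_decode", base64_decode), ("strrev", strrev))

def peel(blob: bytes, max_depth: int = 200):
    """Depth-first search over inverse operations until the data reads as PHP.
    Returns (plaintext, [operations applied, outermost first]). Wrong guesses
    (e.g. raw-inflating base64 text "successfully" into garbage) simply dead-end."""
    seen = set()

    def dfs(data, path):
        if looks_like_php(data):
            return data, path
        if is_text(data) and looks_like_php(rot13(data)):   # str_rot13 is only useful innermost
            return rot13(data), path + ["str_rot13"]
        if len(path) >= max_depth or data in seen:
            return None
        seen.add(data)
        for name, fn in INVERSES:
            if name == "strrev" and (not is_text(data) or (path and path[-1] == "strrev")):
                continue
            try:
                out = fn(data)
            except (zlib.error, binascii.Error):
                continue                      # not this kind of layer; try the next
            found = dfs(out, path + [name])
            if found:
                return found
        return None

    found = dfs(bytes(blob), [])
    if found is None:
        raise ValueError("no decoding path found within %d layers" % max_depth)
    return found


if __name__ == "__main__":
    sample = b"<?php echo('innocent code'); ?>"      # constructed input, as in the post
    for level in LEVELS:
        blob = obfuscate(sample, level)
        plain, path = peel(blob)
        print("%-10s %3d bytes  peeled: %s" % (level, len(blob), " > ".join(path)))
        assert plain == sample
```

Running it prints the chain recovered for each level; for the low level that is strrev > base64_decode > gzinflate > gzuncompress, the mirror image of the PHP. The same search handles the 91-layer sample from the previous post, since the depth is just a loop bound. A packer that reverses binary data rather than base64 text, or that uses a keyed step, would need the strrev restriction relaxed or the key supplied; nothing in this tool does either.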

Here is the part responsible for actually printing out the code, after all of the encoding and compression has completed with the selected level of obfuscation.

[Screenshot: the tool's output routine]

Obfuscation Methods

Now, let’s try to obfuscate some code with this tool to see how it looks.

We tested each available obfuscation level on echo('innocent code'); and here is the output.

Weak Obfuscation

<?php
$UeXploiT = "Sy1LzNFQt1dLL7FW10uvKs1Lzs8tKEotLtZIr8rMS8tJLEnVSEosTjUziU9JT\x635PSdUoLikqSi3TUHHMM8iLN64IyMnPDEkN0gQ\x42\x61w\x41\x3d";
$An0n_3xPloiTeR = "Aks9Wguh2Yh+0Pz3OHH6ds6O3b/nOd28AWPxuvX7jj5q";
eval(htmlspecialchars_decode(gzinflate(base64_decode($UeXploiT))));
exit;
?>

Medium Obfuscation

<?php
$UeXploiT = "Sy1LzNFQt1dLL7FW10uvKs1Lzs8tKEotLtZIr8rMS8tJLElFYiUlFqe\x61m\x63Snp\x43\x62np6RqFJ\x63UF\x61WW\x61\x61g45hnkxRtX\x42OTkZ4\x61k\x42mm\x43gTU\x41";
$An0n_3xPloiTeR = "=AQy2bB6GajF6T/Mf7cco3xq7cv9f60ZzDY9E7+etPOmr+v3AESA";
eval(htmlspecialchars_decode(gzinflate(base64_decode($UeXploiT))));
exit;
?>

Strong Obfuscation

<?php
$UeXploiT = "Sy1LzNFQKyzNL7G2V0svsYYw9dKrSvOS83MLilKLizXQOJl5\x61TmJJ\x61lYWUmJx\x61lmJvEpq\x63n5K\x61k\x61xSVFR\x61llGiqOeQZ58\x63YV\x41Tn5mSGpQZpQY\x410\x41";
$An0n_3xPloiTeR = "O6A25DQy2bB6GajF6T/Mf7cco3xq7cv9f60ZzDY9E7+etPOmryJe/jNAnEw/TDALB8vzAETA";
eval(htmlspecialchars_decode(gzinflate(base64_decode($UeXploiT))));
exit;
?>

High Level Obfuscation

<?php
$UeXploiT = "Sy1LzNFQKyzNL7G2V0svsYYw9YpLiuKL8ksMjTXSqzLz0nISS1K\x42rNK85Pz\x63gqLU4mLq\x43\x43\x63lFqe\x61m\x63Snp\x43\x62np6Rq\x41O0sSi3TUHHMM8iLN64IyMnPDEkN0kQ\x431g\x41\x3d";
$An0n_3xPloiTeR = "\x3d8YIZUI\x41FQLt6OP/tY9n9Ern\x43lRmlmr\x61LV4SFO\x6334RF\x2b99yFPe7\x2b\x42T2VwqfXveZ2D4OGVkx/\x62ZYVsF05MY\x41j/n6wpMqDi97/YDGdjxJe";
eval(htmlspecialchars_decode(gzinflate(base64_decode($UeXploiT))));
exit;
?>

An experienced malware analyst will immediately flag output like this as suspicious, and finding code of this shape on a website warrants further investigation. A few details are worth noting. The loader stub is identical at every level: eval() over htmlspecialchars_decode(), gzinflate() and base64_decode(). The \x63-style sequences are hex escapes that PHP resolves inside double-quoted strings, so they hide nothing from the interpreter and only defeat naive grep-style signatures. $An0n_3xPloiTeR is never referenced by the visible stub, so it is presumably the payload, unpacked by the code that $UeXploiT decodes to with the level-specific chain; that also explains why $UeXploiT changes from level to level. The tool's fixed variable names are themselves a usable signature. In this example we created, however, the original code is benign and not malicious in the slightest.
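As an added example (my own triage logic, not Sucuri's detection and not part of the original post), the scanner below turns those observations into checks: it resolves the \xHH and \NNN escapes that PHP interprets in double-quoted strings, so signatures see "BawA=" instead of "\x42\x61w\x41\x3d"; it counts how many decoder calls are nested directly inside an eval()/assert()/create_function() sink; and it reports a verdict. The sample files, the decoder and sink lists, and the thresholds are constructed assumptions for illustration.

```python
"""Added example: triage scanner for eval-over-decoder-chain stubs (not Sucuri code)."""
import re

DECODERS = {"gzinflate", "gzuncompress", "gzdecode", "base64_decode", "str_rot13",
            "strrev", "htmlspecialchars_decode", "urldecode", "hex2bin", "convert_uudecode"}
SINK_RE = re.compile(r"\b(eval|assert|create_function)\s*\(")
# Next nested call; tolerates the  '?>'.  prefix seen in eval('?>'.gzuncompress(...)).
CALL_RE = re.compile(r"\s*(?:'[^']*'\s*\.\s*)?(\w+)\s*\(")
HEX_RE = re.compile(r"\\x([0-9A-Fa-f]{1,2})")      # PHP accepts 1 or 2 hex digits
OCT_RE = re.compile(r"\\([0-7]{1,3})")

def unescape_php(src: str):
    """Resolve PHP double-quoted-string escapes. Applied to the whole file as an
    approximation (PHP only does this inside "..."); returns the unescaped text
    and the number of escapes found, which is itself a signal."""
    src, n_hex = HEX_RE.subn(lambda m: chr(int(m.group(1), 16)), src)
    src, n_oct = OCT_RE.subn(lambda m: chr(int(m.group(1), 8)), src)
    return src, n_hex + n_oct

def chain_depth(src: str, pos: int) -> int:
    """Count decoder calls nested directly inside a sink, starting just after its '('.
    eval(gzinflate(base64_decode($x))) -> 2."""
    depth = 0
    while True:
        m = CALL_RE.match(src, pos)
        if not m or m.group(1).lower() not in DECODERS:
            return depth
        depth += 1
        pos = m.end()

def scan(src: str) -> dict:
    plain, escapes = unescape_php(src)
    sinks = [(m.group(1), chain_depth(plain, m.end())) for m in SINK_RE.finditer(plain)]
    max_depth = max((d for _, d in sinks), default=0)
    # Thresholds are assumptions: any decoder feeding a sink, or a pile of escapes.
    return {"sinks": sinks, "escapes": escapes, "max_depth": max_depth,
            "suspicious": max_depth >= 1 or escapes >= 4}

SAMPLES = {  # constructed inputs, not files taken from a real site
    "benign.php": "<?php echo('innocent code'); ?>",
    "legit_b64.php": "<?php echo 'data:image/png;base64,' . base64_encode(file_get_contents('logo.png')); ?>",
    "stub.php": r'''<?php
$UeXploiT = "Sy1LzNFQt1dL\x635PSdUo\x42\x61w\x41\x3d";
eval(htmlspecialchars_decode(gzinflate(base64_decode($UeXploiT))));
exit;
?>''',
    "nested.php": "<?php return eval('?>'.gzuncompress(gzinflate(base64_decode(strrev($Black_Scorpion))))); ?>",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        r = scan(src)
        print("%-14s depth=%d escapes=%d sinks=%s -> %s" % (
            name, r["max_depth"], r["escapes"], r["sinks"],
            "SUSPICIOUS" if r["suspicious"] else "clean"))
```

The legitimate base64 sample stays clean because base64_encode() feeding echo is not a decoder feeding a sink; that distinction is what keeps this kind of rule from flagging half of a CMS. Real deployments would also handle variable functions ($f = 'ev'.'al'), preg_replace() with the /e modifier on old PHP, and include/require of decoded data, none of which this short version covers.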

Conclusion

Not all hidden code is malicious—and not all tools used to obfuscate code have malicious intentions. That being said, obfuscation can be used for either innocent or malicious purposes.

Most websites are now built on open source software (CMS platforms and their extensions), which rarely ships obfuscated code. Whenever you find encoded or obfuscated code, it is good practice to investigate why it is there and whether it was part of the original package.

You should now have a better understanding of the methods hackers use to try to conceal their malicious code on the websites they attack.

If you believe you have detected obfuscated malware or other suspicious code on your website and need a hand cleaning it up, we can help.


Categories: Security Education, Website SecurityTags: Black Hat Tactics, Encryption, Obfuscation

About Cesar Anjos

Cesar Anjos is Sucuri's Malware Researcher who joined the company in 2014. Cesar's main responsibilities include keeping up with the latest malware and writing about it. His professional experience covers over five years in the area. When Cesar isn't researching, he's finding a way to exercise his mind with anything. Connect with him on our Twitter.
