In part 1 of the PHP Malware series, we learned what a web-shell is and saw some basic ways an attacker can build one in PHP. In part two we looked at how web-shells can be hidden using base64 encoding and AES encryption. In part three we’re gonna look at other crafty ways an attacker could obfuscate a PHP web-shell or other malware, such as a stealer that exfiltrates sensitive data as a website processes it.
Cyber criminals want to avoid their malware being found, and when it is found, they want it to be difficult for a researcher to work out what the malware is doing. When an attack technique is novel, attackers don’t want defensive security researchers to be able to use the details of the technique to build a defensive strategy or make the information public.
In order to demonstrate the skills of reverse engineering malware, we will now analyze some known malware samples. Here is a link to the GitHub repository containing examples of PHP malware, so that researchers can learn to recognize the malware and prevent it from infecting a website.
Some Basic Advice About Website Security
If your website is showing indicators of compromise (IOC), you should seek a professional who can remove the malware from your website. If you are hiring a web-development company to develop a new website for your company, I personally feel that it is good advice to get your website development and hosting from the same company. The company you hire should offer a 99.9+% uptime guarantee, which will provide some long-term security from the start.
On the other hand, if you pay a developer a small amount of money for a website design and then host it with a different company, the site developers could pre-install malware into the site’s source code that affects your site at some point down the road. However, even when working with a single company for development and hosting, you should work with a company you trust, because the opportunity to steal sensitive data such as user passwords or payment information is still a reality you need to consider.
More About Web-Shells
Web-shells are dangerous. Since there are several common examples of web-shells available on the internet that a malicious actor can easily copy and use, one might expect to find these commonly available examples of web-shells on many infected websites. This means that attackers can scan websites to try to find ones that have been infected, even if they did not infect the site themselves.
If you are learning about malware hunting, the examples we are about to cover will make you more familiar with malware and with how to tackle the process of reverse engineering it, and will help you quickly identify whether a piece of code is likely malware or a legitimate part of a plug-in, theme, or core source code.
Effectively Hidden Web-Shells
First we are going to look at 2 examples of PHP malware and why I consider them to be effective at hiding themselves. Then we are going to look at some other malware samples and analyze their more advanced obfuscation techniques.
Using Backticks (`) To Execute Shell Commands
A well-documented but little-used method for executing shell commands in PHP is simply to encapsulate the command you wish to execute in backticks (`) and then include the encapsulated command as a line of code. An example of a web-shell that uses this technique is displayed in the image below. The script extracts the attacker’s command from the URL “cmd” parameter, puts it into a string encapsulated by backticks, writes that string to a temporary file, includes the temporary file, and then deletes it.
The advantage is that backticks are used in many places in the source code for other reasons. A search of a normal WordPress installation uncovered over 30,000 instances of backticks in the website. If a site is infected with malware using this technique, it is very difficult to uncover, because it does not use any of the usual suspects for command execution mentioned at the end of the first article in this series. If the malware hunter exhausts all those options and searches for backticks in the source code, the result is a list that is difficult to work through. One downside for the attacker trying to hide this malware is that it uses a URL parameter, which means that “cmd” will appear in the server’s URL logs. However, this isn’t a very heavy downside.
In order to search effectively for malware of this type, it is better to search for and examine every instance of the function file_put_contents() in the site’s source code.
Using Cookies And die() Function To Execute Shell Commands
Another less common way to execute commands is using the PHP die() function, as shown in the example below. This technique was featured in part 2 of the PHP Malware series in the smart.php example. In the example below, however, it has been combined with the HTTP_ACCEPT_LANGUAGE cookie, which lets the attacker better hide their tracks by not using the URL to pass the injected command.
The script extracts a function name and its parameter by splitting the HTTP_ACCEPT_LANGUAGE value on the pipe (|) character. By passing a string like “system|ls -lah”, the attacker can list the directory contents.
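A small source scanner for the two patterns just described (attacker input wrapped in backticks and written out by file_put_contents(), and a die() call fed from an HTTP_ACCEPT_LANGUAGE value split on “|”), written here as an added example rather than code from the article. The PHP fragments it scans are constructed for the test; the benign WordPress-style sample shows why a plain search for backticks is so noisy while these narrower rules are not.

```python
import re
from pathlib import Path
# Constructed PHP fragments shaped after the two techniques above (test input, not article samples).
SAMPLE_BACKTICK_SHELL = """<?php
$tmp = sys_get_temp_dir() . '/t.php';
file_put_contents($tmp, '<?php `' . $_GET['cmd'] . '`;');
"""
SAMPLE_DIE_SHELL = """<?php
list($f, $p) = explode('|', $_SERVER['HTTP_ACCEPT_LANGUAGE']);
die($f($p));
"""
# Benign WordPress-style code: backticks in SQL, a log write, a header read.
SAMPLE_BENIGN = """<?php
$sql = "SELECT ID FROM `wp_posts` WHERE post_status = 'publish'";
file_put_contents($log, date('c') . " cache refreshed", FILE_APPEND);
$lang = $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? 'en';
"""

SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"
PIPE_EXPLODE = r"explode\s*\(\s*['\"]\|['\"]"
LINE_RULES = {
    # request data interpolated directly between backticks (shell execution)
    "backtick-exec-from-request": re.compile(r"`[^`\n]*" + SUPERGLOBAL + r"[^`\n]*`"),
    # file_put_contents() writing a PHP open tag, a backtick or request data to disk
    "file_put_contents-writes-code": re.compile(
        r"file_put_contents\s*\(.*(?:<\?php|`|" + SUPERGLOBAL + r")"),
    # die()/exit() wrapping a call through a variable function name
    "die-wraps-dynamic-call": re.compile(r"\b(?:die|exit)\s*\(\s*\$\w+\s*\("),
    # Accept-Language value split on "|" to yield a function name and its argument
    "accept-language-split-on-pipe": re.compile(
        PIPE_EXPLODE + r".*HTTP_ACCEPT_LANGUAGE|HTTP_ACCEPT_LANGUAGE.*" + PIPE_EXPLODE),
}

def scan_source(src: str) -> list[tuple[int, str]]:
    """Return (line_number, rule_name) for every line that trips a rule."""
    return [(no, name)
            for no, line in enumerate(src.splitlines(), start=1)
            for name, rx in LINE_RULES.items() if rx.search(line)]

def scan_tree(root: str) -> dict[str, list[tuple[int, str]]]:
    """Scan every .php file under root; only files with hits are reported."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report
```

Run scan_tree() against a site’s document root and review each reported line by hand; a hit is a lead to examine, not proof of infection.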
More Advanced Obfuscation Techniques