PHP Malware Analysis
Rough-cut analysis of PHP source code that I got by running a WordPress honey pot
This illustrates what I think the bottom feeders who hack WordPress sites do once they have illegitimate access to a new WordPress instance or host. It's not scientific in any way. I'm only decoding the pieces of malware that arrive at one honey pot, and I'm only decoding those pieces that seem interesting because of their method of download, their obfuscation or their unique content. Oddities are over-represented because of that.
Broad malware categories
This collection of PHP malware, all found in the wild, fits into a number of categories:
- Email spamming tools
- Access verification
- Reconnaissance, which has subcategories
- Web shells
- SOCKS servers
- HTTP redirectors
- File Managers
- Password guessers
Some combinations occur: web shells, particularly WSO, often get used as a backdoor (Php action, RC action). Access verification is a form of reconnaissance.
Recon sometimes just looks at what CMS/frameworks are present, but other times collects information about user ID, type and version of OS, and file system hints, which is useful only for potential lateral moves. GetDomains recon seems like something of both, though.
Broad meta-malware categories
It seems to me that there are "cross cutting" aspects of this kind of collection and analysis.
- Password guessing campaigns
- Methods of download, commonality with other malware
- Common "dropper" code usage
- Common phone-home code
- Common back-connect shell code (usually Perl)
- Methods of encoding/encryption (e.g. FOPO)
- Geolocation of attacking IP
- Campaign(s) associated with a specific malware
- Subsequent access(es) of downloaded code
- Previous access(es) of downloaded code
- Common password lists used for guessing
Code that tries to identify 56 fragments of PHP that indicate the files containing them are probably malware, including itself. It renames suspect files, which probably renders them inoperative. This seems like a unique effort.
A PHP manager that downloads, runs, then deletes a Python program that downloads a list of domain names, enumerates users of WordPress blogs on those domain names, and tries to guess working passwords. Guesses passwords using xmlrpc.php calls, not through the WordPress login page.
The most backdoored download I've ever seen. A WSO 2.1 web shell, with two phone-homes. It also downloads the LeafMail mailing tool, and a WSO 2.6 web shell.
An instance of b374k Web Shell, which gets some code from EXIF data of a googleusercontent.com JPEG image.
A batch of malware received between 2017-11-23 and 2018-05-03 sharing a common method of encryption. The encryption appears to be from the WSO 4.x series of web shells, but it has a much shorter key (8 vs 44 bytes). At least 52 different downloads, including 4 instances of Mumblehard. It's refreshing to see someone using non-trivial encryption.
b374k has a link to download this moderately capable web shell from pastebin.
Mumblehard botnet: a server that relays TCP/IP connections, and a persistent payload, executed by cron, that can download code from a command and control server, then start it running.
Examination of the 44 Mumblehard instances I caught, to see how the code and methods progress as time goes by.
A password-protected, plugin-extendable back door.
A fake-ish theme, complete with a WSO web shell that phones home, and an earlier version of
Another compromised WordPress theme, containing a seemingly random complement of malware.
A moderately capable backdoor: saves and executes files, as well as immediate PHP eval. Uses native PHP RC4 encryption for the password and the data transferred.
.htaccess file that redirects users to yourstockexpert.su; googlebot, bingbot and Baiduspider get a 404.
Undoes any file name changes that an invocation of the Vigilante Malware Cleaner might make, too. That just seems weird, since ".suspected" file name complaints are around, but not overwhelming. Maybe inter-spamgang warfare?
A WSO 2.5 web shell heavily modified by adding code from various other hacking tools.
3.993-second WSO (Web Shell by oRb, a.k.a. "FilesMan") installation, only eight HTTP requests, including a cold WordPress login.
Apparently an attempt to direct Chinese web traffic to a Macau casino by means of link spamming. Aren't search engines too sophisticated for this to work?
Modifies all .asp, .aspx, .php and .jsp files that have an assignment to a variable named remote_server to assign "www.guanjianfalan.com" to that variable.
Uploads of two Zip-format files, one of which is WSO 2.5 with some camouflaging code. The other Zip file has an ELF-format executable and a small piece of PHP to run that executable in the background.
Seems to be some kind of search engine optimization thing. It serves up different results for "human" or "bot" invokers. When it decides you're a "bot" it asks a server for text to fill out template HTML. Failing that, it gets text from ask.com or yahoo.com.
Dropper that leaves a PHP file behind, which in turn injects PHP code into every theme's
If the theme injection determines that an access is from a "bot" (basically every search engine that ever was, plus lots of crawler libraries), it gets HTML from zalroews.pw to pass back to the "bot".
A 12-access campaign to install a backdoor. Accesses from 12 different IP addresses within 20 seconds, attempting to download one of two individually obfuscated backdoors.
Native PHP SOCKS server. I often see Perl and even compiled ("bouncer") SOCKS servers downloaded. Can you sell SOCKS servers on some underground markets? Is there value in having a cut-out like this?
A short (11 second, 17 HTTP request) campaign that wanted to install Perl Simple SOCKS Server code, but failed, probably because my WSO emulation is not accurate enough.
Three attempts to install an email spamming tool, featuring attempts to invoke the tool 34 seconds later.
Two versions of something.
c99 web shell inside 10-12 levels of obfuscation.
Simple web shell, credits itself to an Indonesian URL.
A simple backdoor, with just enough features to allow a human to use it without too much automation. Use could easily be automated. May be kinked, in that it has a backdoor itself, if you know the magic HTTP parameter.
Email spamming tool, explodes a single POST request into multiple emails. Has "check" function that looks up compromised machine's IP address in various email black lists.
WSO "Web Shell by oRb", downloaded by a previously-installed instance of WSO.
An email spamming tool, with WSO web shell appended. Complete with "phone home" code to notify a Ukrainian web site that someone invoked the program.
Knows how to recognize 24 different CMS systems and frameworks. Responds to an HTTP POST with a serialized summary of what CMS and framework(s) it found.
Full-featured, Chinese language web shell, with a modern webapp look to it.
Redirects mobile phone browsers to some other URL via mod_rewrite commands in document root
Downloads PHP code that when executed, creates an HTML file. The downloading IP address immediately attempted to access the HTML file, so this is probably just access verification.
I hypothesize this is an Apache virtual host directory reconnaissance tool. Looks for directory names with 150+ domain-name-style suffixes, and seems to emphasize Russian and eastern European country codes.
Modified PhpSpy web shell, disguised as a GIF file, downloaded as a theme update. Modifications are at least to change some labels to Turkish, and add "phone home" code that lets someone in Turkey know that the web shell has executed. Is there no honor among thieves!?!
Ancient SuperFetchExec PHP malware, still using the same old XOR string it was using in 2012.
Somewhat modified Web Shell by oRb, derived from version 2.5, or possibly 2.9. Many levels of obfuscation.
A real (albeit possibly off-license) file manager plugin, illegitimately installed. Interesting dual use of COTS technology.
Email spamming tool, where all email/SOCKS/spam parameters are transmitted in an HTTP cookie.
An intermediary, coded and obfuscated for my specific honey pot, that acts as a cut-out between the downloader, and another web site. Performs SQL injection testing on that other web site.
Dropper that relies on a WSO 2.9 variant to execute, except its Base64 encoding is messed up. Drops a PHP program that can (a) delete all .htaccess files up to
that redirects you to a scammy website.
Small piece of obscured PHP that executes functions named in HTTP cookies on PHP code also named in HTTP cookies. Even more obfuscated than it sounds.
A WordPress theme containing two PhpSpy web shells, and a web-based file manager that phones home.
An encrypting back door.
Access validation/PHP execution and file downloader.
A "COTS" email spamming tool. I'm not sure what LeafMail's business model is, however. Doesn't seem to be a way to pay for it.
Rebranded version of LeafMailer.
Simple, HTTP POST backdoor, with a suspicious file name.
A somewhat obfuscated backdoor that seems to use
to evaluate code passed in an HTTP POST request. Akismet plugin update extremely broken: uses an old version, but also got commented out.
Composes and returns a machine-parseable string with information about web server's file system, user ID running PHP or the web server, and "uname" output. Nothing about the web server, which makes sense as this recon code was downloaded to what was believed to be a pre-existing backdoor.
WSO 2.5 web shell, with a novel, 2-step obfuscation. Attacker also added some anti-search-discovery code. Most amusing.
PHP file downloaded via WSO that decodes and evals some encoded PHP. Some obfuscation of both encoded PHP payload and the decoding PHP.
Email spam, the download probably works in 3 different web shells or backdoors. Seems to be part of a spamming campaign, my honey pot has caught additional, slightly different, emails.
An instance of the "Rebels Mailer" web front end email spamming tool, immediate PHP evaluator, and local file inclusion backdoor.
Small PHP program that can use POST parameter values to send email from the compromised machine, concealing the email's true origin.
An actual lightweight, fast file manager, licensed under GNU GPL v2.
Smallish, 297-line-of-code file manager, in Turkish.
PHP downloaded to a WSO web shell. When invoked with the proper GET parameter(s) it can check whether the hostname it's on is flagged as unsafe in Google Safe Browsing, or is in Spamhaus' block list.
Interactive web page that sends a test email to the invoker's choice of addresses.