PHP Malware Analysis

Rough cut analysis of PHP source code that I got via running a WordPress honey pot

This illustrates what I think the bottom feeders who hack WordPress sites do, once they have illegitimate access to a new WordPress instance or host. It's not scientific in any way. I'm only decoding the pieces of malware that arrive at one honey pot, and I'm only decoding those pieces that seem interesting because of method of download, obfuscation or unique content. Oddities are over-represented because of that.

Broad malware categories

This collection of PHP malware, all found in the wild, fits into a number of categories:

• Email spamming tools
• Access verification
• Reconnaisance, which has subcategories
• Web shells
• Backdoors
• SOCKS servers
• HTTP redirectors
• File Managers
• Password guessers

Some combinations occur: web shells, particularly WSO, often get used as a backdoor (Php action, RC action). Access verification is a form of reconnaisance.

Recon sometimes just looks at what CMS/frameworks are present, but other times collects information about user ID, type and version of OS, file system hints, useful only for potential lateral moves. GetDomains recon seems like something of both, though.

Broad meta-malware categories

It seems to me that there are "cross cutting" aspects of this kind of collection and analysis.

• Password guessing campaigns
• Methods of download, commonality with other malware
• Common "dropper" code usage
• Common phone-home code
• Common back-connect shell code (usually Perl)
• Methods of encoding/encryption (e.g. FOPO)
• Geolocation of attacking IP
• Campaign(s) associated with a specific malware
• subsequent access(es) of downloaded code
• previous access(es) of downloaded code
• common password lists used for guessing

Vigilante Malware Cleaner

Code that checks compromised website files for fragments of PHP that indicate those files are probably malware. Renames, deletes or repairs suspect files, which probably renders most of them inoperative. Injects code into WSO web shells that adds a special cookie check as access control.

Python password guesser

A PHP manager that downloads, runs, then deletes, a Python program that downloads a list of domain names, enumerates users of WordPress blogs on those domain names, and tries to guess working passwords. Guesses passwords using xmlrpc.php calls, not through the WordPress login page.

Spam tool installation and test campaign

574 instances of an email spamming tool downloaded to 7 different types of web shell, followed by 559 attempts to send a test email through the spamming tool URLs. I propose a hypothetical design for this distributed system.

2019-11-01, captured a similar campaign

Thoroughly kinked WSO 2.1 web shell

The most backdoored download I've ever seen. A WSO 2.1 web shell, with two phone-homes It also downloads the LeafMail mailing tool, and a WSO 2.6 web shell.

Crouching JPEG, Hidden PHP - web shell

An instance of b374k Web Shell, which gets some code from EXIF data of a googleusercontent.com JPEG image.

K4X SHELL I'M THE BEST

Descendant of b374k web shell, probably v2.2

FOPO-encoded WSO 2.3

A FOPO-encoded WSO webshell that I hand-decoded because I didn't believe it was really FOPO-encoded. Arrived in the same campaign that delivered the K4X SHELL.

ring.php web shell

Medium-capability web shell downloaded along with login_wall fake plugin. May be related to c99 web shell.

another ring.php instance

Another autokey-encoded instance of the ring.php web shell. The obfuscation has changed, and this wasn't part of a login_wall download.

Korean-language Blackhat SEO

gsptg.php seems to try to convince web crawlers, spiders, search engines and bots to come back often. Ordinary humans probably continue to see the compromised WordPress site, but it also sends users either referred by .kr domains, or using Korean language in their browsers off to new URLs.

Downloaded via ring.php

WSO 4.1.1 Encrypted Malware

A batch of malware received between 2017-11-23 and 2018-05-03 sharing a common method of encryption. The encryption appears to be from WSO 4.x series of web shells, but it has a much shorter key (8 vs 44 bytes). At least 52 different downloads, including 4 instances of mumblehard It's refreshing to see someone using non-trivial encryption.

Mumblehard deep dive

Mumblehard botnet: a server that relays TCP/IP connections, and a persistent payload, executed by cron, that can download code from a command and control server, then start it running.

November 2019 mumblehard instance

Downloaded via WSO 4.x, my honey pot caught an evolved mumblehard.

Mumblehard campaign

Examination of the 44 Mumblehard instances I caught, to see how the code and methods progress as time goes by.

Extendable back door

A password-protected, plugin-extendable back door.

2019-05-09, I got a download of v3-01 of this backdoor. It has a lot of fun stuff in it.

A Quttera blog entry gives a non-specific description of these backdoors.

Object oriented backdoor dropper

An object oriented dropper, descended from the procedurally-coded code-in-cookie back door's dropper. An attack on a real WSO would leave behind an Extendable back door v2.0-1.

Extendable back door campaign

Campaign that would have installed v1-01 extendable backdoors. The attackers tried to verify working WSO web shell targets before the installation.

Caught a second campaign on 2019-07-07

fack and key backdoor

A backdoor that someone has tried to access over 1 million time on my web site alone. Pretty stupid in and of itself, but apparently an underground market for this backdoor exists.

login_wall fake plugin

A collection of malware masquerading as a plugin, that's under active development.

Kinked Exec-PHP plugin

A trojaned version of a real, but horribly out-of-date, plugin named "Exec-PHP".

CGI-Telnet web shell

b374k has a link to download this moderately capable web shell from pastebin.

Kinked theme and webroot

A fake-ish theme, complete with a WSO web shell that phones home, and an earlier version of webroot.php.

Kinked theme simppeli

Another compromised WordPress theme, containing a seemingly random complement of malware.

Priv8 2011 Attack Shell

A relative of webrot.php, or sometimes known as "webrootv3". More back shells than you can shake a stick at.

Backdoor using RC4 encryption

A moderately capable backdoor: saves and executes files, as well as immediate PHP eval. Uses native PHP RC4 encryption for password and data transfered.

Possibly polymorphic backdoor

A small, highly obfuscated immediate-eval backdoor. The first layer of obfuscation just might be polymorphic, redone every so often, or for every install.

.htaccess redirector with un-vigilante

Creates a .htaccess file that redirects users to yourstockexpert.su, googlebot, bingbot and Baiduspider get a 404.

Undoes any file name changes that an invocation of the Vigilante Malware Cleaner might make, too. That just seems weird, since ".suspected" file name complaints are around, but not overwhelming. Maybe inter-spamgang warfare?

Jijle3, WSO 2.5 variant web shell

A WSO 2.5 web shell heavily modified by adding code from various other hacking tools.

WSO 2.5 installation

3.993 second WSO (Web Shell by oRb, a.k.a. "FilesMan") installation, only eight HTTP requests, including a cold WordPress login.

Another WSO 2.5 installation

Novel, yet oddly obfuscated WSO 2.5, installed via apikey.php. apikey.php would have been installed via a plugin update with a malicious plugin, so this isn't as circular as it could have been, were apikey.php installed via WSO instance.

WSO 2.5, modified and labeled 2.6

Another WSO 2.5, edited a little, called 2.6 and packaged up in a dropper that probably doesn't work. Arrived about an hour after the Chinafans defacement attempt.

hacked by Chinafans defacement

Preceding the WSO 2.5 webshell installation, someone from the same Chinese IP address tried to install a defacement.

WSO passwords revealed

All of the passwords my honey pots have ever seen used to login to WSO instances.

XAttacker attack

What getting hit by a web exploit tool looks like.

UBH plugin

Hacking tools disguised as a plugin, implicating a Bangladeshi hacking crew.

CMS Remote Admin Trojan

Remote Admin Trojans for both WordPress and Joomla.

Link Injector

Apparently an attempt to direct Chinese web traffic to a Macau casino by means of link spamming. Aren't search engines too sophisticated for this to work?

Edit ASP, PHP, JSP, ASPX files

Modifies all .asp, .aspx, .php and .jsp file that have an assignment to a variable name remote_server to assign "www.guanjianfalan.com" to that variable.

Two Plugin Zip files - web shell

Uploads of two Zip-format-files, one of which is WSO 2.5 with some camoflaging code. The other Zip file has an ELF-format executable and a small piece of PHP to run that executable in the background.

nptzow and nowir - SEO tool

Seems to be some kind of search engine optimization thing. It serves up different results for "human" or "bot" invokers. When it decides you're a "bot" it asks a server for text to fill out template HTML. Failing that, it gets text from ask.com or yahoo.com

SEO tool related to nptzow

Dropper that leaves a PHP file behind, which in turn injects PHP code into every theme's header.php file. If the theme injection determines that an access is from a "bot" (basically every search engine that ever was, plus lots of crawler libraries), it gets HTML from zalroews.pw to pass back to the "bot".

Backdoor installation campaign

A 12-access campaign to install a backdoor. Accesses from 12 different IP addresses within 20 seconds, attempting to download one of 2, individually-obfuscated backdoors.

Staged installation campaign

12-request, approx 30 second campaign, installs 2 different malwares, variant WSO 2.5, and Leafmailer.

phpd.local - Native PHP SOCKS server

Native PHP SOCKS server. I often see Perl and even compiled ("bouncer") SOCKS servers downloaded. Can you sell SOCKS servers on some underground markets? Is there value in having a cut-out like this?

Simple SOCKS server installation campaign

A short (11 second, 17 HTTP request) campaign that wanted to install Perl Simple SOCKS Server code, but failed, probably because my WSO emulation is not accurate enough.

niladd.php email spamming tool

Three attempts to install an email spamming tool, featuring attempts to invoke the tool 34 seconds later.

wp-newsletter

Two versions of something.

claw.php - web shell

c99 web shell inside 10-12 levels of obfuscation.

IndoXploit - web shell

Simple web shell, credits itself to an Indonesian URL.

Simple web shell/backdoor

A simple backdoor, with just enough features to allow a human to use it without too much automation. Use could easily be automated. May be kinked, in that it has a backdoor itself, if you know the magic HTTP parameter.

scenery_4.jpg - Web shell email spam

An email spam sent through a WSO web shell, dating to 2015. Contains a vigilante cookie

promos.php - Email spamming tool

Email spamming tool, explodes a single POST request into multiple emails. Has "check" function that looks up compromised machine's IP address in various email black lists.

memoris.php - Remailer

Simple, reasonably carefully coded remailer.

Simple Remailer

Another small, carefully coded remailer.

htaccess.php - web shell

WSO "Web Shell by oRb", downloaded by a previously-installed instance of WSO.

db-config.php - Email spamming tool

An email spamming tool, with WSO web shell appended. Complete with "phone home" code to notify a Ukrainian web site that someone invoked the program.

CMS Recon tool

Knows how to recognize 24 different CMS systems and frameworks. Responds to an HTTP POST with a serialized summary of what CMS and framework(s) it found.

kaylin web shell

Full-featured, Chinese language web shell, with a modern webapp look to it.

Chinese language web shell

mobile phone browser redirector

Redirects mobile phone browsers to some other URL via mod_rewrite comands in document root .htaccess file.

Access verification

Downloads PHP code that when executed, creates an HTML file. The downloading IP address immediately attempted to access the HTML file, so this is probably just access verification.

.htaccess dropper

Creates a .htaccess file that can maybe redirect to a Russian boner pill site. Commented out code could check for compromised host's presence on black lists.

GetDomains - reconnaisance

I hypothesize this is an Apache virtual host directory reconnaisance tool. Looks for directory names with 150+ domain name appearing suffixes, seems to emphasize Russian and eastern European country codes.

archive.php - web shell

Modified PhpSpy web shell, disguised as a GIF file, downloaded as a theme update. Modifications are at least to change some labels to Turkish, and add "phone home" code that lets someone in Turkey know that the web shell has executed. Is there no honor among thieves!?!

SuperFetchExec - file gateway

Ancient SuperFetchExec PHP malware, still using the same old XOR string it was using in 2012.

Deeply obfuscated WSO web shell

Somewhat modified Web Shell by oRb, derived from version 2.5, or possibly 2.9. Many levels of obfuscation.

Legitimate File Manager Plugin

A real (albeit possibly off-license) file manager plugin, illegitimately installed. Interesting dual use of COTS technology.

Flexible email spamming tool

Email spamming tool, where all email/SOCKS/spam parameters are transmitted in an HTTP cookie.

Plausibly Deniable Blind SQL Injection

An intermediary, coded and obfuscated for my specific honey pot, that acts as a cut-out between the downloader, and another web site. Performs SQL injection testing on that other web site.

Busted Dropper - web shell

Dropper that relies on a WSO 2.9 variant to execute, except its Base64 encoding is messed up. Drops a PHP program that can (a) delete all .htaccess files up to document root, or (b) generate some underhanded JavaScript that redirects you to a scammy website.

Code-in-cookie back door

Small piece of obscured PHP that executes functions named in HTTP cookies on PHP code also named in HTTP cookies. Even more obfuscated than it sounds.

ASP injector

PHP that injects ASP code, that itself puts HTML hyperlinks into the ASP-generated HTML. Odd choice to use on a compromised WordPress site, which is probably hosted on Linux.

Trojaned theme - web shell

A WordPress theme containing two PhpSpy web shells, and a web-based file manager that phones home.

php.backdoor.vpsp.001

An encrypting back door.

apikey.php - file gateway

Access validation/PHP execution and file downloader.

Updated apikey.php, and backdoor

A more capable, more robust version of the apikey.php file gateway, along with an immediate eval backdoor someone downloaded via that more robust version.

Mediocre file gateway

A rather ordinary, unremarkable file upload and download utility.

LeafMailer - email spamming tool

A "COTS" email spamming tool. I'm not sure what LeafMail's business model is, however. Doesn't seem to be a way to pay for it.

Blacktools PHP Mailer - email spamming tool

Rebranded version of LeafMailer.

Object-oriented back door

That's right, OOD gone too far, an object-oriented immediate eval back door.

monero.php - backdoor

Simple, HTTP POST backdoor, with a suspicious file name.

404.php theme file backdoor

Confusing PHP that might execute code sent to it two times.

Poorly-coded uploader

Simple uploader which outputs a block of text, destroying its ability to remain hidden.

Backdoor hidden in Akismet plugin update

A somewhate obfuscated backdoor that seems to use assert() to evaluate code passed in an HTTP POST request. Akismet plugin update extremely broken, uses an old version, but also got commented out.

OS, version and user ID recon

Composes and returns a machine-parseable string with information about web server's file system, user ID running PHP or the web server, and "uname" output. Nothing about the web server, which makes sense as this recon code was downloaded to what was believed to be a pre-existing backdoor.

WSO web shell with novel obfuscation

WSO 2.5 web shell, with a novel, 2-step obfuscation. Attacker also added some anti-search-discovery code. Most amusing.

Common Decoder #1 - fUUPd

PHP file downloaded via WSO that decodes and evals some encoded PHP. Some obfuscation of both encoded PHP payload and the decoding PHP.

Email spam sent through WSO Web Shell

Email spam, the download probably works in 3 different web shells or backdoors. Seems to be part of a spamming campaign, my honey pot has caught additional, slightly different, emails.

Rebels Mailer spamming tool

An instance of the "Rebels Mailer" web front end email spamming tool, immediate PHP evaluator, and local file inclusion backdoor.

Email Cut-out

Small PHP program that can use POST parameter values to send email from the compromised machine, concealing the email's true origin.

erena.php - email spamming tool

Straightforward remailing PHP file. The actual download attempt appears double, presumably to allow 2 different web shells to install it.

SEO file downloader and updater

The installer for something to turn a compromised WordPress site into an SEO site, probably peddling online pharmaceuticals to Japanese or Chinese users.

TeaM HacKer EgypT file manager

An actual lightweight, fast file manager, Licensed under GNU GPL v2.

Small Turkish language file manager

Smallish, 297-line-of-code file manager, in Turkish.

Tryag/G22B file manager

Another single-file file manager app for "hackers".

Spam Blocklist Recon

PHP downloaded to WSO web shell. When invoked with proper GET parameter(s) it can check if the hostname it's on is in Google's safe browsing as unsafe, or in Spamhaus' block list.

Email access verification

Interactive web page that sends a test email to the invoker's choice of addresses.

Access and Execution verification

Download to WSO's immediate eval action. Tests if it can write a file, and then maybe execute simple arithmetic in PHP.

Was Hacked by Suleiman Haker

A single HTML file defacement, thanks to Suleiman Haker of Saudi Arabia! Suliman Haker writes quality HTML, though.