PHP Malware - Hiding A Payload

Ripple Software Consulting

2 years ago

PHP Malware - Hiding A Payload
PHP Security
Date: January 12, 2022
Author: Joseph Lee
Comments: 0
Categories: Information Technology, IT Security, Malware Analysis, PHP, Software
In part 1 of this series on PHP malware, we learned what a web shell is and looked at some basic examples. Basic web shells are not too difficult to find, since there are only so many PHP functions that can be used to execute a string as a shell command.
However, most attackers would not include a basic web shell such as the ones discussed in the first video. They know it would be much too easy to find and that their dwell time would be short. Instead, the attacker will encode or encrypt the malware so it is more difficult to find. There is an important difference between encrypting and encoding, so before we look at some more advanced ways to hide malware, let’s understand the difference between these two terms.
What is Encoding?
Encoding refers to the process of converting data from one form to another. Encoding does not normally imply that the encoder is trying to hide or protect the contents from being discovered. Therefore, decoding is usually a simple process once you know how the data has been encoded, and some encoding schemes are easy to guess just by looking at the data. For example, MP3 and WAV are both standard audio encoding formats, and similarly JPEG, PNG, and GIF are all image encoding formats.
Another common encoding format is Base64. It’s an effective way to encode binary data that needs to pass through a firewall, web application firewall (WAF), or other appliance that might not allow special characters, because base64 represents any binary data using only a small set of printable characters. If someone does not know that the data has been encoded, it may look like random letters and numbers.
Base64 can be used to hide text or code from being easily searched for or read in human-readable form, although it doesn’t do a great job of hiding it: the same input always produces the same base64 output, and malware hunters already know to look out for base64-encoded data. So, if you are searching an application’s source code for the string ‘eval(’ in order to hunt down any potential web shells, you can also search for the string ‘ZXZhbCg=’ to include its base64 equivalent.
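The search described above, as an added example that is not code from the post or from Ripple Software Consulting. It goes one step further than the paragraph: because base64 maps three bytes to four characters, ‘eval(’ has three different encodings depending on the byte offset at which it starts, and ‘ZXZhbCg=’ only matches the first of them. The script derives all three alignment variants, greps a PHP source buffer for the plain and encoded markers, and decodes any base64 blob it finds so the decoded bytes are scanned too; the marker list and the sample file are constructed for the demonstration.

```python
import base64
import re

# Plaintext markers a hunter greps PHP source for; 'eval(' is the article's example.
MARKERS = [b"eval(", b"system(", b"shell_exec(", b"passthru("]

def base64_variants(marker: bytes) -> list[str]:
    """Base64 substrings matching `marker` at each of the three byte alignments.
    Characters whose bits also depend on unknown neighbouring bytes (or on '='
    padding) are trimmed, so a marker in the middle of a blob still matches."""
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + marker).decode()
        lead = (0, 2, 3)[shift]                      # chars tainted by the 0x00 prefix
        tail = (0, 3, 2)[(shift + len(marker)) % 3]  # chars tainted by trailing padding
        variants.append(enc[lead:len(enc) - tail])
    return variants

# Runs of base64 alphabet long enough to be worth decoding and rescanning.
BLOB_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def scan(source: bytes, depth: int = 2) -> list[str]:
    """Return findings for a PHP source buffer: plaintext markers, base64 forms
    of those markers, and markers that only appear after a base64 blob in the
    file is decoded (nested decoding is followed up to `depth` levels)."""
    findings = []
    for marker in MARKERS:
        name = marker.decode()
        if marker in source:
            findings.append(f"plain:{name}")
        for variant in base64_variants(marker):
            if variant.encode() in source:
                findings.append(f"base64:{name}:{variant}")
    if depth > 0:
        for blob in BLOB_RE.findall(source):
            try:
                decoded = base64.b64decode(blob, validate=True)
            except ValueError:  # not valid base64 after all (bad length/padding)
                continue
            findings += [f"decoded>{hit}" for hit in scan(decoded, depth - 1)]
    return findings

# Constructed sample (not a real malware file): the blob decodes to
# "return eval('1;');", so 'eval(' starts at byte 7 and is missed by a grep for
# the article's 'ZXZhbCg=' but is caught by the shifted variant 'V2YWwo'.
SAMPLE = b"<?php $code = base64_decode('cmV0dXJuIGV2YWwoJzE7Jyk7'); ?>"

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Running it on real code, feed each `.php` file's bytes to `scan()` and review the hits by hand; long identifiers and legitimate encoded assets will occasionally decode to noise, which is why the findings name the marker and variant that fired.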
What is Encrypting?
On the other hand, encryption refers to converting data into a cipher code (also known as ciphertext) that is meant to maintain the confidentiality of the data and prevent unauthorized access. This requires a known algorithm or standard process, so that the ciphertext can be turned back into plaintext by (and hopefully only by) the authorized person.
Other Types of Obfuscation
So, to recap: the main purpose of encoding is not to hide the data’s contents, although it can serve that purpose, while the purpose of encryption is always to hide them. However, there are other ways to obfuscate code so that it is not easily discovered. In the next part of this series on PHP malware, we will cover some other types of obfuscation found in documented PHP malware samples.

Comments: 3
@demetriusburgess8201 2 years ago
Amazing video! Quick and informative. 🔥
@badrdriouch1258 2 years ago
Thanks Bro ❤❤. Keep going!!
@senju31 1 year ago
Keep up the good work!