
Analysis of an Obfuscated PHP Virus

Recently, I received a copy of an obfuscated PHP "virus" (OC hash: 6891e6df8e053d3438af8a5404284361). It is not very complex, but the deobfuscation process is quite interesting. I have posted the process and the functionality analysis on my blog at isisblogs.poly.edu. By the way, if you like deobfuscating PHP, this iCTF 2007 challenge is something else you can check out.

The PHP code was collected from a working server after unusual traffic patterns were noticed. After the machine was compromised (the compromise itself is out of scope for this description), the code was injected. It listened for commands passed in POST requests and executed them with the privileges of the 'www' user. Some of the commands that were run include id and pwd, as well as directory searches and wget downloads of various files. The compromised machine also served as a hop in a pharmacy ad delivery scheme: it redirected HTTP requests for medications to a possible 'mothership' server. There is evidence that links to our server were posted as ads on websites like MySpace.

I have found descriptions of similarly obfuscated files on blogs such as arbornetworks, cyberlot and waraxe, so there must be an obfuscator that does this. If anyone knows what it is, please let me know; I'd like to check it out. Anyway, the obfuscation on the file I provided seems to be slightly more complex than in the links I gave, so that obfuscator must have options that allow specifying how many iterations to apply, etc.
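The iterated wrapping described above is what a static unwrapper has to undo. The following Python script is an added example (it is not code from this post, nor from any of the linked write-ups); it assumes the common eval(base64_decode/gzinflate/str_rot13(...)) wrapper style, which the post does not actually specify, builds a harmless three-layer sample, and peels it layer by layer without ever executing the decoded PHP.

```python
import base64
import codecs
import re
import zlib

# One layer looks like eval(f1(f2(...('literal')))); this wrapper set is an assumption.
LAYER_RE = re.compile(
    r"eval\s*\(\s*((?:(?:base64_decode|gzinflate|str_rot13)\s*\(\s*)+)"
    r"['\"]([^'\"]*)['\"]\s*\)+\s*;?"
)
FUNC_RE = re.compile(r"base64_decode|gzinflate|str_rot13")

def raw_deflate(data: bytes) -> bytes:
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)  # raw DEFLATE, as PHP's gzdeflate()
    return c.compress(data) + c.flush()

def rot13(data: bytes) -> bytes:
    return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")

DECODERS = {"base64_decode": base64.b64decode,
            "gzinflate": lambda d: zlib.decompress(d, -zlib.MAX_WBITS),  # PHP gzinflate()
            "str_rot13": rot13}
ENCODERS = {"base64_decode": base64.b64encode, "gzinflate": raw_deflate, "str_rot13": rot13}

def unwrap(source: str, max_layers: int = 64):
    """Statically peel eval() wrappers until none match; the code is never executed."""
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.search(source)
        if not m:
            break
        data = m.group(2).encode("latin-1")
        for f in reversed(FUNC_RE.findall(m.group(1))):  # PHP runs the innermost call first
            data = DECODERS[f](data)
        source = source[:m.start()] + data.decode("latin-1") + source[m.end():]
        layers += 1
    return source, layers

def wrap_once(code: str, funcs) -> str:
    """Build one layer the way an obfuscator would; used only to construct the sample."""
    data = code.encode("latin-1")
    for f in funcs:  # inverse transforms, applied in the opposite order to unwrap()
        data = ENCODERS[f](data)
    return "eval(" + "(".join(funcs) + "('" + data.decode("latin-1") + "')" + ")" * len(funcs) + ";"

# Constructed sample: a harmless echo wrapped three times with mixed transforms.
SAMPLE = "echo 'innermost layer';"
for chain in (["gzinflate", "base64_decode"], ["base64_decode", "str_rot13"], ["gzinflate", "base64_decode"]):
    SAMPLE = wrap_once(SAMPLE, chain)
SAMPLE = "<?php " + SAMPLE + " ?>"
```

Running unwrap(SAMPLE) returns the original echo statement and a layer count of 3; on a real sample, the count is the "iterations" setting the obfuscator was run with, and anything left after the last layer is the payload to read.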

The mothership adware server is still alive at the time of this writing (link in my blog).

improper classification in title

The file has a backdoor and adware functionality so it should be classified as such.