Saturday, January 30, 2016

New Generic PHP Shell Malware In The Wild


[Screenshot: shell body]

Background

A massive infection in the form of a new generic PHP shell has recently been detected by Quttera malware researchers. We are still investigating all the incidents to find out the exact infection vector. Here is what we know so far:
  1. In most cases this shell was uploaded as wp-update.php to the WordPress root directory
  2. On almost all sites where we detected this shell, all JavaScript files were infected with malicious JavaScript code injecting references to malicious IFRAMEs
  3. This is a generic shell script: it executes content that is provided in the $_POST argument called "sam"

How this shell works

  1. First, it resets the time it was last accessed using the @touch function
  2. Then it checks whether the "eval" function is available by executing the following statement: $l = eval("return true")
  3. After that, it decides how to execute the encoded script provided in the $_POST[sam] variable
  4. If eval is available, the infection is delivered using the following expression: eval(base64_decode($_POST[sam]))
  5. If eval is not available, the shell dumps the provided script into a temporary file _ptemp and executes it using the "system" command: system("php _ptemp;rm _ptemp");
  6. The injected infection body depends on the input provided in the $_POST[sam] variable.
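As an added detection aid for site owners (this is not Quttera's own tooling), the following Python scanner walks a web root and flags PHP files carrying the indicators listed above: the eval("return true") probe, the base64-decoded $_POST[sam] payload, the _ptemp drop-and-execute, the @touch call and the wp-update.php file name. The regexes and the two sample files it builds are constructed for this illustration.

```python
import os
import re
import tempfile

# Regexes for the behaviour described above (constructed here, not Quttera's own signatures).
STRONG = {
    "eval_probe":    re.compile(r'eval\s*\(\s*["\']return\s+true["\']\s*\)'),
    "eval_b64_post": re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*\$_POST'),
    "ptemp_exec":    re.compile(r'system\s*\(\s*["\']php\s+_ptemp'),
}
WEAK = {
    "post_sam":   re.compile(r'\$_POST\s*\[\s*["\']?sam["\']?\s*\]'),
    "touch_self": re.compile(r'@touch\s*\('),
}
DROPPED_NAME = "wp-update.php"  # file name seen in most of the reported cases

def classify(source, filename=""):
    """Return the indicator names found in one PHP source; [] means nothing suspicious."""
    strong = [n for n, rx in STRONG.items() if rx.search(source)]
    weak = [n for n, rx in WEAK.items() if rx.search(source)]
    if os.path.basename(filename) == DROPPED_NAME:
        weak.append("dropped_name")
    # A strong hit is enough; weak ones count only in pairs, since @touch or a lone
    # $_POST key also show up in legitimate plugins.
    return strong + weak if strong or len(weak) >= 2 else []

def scan_tree(root):
    """Walk a web root and map each flagged .php file (relative path) to its indicators."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = classify(fh.read(), path)
            if hits:
                flagged[os.path.relpath(path, root)] = hits
    return flagged

def build_demo_root():
    """Constructed web root: one benign file, one file carrying the fragments quoted above."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\n@touch('cache.lock');\necho 'hello';\n")
    with open(os.path.join(root, DROPPED_NAME), "w") as fh:  # inert sample, not a working shell
        fh.write("<?php /* constructed sample */\n@touch(__FILE__);\n"
                 "$l = eval(\"return true\");\n/* eval(base64_decode($_POST[sam])) */\n")
    return root
```

Running scan_tree(build_demo_root()) flags only wp-update.php; the benign index.php, which also calls @touch, is left alone because a single weak indicator is not enough on its own.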

If you suspect your website was compromised or would like us to remove the malware, please choose one of the ThreatSign website monitoring and malware clean-up plans. To run a free remote scan of your websites: http://quttera.com/website-malware-scanner

For other questions, do not hesitate to contact Quttera's help-desk.