By Andrew Brandt
The other day I was looking at a remote access Trojan written in the PHP scripting language. The bot loads into memory on a victim’s computer when an unsuspecting user, for example, stumbles upon an iframe pointing to the PHP script embedded in a Web page. The code is nicely appointed with such desirable features as the ability to execute shell commands on the host server, send a flood of data packets at another computer, and scan remote computers.
Once loaded into a victim’s browser, the bot connects to, and is capable of executing commands issued by, a botnet server–until the victim reboots their computer. But for most users, that’s probably long enough. If an attacker can execute commands on an infected user’s computer, installing more Trojans is just child’s play.
But someone appears to have embedded a surprise into this PHP backdoor: It’s another backdoor within the backdoor.
I’m not even going to try to understand why whoever is distributing the bot’s source code chose to name the Web domain where they’d store a Trojan getemgirlfriday.com. Perhaps a closet Howard Hawks or Rosalind Russell fan camps out among the malcode community. Wonderful, in a loathsome sort of way. All I know is, someone’s bugged this bug with another bug.
The second chunk of code, invoked during the PHP bot’s loading routine, looks to many like a blob of base64-encoded garbage. But to a security researcher, the presence of an unexpected, obfuscated code section screams hidden goodies here.
Decoding base64-encoded text is not exactly difficult. Down near the end of the bot’s code, there’s this blob of data, set into the variable $dc_source.
Once decoded, the meaning of $dc_source becomes clear. The bot writes out the decoded commands into a Perl script then executes them. The commands instruct the bot to connect elsewhere. Were I the criminally minded type to use such a bot, I’m not sure I’d be particularly happy to discover the “Data Cha0s Connect Back Backdoor” on my server. I suppose that’s why the page hosting the code offers the following overblown expression of gratitude from the group distributing the code:
Go get ‘em, Hildy. Happy Labor Day, everyone else.