By Andrew Brandt
The other day I was looking at a remote access Trojan written in the PHP scripting language. The bot loads into memory on a victim’s computer when an unsuspecting user, for example, stumbles upon an iframe pointing to the PHP script embedded in a Web page. The code is nicely appointed with such desirable features as the ability to execute shell commands on the host server, send a flood of data packets at another computer, and scan remote computers.
Once loaded into a victim’s browser, the bot connects to, and is capable of executing commands issued by, a botnet server–until the victim reboots their computer. But for most users, that’s probably long enough. If an attacker can execute commands on an infected user’s computer, installing more Trojans is just child’s play.
But someone appears to have embedded a surprise into this PHP backdoor: It’s another backdoor within the backdoor.