PHP Backdoor Has Another Backdoor Inside

Is there no honor among thieves anymore?

The other day I was looking at a remote access Trojan written in the PHP scripting language. The bot loads into memory on a victim’s computer when an unsuspecting user, for example, stumbles upon an iframe pointing to the PHP script embedded in a Web page. The code is  nicely appointed with such desirable features as the ability to execute shell commands on the host server, send a flood of data packets at another computer, and scan remote computers.

Once loaded into a victim’s browser, the bot connects to, and is capable of executing commands issued by, a botnet server–until the victim reboots their computer. But for most users, that’s probably long enough. If an attacker can execute commands on an infected user’s computer, installing more Trojans is just child’s play.

But someone appears to have embedded a surprise into this PHP backdoor: It’s another backdoor within the backdoor.

I’m not even going to try to understand why whoever is distributing the bot’s source code chose to name the Web domain where they’d store a Trojan Perhaps a closet Howard Hawks or Rosalind Russell fan camps out among the malcode community. Wonderful, in a loathsome sort of way. All I know is, someone’s bugged this bug with another bug. […]

Once decoded, the meaning of $dc_source becomes clear. The bot writes out the decoded commands into a Perl script then executes them.  The commands instruct the bot to connect elsewhere. Were I the criminally minded type to use such a bot, I’m not sure I’d be particularly happy to discover the “Data Cha0s Connect Back Backdoor” on my server. I suppose that’s why the page hosting the code offers the following overblown expression of gratitude from the group distributing the code

Leave a Reply