Smoker Backdoor: Evasion Techniques in Webshell Backdoors

Smoker Backdoor: Evasion Techniques in Webshell Backdoors

“Smoker Backdoor” is a PHP webshell backdoor that uses hexadecimal and decimal obfuscation in conjunction with the PHP function goto to evade detection from malware scanners.

The hexadecimal/decimal obfuscation is clear to see when viewing the file’s PHP code. For instance, this section of the PHP code is obfuscated using this method:

if ($_GET[“x72145156x61155x65”] == “164x72x75x65”) {
    echo “x3c146157162x6dx20145x6e143x74171x7014575x22155165x6c164x69x70141x7216457x66x6f16215555x64141x74141x2240155x65x74x68x6f144x3d42160x6f163x74x2276xax2040” .
        htmlspecialchars($_GET[“x66x69x6c145”])

As with many webshells, it allows the user to set a password to control access to the webshell.

Continue reading Smoker Backdoor: Evasion Techniques in Webshell Backdoors at Sucuri Blog.

Some of the links in this article are "affiliate links", a link with a special tracking code. This means if you click on an affiliate link and purchase the item, we will receive an affiliate commission. The price of the item is the same whether it is an affiliate link or not. Regardless, we only recommend products or services we believe will add value to our readers. By using the affiliate links, you are helping support our Website, and we genuinely appreciate your support.
Smoker Backdoor: Evasion Techniques in Webshell Backdoors

“Smoker Backdoor” is a PHP webshell backdoor that uses hexadecimal and decimal obfuscation in conjunction with the PHP function goto to evade detection from malware scanners.

The hexadecimal/decimal obfuscation is clear to see when viewing the file’s PHP code. For instance, this section of the PHP code is obfuscated using this method:

if ($_GET[“x72145156x61155x65”] == “164x72x75x65”) {
    echo “x3c146157162x6dx20145x6e143x74171x7014575x22155165x6c164x69x70141x7216457x66x6f16215555x64141x74141x2240155x65x74x68x6f144x3d42160x6f163x74x2276xax2040” .
        htmlspecialchars($_GET[“x66x69x6c145”])

As with many webshells, it allows the user to set a password to control access to the webshell.

Continue reading Smoker Backdoor: Evasion Techniques in Webshell Backdoors at Sucuri Blog.

Author: mcnmm

MCNM Marketing, Graphics and Website Development service