Cybersecurity Awareness Month isn’t a marketing gambit. Now in its 17th year, CSAM is a collab between government agencies and industry leaders, created to raise awareness and provide resources to further a safer internet. People like web designers and developers should look at CSAM as an opportunity to discuss website security with clients.
This is a simple script that allows hackers to block specific crawlers based upon website requests from specific user-agents. This is useful when you don’t want certain traffic from being able to load certain content – usually a phishing page or a malicious download.
It’s no secret that a secure sockets layer (SSL) encrypts data as it moves between a visitor’s browser and the site host. For many people, a single SSL appears to be sufficient for protecting data exchanged between visitors and their website.
But what happens to your SSL protection when you add a web application firewall like the Sucuri WAF? Protecting that additional data transit point is a topic we often discuss with customers, and it’s relevant for anyone to understand.
While string concatenation has many valuable applications in development — such as making code more efficient or functions more effective — it is also a popular way for attackers to obfuscate code and try to make it more difficult to detect. Let’s dig into how bad actors are leveraging this technique to conceal their malware.
Avoiding Detection with String Concatenation
String concatenation obfuscation works by using a period between each string, which instructs PHP to join these character strings together and run it as a single function — for example, ‘cr’.’ea’.’te’.’_f’.’un’.’c’.’ti’.’o’.’n’; would become create_function.
When possible, an attacker will want to avoid using specific functions in their PHP code that they know are more likely to be flagged by a scanner. Some examples of suspicious functions commonly detected include system and file_put_contents.
In this malware dropper file we recently found on a compromised website, the attacker chose to create a user-defined PHP function getFile to accomplish the same task as file_put_contents.
In the past, I have explained how small one line PHP backdoors use obfuscation and strings of code in HTTP requests to pass attacker’s commands to backdoors. Today, I’ll highlight another similar injection example and describe some of the malicious behavior we’ve seen recently on compromised websites.
Obfuscated PHP Backdoor
Discovered by our Remediation team, this PHP backdoor variant uses a method to hide the create_function which requires the attacker to provide it in their request.