Malicious PHP Script Conceals Its Payload in 'White-Space' Made of Spaces and Tabs
In recent research, Kaspersky researchers identified a malicious PHP script on a Polish online store that inserts remotely hosted malicious code into the website's HTML. More striking still is the technique the malware's creators used to conceal the script's behavior, as reported by Virus Bulletin on June 09, 2011.
The report further states that, besides an unusual use of comments, which at first glance suggests the code itself is commented out, the code contains what looks like a large amount of white-space. On closer inspection, however, the white-space is a mixture of spaces and tabs. The script converts this into a binary string of ones (tabs) and zeroes (spaces), which is then turned into decimal values and finally into the ASCII characters that make up the actual malicious code.
Once executed, the script redirects to another script, which in turn redirects to yet another, and so on; the final destination, however, appears to be offline already.
The code looks innocent because of several layers of obfuscation. The first, and quite a tricky one, is that the function appears to be commented out. Nothing looks suspicious at first glance, but closer examination shows that the comment tags are in the wrong places: each comment opens at the end of one line and closes at the start of the next. Syntax highlighting makes this much easier to spot. The second deception is the function's description, together with the names used in the code, which suggest that the function deals with a few libraries.
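As an added example (not code from the article or from the analysed script), the following Python analyser applies the two observations above to a source file: it decodes any long run of mixed spaces and tabs as the described bit scheme (tab = 1, space = 0, eight bits per ASCII character) and counts comments that open at the end of one line and close at the start of the next. The PHP sample it runs on is constructed here for illustration; the thresholds are assumptions, not values from the report.

```python
import re

BITS_PER_CHAR = 8
MIN_HIDDEN_CHARS = 4  # assumed threshold: ignore short runs such as ordinary indentation

def bits_to_text(ws: str) -> str:
    """Decode a run of spaces/tabs as the article describes: tab = 1, space = 0,
    each group of eight bits is one ASCII character. Trailing partial bytes are dropped."""
    bits = "".join("1" if c == "\t" else "0" for c in ws)
    usable = len(bits) - len(bits) % BITS_PER_CHAR
    return "".join(chr(int(bits[i:i + BITS_PER_CHAR], 2))
                   for i in range(0, usable, BITS_PER_CHAR))

def find_hidden_whitespace(src: str) -> list:
    """Return the decoded text of every whitespace run that is long enough to hold
    MIN_HIDDEN_CHARS bytes and that mixes both spaces and tabs (pure indentation is skipped)."""
    pattern = re.compile(r"[ \t]{%d,}" % (MIN_HIDDEN_CHARS * BITS_PER_CHAR))
    return [bits_to_text(m.group()) for m in pattern.finditer(src)
            if " " in m.group() and "\t" in m.group()]

def count_straddled_comments(src: str) -> int:
    """Count a '/*' at the end of one line that is closed by '*/' at the start of the
    next: the misplaced-comment trick that makes live code look commented out."""
    lines = [ln.strip() for ln in src.splitlines()]
    return sum(1 for a, b in zip(lines, lines[1:])
               if a.endswith("/*") and b.startswith("*/"))

def analyze(src: str) -> dict:
    """Combine both indicators into one report for a source file."""
    return {"decoded": find_hidden_whitespace(src),
            "straddled_comments": count_straddled_comments(src)}

def _encode_ws(text: str) -> str:
    """Used only to build the constructed sample: text -> space/tab bit string."""
    return "".join("\t" if b == "1" else " "
                   for ch in text for b in format(ord(ch), "08b"))

# Constructed sample (not the real script): a 'library' function whose comment
# tags straddle line ends and whose string literal is 56 characters of white-space
# hiding the text "echo 1;".
SAMPLE_PHP = (
    "<?php\n"
    "function lib_init($cfg) { /*\n"
    "*/ $d = '" + _encode_ws("echo 1;") + "'; /*\n"
    "*/ return $cfg; }\n"
)

if __name__ == "__main__":
    print(analyze(SAMPLE_PHP))
```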
Malware creators use this kind of obfuscation frequently. At the VB Seminar held at the OU campus in Milton Keynes, UK, on May 24, 2011, TrustDefender's Alex Shipp explained that it is done to frustrate security researchers: the extra time they must spend de-obfuscating the malware before they can stop its malicious behavior means it can stay unidentified for longer, increasing the probability of its being used for its malicious purposes.
» SPAMfighter News - 17-06-2011