Dangerous whitespaces

A few days ago, I blogged about a PHP/JS malware targeting the osCommerce platform, which used an interesting new technique to obfuscate the malicious code. It so happens, that today I came across even more advanced sample of a PHP infector, also in the context of a vulnerable e-commerce solution.

When I came to work today, my colleague from our Polish office asked me to help him with finding malware which was affecting his friend's online store. The HTML page, viewed with the browser, contained a link to a jquery.js script in some randomly generated cx.cc domain, although there was no sign of this link in the source files on the server. Reaching a verdict was simple - this piece of code was being added dynamically, by some infected PHP script.

We looked into all of PHP files stored on the server and got a bit confused - there was nothing really suspicious at first glance. But having in mind the div_colors malware, I started to study the code line by line. What at last attracted my attention was a small function at the beginning of one of the core PHP files.

This code owes its innocent look to the several layers of obfuscation. The first (and very tricky one) is that the function pretends to be commented out. If we look more closely, we will see that comment tags are situated in the wrong way, starting the comment at the end of each line and closing it at the beginning of another. It's easier to catch that with the use of syntax highlighting. The second misleading thing is the function description, along with the names in the code, which suggest the function should deal with some libraries.

And now the most interesting stuff: how does this function really work? Could you determine that at first sight? The key here is to understand what we have between the brackets of the $session_key variable; and "nothing" is the wrong answer ;) It may seem not so obvious, but there's a bit more than a bunch of spaces too: it's a mix of spaces and tabulators. We can see that clearly, when the non-printable characters are shown in an editor.

The function splits this whitespace mix into 8-digit pieces, and then it changes all TAB chars into "1" and all spaces into "0". In this way it gets the binary code, which is later transformed into decimal value and printed as ASCII character... Pretty inventive, Mr. malware writer!

Execution of PHP file containing this CoreLibrariesHandler() function results in a malicious link appended to the end of HTML files:

The script is redirected to another script, which redirected to another... and so on, but the final destination seems to be already offline. The interesting thing is that the final URL is quite the same as in case of div_colors malware, which led us to the conclusion, that both div_colors and CoreLibraries malware have the same origin.

The signature for this PHP script was added to our bases as Trojan.PHP.Injecter.c.