We often find new techniques employed by malware authors. Some are very interesting, others are pretty funny, and then there are those that really stump us in their creativity and effectiveness. This post is about the latter.
Everyone who writes code in PHP knows what the eval() function is for. It evaluates a string as PHP code. In other words, it executes the code. But there are certainly many other ways to run a code, which are not always so obvious. The most popular and commonly used one is the preg_replace() function.
According to its description, the preg_replace functions “performs a regular expression search and replace.” Unfortunately, when using the “\e” modifier, this function also runs the code. Yes, there are more ways of running the code without using the eval() function. Example could be the create_function(), or the assert() function. All these options of running the code makes malware analysis all that more complex a process.
That being said, even with our insights we continue to find ingenious ways that malware authors are employing for their backdoors.
more here.........http://blog.sucuri.net/2014/04/php-callback-functions-another-way-to-hide-backdoors.html
Everyone who writes code in PHP knows what the eval() function is for. It evaluates a string as PHP code. In other words, it executes the code. But there are certainly many other ways to run a code, which are not always so obvious. The most popular and commonly used one is the preg_replace() function.
According to its description, the preg_replace functions “performs a regular expression search and replace.” Unfortunately, when using the “\e” modifier, this function also runs the code. Yes, there are more ways of running the code without using the eval() function. Example could be the create_function(), or the assert() function. All these options of running the code makes malware analysis all that more complex a process.
That being said, even with our insights we continue to find ingenious ways that malware authors are employing for their backdoors.
more here.........http://blog.sucuri.net/2014/04/php-callback-functions-another-way-to-hide-backdoors.html