Smoker Backdoor: Evasion Techniques in Webshell Backdoors

“Smoker Backdoor” is a PHP webshell backdoor that uses hexadecimal and decimal obfuscation in conjunction with the PHP function goto to evade detection from malware scanners.

The hexadecimal/decimal obfuscation is clear to see when viewing the file’s PHP code. For instance, this section of the PHP code is obfuscated using this method:

if ($_GET[“\x72\145\156\x61\155\x65”] == “\164\x72\x75\x65”) {
    echo “\x3c\146\157\162\x6d\x20\145\x6e\143\x74\171\x70\145\75\x22\155\165\x6c\164\x69\x70\141\x72\164\57\x66\x6f\162\155\55\x64\141\x74\141\x22\40\155\x65\x74\x68\x6f\144\x3d\42\160\x6f\163\x74\x22\76\xa\x20\40” .
        htmlspecialchars($_GET[“\x66\x69\x6c\145”])

As with many webshells, it allows the user to set a password to control access to the webshell.

Continue reading Smoker Backdoor: Evasion Techniques in Webshell Backdoors at Sucuri Blog.

Read more: Smoker Backdoor: Evasion Techniques in Webshell Backdoors