Analysis by: Maria Emreen Viray

ALIASES:

Backdoor.PHP.WebShell.gd (KASPERSKY)

 PLATFORM:

Windows, Linux

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system.

However, as of this writing, the said sites are inaccessible.

  TECHNICAL DETAILS

File size: 159,795 bytes
File type: PHP
Memory resident: No
Initial samples received on: 27 Oct 2020

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Propagation

This Backdoor does not have any propagation routine.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

  • Execute arbitrary commands
  • Execute specific command line commands
  • Execute port scanning
  • Download files from specified URL
  • Steal information specified in gathered data
  • Execute SQL commands
  • Create reverse shell
  • Download files through FTP
  • Brute force database credentials
  • Add user accounts
  • Inject code into specific files
  • XOR encode strings
  • Manage files (create directory, create files, delete, query)
  • Manage registry entries (create, delete)
  • Upload/download files

Rootkit Capabilities

This Backdoor does not have rootkit capabilities.

Information Theft

This Backdoor gathers the following data:

  • Server Time Started
  • Server domain name
  • Server IP Address
  • Server OS text encoding
  • Server Engine
  • IP Address of infected machine
  • Web Service Port
  • File Path
  • Server Admin
  • Disk free space
  • Existence of, or ability to do, the following on the server:
    • Open files via URL
    • Dynamically load extension libraries
    • Display error messages
    • Automatically register request variables as globals (register_globals)
    • magic_quotes_gpc
    • Maximum memory allowed per script (memory_limit)
    • Maximum POST size in bytes
    • Maximum allowed upload file size
    • Maximum script running time
    • phpinfo() function
    • GD graphics library
    • IMAP email support
    • MySQL database
    • Sybase database
    • Oracle database
    • Oracle 8 database
    • Perl-compatible regular expressions (PCRE)
    • PDF document support
    • PostgreSQL database
    • SNMP network management protocol
    • Zlib compressed file support
    • XML parsing
    • FTP
    • ODBC database connection
    • Session support
    • Socket support

Other Details

However, as of this writing, the said sites are inaccessible.

It requires being hosted on a web server in order to proceed with its intended routine.

NOTES:

This Backdoor does the following:

  • It requires the following password before a user can access it:
    • YGHFK
  • It uses the following URLs and files as placeholders in the given backdoor commands:
    • for URL used in Code injection:
      • http://{BLOCKED}bap.org/ad.js?{6 Random Characters}
    • for Download files from specified URL:
      • http://{BLOCKED}bap.org/a.exe (saves file as {Directory pointed by __FILE__ PHP environment variable}\a.exe)
    • for FTP server used in Download files through FTP:
      • {BLOCKED}.{BLOCKED}.222.1 (saves file as C:\silic.exe)
    • for string used for XOR encode strings:
      • http://{BLOCKED}bap.org/hello.exe
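The information-theft list and the hard-coded password above give a defender something to hunt for. The following heuristic scorer is an added example, not Trend Micro's detection logic and not the sample's own code: it flags PHP files that carry the access password YGHFK (taken from this description), probe the server capabilities listed above, and call command-execution functions. The assumption that the shell reads php.ini settings through ini_get()/get_cfg_var() and tests extensions through function_exists(), and the specific function names used for each feature, are mine.

```python
import re

# Capability probes, derived from the "Information Theft" list in this description.
# Assumption: settings are read via ini_get()/get_cfg_var(), extensions via
# function_exists(); the extension function names below are assumed, not from the page.
INI_PROBES = ["allow_url_fopen", "enable_dl", "display_errors", "register_globals",
              "magic_quotes_gpc", "memory_limit", "post_max_size",
              "upload_max_filesize", "max_execution_time"]
FEATURE_PROBES = ["phpinfo", "imagecreate", "imap_open", "mysql_connect",
                  "sybase_connect", "ocilogon", "ora_logon", "preg_match", "pdf_new",
                  "pg_connect", "snmpget", "gzcompress", "xml_parser_create",
                  "ftp_connect", "odbc_connect", "session_start", "socket_create"]
EXEC_SINKS = ["system", "exec", "shell_exec", "passthru", "popen", "proc_open"]
PASSWORD = "YGHFK"   # access password given in this description
THRESHOLD = 6        # chosen so one stray ini name in a config file does not alert

def score_php(source: str) -> dict:
    """Score PHP source text; higher means more webshell-like."""
    ini = [p for p in INI_PROBES if re.search(r"['\"]%s['\"]" % p, source)]
    feat = [f for f in FEATURE_PROBES
            if re.search(r"function_exists\s*\(\s*['\"]%s['\"]" % f, source)]
    sinks = [f for f in EXEC_SINKS if re.search(r"\b%s\s*\(" % f, source)]
    has_pw = bool(re.search(r"['\"]%s['\"]" % PASSWORD, source))
    # Command-execution sinks and the known password weigh more than single probes.
    score = len(ini) + len(feat) + 3 * len(sinks) + (5 if has_pw else 0)
    return {"ini": ini, "features": feat, "sinks": sinks, "password": has_pw,
            "score": score, "suspicious": score >= THRESHOLD}

# Constructed inputs (not real samples): a benign config file and a non-functional
# fragment that merely contains the strings a shell of this kind would carry.
BENIGN = """<?php
define('DB_NAME', 'shop');
ini_set('display_errors', '0');
"""
SUSPECT = """<?php
$pass = 'YGHFK';
echo ini_get('register_globals'), ini_get('magic_quotes_gpc'), ini_get('upload_max_filesize');
if (function_exists('phpinfo')) echo 'phpinfo';
if (function_exists('mysql_connect')) echo 'mysql';
$out = system($c);  // constructed fragment, no input wiring
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, score_php(src))
```

Run it over every .php file under the web root and review anything that scores above THRESHOLD; the per-category lists in the result show which indicators fired.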

  SOLUTION

Minimum scan engine: 9.800
First VSAPI pattern file: 17.240.04
First VSAPI pattern release date: 08 Dec 2021
VSAPI OPR pattern version: 17.241.00
VSAPI OPR pattern release date: 09 Dec 2021

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Search and delete these files

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • {Directory pointed by __FILE__ PHP environment variable}\a.exe
  • C:\silic.exe

Step 4

Scan your computer with your Trend Micro product to delete files detected as Backdoor.PHP.WEBSHELL.SBGIFLD. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
