PHP Malware Finder

What is PHP Malware Finder?

After compromising a website, an attacker often drops malicious code on the server hosting it, whether to keep access to the machine, exfiltrate data, send spam anonymously, launch DDoS attacks, host illegal content…

PHP Malware Finder (PMF) is a tool whose goal is to spot this malicious code and report it to the administrator, so that he or she can take the measures needed to protect the server.

Why create PMF?

Founded in 1999, NBS System today hosts more than 3000 websites in several fields: e-commerce, media, finance… Like any self-respecting hosting company, we pay close attention to the security of our clients’ websites. Some of them are particularly well protected from attacks since they chose CerberHost, our very-high-security cloud solution, which to this day has never been compromised; but we also do everything we can to guarantee the safety of the clients who did not choose this option.

It can nevertheless happen that some of them fall victim to cyberattacks and see their websites hacked, on a small or large scale.

To speed up the response to these incidents (which remain relatively rare), our colleague Julien Voisin developed an in-house “home-made anti-malware” named PHP Malware Finder (PMF), based on the open source project yara. This tool is not specific to NBS System and could be useful to other people and companies, so we made it available under a free license, not only to share it but also in the hope of receiving contributions.

Indeed, we are an open-source-minded company and we believe it is important for tools like this, useful to everyone’s security, to be available so that everybody can take part in the general advancement of cybersecurity. Releasing PHP Malware Finder is notably in line with NAXSI, our web application firewall, which is also open source.

How PMF works

Once an attacker has penetrated a server, the possible uses of it are many, and hackers do not lack imagination. The good news is that these backdoors look a lot alike, since they offer the same kinds of features as those listed at the beginning of this article.

Detecting malicious code

One of PMF’s operating principles thus relies on detecting these similarities.

If a PHP file on the server contains functions to send emails, exfiltrate files and execute commands, it is very likely malicious. PMF therefore scans the server’s files looking for suspicious functions, and if it finds a certain number of them in the same file, it flags the file as illegitimate. With the help of a blacklist, it also spots pieces of code corresponding to known malware, or even hackers’ signatures (a pseudonym, for instance) present in the files; these are flagged in the same way.

Sometimes these files are obfuscated in order to slow down their analysis by automated tools. This does not really matter, since in general only detection counts, and detection does not require a thorough analysis of the malicious file. In that case PMF simply spots the obfuscation patterns used in malware (often ready-made templates that rarely evolve) and flags the file as suspicious.

Base64 or hex encoding

Another interesting feature of the tool: it recognizes trivial encodings such as `base64` and `hex` (not real encryption, since they can be undone without any key). It can thus decode the files concerned and analyze them as well, which widens its range of detection.

Hash whitelist

Moreover, PMF has a whitelist system for files, which helps avoid false positives. Our experts have already scanned many platforms and CMSs in order to record their legitimate files in a hash whitelist (SHA-1). After analyzing a file, if it is considered malicious, PMF hashes it and compares the result with the entries in its whitelist. If it does not match any authorized file, the suspicious file is then considered malware.

Because the hash function is one-way, the whitelist only works in one direction. An attacker therefore cannot craft a malicious file that passes as legitimate, even with access to the list of legitimate files: only a byte-for-byte identical file produces a whitelisted hash.
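To make the three mechanisms described above concrete (counting suspicious functions per file and matching blacklisted signatures, decoding base64 and hex-escaped literals before matching, and consulting a SHA-1 whitelist only for files the heuristics flagged), here is a small scanner written for this article. It is an added example, not PMF’s code and not its yara rules; the list of suspicious functions, the threshold of three distinct functions, the signature string and the PHP fixtures are all constructed assumptions, and the “whitelist” is just the hash of one of those fixtures.

```python
"""Toy PHP scanner showing PMF's three ideas: suspicious-function counting, decoding of
base64 / hex-escaped literals before matching, and a SHA-1 whitelist of known-good files.
Added example, not PMF's code; the function list, threshold and signature are assumptions."""
import base64
import binascii
import hashlib
import re
from typing import Dict, List, Set

# Illustrative subset of functions whose co-occurrence in one file is suspicious (assumed list).
SUSPICIOUS_FUNCTIONS: Set[str] = {
    "eval", "assert", "system", "exec", "shell_exec", "passthru", "popen",
    "mail", "base64_decode", "gzinflate", "str_rot13",
    "file_get_contents", "file_put_contents", "fwrite", "curl_exec",
}
FLAG_THRESHOLD = 3  # distinct suspicious functions per file before flagging (assumed value)
SIGNATURE_BLACKLIST = ("CONSTRUCTED-SIGNATURE-PLACEHOLDER",)  # stands in for real malware tags

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")            # name followed by '(' in PHP source
NAME_RE = re.compile(r"\b([A-Za-z_]\w*)\b")                # bare names inside decoded payloads
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
HEX_ESCAPES_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")  # runs like "\x73\x79\x73\x74"


def _as_text(data: bytes) -> str:
    """Return data as text if it decodes cleanly and is printable, else an empty string."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ""
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else ""


def decode_hidden_layers(source: str, max_depth: int = 3) -> List[str]:
    """Recover text hidden in base64 literals and \\x-escaped strings, recursively.

    Every recovered layer is searched again, so nested encodings are unwrapped up to
    max_depth; the original source itself is not part of the result.
    """
    layers: List[str] = []
    frontier = [source]
    for _ in range(max_depth):
        next_frontier: List[str] = []
        for text in frontier:
            for literal in B64_LITERAL_RE.findall(text):
                try:
                    decoded = _as_text(base64.b64decode(literal, validate=True))
                except binascii.Error:
                    continue  # not valid base64 after all
                if decoded:
                    next_frontier.append(decoded)
            for escaped in HEX_ESCAPES_RE.findall(text):
                decoded = _as_text(bytes.fromhex(escaped.replace("\\x", "")))
                if decoded:
                    next_frontier.append(decoded)
        if not next_frontier:
            break
        layers.extend(next_frontier)
        frontier = next_frontier
    return layers


def analyze(source: str) -> Dict[str, object]:
    """Report suspicious functions (from the source and its decoded layers) and signature hits."""
    texts = [source] + decode_hidden_layers(source)
    found: Set[str] = set()
    for depth, text in enumerate(texts):
        pattern = CALL_RE if depth == 0 else NAME_RE  # decoded payloads are often bare names
        found.update(n for n in pattern.findall(text) if n in SUSPICIOUS_FUNCTIONS)
    signatures = [sig for sig in SIGNATURE_BLACKLIST if any(sig in t for t in texts)]
    return {
        "functions": sorted(found),
        "signatures": signatures,
        "suspicious": len(found) >= FLAG_THRESHOLD or bool(signatures),
    }


def sha1_hex(source: str) -> str:
    return hashlib.sha1(source.encode("utf-8")).hexdigest()


def verdict(source: str, whitelist: Set[str]) -> str:
    """PMF's order of operations: heuristics first, whitelist only for files that were flagged."""
    if not analyze(source)["suspicious"]:
        return "clean"
    if sha1_hex(source) in whitelist:
        return "whitelisted"  # known-good file that merely looks dangerous
    return "malicious"


# ---- Constructed fixtures (not real samples) ----
CONTACT_FORM = """<?php
$name = htmlspecialchars($_POST['name']);
mail('owner@example.com', 'Contact form', $name);
echo 'Thanks';
"""
CRON_SCRIPT = """<?php
// constructed stand-in for a legitimate CMS maintenance script
$out = shell_exec('ls /tmp');
file_put_contents('/tmp/cron.log', $out);
mail('admin@example.com', 'cron report', $out);
"""
_HIDDEN = b"system($_REQUEST['c']); passthru($_REQUEST['c']); exec($_REQUEST['c']);"
WEBSHELL = "<?php /* CONSTRUCTED-SIGNATURE-PLACEHOLDER */ eval(base64_decode('%s'));" % (
    base64.b64encode(_HIDDEN).decode())
HEX_SHELL = r"""<?php $f = "\x73\x79\x73\x74\x65\x6d"; $f($_GET['c']); eval($_GET['x']); mail('a@example.com', 'x', 'y');"""
# Whitelist of known-good hashes; here only the cron script, as PMF's CMS scans would record it.
WHITELIST = {sha1_hex(CRON_SCRIPT)}

if __name__ == "__main__":
    for label, sample in [("contact form", CONTACT_FORM), ("cron script", CRON_SCRIPT),
                          ("base64 shell", WEBSHELL), ("hex shell", HEX_SHELL)]:
        print(f"{label:13s} -> {verdict(sample, WHITELIST):11s} {analyze(sample)['functions']}")
```

Two points worth noticing when running it. The hex fixture only crosses the threshold because the decoded literal spells a third dangerous name, which is exactly the “widened range of detection” the encoding section describes; without the decoding step it would be reported clean. And the cron fixture shows the whitelist doing its job: it looks as dangerous as the webshell to the heuristics, but its exact SHA-1 is known, so it is suppressed, while the webshell is not. That protection rests on the hash being hard to second-preimage, which still holds for SHA-1 even though chosen-prefix collisions for it have been demonstrated since 2017; a whitelist of exact file hashes is therefore fine for this purpose, but the same SHA-1 values should not be trusted for signing or integrity of attacker-influenced content.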

Do not hesitate to contribute!

As mentioned above, NBS System’s security experts have scanned several platforms and CMSs to create a whitelist. But we need you to enrich it!

If you run a website built on a web framework, we invite you to run the script you will find on the GitHub page of PHP Malware Finder and to send us your results, so that the hashes of new legitimate files can be added to the whitelist.

Of course, PMF patches are also welcome, as are examples of files not yet recognized by the tool.

Remember that PHP Malware Finder is open source; contributions of any kind and feedback will allow the tool to keep improving, for a safer Web for all!

Source: Julien Voisin

Lucie Saunois
An IT aficionado, especially when it comes to cybersecurity, since she joined OT Group in 2015, Lucie specializes in making technical, and often complex, topics understandable to anyone.