Evading AV signatures, BHEK2 way #malwareMustDie

On Saturday I got an urgent call from a guy who is developing WP themes. He had to showcase a theme to a client, but Chrome wouldn’t allow him to enter his blog. My initial thought was a WP theme infection, and that something like Norton Toolbar was blocking him from doing so. VirusTotal reports that the site is not infected, he says. He connected using FTP and downloaded the files.
Before I move on, if you want to find out more about BHEK2 go here (btw the guys do an excellent job, kudos to #malwaremustdie).

My initial thought was that someone had infected it with BHEK2. I hadn’t seen such an infection (WP-based) in quite some time, though. Last time I encountered one, it was sometime around August.

The infection was located in index.php, somewhere around the middle. There was something unusual about this infection though. The main infection looked like

eval(base64_decode("B64_DATA"));

but it wasn’t. When I deobfuscated the string (which ended up in a redirection), it looked like

eval(base64_decode(eval(base64_decode(echo('Javascript redirection to BHEK script');

I did not notice that it was truly evading AV signatures, although I should have, until Malware Crusader reported to me that it was evading them. Btw, if you don’t follow him, do now 🙂

Now, I wrote a sample PHP file that uses the same approach that BHEK2 did to stay off the radar. The sample is found here. You can execute it safely; you’ll end up with an alert(‘Hello World’); greeting you 🙂
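To show why a signature written for the decoded redirection never fires on the file as it sits on disk, here is a small Python scanner I wrote for this post (it is an added example, not the author's sample PHP file and not part of the original). It peels nested eval(base64_decode("...")) layers one at a time, counts how deep the wrapping goes, and only then runs a content check on what finally comes out. The test fixture is constructed inline: two wrapper layers around the same harmless alert('Hello World') the author's sample produces. The regex, the depth threshold and the word list in naive_signature_hits are my own assumptions, not anything from BHEK2 itself.

```python
import base64
import re

# One eval(base64_decode("...")) wrapper. PHP function names are case-insensitive
# and real infections vary whitespace and quote style, so the pattern is loose.
LAYER_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*;?""",
    re.IGNORECASE,
)

# Assumed strings a naive "redirection" signature would look for in raw file content.
NAIVE_SIGNATURE_TOKENS = ("<script", "document.location", "window.location")


def naive_signature_hits(source: str) -> bool:
    """Static signature check on the text exactly as given (no decoding)."""
    low = source.lower()
    return any(tok in low for tok in NAIVE_SIGNATURE_TOKENS)


def unwrap_layers(php_source: str, max_depth: int = 16):
    """Peel nested eval(base64_decode(...)) layers.

    Returns (depth, final_payload): depth is how many wrappers were removed,
    final_payload is the innermost text that no longer matches the wrapper.
    max_depth guards against a file that decodes to itself forever.
    """
    current = php_source
    depth = 0
    while depth < max_depth:
        m = LAYER_RE.search(current)
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(2))
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:
            break  # not valid base64: stop rather than guess
        current = decoded.decode("utf-8", errors="replace")
        depth += 1
    return depth, current


def scan(php_source: str, suspicious_depth: int = 2) -> dict:
    """Defender view of one file: raw signature result vs. result after unwrapping."""
    depth, payload = unwrap_layers(php_source)
    return {
        "raw_signature_hit": naive_signature_hits(php_source),
        "wrapper_depth": depth,
        "decoded_signature_hit": naive_signature_hits(payload),
        # Nested wrapping alone is a strong heuristic even if the payload is unknown.
        "suspicious": depth >= suspicious_depth or naive_signature_hits(payload),
    }


# --- constructed fixture (not real malware) ---------------------------------
INNER = "echo '<script>alert(\"Hello World\");</script>';"


def build_test_fixture(payload: str, layers: int) -> str:
    """Wrap a payload in N eval(base64_decode()) layers, mirroring the layout
    described in the post. Used only to produce a harmless test input."""
    out = payload
    for _ in range(layers):
        b64 = base64.b64encode(out.encode()).decode()
        out = f'eval(base64_decode("{b64}"));'
    return "<?php\n// constructed fixture: two wrapper layers around a harmless alert\n" + out + "\n"


SAMPLE = build_test_fixture(INNER, 2)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Running it prints that the raw signature does not hit, the wrapper depth is 2, and the decoded payload does hit. The practical lesson for a scanner is to treat the nesting depth itself as a signal: a legitimate plugin rarely wraps code in more than one eval(base64_decode()) layer, so alerting on depth >= 2 catches this family without knowing the final payload in advance.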

Btw, a short mention here since we are dealing with PHP obfuscation: certain sites that distribute PHP shells backdoor the backdoors, and when you execute the backdoor, the distributor is informed about the compromised server.

Kudos again to all #malwaremustdie guys.
