http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/ Information Systems and Internet Security Fri, 16 May 2008 15:32:52 +0000 http://wordpress.org/?v= http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-314 sdas Fri, 18 Apr 2008 23:11:05 +0000 http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-314 ]]> http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-270 Reverse Engineering a PHP “Virus” | WEB ABOUT WEB Fri, 14 Mar 2008 16:00:09 +0000 http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-270 [...] Source: http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/ [...] […] Source: http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/ […]

]]> http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-141 Swiss Dude Tue, 26 Feb 2008 22:10:55 +0000 http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-141 Hello webmaster, Nice blog posting about at ISIS Blogs. I would have to agree with you on this one. I am going to look more into . This Tuesday I have time. Hello webmaster, Nice blog posting about at ISIS Blogs. I would have to agree with you on this one. I am going to look more into . This Tuesday I have time.

]]> http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-133 Schmoilito Tue, 26 Feb 2008 02:33:55 +0000 http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-133 I would consider it a back door, since they could do much more then just host ad's if they wanted to. Anyway, good job! I would consider it a back door, since they could do much more then just host ad’s if they wanted to. Anyway, good job!

]]> http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-131 Aleksey Fateev Tue, 26 Feb 2008 01:25:33 +0000 http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-131 Lee, yes I'm talking about the "DdNHzptaAEDh5SQRA5ppijIw9RpMb4bJE5e..." line that the browser spits out. I also tried a simple base64_decode, gzuncompress combination and it didn't work. The original file worked with that line in 368 and 3024 pieces (didn't test this) and did the decoding on them separately. So I suspect this should be treated the same way. Also possible that its more complicated then that. If you want this file its on offensivecomputing.com (hash: 6891e6df8e053d3438af8a5404284361) Lee, yes I’m talking about the “DdNHzptaAEDh5SQRA5ppijIw9RpMb4bJE5e…” line that the browser spits out. I also tried a simple base64_decode, gzuncompress combination and it didn’t work. The original file worked with that line in 368 and 3024 pieces (didn’t test this) and did the decoding on them separately. So I suspect this should be treated the same way. Also possible that its more complicated then that. If you want this file its on offensivecomputing.com (hash: 6891e6df8e053d3438af8a5404284361)

]]> http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-130 Aleksey Fateev Tue, 26 Feb 2008 01:02:37 +0000 http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-130 Schmoilito, you caught my mistake. I meant to put the word virus in quotes. Would you say the proper terminology is adware/backdoor? (or is better not to categorize it to avoid being shot) Schmoilito, you caught my mistake. I meant to put the word virus in quotes. Would you say the proper terminology is adware/backdoor? (or is better not to categorize it to avoid being shot)

]]> http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-129 Lee Tue, 26 Feb 2008 00:31:03 +0000 http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-129 I took a shot at de-obfuscating the mothership's script, but according to gzip, the data for inflation is invalid, am I missing the first line of the file? (Since you mentioned this was the 2nd line) Are you talking about the "DdNHzptaAEDh5SQRA5ppijIw9RpMb4bJE5e...etcetc" line? I took a shot at de-obfuscating the mothership’s script, but according to gzip, the data for inflation is invalid, am I missing the first line of the file? (Since you mentioned this was the 2nd line) Are you talking about the “DdNHzptaAEDh5SQRA5ppijIw9RpMb4bJE5e…etcetc” line?

]]> http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-126 Schmoilito Mon, 25 Feb 2008 21:19:05 +0000 http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-126 cool post! but what is viral about it? cool post! but what is viral about it?

]]> http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-111 Analysis of an Obfuscated PHP Virus | Secure Software Engineering Journal Sun, 24 Feb 2008 18:26:25 +0000 http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/#comment-111 [...] process is very interesting. I have the process and functionality analysis on my blog at isisblogs.poly.edu. By the way, this iCTF 2007 challenge is something else you can check out if you like deobfuscating [...] […] process is very interesting. I have the process and functionality analysis on my blog at isisblogs.poly.edu. By the way, this iCTF 2007 challenge is something else you can check out if you like deobfuscating […]

]]>