Global CyberSecurity

Smoker Backdoor: Evasion Techniques in Webshell Backdoors

Last Updated on 08/13/2020 by OTC

“Smoker Backdoor” is a PHP webshell backdoor that uses hexadecimal and decimal obfuscation in conjunction with the PHP function goto to evade detection by malware scanners.

The hexadecimal/decimal obfuscation is clear to see when viewing the file’s PHP code. For instance, this section of the PHP code is obfuscated using this method:

if ($_GET["\x72\145\156\x61\155\x65"] == "\164\x72\x75\x65") {
    echo "\x3c\146\157\162\x6d\x20\145\x6e\143\x74\171\x70\145\75\x22\155\165\x6c\164\x69\x70\141\x72\164\57\x66\x6f\162\155\55\x64\141\x74\141\x22\40\155\x65\x74\x68\x6f\144\x3d\42\160\x6f\163\x74\x22\76\xa\x20\40" .
        htmlspecialchars($_GET["\x66\x69\x6c\145"])
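
A scanner can undo this layer before it matches signatures. The Python below is an added example, not code from the original article: it decodes the hex and numeric escapes in the excerpt above (PHP reads a backslash followed by up to three digits 0-7 inside a double-quoted string as an octal byte value) and flags string literals made up mostly of such escapes. The function names and the 0.8 threshold are assumptions, and the sample is the excerpt with each escape's backslash written out.

```python
import re

# PHP double-quoted escapes handled: \xH / \xHH (hex) and \N / \NN / \NNN (octal).
# An escaped backslash (\\) is matched too so that "\\x41" is not misread as \x41.
ESCAPE = re.compile(r'\\(\\|x[0-9A-Fa-f]{1,2}|[0-7]{1,3})')
# Body of a double-quoted literal. Simplification: single-quoted strings,
# heredocs and comments are not tracked, which is enough for triage.
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)

# The page's excerpt with the escape backslashes written out (assumed lost in extraction).
SAMPLE = r'''
if ($_GET["\x72\145\156\x61\155\x65"] == "\164\x72\x75\x65") {
    echo "\x3c\146\157\162\x6d\x20\145\x6e\143\x74\171\x70\145\75\x22\155\165\x6c\164\x69\x70\141\x72\164\57\x66\x6f\162\155\55\x64\141\x74\141\x22\40\155\x65\x74\x68\x6f\144\x3d\42\160\x6f\163\x74\x22\76\xa\x20\40" .
        htmlspecialchars($_GET["\x66\x69\x6c\145"])
'''


def decode_php_escapes(body):
    """Decode hex and octal escapes the way PHP does inside double quotes."""
    def repl(m):
        tok = m.group(1)
        if tok == '\\':
            return m.group(0)                    # leave \\ untouched
        if tok[0] == 'x':
            return chr(int(tok[1:], 16))
        return chr(int(tok, 8) & 0xFF)           # PHP keeps only the low byte
    return ESCAPE.sub(repl, body)


def escape_ratio(body):
    """Fraction of the literal's characters that belong to hex/octal escapes."""
    used = sum(len(m.group(0)) for m in ESCAPE.finditer(body) if m.group(1) != '\\')
    return used / len(body) if body else 0.0


def find_obfuscated_strings(source, threshold=0.8):
    """Return (raw, decoded) for literals made up mostly of escapes.

    threshold is an illustrative cut-off, not a tuned value.
    """
    hits = []
    for m in DQ_STRING.finditer(source):
        body = m.group(1)
        if escape_ratio(body) >= threshold:
            hits.append((body, decode_php_escapes(body)))
    return hits


if __name__ == "__main__":
    for raw, decoded in find_obfuscated_strings(SAMPLE):
        print(f"{decoded!r:60} <- {raw[:40]}")
```

Run on the excerpt, the four literals decode to a GET parameter name, the value it is compared against, the opening tag of a file-upload form, and a second parameter name, which are strings a plain-text signature can match once the escapes are removed.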

As with many webshells, it allows the user to set a password to control access to the webshell.

Continue reading Smoker Backdoor: Evasion Techniques in Webshell Backdoors at Sucuri Blog.
