Hundreds of thousands of PhpStudy users had a backdoor implanted; check whether you have become a "zombie" (a "chicken", as the hijacked hosts are called)!

On September 20 in Beijing, Hangzhou Public Security published the article "Hangzhou police report victories in the 'Net Net 2019' special action against criminal networks," which exposed that the well-known integrated PHP debugging-environment package "PhpStudy" had been tampered with by hackers and implanted with a "backdoor." By the time the case broke, of PhpStudy's nearly one million users, over 670,000 PHP users' computers had been controlled by the hackers, who wantonly stole account passwords, chat records, device codes and other sensitive data, more than 100,000 sets in all, for illegal profits of more than 600 million.

Case cracked: lurking since early 2016, a cumulative 670,000 computers turned into "zombies"

PhpStudy is no stranger to many domestic software developers. It is a free integrated PHP debugging-environment package that bundles the latest Apache, PHP, MySQL, phpMyAdmin and ZendOptimizer in a single one-time installer; with no configuration, it can be used directly as a PHP development and debugging environment. Because it is public, free, convenient and easy to use, it has grown to a considerable size, with nearly a million PHP learners and developers as users.

However, such a "green, pollution-free" national software was turned into a tool for atrocities by hackers, and the motive for the crime was nothing more than ambition and vanity. According to the disclosure by Hangzhou Public Security, the hackers had prepared the "backdoor" file as early as 2016, illegally intruded into the official PhpStudy website, and tampered with the software installation package to implant the "backdoor." The "backdoor" is able to control the computer, remotely download and run scripts, and collect the user's personal information.

Since 2016, the hackers used the "backdoor" to commit crimes unchecked: a large number of captured computers became "zombies" that execute dangerous commands, and countless users' account passwords, computer data and sensitive information were crawled and sent back remotely. According to statistics, the hackers had taken control of more than 670,000 computers and illegally obtained 10 million sets of account passwords, chat data, device codes and other data, making this the supply-chain attack with the widest impact in the country since 2019.

The "backdoor" involves multiple versions

It is worth noting that the tampered versions are not only the Php5.4 build of PhpStudy2016 named in the official announcement: both PhpStudy 2016 and PhpStudy 2018 were found to contain the "backdoor" file, affecting the bundled Php5.2, Php5.3 and Php5.4 environments. Although the download links on the official page have expired, the historical versions can still be downloaded from the official website. Besides the official site, some download sites also provide the same "unclean" versions of PhpStudy.

It has been confirmed that the vast majority of backdoors are located in the files "php\php-5.4.45\ext\php_xmlrpc.dll" and "\php\php-5.2.17\ext\php_xmlrpc.dll" under the PhpStudy directory, but in some PhpStudy copies downloaded from third-party sites the backdoor is located in "\php53\ext\php_xmlrpc.dll." Looking at the strings of the file reveals a suspicious "eval" string.

(Suspicious "eval" string in the php_xmlrpc.dll file)

The "eval" code string sits next to compressed shellcode at offsets 0xd028 to 0xd66c; the shellcode is decompressed with PHP's gzuncompress function and then executed by eval.

(Decompress and execute shellcode)

(Part of the shellcode)

After extracting the shellcode, as shown below, the base64-encoded content inside it is the final backdoor.

(Shellcode after decompression)

The final backdoor requests a C&C address and executes the content returned by the C&C; at present the address can no longer be connected to.

(Schematic of the backdoor code)
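As an added check (not part of the original article), the following Python script inspects php_xmlrpc.dll files for the two traits the article describes: an "eval" string and a gzuncompress call, with attention to the 0xd028 to 0xd66c offset range. Treating the pair of strings as a backdoor signal is this script's own heuristic, and the two sample byte images are constructed; a hit should be confirmed against the SHA-256 of a known-clean copy of the DLL.

```python
import hashlib
from pathlib import Path

# Markers the article associates with the backdoored php_xmlrpc.dll:
# an "eval" string and a gzuncompress() call that unpacks the embedded
# shellcode. Flagging on both together is this script's own heuristic.
SUSPECT_MARKERS = (b"eval", b"gzuncompress")
# Offset range in which the article locates the compressed shellcode.
SHELLCODE_START, SHELLCODE_END = 0xD028, 0xD66C


def find_all(data: bytes, marker: bytes) -> list:
    """Every offset at which marker occurs in data."""
    hits, idx = [], data.find(marker)
    while idx != -1:
        hits.append(idx)
        idx = data.find(marker, idx + 1)
    return hits


def inspect_dll_bytes(data: bytes) -> dict:
    """Heuristic check of one php_xmlrpc.dll image held in memory."""
    hits = {m.decode(): find_all(data, m) for m in SUSPECT_MARKERS}
    in_range = any(SHELLCODE_START <= off <= SHELLCODE_END
                   for offs in hits.values() for off in offs)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # compare to a clean copy
        "markers": hits,
        "hit_in_shellcode_range": in_range,
        "suspicious": all(hits.values()),  # both strings present
    }


def scan_phpstudy(root) -> list:
    """Inspect every php_xmlrpc.dll below a PhpStudy install directory."""
    results = []
    for dll in Path(root).rglob("php_xmlrpc.dll"):
        report = inspect_dll_bytes(dll.read_bytes())
        report["path"] = str(dll)
        results.append(report)
    return results


# Constructed samples: a clean-looking image and a backdoored-looking one
# whose markers are placed inside the article's offset range.
CLEAN_SAMPLE = b"MZ" + b"\x00" * 0x20 + b"xmlrpc_encode" + b"\x00" * 0x100
BACKDOORED_SAMPLE = (b"MZ" + b"\x00" * (0xD028 - 2)
                     + b"@eval(gzuncompress(...));" + b"\x00" * 0x40)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("backdoored", BACKDOORED_SAMPLE)):
        print(name, inspect_dll_bytes(sample)["suspicious"])
```

Run `scan_phpstudy(r"C:\phpStudy")` (path assumed) on a real install to get one report per DLL found.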

POC example:

Although the network task force of the Hangzhou police has arrested seven suspects, surnamed Ma, Yang, Tan and Zhou, in Hainan, Sichuan, Chongqing and Guangdong, analysis shows that more than 1,700 hosts on the current network still carry the "backdoor" php_xmlrpc.dll file.

By modifying the underlying source code of commonly used software and adding a hidden "backdoor," the attackers illegally obtained users' private data without the users being able to notice.
