When cleaning websites, one of the most complicated parts of our job is ensuring we find all backdoors. Most of the time, attackers inject code into different locations to increase the chances of reinfecting the site and maintaining access for as long as possible. Our research finds that in 67% of the websites we clean, there is at least one backdoor variant. Although we have hundreds of posts on backdoors and their effects, today we want to discuss a few techniques and provide in-depth technical knowledge on how to decode an advanced piece of malware. This particular infection isn’t new but over the past few months, we have seen an increase in attacks against WordPress & Joomla using a related variant. The Malware After compromising a website, attackers may inject backdoors, web shells, add bogus admin users, and more. A very common characteristic is that either one or more of the following techniques are employed to hide their code – encoding, encryption, and obfuscation. In the following snippet, attackers added pretty much all three techniques. Let’s go step-by-step through the process of decoding it. Simplifying the Code When decoding, it’s very important
Share This