Developer Creates Rootkit That Hides in PHP Server Modules


A Dutch web developer has created a rootkit that hides inside a PHP module and can be used to take over web servers via a rarely used attack vector: Apache modules.

By the classic definition, a rootkit is a piece of code that works at the lowest levels of the operating system, intercepting kernel operations and injecting malicious actions.

Many of today’s rootkits work near the OS kernel and require a high level of proficiency on the attacker’s side to get them to run without crashing the victim’s computer.

It’s this need for advanced C and C++ coding skills that drove Luke Paris, a Dutch web developer, to attempt to create a rootkit that interacts with the PHP interpreter, instead of the OS kernel.

“Learning how to use the Zend Engine (the framework the entire PHP language is built with) is a lot easier than learning how to write kernel modules, simply because the code base itself is smaller, better documented and a lot less complex,” Paris explains. “Even without good documentation or tutorials, I managed to learn the basics of writing a PHP module within a day. If I (a novice C developer) can do it, the bad guys definitely can.”

PHP rootkits have many advantages

According to Paris, using PHP modules to hide rootkits is actually a pretty clever idea. The developer details a series of advantages.

⋙ Poorly written PHP rootkits will not crash the OS, only causing segmentation faults that interrupt current server requests, allowing infections to go unnoticed for a longer time.
⋙ Very few developers check the hashes of their PHP modules, meaning it’s quite easy to trick devs into downloading a tainted PHP module or replacing PHP modules on hacked servers.
⋙ PHP rootkits only have to hook into one system process, while kernel rootkits have to hook into every single kernel call, reducing a machine’s performance.
⋙ PHP rootkits are cross-platform rootkits because PHP is a cross-platform project and PHP modules can be cross-compiled for different platforms.

Proof of concept code available on GitHub

Paris has created a proof-of-concept PHP rootkit which he open-sourced on GitHub. The test rootkit he developed hooks into the PHP server’s “hash” and “sha1” functions. The entire rootkit is 80 lines of code, and an attacker could easily hide it in legitimate modules.

To prevent attackers from easily weaponizing his code, the developer has defanged some of its parts, making compilation harder for people with no expertise in PHP modules.

Nevertheless, his test PHP rootkit shows a possible attack vector that server administrators need to take into consideration. To prevent such attacks, Paris has a series of recommendations for server owners.

“The most simple way of detecting whether or not any of your modules are malicious would be to keep a list of the module hashes after installing PHP,” Paris says. “Once you have a list of hashes, add a cron job that tries to hash all files in the extension directory and compares them to the current hash.”

To make everyone’s job easier, Paris even published a Python script that checks the SHA1 hashes of a user’s PHP modules.

Mitigate attack by scanning Apache module file hashes

“This is an interesting research project,” Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprise, told Bleeping Computer in an email today.

“I’ve seen .htaccess-based malware used in infected systems before, a PHP module or Apache module is certainly not out of the question,” Arciszewski added.

The expert, who is also the man behind Airship, a PHP CMS designed with improved security, says the only suggestion he’d make to Paris’ mitigation script is to use SHA256 hashes instead of SHA1.

His advice comes after Google researchers broke the SHA1 hashing function earlier this year, creating two files with the same SHA1 hash. In theory, this would allow an attacker to add the PHP rootkit and then generate an Apache module with the same hash as the original, although this has not been demonstrated in practice so far.
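As an added example (not Paris’ published script and not Airship code), here is a baseline-and-compare check of the kind the quote above describes, using SHA256 as Arciszewski recommends. The baseline file name is an assumption; the extension directory is passed on the command line, and `demo()` runs the check against constructed fake module files rather than a real PHP install.

```python
import hashlib
import json
import os
import sys
import tempfile

BASELINE = "php-module-hashes.json"  # assumed location of the saved hash list


def sha256_file(path):
    """SHA256 of one file (PHP modules are small enough to read whole)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_baseline(ext_dir):
    """Map each file under ext_dir (path relative to ext_dir) to its SHA256."""
    out = {}
    for root, _, files in os.walk(ext_dir):
        for name in files:
            full = os.path.join(root, name)
            out[os.path.relpath(full, ext_dir)] = sha256_file(full)
    return out


def compare(baseline, current):
    """Report modules whose hash changed, that appeared, or that vanished."""
    changed = [p for p in baseline if p in current and baseline[p] != current[p]]
    return {"modified": sorted(changed),
            "added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current))}


def demo():
    """Constructed scenario: two fake modules are baselined, then hash.so is replaced."""
    d = tempfile.mkdtemp()
    for name in ("hash.so", "json.so"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"fake clean module " + name.encode())
    baseline = build_baseline(d)
    with open(os.path.join(d, "hash.so"), "wb") as f:
        f.write(b"fake module with hooked sha1()")  # simulated tampering
    return compare(baseline, build_baseline(d))


if __name__ == "__main__":  # cron usage: check.py $(php-config --extension-dir)
    current = build_baseline(sys.argv[1])
    if not os.path.exists(BASELINE):  # first run: record the clean state
        json.dump(current, open(BASELINE, "w"), indent=1)
        sys.exit(0)
    diff = compare(json.load(open(BASELINE)), current)
    print(json.dumps(diff, indent=1))
    sys.exit(1 if any(diff.values()) else 0)  # non-zero exit makes cron mail the report
```

The baseline must be taken right after a clean install and stored somewhere the web server user cannot write, otherwise an attacker who replaces a module can also rewrite the hash list.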

PHP rootkit gives attackers the persistence they always wanted

On hacked servers, most incident responders would not consider looking for malicious code inside PHP modules, as this is not a common place to hide malware, which is usually found in the source code of public websites, .htaccess files, or other files stored in the web server’s directories.

Paris’ PHP rootkit is the persistence tool that many attackers have always wanted, allowing them to remain at the lowest server level without getting detected.

It’s because of this increased level of persistence that Arciszewski recommends taking drastic measures when dealing with servers suspected of being infected with malware, as there’s always a new attack vector around the corner, unknown to most server administrators.

“If you’re trying to clean up a compromised system, after the forensic investigation is complete, we always recommend building a new, clean environment and migrating the data over from a trusted backup for reasons like this,” the expert said.

Paris is not the first to play around with the idea of hiding malicious code in Apache modules. Back in 2015, London-based developer Christian Papathanasiou created a similar rootkit that he hid inside an Apache module.