Release Note – Introducing the PHP Simulator

The Ninjas are working day’n’night to find the perfect solution against obfuscated malware. Last year, we invented a unique detection technique, the Source Code Structure Analysis. This month, we have made another breakthrough.

BitNinja 2.25 is here, and it brings many new features, most notably a new malware scanner mechanism.  With this new feature, you can analyze old PHP files on the servers and discover the most recent zero-day attacks, even if they are obfuscated.

What is Obfuscated Malware?

First, let’s discuss what obfuscated malware is.

Obfuscation attempts to hide the real intention of a program. The hacker writes a code that is not readable by humans, but the functionality behind it remains the same. So, when you run the program, it behaves like the encapsulated program it was created for.

The Dynamic Analysis

When we talk about malware, there are two different types of analysis: static and dynamic.

The static analysis includes hash algorithms, string matching, code-based detection, and also our award-winning invention, the source code structure analysis.

And what do we call dynamic analysis? During the dynamic analysis, the system observes the program’s behavior after you have run the source code partially or entirely.

Deobfuscation

eval obfuscation

If you find the obfuscation mechanism, you can deobfuscate the code. After that, you can decapsulate the real program and match the deobfuscated source code. But unfortunately, there are too many obfuscation techniques. It is hard to deobfuscate the code, and other aspects are difficult to analyze without running the code at least partially.

Output

Another technique is from the output when you analyze the output of the program. Most of the time, when you run a malware, you can find traces of malicious behavior from the output.

Function Calls

Function Calls

Within the confines of the “Function Calls” analysis, you run the code and find which functions are used for malicious activities.

Variable Content

Variable Content

You can see in this picture that this program contains something “phishy”. It’s always suspicious when a source code includes function names like explode and basic commands used to decode interesting variable names.

File Manipulation

File Manipulation

It can happen with real files or within a simulated environment to safely analyze file manipulations.

Multi-Path Execution

Multi-Path Execution

You can also do multi-path execution when you analyze what would happen if you forced the interpreter into a code branch. With this method, you can find locked code parts, and it is also helpful in discovering malicious behaviors.

The Old School Way

Sandboxing is one way to use these techniques if you have a couple of special servers for this purpose.

These servers can spin up virtual servers. You upload the PHP file to it, run the code and use the above-mentioned analyzing methods. The disadvantage of sandboxing is that it takes around 20 seconds to analyze one PHP file. Analyzing all of your PHP files would take a lot of time and eat up too many resources.

The New Way

We added a new module to the BitNinja system we named Sandbox Simulator. It’s a PHP emulator, which runs the PHP files on the server in a safe environment and automatically analyses the file’s behavior. It also analyzes the old PHP files on the servers. With the Sandbox Simulator, we can easily discover the most recent zero-day malware, even if they are obfuscated.

In the video below, our Ninja, Mark, shows you how the PHP simulator works. You can find the malware snippet that Mark used here.

How can you try out the PHP simulator?

  1. Update the agent to the latest version on a machine you would like to use the PHP simulator.

  2. Enable the module with:
    bitninjacli --module=SandboxScanner --enable
    (You can disable it with: bitninjacli --module=SandboxScanner --disable)

  3. After enabling, it will automatically check every PHP file that our Malware Detection module finds. You can follow its logs with this command:
    tail -f /var/log/bitninja/mod.sandbox_scanner.log

  4. Validate the signatures by clicking on the “Start Validation” button on the Anti-Malware section’s Local Malware Signature tab.

When the PHP scanner finds a malicious file, it creates a validating signature from it. We wrote about our validating process in our previous release note. Make sure only to validate signatures that are legitimately malware, or please feel free to contact us so we can assist you with a suspicious signature.

Would you like to participate in developing our most recent innovation? We still have some new ideas to improve the Malware Detection module, and we are looking for people who would like to help us test the first version and give feedback about the user experience.

If you are interested in it, reach out to our product manager, Adam.


Cybersecurity is not optional anymore. It is a must! If you haven’t tried BitNinja yet, don’t forget to register for the 7-day free trial! No credit card needed!

Free Trial

We are always happy to help you! If you have any questions, check out our Knowledgebase, feel free to ask at info@bitninja.io, or you can even reach us on the Dashboard chat!

Let’s make the internet a safer place together!