While we encounter a wide variety of threats on a regular basis, sometimes we come across those that are truly unusual. This is one of them: it appears to be a PHP backdoor delivered via spammed emails.
At first glance, this threat appears to be a fairly typical malicious spam email: it pretends to be a notification from Visa that the user’s card has been suspended.
Figure 1. Fake email notification
The body of the email itself appears to be blank. Neither a malicious attachment nor a link to a website can be found here. So what is the threat here?
Figure 2. Embedded PHP code
The body of the email is actually not blank; instead it contains PHP code. This particular code is actually a well-known website backdoor known as c99madshell, which we detect as PHP_C99SHEL.SMC. C99madshell has been around since at least 2008. It allows an attacker who has compromised a website via FTP to control that website using an easy-to-use control panel accessible with any browser, as can be seen below running on a test machine:
Figure 3. c99madshell control panel
It should be clear right away that something is very off-base here. The control panel is meant to be accessed by the attacker, not the victim. It would make no sense for the victim to see a backdoor to their own server’s control panel!
That assumes, of course, that the backdoor would even run. It is theoretically possible, but in practice it is very difficult. Anyone reading the email on a non-webmail client – such as a desktop email client or a mobile app – would merely see the blank page. Even then, the webmail client would have to be configured to allow arbitrary embedded PHP code to run in the first place, which is extraordinarily dangerous. Finally, the attacker would then be unable to view the page unless he somehow gained access to the email inboxes.
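Whether or not the code could ever execute, a mail gateway can still flag PHP source sitting where a readable message body should be. The following Python scanner is an added example, not code from the original post or from Trend Micro: it walks every text MIME part of a message and reports a PHP open tag together with hints typical of c99madshell and of PHP webshells generally. The sample message and the `$shver` marker are constructed/assumed for this example, not taken from the actual spam.

```python
"""Flag PHP webshell source embedded in an email body (the c99madshell case above)."""
import email
import re
from email import policy

# Markers: the PHP open tag, plus strings typical of c99madshell and of PHP
# webshells generally (the "$shver" variable name is an assumption for this example).
PHP_OPEN = re.compile(r"<\?php\b", re.IGNORECASE)
SHELL_HINTS = re.compile(
    r"c99(?:mad)?shell|\$shver|\b(?:eval|passthru|shell_exec|system|base64_decode)\s*\(",
    re.IGNORECASE,
)

def scan_message(raw: bytes) -> dict:
    """Scan one raw RFC 5322 message: walks every text/* MIME part, letting the
    email package undo the transfer encoding (base64, quoted-printable) and the
    charset, and records each part carrying a PHP open tag plus the hints matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    php_parts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()  # decoded text of this part
        if PHP_OPEN.search(body):
            hints = sorted({m.group(0).lower() for m in SHELL_HINTS.finditer(body)})
            php_parts.append({"content_type": part.get_content_type(), "hints": hints})
    return {"subject": str(msg["subject"]), "php_parts": php_parts,
            "suspicious": bool(php_parts)}

# Constructed sample mimicking the spam described above: a fake card-suspension
# notice whose only text part is PHP source instead of a readable message.
SAMPLE_SPAM = b"""From: notice@example.invalid
Subject: Your card has been suspended
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

<?php
$shver = "placeholder";
echo "c99madshell control panel";
eval($payload);
?>
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_SPAM))
```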
There are several possibilities as to how this happened. One possible attack scenario is that the attacker was going after a webmail provider or email list archive; however, in such a case the attacker would not need to send spam messages with this content. In addition, this would require a server set up so insecurely that it would be insane.
Other possibilities involve mistakes on the part of the attacker: he could have made a mistake when inserting the contents of the email, or the attacker may simply have a faulty understanding of PHP. However, without getting into the mind of the attacker, we cannot be sure.
Both the email and file components of this attack are detected and blocked by the appropriate Trend Micro solutions.