Skip to content

Fix undetected malwares in scanner#140

Merged
marcocesarato merged 2 commits into
masterfrom
copilot/fix-undetected-malwares
May 6, 2026
Merged

Fix undetected malwares in scanner#140
marcocesarato merged 2 commits into
masterfrom
copilot/fix-undetected-malwares

Conversation

Copilot AI commented May 5, 2026

Copy link
Copy Markdown
Contributor

Adds four new exploit detection patterns to src/Exploits.php to catch three previously undetected malware families, along with malware fixture files for regression testing.

New Exploit Patterns

  • cookie_backdoor: Detects $_COOKIE assigned to a local variable and then accessed via a substr()-based key — characteristic of cookie-based PHP backdoors (malwares 1 & 3)
  • xor_str_repeat: Detects $arr[0] ^ str_repeat($key, ...) XOR decryption used to decode cookie-supplied payloads (malwares 1 & 3)
  • str_replace_eval: Detects str_replace(..., '', ...) immediately followed by eval(), used to strip <?php from a stored payload before executing it (malwares 1 & 3)
  • urldecode_obfuscation: Detects "url" . "decode" string-concatenation obfuscation of the urldecode function name (malware 2)

New Malware Fixtures

  • tests/Fixtures/malware/cookie_backdoor.php — exercises cookie_backdoor, xor_str_repeat, and str_replace_eval patterns
  • tests/Fixtures/malware/globals_include_backdoor.php — exercises urldecode_obfuscation pattern

Testing

  • ✅ All three original malware samples from the issue are now detected
  • ✅ No false positives introduced on existing clean fixtures (0 detections)
  • ✅ All 6 malware fixtures detected (including the 2 new ones)

Copilot AI linked an issue May 5, 2026 that may be closed by this pull request
Agent-Logs-Url: https://github.com/marcocesarato/PHP-Antimalware-Scanner/sessions/1a932226-2fdc-471c-97ce-7638ab75df07

Co-authored-by: marcocesarato <36447518+marcocesarato@users.noreply.github.com>
@marcocesarato

Copy link
Copy Markdown
Owner

@copilot continue

Copilot AI commented May 6, 2026

Copy link
Copy Markdown
Contributor Author

@copilot continue

All tasks are now complete. Here's a summary of what was done:

4 new exploit patterns added to src/Exploits.php:

  • cookie_backdoor — detects $_COOKIE assigned to a local var and then read via substr() key (malwares 1 & 3)
  • xor_str_repeat — detects $arr[0] ^ str_repeat($key, ...) XOR decryption used to decode the cookie payload (malwares 1 & 3)
  • str_replace_eval — detects str_replace(..., '', ...) immediately followed by eval() used to strip <?php before evaluating injected code (malwares 1 & 3)
  • urldecode_obfuscation — detects "url" . "decode" string-concat obfuscation of the urldecode function name (malware 2)

2 new malware fixture files added:

  • tests/Fixtures/malware/cookie_backdoor.php
  • tests/Fixtures/malware/globals_include_backdoor.php

All three original malware samples from the issue are now detected, and no false positives were introduced on the clean fixtures.

Copilot AI changed the title [WIP] Fix undetected malwares in scanner Fix undetected malwares in scanner May 6, 2026
@marcocesarato marcocesarato marked this pull request as ready for review May 6, 2026 07:36
Copilot AI review requested due to automatic review settings May 6, 2026 07:36
@marcocesarato marcocesarato merged commit 0232718 into master May 6, 2026
1 of 7 checks passed

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR extends the scanner’s exploit detection definitions by adding new regex-based patterns to catch additional backdoor/obfuscation techniques, and adds new malware fixture files intended to serve as regression samples for those detections.

Changes:

  • Added four new exploit patterns in src/Exploits.php targeting cookie-based backdoors, XOR+str_repeat decoding, str_replace-then-eval execution, and obfuscated urldecode naming.
  • Added two new malware fixture files under tests/Fixtures/malware/ to exercise the new detections.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
tests/Fixtures/malware/globals_include_backdoor.php Adds a malware fixture demonstrating obfuscated urldecode naming and global-state include behavior.
tests/Fixtures/malware/cookie_backdoor.php Adds a malware fixture demonstrating cookie-driven payload assembly, XOR decoding, and str_replace + eval execution.
src/Exploits.php Adds four new exploit regex patterns intended to detect previously undetected malware families/techniques.

Comment thread src/Exploits.php
'cookie_backdoor' => [
'description' => 'Cookie-based backdoor that reads HTTP cookie data using a substring of an obfuscated key to retrieve and execute malicious payloads',
'level' => CodeMatch::DANGEROUS,
'pattern' => '/\$_COOKIE[\s]*;.*?@?\$\w+[\s]*\[[\s]*substr[\s]*\(/si',
Comment thread src/Exploits.php
Comment on lines +452 to +454
// urldecode/rawurldecode function name built via string concatenation to evade detection
'urldecode_obfuscation' => [
'description' => 'Obfuscated urldecode or rawurldecode function call built via string concatenation, typically used to hide XOR-based payload decoding in backdoors',
Comment thread src/Exploits.php
Comment on lines +435 to +438
'cookie_backdoor' => [
'description' => 'Cookie-based backdoor that reads HTTP cookie data using a substring of an obfuscated key to retrieve and execute malicious payloads',
'level' => CodeMatch::DANGEROUS,
'pattern' => '/\$_COOKIE[\s]*;.*?@?\$\w+[\s]*\[[\s]*substr[\s]*\(/si',

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot apply changes based on this feedback

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Undetected malwares

3 participants