A Dutch web developer has created a rootkit that hides inside a PHP module and can be used to take over web servers via a rarely used attack vector: Apache modules. Under the classic definition, a rootkit is a piece of code that operates at the lowest levels of the operating system, intercepting kernel operations and injecting malicious actions.
Many of today's rootkits work close to the OS kernel and require a high level of proficiency on the attacker's side to get them running without crashing the victim's computer. It is this need for advanced C and C++ coding skills that drove Luke Paris, a Dutch web developer, to attempt to create a rootkit that interacts with the PHP interpreter instead of the OS kernel.
“Learning how to use the Zend Engine (the framework the entire PHP language is built with) is a lot easier than learning how to write kernel modules, simply because the code base itself is smaller, better documented and a lot less complex,” Paris explains. “Even without good documentation or tutorials, I managed to learn the basics of writing a PHP module within a day. If I (a novice C developer) can do it, the bad guys definitely can.”