Oleksii Starov
Syed Sharique Ahmad
Thorsten Holz
ABSTRACT
Web shells are malicious scripts that attackers upload to a compromised web server in order to remotely execute arbitrary commands, maintain their access, and elevate their privileges. Despite their high prevalence in practice and heavy involvement in security breaches, web shells have never been the direct subject of any study. In contrast, web shells have been treated as malicious blackboxes that need to be detected and removed, rather than malicious pieces of software that need to be analyzed and, in detail, understood. In this paper, we report on the first comprehensive study of web shells. By utilizing different static and dynamic analysis methods, we discover and quantify the visible and invisible features offered by popular malicious shells, and we discuss how attackers can take advantage of these features. For visible features, we find the presence of password bruteforcers, SQL database clients, portscanners, and checks for the presence of security software installed on the compromised server. In terms of invisible features, we find that about half of the analyzed shells contain an authentication mechanism, but this mechanism can be bypassed in a third of the cases. Furthermore, we find that about a third of the analyzed shells perform homephoning, i.e., the shells, upon execution, surreptitiously communicate to various third parties with the intent of revealing the location of new shell installations. By setting up honeypots, we quantify the number of third-party attackers benefiting from shell installations and show how an attacker, by merely registering the appropriate domains, can completely take over all installations of specific vulnerable shells.
- JohnTroony's php-webshells repository. https://github.com/JohnTroony/php-webshells.Google Scholar
- Nikicat's web-malware-collection repository. https://github.com/nikicat/web-malware-collection/tree/master/Backdoors/PHP.Google Scholar
- Tennc's webshell repository. https://github.com/tennc/webshell/.Google Scholar
- UnPHP, the Online PHP Decoder. http://www.unphp.net/.Google Scholar
- Web Shells and RFIs Collection. http://www.irongeek.com/i.php?page=webshells-and-rfis.Google Scholar
- M. Abu Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A Multifaceted Approach to Understanding the Botnet Phenomenon. In Internet Measurement Conference (IMC), 2006. Google ScholarDigital Library
- A. Aiken et al. Moss: A system for detecting software plagiarism, 2005. https://theory.stanford.edu/ aiken/moss/.Google Scholar
- S. Alrwais, K. Yuan, E. Alowaisheq, Z. Li, and X. Wang. Understanding the Dark Side of Domain Parking. In Proceedings of the 23rd USENIX Security Symposium, 2014. Google ScholarDigital Library
- VirusTotal. https://www.virustotal.com/.Google Scholar
- A. Brandt. Malicious PHP Scripts on the Rise. http://www.webroot.com/blog/2011/02/22/malicious-php-scripts-on-the-rise/.Google Scholar
- D. Canali and D. Balzarotti. Behind the Scenes of Online Attacks: an Analysis of Exploitation Behaviors on the Web. In 20th Annual Network & Distributed System Security Symposium (NDSS), 2013.Google Scholar
- D. Canali, D. Balzarotti, and A. Francillon. The role of web hosting providers in detecting compromised websites. In Proceedings of the 22Nd International Conference on World Wide Web, pages 177--188, 2013. Google ScholarDigital Library
- M. Cova, C. Kruegel, and G. Vigna. There is no free phish: An analysis of "free" and live phishing kits. In Proceedings of the 2Nd Conference on USENIX Workshop on Offensive Technologies (WOOT), pages 4:1--4:8, 2008. Google ScholarDigital Library
- J. Dahse and T. Holz. Simulation of Built-in PHP Features for Precise Static Code Analysis. In Symposium on Network and Distributed System Security (NDSS), 2014. Google ScholarCross Ref
- Google Hacking Database (GHDB). https://www.exploit-db.com/google-hacking-database/.Google Scholar
- S. Englehardt, C. Eubank, P. Zimmerman, D. Reisman, and A. Narayanan. OpenWPM: An Automated Platform for Web Privacy Measurement. Manuscript, 2015.Google Scholar
- C. Holmes. Malware Lateral Movement: A Primer. https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html, 2015.Google Scholar
- T. Holz. A Short Visit to the Bot Zoo. Security & Privacy, IEEE, 3(3):76--79, 2005. Google ScholarDigital Library
- D. Kesmodel. The Domain Game: How People Get Rich from Internet Domain Names. Xlibris Corporation, 2008.Google Scholar
- J. Kim, D.-H. Yoo, H. Jang, and K. Jeong. "webshark 1.0: A benchmark collection for malicious web shell detection. In Journal of Information Processing Systems (JIPS), 2015.Google Scholar
- J. Kornblum. Identifying Almost Identical Files Using Context Triggered Piecewise Hashing. Digit. Investig., 3, 2006. Google ScholarDigital Library
- J. Nazario. http://web.archive.org/web/20120722073150/http://ddos.arbornetworks.com/2008/04/netbot-attacker-anti-cnn-tool/, 2008.Google Scholar
- NeoPI: Detection of web shells using statistical methods. https://github.com/Neohapsis/NeoPI.Google Scholar
- N. Nikiforakis, L. Invernizzi, A. Kapravelos, S. Van Acker, W. Joosen, C. Kruegel, F. Piessens, and G. Vigna. You are what you include: Large-scale evaluation of remote javascript inclusions. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, pages 736--747. ACM, 2012. Google ScholarDigital Library
- OWASP : Testing for Local File Inclusion. https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion.Google Scholar
- OWASP : Testing for Remote File Inclusion. https://www.owasp.org/index.php/Testing_for_Remote_File_Inclusion.Google Scholar
- OWASP : Unrestricted File Upload. https://www.owasp.org/index.php/Unrestricted_File_Upload.Google Scholar
- PHP: runkit Functions - Manual. http://php.net/manual/en/ref.runkit.php.Google Scholar
- PHP: Using Register Globals - Manual. http://php.net/manual/en/security.globals.php.Google Scholar
- R-fx Networks. Linux Malware Detect. https://www.rfxn.com/projects/linux-malware-detect/.Google Scholar
- R57 Shell | C99 Shell | Shell | TXT Shell | R57.php | c99.php | r57shell.net. http://www.r57shell.net/.Google Scholar
- Web Shell Detector. http://www.shelldetector.com/.Google Scholar
- Webserver Malware Scanner. http://sourceforge.net/projects/smscanner/.Google Scholar
- PHP Shell Detector -- web shell detection tool. http://www.emposha.com/security/php-shell-detector-web-shell-detection-tool.html, 2011.Google Scholar
- M. Stowe. PHP Malicious Code Scanner. http://www.mikestowe.com/2010/10/php-malicious-code-scanner.php.Google Scholar
- H. Sverre. c99.php - phpshell. https://helgesverre.com/c99.php.Google Scholar
- T. D. Tu, C. Guang, G. Xiaojun, and P. Wubin. Webshell detection techniques in web applications. In Computing, Communication and Networking Technologies (ICCCNT), 2014 International Conference on, pages 1--7. IEEE, 2014.Google Scholar
Index Terms
- No Honor Among Thieves: A Large-Scale Analysis of Malicious Web Shells
Recommendations
The Research of Malware Prevention Technology Based on UEFI
ICECC '12: Proceedings of the 2012 International Conference on Electronics, Communications and ControlUEFI is an international standard which describes an interface between the OS and the platform firmware. To solve the low-level attack threats to computer system, a malicious software prevention system based on UEFI firmware is proposed in this paper. ...
Vulnerability-Based Backdoors: Threats from Two-step Trojans
SERE '13: Proceedings of the 2013 IEEE 7th International Conference on Software Security and ReliabilityAttackers like to install trojans in a target system to control it. However, it becomes more and more difficult to deceive a user into installing such trojans. One reason is that antivirus software uses more strict policies on the first run of unknown ...
Rootkits and Their Effects on Information Security
A rootkit is cloaked software that infiltrates an operating system or a database with the intention to escape detection, resist removal, and perform a specific operation. Many rootkits are designed to invade the "root," or kernel, of the program, and ...
Comments