Top

Published in:

2023 | OriginalPaper | Chapter

Dazzle-attack: Anti-Forensic Server-side Attack via Fail-Free Dynamic State Machine

Authors : Bora Lee, Kyungchan Lim, JiHo Lee, Chijung Jung, Doowon Kim, Kyu Hyung Lee, Haehyun Cho, Yonghwi Kwon

Published in: Information Security Applications

Publisher: Springer Nature Switzerland

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Server-side malware is one of the prevalent threats that can affect a large number of clients who visit the compromised server. In this paper, we propose Dazzle-attack, a new advanced server-side attack that is resilient to forensic analysis such as reverse-engineering. Dazzle-attack retrieves typical (and non-suspicious) contents from benign and uncompromised websites to avoid detection and mislead the investigation to erroneously associate the attacks with benign websites. Dazzle-attack leverages a specialized state-machine that accepts any inputs and produces outputs with respect to the inputs, which substantially enlarges the input-output space and makes reverse-engineering effort significantly difficult. We develop a prototype of Dazzle-attack and conduct empirical evaluation of Dazzle-attack to show that it imposes significant challenges to forensic analysis.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter A Survey on Sensor False Data Injection Attacks and Countermeasures in Cyber-Physical and Embedded Systems

next chapter vkTracer: Vulnerable Kernel Code Tracing to Generate Profile of Kernel Vulnerability

Available only for authorised users

The name Dazzle-attack is originated from Dazzle camouflage which is a family of ship camouflage consisted of complex patterns of geometric shapes [67].

The assumption on the compromised servers in cyber attacks is typical [12, 29, 48].

www.cnn.com, www.npr.org, www.gnu.org, 19hz.info, techtonic.fm, earthquaketrack.com, news.ycombinator.com, www.kimbellart.org, lite.poandpo.com, chromereleases.googleblog.com.

https://twitter.com/houstonrockets, https://www.trinitychurchboston.org, https://www.nasa.gov/multimedia/imagegallery/iotd.html, https://www.ebay.com, https://www.theoaklandarena.com.

Best PHP Obfuscator (2018). http://www.pipsomania.com/best_php_obfuscator.do

A text file containing 479 k English words (2019). https://github.com/dwyl/english-words

Joomla: Content Management System (CMS) (2019). https://www.joomla.org/

Linux Malware Detect (2019). https://www.rfxn.com/projects/linux-malware-detect/

NPR: National Public Radio (2019). https://npr.org/

NPR: News and National Top Stories (2019). https://npr.org/sections/national/

PHP: Pspell Functions (2019). https://www.php.net/manual/en/ref.pspell.php

Shellray: A PHP webshell detector (2019). https://shellray.com/

VirusShare (2019). https://virusshare.com/

10.

WordPress (2019). https://wordpress.com/

11.

Dazzle-Attack: Supplementary Materials (2020). https://sites.google.com/view/dazzle-attack-additional/home

12.

Agency, C.I.S.: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets (2020). https://us-cert.cisa.gov/ncas/alerts/aa20-296a

13.

Anderson, H.S., Kharkar, A., Filar, B., Evans, D., Roth, P.: Learning to evade static PE machine learning Malware models via reinforcement learning. arXiv preprint arXiv:1801.08917 (2018)

14.

Aqil, A., et al.: Detection of stealthy TCP-based dos attacks. In: MILCOM 2015–2015 IEEE Military Communications Conference, pp. 348–353. IEEE (2015)

15.

van Arnhem, B.: PHPScan: symbolic execution inspired PHP application scanner for code-path discovery (2017). https://github.com/bartvanarnhem/phpscan

16.

Balzarotti, D., et al.: Saner: composing static and dynamic analysis to validate sanitization in web applications. In: 2008 IEEE Symposium on Security and Privacy (S &P), pp. 387–401. IEEE (2008)

17.

Bart, P.: PHP-backdoors: a collection of PHP backdoors

18.

BDLeet: public-shell: Some Public Shell (2016). https://github.com/BDLeet/public-shell

19.

Becchi, M., Crowley, P.: A hybrid finite automaton for practical deep packet inspection. In: Proceedings of the 2007 ACM CoNEXT Conference, p. 1. ACM (2007)

20.

BlackArch: webshells: Various webshells (2019). https://github.com/BlackArch/webshells

21.

Cadar, C., Dunbar, D., Engler, D.R., et al.: Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs. In: OSDI, vol. 8, pp. 209–224 (2008)

22.

Christodorescu, M., Jha, S., Seshia, S.A., Song, D., Bryant, R.E.: Semantics-aware malware detection. In: 2005 IEEE Symposium on Security and Privacy (S &P), pp. 32–46. IEEE (2005)

23.

Dahse, J., Schwenk, J.: Rips-a static source code analyser for vulnerabilities in PHP scripts (2010). Accessed 28 Feb 2012

24.

Designsecurity: progpilot: a static analysis tool for security (2016). https://github.com/designsecurity/progpilot

25.

Dharmapurikar, S., Krishnamurthy, P., Sproull, T., Lockwood, J.: Deep packet inspection using parallel bloom filters. In: 11th Symposium on High Performance Interconnects, 2003. Proceedings, pp. 44–51. IEEE (2003)

26.

Erdődi, L., Jøsang, A.: Exploitation vs. prevention: the ongoing saga of software vulnerabilities. Acta Polytech. Hung. 17(7) (2020)

27.

Fauth, M.M.: phpMyAdmin: a web interface for MySQL and MariaDB (2019). https://github.com/phpmyadmin/phpmyadmin

28.

Filaretti, D., Maffeis, S.: An executable formal semantics of PHP. In: Jones, R. (ed.) ECOOP 2014. LNCS, vol. 8586, pp. 567–592. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44202-9_23CrossRef

29.

FIREEYE: APT41: Double Dragon, a dual espionage and cyber crime operation (2019). https://content.fireeye.com/apt-41/rpt-apt41

30.

Fonk, M.: PHP-obfuscator: a parsing PHP obfuscator (2019). https://github.com/naneau/php-obfuscator

31.

Fratantonio, Y., Bianchi, A., Robertson, W., Kirda, E., Kruegel, C., Vigna, G.: TriggerScope: towards detecting logic bombs in android applications. In: 2016 IEEE symposium on security and privacy (SP), pp. 377–396. IEEE (2016)

32.

Grimes, H.Y.: Eir–static vulnerability detection in PHP applications (2015)

33.

Hauzar, D., Kofroň, J.: WeVerca: web applications verification for PHP. In: Giannakopoulou, D., Salaün, G. (eds.) SEFM 2014. LNCS, vol. 8702, pp. 296–301. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10431-7_24CrossRef

34.

Jensen, T., Pedersen, H., Olesen, M.C., Hansen, R.R.: THAPS: automated vulnerability scanning of PHP applications. In: Jøsang, A., Carlsson, B. (eds.) NordSec 2012. LNCS, vol. 7617, pp. 31–46. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34210-3_3CrossRef

35.

Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities. In: 2006 IEEE Symposium on Security and Privacy (S &P), p. 6. IEEE (2006)

36.

Jovanovic, N., Kruegel, C., Kirda, E.: Static analysis for detecting taint-style vulnerabilities in web applications. J. Comput. Secur. 18(5), 861–907 (2010)CrossRef

37.

Jung, C., et al.: Hiding critical program components via ambiguous translations. In: 2022 IEEE/ACM 44rd International Conference on Software Engineering (ICSE). IEEE (2022)

38.

Jung, C., Kim, D., Wang, W., Zheng, Y., Lee, K.H., Kwon, Y.: Defeating program analysis techniques via ambiguous translation. In: 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 1382–1387. IEEE (2021)

39.

Kapravelos, A., Shoshitaishvili, Y., Cova, M., Kruegel, C., Vigna, G.: Revolver: an automated approach to the detection of evasive web-based malware. In: Presented as part of the 22nd USENIX Security Symposium, pp. 637–652 (2013)

40.

Kasturi, R.P., et al.: TARDIS: rolling back the clock on CMS-targeting cyber attacks. In: 2020 IEEE Symposium on Security and Privacy, SP 2020, San Francisco, CA, USA, 18–21 May 2020, pp. 1156–1171. IEEE (2020). https://doi.org/10.1109/SP40000.2020.00116

41.

Kim, K., et al.: J-force: forced execution on JavaScript. In: Proceedings of the 26th international conference on World Wide Web, pp. 897–906. International World Wide Web Conferences Steering Committee (2017)

42.

Kinder, J., Katzenbeisser, S., Schallhart, C., Veith, H.: Detecting malicious code by model checking. In: Julisch, K., Kruegel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 174–187. Springer, Heidelberg (2005). https://doi.org/10.1007/11506881_11CrossRef

43.

Kissian, P.: YAK Pro: PHP Obfuscator (2019). https://www.php-obfuscator.com/

44.

Kneuss, E., Suter, P., Kuncak, V.: Phantm: PHP analyzer for type mismatch. In: FSE 2010 Proceedings of the Eighteenth ACM SIGSOFT International Symposium on Foundations of Software Engineering, No. CONF (2010)

45.

Kolosnjaji, B., et al.: Adversarial malware binaries: evading deep learning for malware detection in executables. In: 2018 26th European Signal Processing Conference (EUSIPCO), pp. 533–537. IEEE (2018)

46.

Kumar, S., Dharmapurikar, S., Yu, F., Crowley, P., Turner, J.: Algorithms to accelerate multiple regular expressions matching for deep packet inspection. In: ACM SIGCOMM Computer Communication Review, vol. 36, pp. 339–350. ACM (2006)

47.

Lie, R.: Simple online PHP obfuscator: encodes PHP code into random letters, numbers and/or characters (2019). https://www.mobilefish.com/services/php_obfuscator/php_obfuscator.php

48.

Magazine, C.: New Report Reveals Chinese APT Groups May Have Been Entrenched in Some Servers for Nearly a Decade Using Little-Known Linux Exploits, CPO Magazine (2020). https://www.cpomagazine.com/cyber-security/new-report-reveals-chinese-apt-groups-may-have-been-entrenched-in-some-servers-for-nearly-a-decade-using-little-known-linux-exploits/

49.

Mao, J., et al.: Detecting malicious behaviors in JavaScript applications. IEEE Access 6, 12284–12294 (2018)CrossRef

50.

Masters, L.: CakePHP: The Rapid Development Framework for PHP (2019). https://cakephp.org/

51.

Medeiros, I., Neves, N.F., Correia, M.: Automatic detection and correction of web application vulnerabilities using data mining to predict false positives. In: Proceedings of the 23rd International Conference on World Wide Web, pp. 63–74. ACM (2014)

52.

Microsoft: Microsoft Defender Advanced Threat Protection (2019). https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection

53.

Mirtes, O.: PHPStan: PHP Static Analysis Tool (2019). https://github.com/phpstan/phpstan

54.

Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: 2007 IEEE Symposium on Security and Privacy, pp. 231–245. IEEE (2007)

55.

Naderi-Afooshteh, A., Kwon, Y., Nguyen-Tuong, A., Razmjoo-Qalaei, A., Zamiri-Gourabi, M.R., Davidson, J.W.: MalMax: multi-aspect execution for automated dynamic web server malware analysis. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1849–1866 (2019)

56.

Nathan, P.: Pytextrank, a python implementation of textrank for text document nlp parsing and summarization (2016). https://github.com/ceteri/pytextrank/

57.

Nguyen, H.V., Nguyen, H.A., Nguyen, T.T., Nguyen, T.N.: Auto-locating and fix-propagating for html validation errors to PHP server-side code. In: Proceedings of the 2011 26th IEEE/ACM International Conference on Automated Software Engineering, pp. 13–22. IEEE Computer Society (2011)

58.

nixawk: fuzzdb: Web Fuzzing Discovery and Attack Pattern Database (2018). https://github.com/nixawk/fuzzdb

59.

Nunes, P.J.C., Fonseca, J., Vieira, M.: phpSAFE: a security analysis tool for OOP web application plugins. In: 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (2015)

60.

Olivo, O.: TaintPHP: Static Taint Analysis for PHP web applications (2016). https://github.com/olivo/TaintPHP

61.

OneSourceCat: phpvulhunter: A tool that can scan php vulnerabilities automatically using static analysis methods (2015). https://github.com/OneSourceCat/phpvulhunter

62.

Papagiannis, I., Migliavacca, M., Pietzuch, P.: PHP Aspis: using partial taint tracking to protect against injection attacks. In: 2nd USENIX Conference on Web Application Development, vol. 13 (2011)

63.

Peng, F., Deng, Z., Zhang, X., Xu, D., Lin, Z., Su, Z.: X-force: force-executing binary programs for security applications. In: 23rd USENIX Security Symposium, pp. 829–844 (2014)

64.

Piantadosi, V., Scalabrino, S., Oliveto, R.: Fixing of security vulnerabilities in open source projects: a case study of apache http server and apache tomcat. In: 2019 12th IEEE Conference on Software Testing, Validation and Verification (ICST), pp. 68–78. IEEE (2019)

65.

Preda, M.D., Christodorescu, M., Jha, S., Debray, S.: A semantics-based approach to malware detection. ACM SIGPLAN Not. 42(1), 377–388 (2007)CrossRefMATH

66.

Ridter: Pentest (2019). https://github.com/Ridter/Pentest

67.

Ruslan Budnik: The Fantastic Idea of Dazzle Camouflage (2019). https://www.warhistoryonline.com/instant-articles/dazzle-camouflage.html

68.

Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., Song, D.: A symbolic execution framework for JavaScript. In: 2010 IEEE Symposium on Security and Privacy, pp. 513–528. IEEE (2010)

69.

Sherry, J., Lan, C., Popa, R.A., Ratnasamy, S.: BlindBox: deep packet inspection over encrypted traffic. ACM SIGCOMM Comput. Commun. Rev. 45(4), 213–226 (2015)CrossRef

70.

Shu, X., Yao, D., Ramakrishnan, N.: Unearthing stealthy program attacks buried in extremely long execution paths. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 401–413. ACM (2015)

71.

Symantec: Norton\(^{\rm TM}\)–Antivirus & Anti-Malware Software (2019). https://us.norton.com/

72.

Systems, N.: GitHub - nbs-system/php-malware-finder: Detect potentially malicious PHP files (2019). https://github.com/nbs-system/php-malware-finder/

73.

tanjiti: webshellSample: Webshell sample for WebShell Log Analysis (2018). https://github.com/tanjiti/webshellSample

74.

Taylor, T., et al.: Detecting malicious exploit kits using tree-based similarity searches. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pp. 255–266. ACM (2016)

75.

tennc: webshell: A webshell open source project (2019). https://github.com/tennc/webshell

76.

Troon, J.: PHP-webshells: Common PHP webshells (2016). https://github.com/JohnTroony/php-webshells

77.

tutorial0: WebShell: WebShell Collect (2016). https://github.com/tdifg/WebShell

78.

vimeo: psalm: A static analysis tool for finding errors in PHP applications (2019). https://github.com/vimeo/psalm

79.

xl7dev: WebShell: Webshell & Backdoor Collection (2017). https://github.com/xl7dev/WebShell

80.

Yang, Q.: Taint-em-All: a taint analysis tool for the PHP language (2019). https://github.com/quanyang/Taint-em-All

Title: Dazzle-attack: Anti-Forensic Server-side Attack via Fail-Free Dynamic State Machine
Authors: Bora Lee
Kyungchan Lim
JiHo Lee
Chijung Jung
Doowon Kim
Kyu Hyung Lee
Haehyun Cho
Yonghwi Kwon
Publisher: Springer Nature Switzerland
Book: Information Security Applications
Print ISBN: 978-3-031-25658-5

Electronic ISBN: 978-3-031-25659-2

Copyright Year: 2023
DOI: https://doi.org/10.1007/978-3-031-25659-2_15

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner