A Study on the Categorization of Webshell. Jae Chun, Lee(jclee@kisa.or.kr)

Similar documents
Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

THE OPEN UNIVERSITY OF TANZANIA

Playing with Web Application Firewalls

CCM 4350 Week 11. Security Architecture and Engineering. Guest Lecturer: Mr Louis Slabbert School of Science and Technology.

Cybersecurity Kill Chain. William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015

Why Should You Care About Security Issues? SySmox WEB security Top seven ColdFusion Security Issues

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

How to hack a website with Metasploit

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

How To Fix A Web Application Security Vulnerability

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

Ethical Hacking Course Layout

Check list for web developers

Multi-factor authentication

Application Security Best Practices. Wally LEE Principal Consultant

Web Application Security

CTF Web Security Training. Engin Kirda

Client logo placeholder XXX REPORT. Page 1 of 37

Threat Events: Software Attacks (cont.)

An Innovative Two Factor Authentication Method: The QRLogin System

Security Awareness For Website Administrators. State of Illinois Central Management Services Security and Compliance Solutions

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Web Application Security

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

EC-Council. Program Brochure. EC-Council. Page 1

SANDCAT THE WEB APPLICATION SECURITY ASSESSMENT SUITE WHAT IS SANDCAT? MAIN COMPONENTS. Web Application Security

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

STABLE & SECURE BANK lab writeup. Page 1 of 21

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Agenda. SQL Injection Impact in the Real World Attack Scenario (1) CHAPTER 8 SQL Injection

SQL Injection for newbie

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

OCR LEVEL 3 CAMBRIDGE TECHNICAL

Web Application Attacks And WAF Evasion

What is Web Security? Motivation

Network and Host-based Vulnerability Assessment

Network Security Audit. Vulnerability Assessment (VA)

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Targeted(Attacks(Against( Civil(Society(in(Asia. Or(why(you(should(check(the(md5( before(opening(this(deck.

Web Applications Security: SQL Injection Attack

WEB APPLICATION HACKING. Part 2: Tools of the Trade (and how to use them)

Common Security Vulnerabilities in Online Payment Systems

How to effectively respond to an information security incident

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

SQL Injection. The ability to inject SQL commands into the database engine through an existing application

A Decision Maker s Guide to Securing an IT Infrastructure

Still Aren't Doing. Frank Kim

Exploiting Fundamental Weaknesses in Command and Control (C&C) Panels

The Top Web Application Attacks: Are you vulnerable?

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Chapter 1 Web Application (In)security 1

Penetration Testing: Lessons from the Field

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Final Year Project Interim Report

JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM

An Introduction to Network Vulnerability Testing

An Anatomy of a web hack: SQL injection explained

Guarding Against SQL Server Attacks: Hacking, cracking, and protection techniques.

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Online shopping store

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

Overview of SQL Injection

IJMIE Volume 2, Issue 9 ISSN:

Web Application Report

SQL Injection January 23, 2013

PHP/MySQL SQL Injections: Understanding MySQL Union Poisoining. Jason A. Medeiros :: CEO :: Presented for DC619 All Content Grayscale Research 2008

the barricademx end user interface documentation for barricademx users

(WAPT) Web Application Penetration Testing

CS 558 Internet Systems and Technologies

Certified Ethical Hacker Exam Version Comparison. Version Comparison

The Self-Hack Audit Stephen James Payoff

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

Guideline on Auditing and Log Management

Common Cyber Threats. Common cyber threats include:

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

FORBIDDEN - Ethical Hacking Workshop Duration

SECURING APACHE : THE BASICS - III

Old Web Shells, New Tricks

A Modern Framework for Network Security in the Federal Government

Web Application Security 101

Global Partner Management Notice

Penetration: from Application down to OS

Project 2: Web Security Pitfalls

Cross-Site Scripting

The anatomy of an online banking fraud

Web App Security Audit Services

Joomla Admin Protection

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

SECURING YOUR REMOTE DESKTOP CONNECTION

Maintaining Access CHAPTER 10 CHAPTER OVERVIEW AND KEY LEARNING POINTS INTRODUCTION INFORMATION IN THIS CHAPTER

Transcription:

A Study on the Categorization of Webshell Jae Chun, Lee(jclee@kisa.or.kr)

Agenda Part1 - Introduce Webshell Part2 - Advantage and disadvantage of WebShell Profiling Part3 Criteria Categorization of WebShell

Hacking Trend Attack method HIGH Skill of hacker Intruder Knowledge Age of Network hacking Attack Sophistication Age of Webhacking Webhacking DDoS Age of System hacking Sniping Scanning Tools Password Cracking Session Hijecking Attacker s LOW Guess Password 1980 1985 1990 1995 2000 [Reference : John Pescatore, Security Analyst, Gartner Group]

What is Webshell? Backdoor program which is used for web hacking most commonly The first attack tool of hacker General, Easy, Convenience

What is Webshell? Backdoor program which is used for web hacking most commonly The first attack tool of hacker General, Easy, Convenience So, Webshell is important Indicator Of Compromise.

Review : The Pyramid of Pain(1/3) This simple diagram shows the relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them <From mandiant : The Pyramid of Pain>

Review : The Pyramid of Pain(2/3)

Review : The Pyramid of Pain(3/3)

Webshell position (in The Pyramid of Pain) Tools: Software used by the adversary to accomplish their mission. Mostly this will be things they bring with them, rather than software or commands that may already be installed on the computer. This would include utilities designed to create malicious documents for spearphishing, backdoors used to establish C2 or password crackers or other host-based utilities they may want to use post-compromise

Why webshell profiling is difficult? Text format Easy to transform Open-Source program Many attacker used

How can use webshell for profiling?(1/2) Text format Easy to transform Attacker use similar variable name, comment, etc -> it is a important fingerprint

How can use webshell for profiling?(2/2) Open-Source program Many attacker used Attacker not use original Open-Source webshell. They use webshell changed which is similar the method of source code encoding, analysis disturbance, detection evasion, concealment method

(Ex) WSO Webshell(1/2) WSO webshell - Login password: OOO - Nomarl url connection : error page - Related incidents : OO homepage - Regular expression substitution

(Ex) WSO Webshell(2/2) WSO webshell - Login password: OOO By the fingerprint By function - Nomarl url connection : error page By concealment method - Related incidents : OO homepage By incidents - Regular expression substitution By detection evasion

How to classify webshell By the language By function By the length of webshell source code By the method of source code encoding By detection evasion By analysis disturbance By file name By concealment method By the fingerprint and transformation of webshell

Classification by language PHP ASP ASPX JSP Perl

Classification by function System command execution Dynamic code injection File manipulation and download File upload DB-related functions Login Remote file include Back-connecting Sending Mail Brute force Forced moves URL Remote file download Etc.

(CF) Classification by function System command execution Dynamic code injection <example in php>

Classification by length Single line Webshell Html Injected single line Webshell Image file injected single line Webshell Small webshell Program type Webshell

By the method of source code encoding Base64 Gzipinflate vbscript encoding Strtr Zend encoding

By detection evasion Cut the string Hex string display Magic Number insertion Regular expression substitution

(CF) By detection evasion Cut the string detection pattern : wscript.shell <%set os=server.createobject("wsc"+"ri"+"pt.sh"+"ell")

By analysis disturbance Debug code removed Variable and function names randomization

By file name Use a semicolon Insert intermediate extension

By concealment method Display error page Parameters required Login feature

(EX) By concealment method Display error page / Login feature Normal url access If you are login

By the fingerprint and transformation of webshell

Conclusion Criteria Categorization of WebShell In my case, make a DB from list of WebShell and find a hacker profile from DB

Thanks you jclee@kisa.or.kr (Jae Chun, Lee)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information