After Ben Hagen and I gave our talk at B-Sides Chicago, I wanted to circle back and recap some of the trends in webshells, new ideas, and reflections on this class of malware. We presented a tool called NeoPI and demoed it’s effectiveness in detecting web shells.
NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text and script files. The intended purpose of NeoPI is to aid in the identification of hidden web shell code. The development focus of NeoPI was creating a tool that could be used in conjunction with other established detection methods such as Linux Malware Detect or traditional signature/keyword based searches. NeoPI is platform independent and can be run on any system with Python 2.6 installed. NeoPI recursively scans through the file system from a base directory and will rank files based on the results of a number of tests. The ranking helps identify, with a higher probability, which files may be encrypted web shells. It also presents a “general” score derived from file rankings within the individual tests. You can pull a copy of the code from https://github.com/Neohapsis/NeoPI.
There hasn’t been much of a change in the strange obfuscation techniques that some malware developers are using, but more security folks are aware of the problem. One tool that has since been released that aids in the detection of these malicious files is called PHP Shell Detector. This app’s primary focus is on the detection of PHP files, looking for suspicious calls such as eval/system/etc. It then compares against a collection of fingerprints of common webshells. This shares a lot of the same functionality as Linux Malware Detect, but has a pretty nice UI. Unfortunately custom shells using other languages may be able to bypass the detection method.
Elena Kropochkina and Joffrey Czarny presented WebShells: A Framework for Penetration Testing at Hack in the Box Amsterdam earlier this year. They presented a new platform that is language independent, resistant against third party unauthorized access and not be detected by AV/IPS/WAF. I haven’t been able to download the slides for the talk (web server issue on the materials page for the conference) but I am interested to see how NeoPI will hold up against some of the new techniques they are claiming in their proof of concept.
HT shells is an interesting project that contains webshells and other attacks against .htaccess files. The shell first makes the .htaccess file accessible over web, and then another configuration setting makes the .htaccess file interpreted as PHP. As NeoPI currently does not check for .htaccess files when using auto-regex, we will have to make a change to start looking at .htaccess files for potential malware.
Another interesting article I came across was from Rahul Sasi on the effectiveness of Antivirus in detecting web shells. He went though the arduous effort of testing a variety of webshells and Antivirus effectiveness at detecting them. No surprise that antivirus fails at detecting most webshells especially ones that have been customized. This again, shows the importance of alternative mechanisms for detecting webshells.
I still strongly feel that a combination of tools and techniques is the most effective way to detect web shells, with a focus being on analyzing the specific malware for known oddities, and putting less of an emphasis on signatures. This is mainly due to how easy it is to write a shell from scratch or modify an existing shell. Even more important is actually assessing the applications that are being comprised with webshells, as webshell detection is a reactive control, and preventing the compromise all together is obviously preferable .