Virus Bulletin 2017 Madrid, Spain
ME & VULNEX
Simon Roses Femerling
• Founder & CEO, VULNEX www.vulnex.com
• @simonroses
• Former Microsoft, PwC, @Stake
• US DARPA award to research on software security
• Speaker: Black Hat, DEF CON, RSA, HITB, OWASP, SOURCE, AppSec, DeepSec, TECHNET
• Blog: http://www.simonroses.com/
• Youtube: https://www.youtube.com/channel/UC8KUXxTSEdWfpFzAydjEzyQ
• CyberSecurity Startup
• @vulnexsl
• Professional Services & Training
• Products: BinSecSweeper (File Security Data Analysis Platform) http://www.vulnex.com/en/binsecsweeper.html
VULNEX
AGENDA
1. Web Shells Overview
2. Inside the Shell
3. Hunting Web Shells
4. Conclusions
1. WEB SHELLS
• Post-exploitation tools: attackers use them to maintain access on compromised servers.
• A web shell is a script on a web server: PHP, ASP, Perl, Python, Ruby, Cold Fusion & C.
• Attackers exploit vulnerabilities to upload web shells:
– Cross-Site Scripting (XSS)
– SQL injection (SQLi)
– Vulnerable apps (WordPress and other CMS)
– Remote File Include (RFI) and Local File Include (LFI) vulnerabilities
– Insecure administration panels
1. WEB SHELL ATTACK
1. SOME THINGS NEVER CHANGE
• Really old tools but still around…
• Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Alert (TA15-314A) https://www.us-cert.gov/ncas/alerts/TA15-314A November 10, 2015 | September 29, 2016
• IBM X-FORCE
– https://securityintelligence.com/got-wordpress-php-c99-webshell-attacks-increasing/ April 14, 2016
– https://securityintelligence.com/the-webshell-game-continues/ July 8, 2016
– https://securityintelligence.com/media/ibm-x-force-research-understanding-the-webshell-game/ November 18, 2016
1. THE ROCKSTARS
• BAD
– C99
– B374K
– WSO
– China Chopper / Cknife
– Gamma Group
– ASPXSpy
• UGLY
– php-reverse-shell http://pentestmonkey.net/tools/web-shells/php-reverse-shell
– Kali webshells /usr/share/webshells/
1. WEB SHELLS & APT RELATIONSHIP
Deep Panda • ASP.NET
Threat Group-3390 • ASPXSpy • OwaAuth
APT33 • ALFA SHELL
1. CLASSIFICATION
[Figure: web shells plotted by complexity / features, from LOW to HIGH]
– LOW: single line, simple
– MODERATE: authentication (yes/no), obfuscation (yes/no), file operations
– HIGH: authentication, obfuscation, hidden, file operations, offensive capabilities, remove
1. WEB SHELLS IN THE NEWS
• How I Hacked Facebook, and Found Someone’s Backdoor Script https://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver/
• Hackers Hosted Hackers Tools on a Stanford University website for months https://www.helpnetsecurity.com/2017/06/01/hacker-tools-stanford-university/
• The Equifax Hack Has the Hallmarks of State-Sponsored Pros https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros
– China Chopper
– More than 30 web shells found
2. GOT WEB SHELLS?
529 rootshell cybershell predator soldierofallah winX zaco NTDaddy myshell phantasma ironshell lamashell AK-74 bm shellroot jkt48 angelshell DKShell cpanel 1n73action lolipop matamu PHPSpy ru24 simattacker ASpy reader remexp zehir aspcmdshell list up browser jspbd jspshell dc pws fx GS cgitelnet simple_cmd ngh shutdown57 SaudiShell safe0ver pouyashell Up_win32 mst dmc kral b0s0k fatal sincap kacak cmd
2. SIMPLE WEB SHELLS
2. WEB SHELL: DMC
http://gsec.hitb.org/materials/sg2016/D1%20-%20Moonbeom%20Park%20and%20Youngjun%20Park%20-%20Understanding%20Your%20Opponent%20Attack%20Profiling.pdf
North Korean Cyber Warfare Group
2. WEB SHELL: LIFKA
• Cross-platform
• File Operations
• System Info
• Read Sensitive Files
• Hashes
• Command Execution
• Mail Bomber
• Port Scanning
2. WEB SHELL: SOLDIER OF ALLAH I
2. WEB SHELL: SOLDIER OF ALLAH II
2. WEB SHELL: SYRIAN SHELL
2. WEB SHELL: MINI PHP SHELL
2. WEB SHELL: BLOODSEC I
2. WEB SHELL: BLOODSEC II
2. WEB SHELL: BLOODSEC III
2. WEB SHELL: AYANA
http://stage48.net/wiki/index.php/Ayana_Shahab
2. OBFUSCATION
eval() assert() base64() gzdeflate() str_rot13()
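The wrappers listed on this slide are typically nested, e.g. eval(gzinflate(base64_decode('...'))), and an analyst peels them from the inside out without ever executing the script. The following is an added example written for this page, not code from the talk: a static peeler for those wrappers plus an indicator check, where base64() on the slide is taken to mean PHP's base64_decode() and gzinflate() is the inverse of gzdeflate(). The build_sample() input is constructed for the demo.

```python
import base64
import codecs
import re
import zlib

# Wrappers and sinks from the slide (base64() on the slide is PHP's base64_decode()).
SINKS = {"eval", "assert"}
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, the output of gzdeflate()
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
}
INDICATORS = re.compile(r"\b(eval|assert|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# One nested call chain ending in a quoted literal, e.g. eval(gzinflate(base64_decode('...')))
CHAIN = re.compile(r"((?:[A-Za-z_]\w*\s*\(\s*)+)(['\"])([^'\"]*)\2\s*\)+")

def find_indicators(src: str) -> list:
    """Sorted, de-duplicated obfuscation/sink function names present in the source."""
    return sorted({m.lower() for m in INDICATORS.findall(src)})

def deobfuscate(src: str, max_layers: int = 10):
    """Statically peel sink(decoder(decoder('literal'))) wrappers; returns (payload, layers peeled)."""
    layers, cur = [], src
    for _ in range(max_layers):
        m = CHAIN.search(cur)
        if not m:
            break
        funcs = [f.lower() for f in re.findall(r"[A-Za-z_]\w*", m.group(1))]
        if not any(f in SINKS for f in funcs):  # only chains that feed eval/assert count
            break
        data = m.group(3).encode("latin-1")
        try:
            for f in reversed(funcs):  # apply decoders inside-out, skipping the sink
                if f not in SINKS:
                    data = DECODERS[f](data)
        except (KeyError, ValueError, zlib.error):  # unknown wrapper or corrupt blob: stop
            break
        layers.append("->".join(funcs))
        cur = data.decode("latin-1", "replace")
    return cur, layers

def build_sample(inner: str) -> str:
    """Constructed test input wrapped as eval(gzinflate(base64_decode('...'))); not a real shell."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(comp.compress(inner.encode()) + comp.flush()).decode()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % blob

if __name__ == "__main__":
    print(deobfuscate(build_sample("eval(str_rot13('cucvasb();'));")))  # inner is rot13 of phpinfo();
```

Running the sample peels two layers and yields phpinfo(); the same loop applied to a real upload directory shows what a wrapped file actually does before anyone decides whether it is benign.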
3. NO MAGIC BULLETS
• US CERT:
– Patching Systems
– Least-privileges Policy
– DMZ
– Backup
– Secure Servers
– Secure Apps
– Pentesting often
– WAF, AV, IDS, etc.
• Additional:
– Log analysis
– File Integrity
– Secure Development
• Malware Hunting
3. SECURITY TOOLS
• Security tools catch very few web shells
3. HUNTING TOOLS
• Shell-Detector (Python) https://github.com/emposha/Shell-Detector
• PHP-Shell-Detector https://github.com/emposha/PHP-Shell-Detector
• NeoPI https://github.com/Neohapsis/NeoPI
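Tools such as NeoPI do not rely on signatures: they score files statistically and rank the outliers for a human to inspect. The block below is an added illustration of that approach written for this page (not NeoPI's own code), assuming the two tests it is known for, character entropy and longest whitespace-free token; the three PHP samples are constructed.

```python
import base64
import math
import re
from collections import Counter

def shannon_entropy(text: str) -> float:
    """Bits per character: encoded/packed blobs approach 6, ordinary PHP source sits near 4-5."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def longest_token(text: str) -> int:
    """Length of the longest whitespace-free run; a packed payload is one enormous token."""
    return max((len(t) for t in re.split(r"\s+", text)), default=0)

def rank_files(files: dict) -> list:
    """Rank a name -> content map, most suspicious first.
    Each file takes its position in every test's ordering and the lowest summed position wins,
    so a file stands out only when it is extreme relative to the rest of the corpus."""
    tests = (shannon_entropy, longest_token)
    orders = [sorted(files, key=lambda k, t=t: t(files[k]), reverse=True) for t in tests]
    score = {k: sum(o.index(k) for o in orders) for k in files}
    return sorted(files, key=lambda k: score[k])

# Constructed samples, not real files: two ordinary scripts and one eval of a packed blob.
NORMAL_PHP = (
    "<?php\nfunction greet($name) {\n"
    "    return 'Hello, ' . htmlspecialchars($name);\n}\n"
    "echo greet($_GET['name'] ?? 'world');\n"
)
CONFIG_PHP = "<?php\n$db_host = 'localhost';\n$db_name = 'app';\n$debug = false;\n"
PACKED_PHP = "<?php eval(base64_decode('%s')); ?>\n" % base64.b64encode(bytes(range(256)) * 4).decode()

if __name__ == "__main__":
    corpus = {"index.php": NORMAL_PHP, "config.php": CONFIG_PHP, "uploads/img.php": PACKED_PHP}
    for name in rank_files(corpus):
        c = corpus[name]
        print(f"{name:16} entropy={shannon_entropy(c):.2f} longest={longest_token(c)}")
```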
3. YARA RULEZ
• Loki - Simple IOC and Incident Response Scanner
https://github.com/Neo23x0/Loki
• Web Rules
https://github.com/1aN0rmus/Yara/tree/master/web
• Yara Rules
https://github.com/Yara-Rules/rules
• Hunting for Web Shells
https://www.tenable.com/blog/hunting-for-web-shells
3. HIDDEN FROM SIGNATURES I
3. HIDDEN FROM SIGNATURES II
3. ALL SOFTWARE HAS BUGS
• C99 bypass
• b374K CSRF http://hyp3rlinx.altervista.org/advisories/AS-B374K-CSRF-CMD-INJECTION.txt
4. TAKEAWAYS
• Old tools but still used at large
• Many types of web shells
• Hard to detect
• Defense in Depth
5. Q&A
• Thanks!
• Beer appreciated!!!
• @simonroses • @vulnexsl
• www.vulnex.com • www.simonroses.com