Virus Bulletin 2017 Madrid, Spain

ME & VULNEX

Simon Roses Femerling

•  Founder & CEO, VULNEX www.vulnex.com •  @simonroses •  Former Microsoft, PwC, @Stake •  US DARPA award to research on software security •  Speaker: Black Hat, DEF CON, RSA, HITB, OWASP, SOURCE, AppSec,

DeepSec, TECHNET •  Blog: http://www.simonroses.com/ •  Youtube:

https://www.youtube.com/channel/UC8KUXxTSEdWfpFzAydjEzyQ

•  CyberSecurity Startup •  @vulnexsl •  Professional Services & Training •  Products: BinSecSweeper (File Security Data Analysis Platform)

http://www.vulnex.com/en/binsecsweeper.html

VULNEX

AGENDA

1.  WebShellsOverview2.  InsidetheShell3.  Hun8ngWebShells4.  Conclusions

1. WEB SHELLS

•  Post-exploitation tools. Attackers used them to maintain access on compromised servers.

•  A web shell is a script on a web server: PHP, ASP, Perl, Python, Ruby, Cold Fusion & C.

•  Attackers exploits vulnerabilities to upload web shells: –  Cross-Site Scripting (XSS) –  SQL injection (SQLi) –  Vulnerable apps (WordPress and others CMS) –  Remote File Includes (RFI) and Local File Include

(LFI) vulnerabilities –  Insecure administration panels

1. WEB SHELL ATTACK

1. SOME THINGS NEVER CHANGE

•  Really old tools but still around…

•  Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Alert (TA15-314A) https://www.us-cert.gov/ncas/alerts/TA15-314A November 10, 2015 | September 29, 2016

•  IBM X-FORCE •  https://securityintelligence.com/got-wordpress-php-c99-webshell-

attacks-increasing/ April 14, 2016

•  https://securityintelligence.com/the-webshell-game-continues/July 8, 2016

•  https://securityintelligence.com/media/ibm-x-force-research-understanding-the-webshell-game/ November 18, 2016

1. THE ROCKSTARS

•  BAD –  C99 –  B374K –  WSO –  China Chopper / Cknife –  Gamma Group –  ASPXSpy

•  UGLY

–  php-reverse-shell http://pentestmonkey.net/tools/web-shells/php-reverse-shell

–  Kali webshells /usr/share/webshells/

1. WEB SHELLS & APT RELATIONSHIP

Deep Panda • ASP.NET

Threat Group-3390 • ASPXSpy • OwaAuth

APT33 • ALFA SHELL

1. CLASSIFICATION LO

W

Single Line Simple

MO

DER

ATE

Authentication YES/NO Obfuscation YES/NO File Operations H

IGH

Authentication Obfuscation Hidden File Operations Offensive Capabilities Remove

Complexity / Features

1. WEB SHELLS IN THE NEWS

•  How I Hacked Facebook, and Found Someone’s Backdoor Script https://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver/

•  Hackers Hosted Hackers Tools on a Stanford University website for months https://www.helpnetsecurity.com/2017/06/01/hacker-tools-stanford-university/

•  The Equifax Hack Has the Hallmarks of State-Sponsored Pros https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros –  China Chopper –  More than 30 web shells found

2. GOT WEB SHELLS?

529 rootshell cybershell predator soldierofallah winX zaco NTDaddy myshell phantasma ironshell lamashell AK-74 bm shellroot jkt48 angelshell DKShell cpanel 1n73action lolipop matamu PHPSpy ru24 simattacker ASpy reader remexp zehir aspcmdshell list up browser jspbd jspshell dc pws fx GS cgitelnet simple_cmd ngh shutdown57 SaudiShell safe0ver pouyashell Up_win32 mst dmc kral b0s0k fatal sincap kacak cmd

2. SIMPLE WEB SHELLS

2. WEB SHELL: DMC

http://gsec.hitb.org/materials/sg2016/D1%20-%20Moonbeom%20Park%20and%20Youngjun%20Park%20-%20Understanding%20Your%20Opponent%20Attack%20Profiling.pdf

North Korean Cyber Warfare Group

2. WEB SHELL: LIFKA

•  Cross-platform

•  File Operations

•  System Info •  Read

Sensitive Files

•  Hashes •  Command

Executation •  Mail Bomber •  Port Scanning

2. WEB SHELL: SOLDIER OF ALLAH I

2. WEB SHELL: SOLDIER OF ALLAH II

2. WEB SHELL: SYRIAN SHELL

2. WEB SHELL: MINI PHP SHELL

2. WEB SHELL: BLOODSEC I

2. WEB SHELL: BLOODSEC II

2. WEB SHELL: BLOODSEC III

2. WEB SHELL: AYANA

http://stage48.net/wiki/index.php/Ayana_Shahab

2. OBFUSCATION

eval() assert() base64() gzdeflate() str_rot13()

3. NO MAGIC BULLETS

•  US CERT: –  Patching Systems –  Least-privileges Policy –  DMZ –  Backup –  Secure Servers –  Secure Apps –  Pentesting often –  WAF, AV, IDS, etc.

•  Additional –  Log analysis –  File Integrity –  Secure Development

•  Malware Hunting

3. SECURITY TOOLS

•  Security tools catch very few web shells

3. HUNTING TOOLS

•  Shell-Detector (Python) https://github.com/emposha/Shell-Detector

•  PHP-Shell-Detector https://github.com/emposha/PHP-Shell-Detector

•  NeoPI https://github.com/Neohapsis/NeoPI

3. YARA RULEZ

•  Loki - Simple IOC and Incident Response Scanner

https://github.com/Neo23x0/Loki

•  Web Rules

https://github.com/1aN0rmus/Yara/tree/master/web

•  Yara Rules

https://github.com/Yara-Rules/rules

•  Hunting for Web Shells

https://www.tenable.com/blog/hunting-for-web-shells

3. HIDDEN FROM SIGNATURES I

3. HIDDEN FROM SIGNATURES II

3. ALL SOFTWARE HAS BUGS

•  C99 bypass

•  b374K CSRF

http://

hyp3rlinx.altervista.org/

advisories/AS-B374K-

CSRF-CMD-

INJECTION.txt

4. TAKEAWAYS

•  Old tools but still used at large

•  Many types of web shells

•  Hard to detect

•  Defense in Depth

5. Q&A

•  Thanks!

•  Beer appreciated!!!

•  @simonroses •  @vulnexsl

•  www.vulnex.com •  www.simonroses.com