Virus Bulletin 2017 Madrid, Spain


  • ME & VULNEX

    Simon Roses Femerling

    •  Founder & CEO, VULNEX www.vulnex.com
    •  @simonroses
    •  Former Microsoft, PwC, @Stake
    •  US DARPA award to research on software security
    •  Speaker: Black Hat, DEF CON, RSA, HITB, OWASP, SOURCE, AppSec, DeepSec, TECHNET
    •  Blog: http://www.simonroses.com/
    •  Youtube: https://www.youtube.com/channel/UC8KUXxTSEdWfpFzAydjEzyQ

    VULNEX

    •  CyberSecurity Startup
    •  @vulnexsl
    •  Professional Services & Training
    •  Products: BinSecSweeper (File Security Data Analysis Platform) http://www.vulnex.com/en/binsecsweeper.html

  • AGENDA

    1.  Web Shells Overview
    2.  Inside the Shell
    3.  Hunting Web Shells
    4.  Conclusions

  • 1. WEB SHELLS

    •  Post-exploitation tools. Attackers use them to maintain access on compromised servers.

    •  A web shell is a script on a web server: PHP, ASP, Perl, Python, Ruby, Cold Fusion & C.

    •  Attackers exploit vulnerabilities to upload web shells:
    –  Cross-Site Scripting (XSS)
    –  SQL injection (SQLi)
    –  Vulnerable apps (WordPress and other CMSes)
    –  Remote File Include (RFI) and Local File Include (LFI) vulnerabilities
    –  Insecure administration panels

  • 1. WEB SHELL ATTACK

  • 1. SOME THINGS NEVER CHANGE

    •  Really old tools but still around…

    •  Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Alert (TA15-314A) https://www.us-cert.gov/ncas/alerts/TA15-314A November 10, 2015 | September 29, 2016

    •  IBM X-FORCE
    –  https://securityintelligence.com/got-wordpress-php-c99-webshell-attacks-increasing/ April 14, 2016
    –  https://securityintelligence.com/the-webshell-game-continues/ July 8, 2016
    –  https://securityintelligence.com/media/ibm-x-force-research-understanding-the-webshell-game/ November 18, 2016

  • 1. THE ROCKSTARS

    •  BAD
    –  C99
    –  B374K
    –  WSO
    –  China Chopper / Cknife
    –  Gamma Group
    –  ASPXSpy

    •  UGLY
    –  php-reverse-shell http://pentestmonkey.net/tools/web-shells/php-reverse-shell
    –  Kali webshells /usr/share/webshells/

  • 1. WEB SHELLS & APT RELATIONSHIP

    Deep Panda • ASP.NET

    Threat Group-3390 • ASPXSpy • OwaAuth

    APT33 • ALFA SHELL

  • 1. CLASSIFICATION

    Complexity / Features, from low to high:

    –  LOW: Single Line, Simple
    –  MODERATE: Authentication YES/NO, Obfuscation YES/NO, File Operations
    –  HIGH: Authentication, Obfuscation, Hidden, File Operations, Offensive Capabilities, Remove

  • 1. WEB SHELLS IN THE NEWS

    •  How I Hacked Facebook, and Found Someone’s Backdoor Script https://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver/

    •  Hackers Hosted Hackers Tools on a Stanford University website for months https://www.helpnetsecurity.com/2017/06/01/hacker-tools-stanford-university/

    •  The Equifax Hack Has the Hallmarks of State-Sponsored Pros https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros –  China Chopper –  More than 30 web shells found

  • 2. GOT WEB SHELLS?

    529 rootshell cybershell predator soldierofallah winX zaco NTDaddy myshell phantasma ironshell lamashell AK-74 bm shellroot jkt48 angelshell DKShell cpanel 1n73action lolipop matamu PHPSpy ru24 simattacker ASpy reader remexp zehir aspcmdshell list up browser jspbd jspshell dc pws fx GS cgitelnet simple_cmd ngh shutdown57 SaudiShell safe0ver pouyashell Up_win32 mst dmc kral b0s0k fatal sincap kacak cmd

  • 2. SIMPLE WEB SHELLS

  • 2. WEB SHELL: DMC

    http://gsec.hitb.org/materials/sg2016/D1%20-%20Moonbeom%20Park%20and%20Youngjun%20Park%20-%20Understanding%20Your%20Opponent%20Attack%20Profiling.pdf

    North Korean Cyber Warfare Group

  • 2. WEB SHELL: LIFKA

    •  Cross-platform
    •  File Operations
    •  System Info
    •  Read Sensitive Files
    •  Hashes
    •  Command Execution
    •  Mail Bomber
    •  Port Scanning

  • 2. WEB SHELL: SOLDIER OF ALLAH I

  • 2. WEB SHELL: SOLDIER OF ALLAH II

  • 2. WEB SHELL: SYRIAN SHELL

  • 2. WEB SHELL: MINI PHP SHELL

  • 2. WEB SHELL: BLOODSEC I

  • 2. WEB SHELL: BLOODSEC II

  • 2. WEB SHELL: BLOODSEC III

  • 2. WEB SHELL: AYANA

    http://stage48.net/wiki/index.php/Ayana_Shahab

  • 2. OBFUSCATION

    eval() assert() base64() gzdeflate() str_rot13()

  • 3. NO MAGIC BULLETS

    •  US CERT:
    –  Patching Systems
    –  Least-privileges Policy
    –  DMZ
    –  Backup
    –  Secure Servers
    –  Secure Apps
    –  Pentesting often
    –  WAF, AV, IDS, etc.

    •  Additional
    –  Log analysis
    –  File Integrity
    –  Secure Development

    •  Malware Hunting

  • 3. SECURITY TOOLS

    •  Security tools catch very few web shells

  • 3. HUNTING TOOLS

    •  Shell-Detector (Python) https://github.com/emposha/Shell-Detector

    •  PHP-Shell-Detector https://github.com/emposha/PHP-Shell-Detector

    •  NeoPI https://github.com/Neohapsis/NeoPI

  • 3. YARA RULEZ

    •  Loki - Simple IOC and Incident Response Scanner

    https://github.com/Neo23x0/Loki

    •  Web Rules

    https://github.com/1aN0rmus/Yara/tree/master/web

    •  Yara Rules

    https://github.com/Yara-Rules/rules

    •  Hunting for Web Shells

    https://www.tenable.com/blog/hunting-for-web-shells
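    A defender-side heuristic scanner for the primitives listed on the "2. OBFUSCATION" slide, in the spirit of the hunting tools above; this is an added example, not code from the talk or from any of those projects. It flags PHP files that call those functions, scores eval/assert wrapped around a decoder more heavily, and treats a long high-entropy string literal as a packed payload. The slide's "base64()" is read as PHP's base64_decode; the gzinflate/gzuncompress decoders, the score weights and the inline sample files are my assumptions.

```python
import base64
import math
import os
import re
from typing import Dict, List

# Primitives from the "2. OBFUSCATION" slide (its "base64()" read as PHP's
# base64_decode) plus the decoders usually paired with gzdeflate (my addition).
OBFUSCATION_FUNCS: List[str] = ["eval", "assert", "base64_decode", "gzdeflate",
                                "gzinflate", "gzuncompress", "str_rot13"]
_FUNC_RE = re.compile(r"\b(" + "|".join(OBFUSCATION_FUNCS) + r")\s*\(", re.I)
# eval/assert wrapping one or more decoders: eval(gzinflate(base64_decode(...)))
_NESTED_RE = re.compile(r"\b(?:eval|assert)\s*\(\s*(?:\w+\s*\(\s*)*"
                        r"(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
_STRING_RE = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")

def shannon_entropy(data: str) -> float:
    """Bits per character; base64 blobs sit near 6, English text near 4."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(ch) for ch in set(data)))

def scan_php(source: str) -> Dict[str, object]:
    """Score one PHP source text; higher means more shell-like (weights are assumed)."""
    funcs = sorted({m.group(1).lower() for m in _FUNC_RE.finditer(source)})
    nested = _NESTED_RE.search(source) is not None
    longest = max((m.group(0)[1:-1] for m in _STRING_RE.finditer(source)),
                  key=len, default="")
    entropy = shannon_entropy(longest)
    score = len(funcs) + (3 if nested else 0)
    if len(longest) >= 64 and entropy > 4.5:  # long high-entropy literal: packed payload
        score += 2
    return {"funcs": funcs, "nested": nested, "entropy": round(entropy, 2), "score": score}

def scan_tree(root: str, min_score: int = 4) -> List[str]:
    """Walk a webroot and return the PHP files whose score reaches min_score."""
    hits = []
    for d, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".php", ".phtml")):
                path = os.path.join(d, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if scan_php(fh.read())["score"] >= min_score:
                        hits.append(path)
    return hits

# Constructed samples: the "payload" is only base64 of bytes 0..255, not real code.
CLEAN_PHP = ("<?php\nfunction greet($n) { return htmlspecialchars($n); }\n"
             "echo greet($_GET['name'] ?? 'guest');\n")
_FILLER = base64.b64encode(bytes(range(256))).decode()
SHELL_PHP = f"<?php\neval(gzinflate(base64_decode('{_FILLER}')));\n"
```

    Run scan_tree against a copy of the webroot and review the hits by hand: the score ranks candidates for a human, it does not replace YARA signatures or file-integrity baselines.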

  • 3. HIDDEN FROM SIGNATURES I

  • 3. HIDDEN FROM SIGNATURES II

  • 3. ALL SOFTWARE HAS BUGS

    •  C99 bypass

    •  b374K CSRF http://hyp3rlinx.altervista.org/advisories/AS-B374K-CSRF-CMD-INJECTION.txt

  • 4. TAKEAWAYS

    •  Old tools but still used at large

    •  Many types of web shells

    •  Hard to detect

    •  Defense in Depth

  • 5. Q&A

    •  Thanks!

    •  Beer appreciated!!!

    •  @simonroses
    •  @vulnexsl
    •  www.vulnex.com
    •  www.simonroses.com