
Web shell detector



Presentation of the web shell detector by Enzo Borel

Published in: Software


  1. webshell-detector
     ~$ whoami
     Enzo Borel
     ~$ date
     31 May 2018
  2. ~$ tree -L 2 webshell-detector
     webshell-detector
     ├── Introduction
     │   ├── Statement
     │   └── Goal
     ├── Structure_of_the_system
     │   ├── Overview
     │   └── detectors
     └── usage_and_project_continuation
  3. ~$ whatis webshell
     A malicious script uploaded by an attacker to a web server, often used as a remote access tool (RAT).
     Problem: hard to detect. Scanning only at upload time is not sufficient, because the file can be
     modified, decoded or written later by code that was clean when it was uploaded.
     ~$ whatis webshell-detector
     Goal: propose a new detection system that is not based on signatures alone.
  4. ~$ cd Structure_of_the_system
     ~$ eog overview.png
     [Figure: overview of the system (overview.png); the image is not reproduced in this export]
  5. ~$ cd detectors
     ~$ ls -w 1
     Entropy
     Dangerous_routines
     Obfuscation
     Signatures
     Fuzzy_hashing
     ~$ cat Entropy
     Information viewed as the unexpectedness of a signal. The detector is based on the formula

         $$H = -\sum_{i=0}^{n} f_i \log_2(f_i)$$

     where $f_i$ is the relative frequency of the $i$-th symbol (byte value) in the file.
  6. ~$ cat Dangerous_routines
     System commands: exec, passthru, system…
     Anonymous routines
     Variable functions: $var = "phpinfo"; $var();
     ~$ cat Obfuscation
     Longest string
     Decoding routines: base64_decode, gzuncompress…
     Non-ASCII characters
     /!\ Not always relevant by itself! (an obfuscation marker only becomes meaningful next to other signals)
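As an added illustration of slides 5 and 6 (example code written for this page, not the project's own PHP implementation), the following Python script computes the Entropy, Dangerous_routines and Obfuscation signals over two constructed PHP files, one benign and one obfuscated, and combines them into a score in which obfuscation markers on their own stay below the flagging threshold. The regular expressions, weights and thresholds are assumptions chosen for the example, not the project's.

```python
import math
import re
from collections import Counter

# Constructed sample inputs for this example (not real web shells, not taken from the project).
BENIGN_PHP = b"""<?php
require 'vendor/autoload.php';
$app = new App();
echo $app->render('home');
"""

FAKE_BLOB = "Qx9aF2m7KpZ3vTn8Rc1LsWd5Hb4Gy6Ju0Ve2Mi8Ok7Bf3Xq1Pn5Sz9Ct4Dr6Wl2Ah8Ej0NuYgKz"  # meaningless filler
SUSPECT_PHP = (
    "<?php\n"
    "$f = \"sys\" . \"tem\";\n"                 # concatenation hides the routine name from a plain grep
    "$f(base64_decode($_POST['c']));\n"         # variable function call on decoded input
    "eval(gzuncompress(base64_decode('" + FAKE_BLOB + "')));\n"
).encode()

# Assumed patterns (example choices, not the project's lists).
DANGEROUS_RE = re.compile(r"\b(exec|passthru|system|shell_exec|popen|proc_open|eval|assert)\s*\(", re.I)
DECODER_RE = re.compile(r"\b(base64_decode|gzuncompress|gzinflate|str_rot13)\s*\(", re.I)
VARFUNC_RE = re.compile(r"\$\w+\s*\(")        # $var(...): variable function
ANON_RE = re.compile(r"\bfunction\s*\(")       # anonymous function literal
STRING_RE = re.compile(r"'[^']*'|\"[^\"]*\"")  # quoted literals, for the longest-string signal


def shannon_entropy(data: bytes) -> float:
    """H = -sum(f_i * log2(f_i)) over the relative byte frequencies f_i; 0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def analyze(source: bytes) -> dict:
    """Per-file signals used by the Entropy, Dangerous_routines and Obfuscation detectors."""
    text = source.decode("latin-1")  # 1:1 byte mapping: non-ASCII bytes survive and nothing raises
    return {
        "entropy": shannon_entropy(source),
        "dangerous": sorted({m.lower() for m in DANGEROUS_RE.findall(text)}),
        "decoders": sorted({m.lower() for m in DECODER_RE.findall(text)}),
        "variable_functions": len(VARFUNC_RE.findall(text)),
        "anonymous_functions": len(ANON_RE.findall(text)),
        "longest_string": max((len(s) for s in STRING_RE.findall(text)), default=0),
        "non_ascii_ratio": (sum(1 for b in source if b > 0x7F) / len(source)) if source else 0.0,
    }


def score(report: dict, entropy_threshold: float = 5.5, string_threshold: int = 64) -> int:
    """Weighted combination (assumed weights). A dangerous routine or a variable function
    call alone reaches the default threshold; obfuscation markers alone do not ('not always
    relevant by itself'), they only add weight next to executable signals."""
    s = 3 * len(report["dangerous"]) + 3 * min(report["variable_functions"], 2)
    s += len(report["decoders"])
    s += 1 if report["longest_string"] >= string_threshold else 0
    s += 1 if report["entropy"] >= entropy_threshold else 0
    s += 1 if report["non_ascii_ratio"] > 0.10 else 0
    s += 1 if report["anonymous_functions"] and report["decoders"] else 0
    return s


def is_suspicious(source: bytes, threshold: int = 3) -> bool:
    return score(analyze(source)) >= threshold


if __name__ == "__main__":
    for name, src in (("benign.php", BENIGN_PHP), ("suspect.php", SUSPECT_PHP)):
        report = analyze(src)
        print(f"{name}: score={score(report)} suspicious={is_suspicious(src)}")
        print("   ", report)
```

The suspect file shows why the detectors are combined: `"sys" . "tem"` never matches the system-command pattern, but the variable function call `$f(...)`, the `eval`, the two decoders and the long literal add up, while the benign file scores zero on every signal.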
  7. ~$ cat Signatures
     Signature: based on a portion of a file
     Identifies known webshells
     Easily bypassed by obfuscation or by new webshells
     ~$ cat Fuzzy_hashing
     Similar files → similar bit sequences
     The longer they are, the closer the hashes will be
     Spamsum algorithm + Levenshtein distance
     Computed after removing blank spaces and carriage returns
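Added example for the Fuzzy_hashing detector on slide 7. This is example code written for this page, not the project's code, and not the real spamsum: it keeps spamsum's idea of a rolling hash that triggers piece boundaries, with each piece folded into one output character, but the block size, window, piece hash and alphabet are simplifications chosen here. It normalises the files by removing blanks and line ends as the slide describes, hashes them, and compares the hashes with a Levenshtein distance, over constructed samples.

```python
# Constructed sample files for this example (not real web shells, not from the project).
KNOWN = b"""<?php
// constructed sample: minimal command runner
error_reporting(0);
set_time_limit(0);
echo "<form method='post'><input name='cmd'><input type='submit' value='run'></form>";
if (isset($_POST['cmd'])) {
    $cmd = $_POST['cmd'];
    echo "<pre>";
    passthru($cmd);
    echo "</pre>";
}
"""
# The same code with only whitespace and line breaks changed.
REFORMATTED = b"""<?php
// constructed sample: minimal command runner
error_reporting(0); set_time_limit(0);
echo "<form method='post'><input name='cmd'><input type='submit' value='run'></form>";
if (isset($_POST['cmd'])) { $cmd = $_POST['cmd']; echo "<pre>"; passthru($cmd); echo "</pre>"; }
"""
# The same code with the variable renamed: two three-byte edits survive normalisation.
RENAMED = KNOWN.replace(b"$cmd", b"$arg")
BENIGN = b"""<?php
// constructed sample: unrelated application code
require 'vendor/autoload.php';
$router = new Router();
$router->get('/', function () { return view('home', ['title' => 'Welcome']); });
$router->get('/about', function () { return view('about'); });
$router->dispatch($_SERVER['REQUEST_URI']);
"""

FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193
B64 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def normalize(source: bytes) -> bytes:
    """Drop blanks and line ends so that re-indented or minified copies hash alike."""
    return bytes(b for b in source if b not in b" \t\r\n")


def ctph(data: bytes, block_size: int = 8, window: int = 7) -> str:
    """Simplified context-triggered piecewise hash in the spirit of spamsum (assumed
    parameters; real spamsum derives block_size from the input length, uses a stronger
    rolling hash and emits two signatures). A rolling sum over the last `window` bytes
    decides where a piece ends; each piece is folded with 32-bit FNV-1a and its low
    6 bits select one output character, so a local edit only disturbs nearby characters."""
    out, piece, roll = [], FNV_OFFSET, 0
    for i, b in enumerate(data):
        piece = ((piece ^ b) * FNV_PRIME) & 0xFFFFFFFF
        roll += b
        if i >= window:
            roll -= data[i - window]
        if roll % block_size == block_size - 1:  # context trigger: piece boundary
            out.append(B64[piece & 63])
            piece = FNV_OFFSET
    out.append(B64[piece & 63])                  # final, possibly partial, piece
    return bytes(out).decode("ascii")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(h1: str, h2: str) -> float:
    """1.0 for identical hashes, towards 0.0 for unrelated ones."""
    longest = max(len(h1), len(h2))
    return 1.0 if longest == 0 else 1.0 - levenshtein(h1, h2) / longest


if __name__ == "__main__":
    ref = ctph(normalize(KNOWN))
    for name, src in (("reformatted", REFORMATTED), ("renamed", RENAMED), ("benign", BENIGN)):
        print(f"{name:12s} similarity={similarity(ref, ctph(normalize(src))):.2f}")
```

The reformatted copy hashes identically because normalisation removes everything that differs; the renamed copy stays close because only the pieces around the two edits change; the unrelated file lands far below, which is the ranking a threshold such as the `-t` option on the next slide would cut at.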
  8. ~$ man webshell-detector
     - as a Composer library
         $ composer require rucd/webshell-detector
     - as a command line tool (uses the library through Symfony Console)
         $ webshell-detector.phar analyze:file <file>
         $ webshell-detector.phar analyze:directory -t <threshold> <dir>