TY - GEN
T1 - No honor among thieves
T2 - 25th International World Wide Web Conference, WWW 2016
AU - Starov, Oleksii
AU - Dahse, Johannes
AU - Ahmad, Syed Sharique
AU - Holz, Thorsten
AU - Nikiforakis, Nick
PY - 2016
Y1 - 2016
N2 - Web shells are malicious scripts that attackers upload to a compromised web server in order to remotely execute arbitrary commands, maintain their access, and elevate their privileges. Despite their high prevalence in practice and heavy involvement in security breaches, web shells have never been the direct subject of any study. In contrast, web shells have been treated as malicious black boxes that need to be detected and removed, rather than malicious pieces of software that need to be analyzed and, in detail, understood. In this paper, we report on the first comprehensive study of web shells. By utilizing different static and dynamic analysis methods, we discover and quantify the visible and invisible features offered by popular malicious shells, and we discuss how attackers can take advantage of these features. For visible features, we find the presence of password brute-forcers, SQL database clients, port scanners, and checks for the presence of security software installed on the compromised server. In terms of invisible features, we find that about half of the analyzed shells contain an authentication mechanism, but this mechanism can be bypassed in a third of the cases. Furthermore, we find that about a third of the analyzed shells perform homephoning, i.e., the shells, upon execution, surreptitiously communicate to various third parties with the intent of revealing the location of new shell installations. By setting up honeypots, we quantify the number of third-party attackers benefiting from shell installations and show how an attacker, by merely registering the appropriate domains, can completely take over all installations of specific vulnerable shells.
UR - https://www.scopus.com/pages/publications/85020858174
U2 - 10.1145/2872427.2882992
DO - 10.1145/2872427.2882992
M3 - Conference contribution
T3 - 25th International World Wide Web Conference, WWW 2016
SP - 1021
EP - 1032
BT - 25th International World Wide Web Conference, WWW 2016
PB - International World Wide Web Conferences Steering Committee
Y2 - 11 April 2016 through 15 April 2016
ER -