O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Web shell detector

132 visualizações

Publicada em

Presentation of the web shell detector by Enzo Borel

Publicada em: Software
  • Seja o primeiro a comentar

  • Seja a primeira pessoa a gostar disto

Web shell detector

  1. 1. webshell-detector ~$ whoami Enzo Borel ~$ date 31 Mai 2018
  2. 2. tree -L 2 webshell-detector webshell-detector ├── Introduction │ ├── Statement │ └── Goal ├── Structure_of_the_system │ ├── Overview │ └── detectors └── usage_and_project_continuation
  3. 3. whatis ~$ whatis webshell Malicious script uploaded by an attacker Often used as RAT Problem: hard to detect. Scan at upload time is not sufficient ~$ whatis webshell-detector Goal: propose a new detection system not only based on signatures
  4. 4. cd Structure_of_the_system ~$ eog overview.png
  5. 5. cd detectors ~$ ls -w 1 Entropy Dangerous_routines Obfuscation Signatures Fuzzy_hashing ~$ cat Entropy Based on the formula: Information viewed as the unexpectedness of a signal −∑ i=0 n f i×log2(f i) ∑ i=0 n f i
  6. 6. cd detectors ~$ cat Dangerous_routines System commands: exec, passthru, system… Anonymous routines Variables functions: $var = “phpinfo”; $var(); ~$ cat Obfuscation Longest string Decoding routines: base64_decode, gzuncompress… Non-ASCII characters /! Not always relevant by itself! ∑ i=0 n f i
  7. 7. cd detectors ~$ cat Signatures Signature: based on a portion of file Identify known webshells. Easily bypassed by obfuscation or new webshells ~$ cat Fuzzy_hashing Similar files → similar bit sequences The longer they are, the closer the hashes will be Spamsum algorithm + Levenshtein distance Computed by removing blanck spaces and carriage returns ∑ i=0 n f i
  8. 8. man webshell-detector - as a Composer library $ composer require rucd/webshell-detector - as a command line tool Uses the library Symfony Console $ webshell-detector.phar analyze:file <file> $ webshell-detector.phar analyze:directory -t <threshold> <dir> ∑ i=0 n f i