Advanced webshell detection and removal

Source: Internet
Author: User

Many people focus on attack but pay little attention to defense.

Attack lies in innovation; defense lies in comprehensiveness.
In computer terms, attacking is a single-threaded task: the higher the clock frequency of your single CPU core, the better the result. Defense is a multi-threaded task: the more CPU cores you have, the better the result. (Yu Jia)
With that preface, let's talk about webshell detection and removal.
 
Just as PC malware, malicious bundled apps on Android and malicious image sources on Linux did, webshell detection on the web has to pass through the same few stages that PC-side anti-virus went through:
from the initial signature-based scanning and removal, to behaviour-based (heuristic) detection, to the currently popular cloud-based detection.
Put bluntly, cloud-based scanning is essentially network-based scanning.
Likewise, webshell scanning on servers still needs signatures: as long as local hardware capability exceeds network bandwidth, signatures are necessary.
So next we will talk about webshell signatures.
The principle of PC-side virus signatures is this: from an executable such as a PE file, several signatures are extracted from different sections and matched many-to-one to locate the virus (using several signatures is mainly to defeat signature-locating evasion tools such as MyCCL). There are many extraction methods; in practice the most efficient one is for an experienced virus analyst to locate the signatures by experience.
 
Webshell signatures are similar to PC-side virus signatures, but not the same. A PC-side virus lives in an executable file, and its signatures are located purely on machine code and its disassembly. A webshell exists as source code. Machine code is a low-level language and is very hard to vary: for example, the int3 instruction commonly used in OllyDbg corresponds one-to-one to the byte 0xCC and never changes. A webshell, on the other hand, is written in a high-level scripting language, and high-level code can be written in many different ways (think of the many string-manipulation functions in PHP), which undoubtedly makes locating signatures harder.
In practice, common Trojans are relatively easy to detect: whether PHP, ASP or .NET, some of the functions they call are never used by ordinary script code, so those special functions can be used as regular-expression matching rules (most server security software does exactly this). Of course, this produces false positives, so multiple signatures must be matched together. Friends working on AV evasion may laugh at this: it is too easy; they simply split strings and concatenate them, write an encryption/decryption routine, or otherwise obfuscate the code.
That is correct in theory, but it ignores the capability of the hardware. A typically configured computer completes 2^32 operations in no more than 10 seconds. For the various string encryption and decryption tricks, we can match the characters involved in the encryption/decryption operations and then add semantic analysis to the scanner (if you have studied compiler principles this will be familiar): restore the matched string addition and subtraction operations and run the final match on the result.
The really troublesome case is the one-line Trojan. Some mutated Trojans use functions that web applications call normally, with a few variations added; scanning for these requires collecting a large number of samples for signature extraction.
A statistical sampling method can be used: extract a certain number of samples (both normal samples and webshell samples), extract features from the same number of each, weight them by their probability of occurrence, and finally generate a signature sample.
This basically matches known Trojans.
The matching algorithms for the signatures are still being tested.
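As an added example of the approach just described (this is not code from the original post), here is a small Python scanner that applies several regular-expression signatures to a PHP file, raises an alert only when an execution sink is found together with a second signature category (the multi-signature matching that keeps false positives down), and first folds split string literals, literal base64 arguments and variable function calls back to their plain form so that the final match runs on the restored code. The rule set, the category names and the PHP snippets are constructed for illustration.

```python
import base64
import re

# Added example (not from the original post): a toy PHP webshell scanner that
# combines several weak signatures and undoes simple string obfuscation before
# matching. Rule names and sample snippets are constructed for illustration.

# Each rule is tagged with a category. One category on its own is weak evidence
# (base64_decode() and $_POST both occur in ordinary code); a file is flagged only
# when an execution sink is found together with at least one other category.
RULES = {
    "eval":       ("sink",        re.compile(r"\beval\s*\(", re.I)),
    "assert":     ("sink",        re.compile(r"\bassert\s*\(", re.I)),
    "cmd_exec":   ("sink",        re.compile(r"\b(system|exec|shell_exec|passthru)\s*\(", re.I)),
    "user_input": ("input",       re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    "b64":        ("encoding",    re.compile(r"\bbase64_decode\s*\(", re.I)),
    "var_func":   ("indirection", re.compile(r"\$\w+\s*\(")),
}

# "ev" . "al"  ->  "eval"                      (adjacent literal concatenation)
_STR_CONCAT = re.compile(r"""(['"])([^'"\\]*)\1\s*\.\s*(['"])([^'"\\]*)\3""")
# base64_decode("...") with a literal argument that decodes to printable text
_B64_CALL = re.compile(r"""base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)""")
# $f = "eval"; ... $f(...)  ->  eval(...)      (variable function call)
_VAR_ASSIGN = re.compile(r"""\$(\w+)\s*=\s*(['"])([A-Za-z_]\w*)\2\s*;""")


def _decode_b64(m):
    """Replace base64_decode("<literal>") by the decoded string literal, if it is text."""
    try:
        text = base64.b64decode(m.group(2), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return m.group(0)
    if not text.isprintable():
        return m.group(0)
    return '"' + text.replace('"', '\\"') + '"'


def normalize(src: str) -> str:
    """Undo the simple evasions the text describes (split strings, literal base64,
    variable functions) until the source stops changing. This is the 'semantic
    analysis' step: match on the restored value, not on the obfuscated form."""
    prev = None
    while prev != src:
        prev = src
        src = _STR_CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', src)
        src = _B64_CALL.sub(_decode_b64, src)
        for m in list(_VAR_ASSIGN.finditer(src)):
            src = re.sub(r"\$" + re.escape(m.group(1)) + r"\s*\(", m.group(3) + "(", src)
    return src


def scan(src: str) -> dict:
    """Run every rule over the raw and the normalized source; flag only when an
    execution sink appears together with at least one other category."""
    norm = normalize(src)
    hits = {name for name, (_, rx) in RULES.items() if rx.search(src) or rx.search(norm)}
    cats = {RULES[name][0] for name in hits}
    return {"hits": sorted(hits), "categories": sorted(cats),
            "suspicious": "sink" in cats and len(cats) >= 2}


# Constructed test snippets (not real-world samples). The two benign ones use
# $_POST and base64_decode() legitimately and must not be flagged.
_B64_PAYLOAD = base64.b64encode(b'eval($_POST["c"]);').decode("ascii")
SAMPLES = {
    "benign":     '<?php $u = $_POST["user"]; echo htmlspecialchars($u); ?>',
    "benign_b64": '<?php $img = base64_decode($_POST["avatar"]); file_put_contents($path, $img); ?>',
    "direct":     '<?php eval($_POST["c"]); ?>',
    "concat":     '<?php $f = "ev" . "al"; $f($_POST["c"]); ?>',
    "b64":        '<?php eval(base64_decode("' + _B64_PAYLOAD + '")); ?>',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        r = scan(src)
        print(f"{name:11s} suspicious={r['suspicious']!s:5s} hits={r['hits']}")
```

Running the block prints one line per snippet: the two benign files stay clean because neither contains an execution sink, while the split-string and base64 variants are caught only because `normalize()` restores `eval(` before the rules run. Real code needs a proper PHP tokenizer rather than regexes, but the structure (weak rules, category voting, normalize-then-match) is the same.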
 
You are welcome to provide more webshell samples.
 
 
If you have any questions, we recommend that you use QQ124839584 or blog: http: // livers or sinaapp.com.
