How to Use ssdeep to detect webshell

Source: Internet
Author: User
Tags modsecurity

How to Use ssdeep to detect webshell

In the latest version of ModSecurity, The ssdeep webshell detection interface is added, and the client security (game Security) is suddenly recalled) I bought a book about malware analysis know-how and toolbox-techniques and tools against "rogue" software. this book mentions the use of ssdeep to find malware (webshell is a type of malware, and the security field is interconnected). This article describes how to use it to detect webshells.

1. Install ssdeep

Download ssdeep and install http://ssdeep.sourceforge.net/

Tar zxvf ssdeep-2.12.tar.gzcd ssdeep-2.12./configuremakemake install

2. Identify webshell instances

Next we will download a webshell and try to use ssdeep to identify webshell.

Taking b374k. php as an Example

Obtain the ssdeep hash (fuzzy hashinghash value) of webshell b374k. php and store it in the b37_hashs.txt file.

Ssdeep-B webshell/b374k. php> b37_hashs.txt

Cat b37_hashs.txt

Ssdeep, 1.1 -- blocksize: hash, filename384: UsaSwsF3RtJhwhxY5janx0Rig5xJx52FRsBU0ipgFHF3xR: 44snx0Rig5x752EBUxpc5, "b374k. php"

Then use this value to obtain the similarity. The similarity is 100 (of course, because no modification is made)

Ssdeep-bm b37_hashs.txt webshell/b374k. php

B374k. php matches b37_hashs.txt: b374k. php (100)

For ease of understanding, we use ssdeep and md5 for analogy.

Md5 webshell/b374k. php

MD5 (webshell/b374k. php) = b8d3f0f9ad8b1083f24072f8cfe13e04

We know that the md5 value for the file is used to verify the integrity of the file, because it can be felt for any modifications (except for events with low probability of hash collision)

Ssdeep is used to calculate the file similarity. It is used to calculate the contextual hash value (fuzzy hashing) to determine the file similarity.

In the webshell recognition scenario, we can first obtain the ssdeep hash value of the sample, and then set the similarity range to identify the Deformed shell of the same series.

What is the first thing a hacker will do after obtaining a good webshell? It must have changed the password of the Logon account.

Cp webshell/b374k. php webshell/b374k. php. bak

Vim webshell/b374k. php. bak

If you want to trace the geese, it is estimated that the webshell title and other texts will be modified to mark the game.

If you want to bypass WAF's shoes with a little focus, you may also modify the keywords in cookies.

For example, replace the cookie txtauth keyword in batches.

After the modification is complete, use md5 and ssdeep to see what happened.

Md5 webshell/b374k. php. bak

MD5 (webshell/b374k. php. bak) = b8d3f0f9ad8b1083f24072f8cfe13e04

The md5 value has changed, indicating that the content of webshell text has changed.

Then, use ssdeep to view the similarity of the modified webshell.

Ssdeep-bm b37_hashs.txt webshell /*

B374k. php matches b37_hashs.txt: b374k. php (100) # original webshellb374k. php. bak matches b37_hashs.txt: b374k. php (97) # modified the Logon account and author Mark b374k. php. bak2 matches b37_hashs.txt: b374k. php (88) # modified login account, author tag, and cookie features

Finally, we select a proper similarity to determine whether it is a webshell (in real scenarios, finding the appropriate threshold value for parameter adjustment is a test of human activity ...)

For example, only those with a similarity of more than 90 are filtered.

Ssdeep-t 90-bm b37_hashs.txt webshell /*

B374k. php matches b37_hashs.txt: b374k. php (100) b374k. php. bak matches b37_hashs.txt: b374k. php (97)

Iii. Expansion

In addition to using ssdeep to find similar malware (static text), we can also reverse our thinking and determine the malicious processes mixed in normal processes based on the similarity, the reason is that the process changes slightly during running because of variable changes, and the changes after the code is shelled are quite significant. For example, UPX shelling can reduce the similarity to 0% instantly.

Refer:

Http://blog.spiderlabs.com/2014/11/modsecurity-advanced-topic-of-the-week-detecting-malware-with-fuzzy-hashing.html

Malware analysis know-how and toolbox-techniques and tools against "rogue" software

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.