How to Use ssdeep to Detect Webshells
The latest version of ModSecurity adds an ssdeep-based webshell detection interface, which reminded me that back when I worked on client-side (game) security I bought a book, Malware Analysis Know-How and Toolbox: Techniques and Tools Against "Rogue" Software, that describes using ssdeep to find malware (a webshell is just one kind of malware, and the different security fields are all interconnected). This article describes how to use ssdeep to detect webshells.
1. Install ssdeep
Download ssdeep from http://ssdeep.sourceforge.net/ and install it:
tar zxvf ssdeep-2.12.tar.gz
cd ssdeep-2.12
./configure
make
make install
2. Identify webshell instances
Next we download a webshell and try to identify it with ssdeep.
We take b374k.php as the example.
Obtain the ssdeep hash (fuzzy hash value) of the webshell b374k.php and store it in the file b37_hashs.txt:
ssdeep -b webshell/b374k.php > b37_hashs.txt
cat b37_hashs.txt
ssdeep,1.1--blocksize:hash:hash,filename
384:UsaSwsF3RtJhwhxY5janx0Rig5xJx52FRsBU0ipgFHF3xR:44snx0Rig5x752EBUxpc5,"b374k.php"
Then use this stored value to compute the similarity. The similarity is 100 (naturally, since nothing has been modified yet):
ssdeep -bm b37_hashs.txt webshell/b374k.php
b374k.php matches b37_hashs.txt:b374k.php (100)
To make this easier to understand, compare ssdeep with md5:
md5 webshell/b374k.php
MD5 (webshell/b374k.php) = b8d3f0f9ad8b1083f24072f8cfe13e04
We know that the md5 value of a file is used to verify the file's integrity: any modification, however small, changes it (barring the low-probability event of a hash collision).
ssdeep, by contrast, measures file similarity. It computes a context-triggered piecewise hash (fuzzy hash) of the file, and comparing two such hashes yields a similarity score.
In the webshell recognition scenario, we can first obtain the ssdeep hash of a known sample and then choose a similarity range to identify modified variants of the same webshell family.
What is the first thing an attacker does after getting hold of a good webshell? Change the login password, of course.
cp webshell/b374k.php webshell/b374k.php.bak
vim webshell/b374k.php.bak
An attacker who wants to leave a mark will probably also edit the webshell's title and other text to sign it.
Those a little more ambitious about bypassing a WAF may also change the keywords in the cookie,
for example by batch-replacing the txtauth keyword in the cookie.
After the modifications, run md5 and ssdeep again to see what happened:
md5 webshell/b374k.php.bak
MD5 (webshell/b374k.php.bak) = b8d3f0f9ad8b1083f24072f8cfe13e04
The md5 value has changed, which tells us only that the text of the webshell has changed.
Then use ssdeep to view the similarity of the modified webshells:
ssdeep -bm b37_hashs.txt webshell/*
b374k.php matches b37_hashs.txt:b374k.php (100)      # original webshell
b374k.php.bak matches b37_hashs.txt:b374k.php (97)   # login password and author mark modified
b374k.php.bak2 matches b37_hashs.txt:b374k.php (88)  # login password, author mark and cookie keyword modified
Finally, choose an appropriate similarity threshold to decide whether a file is a webshell (in real scenarios, finding the right threshold is a matter of trial and error...).
For example, keep only files with a similarity above 90:
ssdeep -t 90 -bm b37_hashs.txt webshell/*
b374k.php matches b37_hashs.txt:b374k.php (100)
b374k.php.bak matches b37_hashs.txt:b374k.php (97)
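As an added illustration of the mechanism behind the commands in this section (not code from the article or from the ssdeep project), the following Python builds a simplified context-triggered piecewise hash, scores two signatures for similarity, and applies a threshold the way `ssdeep -t 90 -m` does; the PHP sample, the file names and the helper names (ctph, compare, match, pad) are constructed stand-ins.

```python
# Simplified context-triggered piecewise hashing (CTPH), the idea behind ssdeep. Added example,
# not ssdeep itself: real ssdeep picks the block size adaptively and scores with a weighted edit distance.
import difflib
import hashlib

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7  # bytes of context that decide where a chunk ends

def ctph(data: bytes, blocksize: int = 16) -> str:
    """Fuzzy signature: one base64 char per chunk; chunk ends are chosen by content, not offset."""
    sig, chunk_hash, window = [], 0x811C9DC5, []  # 0x811C9DC5 = FNV-1a offset basis
    for b in data:
        chunk_hash = ((chunk_hash ^ b) * 0x01000193) & 0xFFFFFFFF  # FNV-1a step over the chunk
        window = (window + [b])[-WINDOW:]
        rolling = sum(v * (i + 1) for i, v in enumerate(window))  # rolling hash of last 7 bytes
        if rolling % blocksize == blocksize - 1:  # context trigger: end the chunk here
            sig.append(ALPHABET[chunk_hash & 63])
            chunk_hash = 0x811C9DC5
    sig.append(ALPHABET[chunk_hash & 63])  # final partial chunk
    return "%d:%s" % (blocksize, "".join(sig))

def compare(sig_a: str, sig_b: str) -> int:
    """0-100 similarity of two signatures; different block sizes are incomparable (0)."""
    (bs_a, body_a), (bs_b, body_b) = sig_a.split(":", 1), sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    return round(100 * difflib.SequenceMatcher(None, body_a, body_b, autojunk=False).ratio())

def match(db: dict, files: dict, threshold: int) -> list:
    """Like `ssdeep -t N -m db files`: (file, db entry, score) triples scoring >= N."""
    scored = [(f, ref, compare(ref_sig, ctph(data))) for f, data in files.items() for ref, ref_sig in db.items()]
    return [hit for hit in scored if hit[2] >= threshold]

def pad(tag: bytes, n: int) -> bytes:  # distinct filler lines keep the signatures non-repetitive
    return b"".join(b"$v[%d] = '%s';\n" % (i, hashlib.md5(tag + b"%d" % i).hexdigest().encode())
                    for i in range(n))

# Constructed stand-in for b374k.php: a login-gated page with the features the article edits.
ORIGINAL = (b"<?php // b374k demo page, author mark: original-author\n$pass = 'password123';\n"
            b"if (!isset($_COOKIE['txtauth']) || $_COOKIE['txtauth'] !== md5($pass)) {\n"
            b"    setcookie('txtauth', ''); die('login required'); }\n" + pad(b"shell", 40))
MODIFIED = ORIGINAL.replace(b"password123", b"hunter2-new")  # the login password was changed
SAMPLES = {"b374k.php": ORIGINAL, "b374k.php.bak": MODIFIED,
           "b374k.php.bak2": MODIFIED.replace(b"original-author", b"new-owner").replace(b"txtauth", b"sessid"),
           "index.php": b"<?php\n" + pad(b"benign", 30)}  # unrelated benign file
DB = {"b374k.php": ctph(ORIGINAL)}  # the b37_hashs.txt equivalent

if __name__ == "__main__":
    for fname, ref, score in match(DB, SAMPLES, 90):  # ssdeep -t 90 -bm b37_hashs.txt webshell/*
        print("%s matches %s (%d)" % (fname, ref, score))
```

Because chunk boundaries depend on content rather than offset, a change in one place only disturbs the signature characters around it, which is why a password edit barely lowers the score while an unrelated file scores close to zero.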
3. Extension
Besides using ssdeep to find similar malware (static text), we can reverse the idea and pick out malicious processes hiding among normal ones by similarity. The reasoning is that a process changes only slightly while it runs, because only variable values change, whereas a packed binary changes dramatically: packing with UPX, for example, drops the similarity to 0% instantly.
References:
http://blog.spiderlabs.com/2014/11/modsecurity-advanced-topic-of-the-week-detecting-malware-with-fuzzy-hashing.html
Malware Analysis Know-How and Toolbox: Techniques and Tools Against "Rogue" Software