In a previous blog posting I talked about how phishers typically use backdoor programs called PHP shells to access web servers and install their phish kits. I had tested several leading antivirus programs against a number of PHP shells that had been found in the wild to see how well they were detected. The results were disappointing.
Since I received several comments and questions from vendors after the first round of testing, I decided to do a follow-up test with the same files to see if anything has changed. With one exception, not much has changed. Big kudos go out to the Fortinet Team that moved from detecting only 17% of these backdoors to 98%. Unfortunately, they were the only vendor of the 24 tested to move into one of the top 10 spots.
Here are the complete updated results for all 24 vendors (note that some companies use a scan engine from others, hence the duplicate results):
As I mentioned in my previous posting, not all of these vendors develop antivirus products that are designed for server environments, and therefore it may be appropriate for them not to detect these files in some cases. That said, web gateway products should certainly prevent these backdoors from being installed via remote file inclusion (RFI) attacks, which is one of the more common methods used by phishers to install them. Another common tactic of phishers is to use web applications meant to allow users to upload photos or avatars. Far too often, these applications fail to check that the uploaded file is actually an image; in other words, they fail the fundamental tenet of application security: don’t trust user input. Gateway antivirus products can help with both cases and should detect these malicious programs.

Another class of antivirus product that should detect these files is the kind that can be configured to run “headless” or only on demand. It’s not unusual for web hosting companies and system administrators to scan web servers that they suspect have been compromised for malicious files. If products that support on-demand scanning did a better job of detecting these files, they could help prevent phishing and other types of cybercrime.
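The upload check described above, sketched in Python as an added example (it is not code from the original post): a weak check that trusts the client-supplied name and content type, beside a check that inspects the bytes and lets the server choose the stored name. The function names, the size limit and the sample byte strings are assumptions made for illustration.

```python
import os
import secrets

# Magic-byte signatures for the image types this hypothetical avatar form accepts.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Markers of embedded PHP; a heuristic that can also match random binary data.
PHP_MARKERS = (b"<?php", b"<?=")
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit for an avatar


def naive_is_image(filename, content_type):
    """The weak check: both values are chosen by the client."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in {".png", ".jpg", ".gif"} and content_type.startswith("image/")


def sniff_image_type(data):
    """Return the type implied by the leading bytes, or None."""
    for kind, prefixes in SIGNATURES.items():
        if data.startswith(prefixes):
            return kind
    return None


def validate_upload(data):
    """Return (stored_name, None) if accepted, else (None, reason)."""
    if len(data) > MAX_BYTES:
        return None, "too large"
    kind = sniff_image_type(data)
    if kind is None:
        return None, "not a recognised image"
    lowered = data.lower()
    if any(marker in lowered for marker in PHP_MARKERS):
        return None, "embedded script marker"
    # Server-chosen name and extension: nothing from the client reaches the path.
    return f"{secrets.token_hex(16)}.{kind}", None


# Constructed samples (not from the original post).
REAL_PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
DISGUISED_SCRIPT = b"GIF89a" + b"<?php /* placeholder body */ ?>"
PLAIN_SCRIPT = b"<?php /* placeholder body */ ?>"
```

A signature check on its own would accept the disguised sample, which is why the marker scan and the server-chosen file name are both part of the check. Re-encoding the image with an imaging library before storing it is a stronger control than marker matching.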
Just in case you’re thinking that these PHP shells and backdoors are only used on Linux systems, don’t forget that PHP does in fact run on Windows. Many of these malicious programs have functionality to detect whether they are running on a Linux system or a Windows system and adjust accordingly. .NET backdoors exist as well. They are relatively rare compared to the wide variety of PHP shells, but they are out there in the wild too. To see if the antivirus products had a PHP or .NET bias, I decided to test 7 .NET backdoors against the suite of 24 antivirus products as well. It’s hard to draw any conclusions about bias, but clearly these programs are not well detected. While most products detected at least one file, only 4 products detected at least 3 of the 7 files: BitDefender, ClamAV, Ikarus, and SecureWeb.
While I’ll continue my quest to have security products better detect malicious programs used by phishers, the next project will focus on the vulnerabilities exploited to gain access to web servers for phishing. I’ll be working with my colleagues at the AntiPhishing Working Group on this project and look forward to publishing the results from our study sometime next year.