Cybercriminals are using increasingly sophisticated techniques to bypass the security controls of organizations in many sectors, including IT, medical, manufacturing, energy and even government entities.
Sometimes developers create a backdoor for a legitimate purpose, such as maintenance or easy remote access while a technical issue is being handled.
Attackers, however, use the same idea for purely malicious purposes: they create an advanced backdoor and inject it into a vulnerable server, hiding it with various obfuscation techniques.
Such a backdoor lets them gain control over the target, upload further malicious payloads, steal sensitive data and mine cryptocurrency.
Backdoors come in many forms and can be written in many languages; for example, a backdoor written in ASP runs on .NET-based servers, while one written in PHP runs on servers that run PHP.
Organizations should therefore learn how to protect their web applications from attacks such as backdoors and SQL injection with a strong WAF solution, and should look into Incapsula backdoor shell protection.
PHP Based Evasion Techniques
Attackers use several methods to evade detection; masking known functions or PHP keywords is the one most PHP-based backdoors rely on.
The first method is character reordering: the attacker embeds the backdoor code in a well-known “404 Not Found” page, and the keyword “_POST” never appears in plain sight.
Line 1 – the backdoor code turns off all error reporting, so that an error does not give it away.
Line 3 – the “default” parameter is defined as a random combination of characters.
Line 4 – the “about” parameter is defined: the code reorders those characters and converts them to upper case to build the keyword “_POST”.
Line 5 – the keyword is used in lines 5-12 to check whether the HTTP request to this page was made via the POST method and whether it contained the “lequ” parameter.
According to Incapsula, if so, the backdoor uses the “eval” function to run the code that was sent in the “lequ” parameter. Thus the backdoor reads a value from a parameter of a POST request without ever using the keyword “$_POST”.
Besides this, attackers use a number of other tricks to hide their malicious code and evade detection:
· Hiding known PHP functions using string manipulation (replacement, concatenation, reversal, shifting and splitting)
· Using obscure parameter names, such as random characters or combinations of the characters O and 0, which are visually similar
· Encoding the backdoor, or part of its code, with base64 encoding
· Using compression as a means to hide the backdoor code
· Obfuscating base64 encoded text by manipulating the text in order to defeat simple decoding
· Obfuscating requests sent to the backdoor after it was uploaded, by running the “preg_replace” function on the input
To protect against these kinds of obfuscation techniques, a strong web-application firewall such as Incapsula CDN, which identifies malicious threats using several layers of security policies, is highly recommended for any organization.
Mask Known Functions or PHP Keywords
In some cases the attacker hides known functions or PHP keywords in order to evade detection.
Some of the known functions and keywords include:
· PHP Superglobals – predefined global variables of PHP
1. $_POST – array containing the parameters of a POST request
2. $_REQUEST – array containing the parameters of a POST or GET request
3. $_FILES – array containing the items uploaded in a POST request
4. $_COOKIE – array containing the variables passed via HTTP cookies
· String manipulation functions
1. str_replace – given three strings, replaces all occurrences of the first string with the second string in the third string
2. preg_replace – same as str_replace but with regular expression searches
3. strtr – similar to str_replace, but replaces characters using a map
4. substr – returns a specified portion of a given string
5. strtoupper – turns all letters to uppercase
6. ‘.’ operator – concatenates characters or strings
7. str_rot13 – shifts every letter by 13 places in the alphabet
8. strrev – reverses a string
· eval – executes a given string of PHP code
· create_function – creates a new function given the function’s parameters and code
· base64_decode – decodes base64 encoded text
· gzinflate – decompresses compressed data
· chr – returns a single-byte string from a number using ASCII encoding (or another mapping)
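Putting the evasion techniques and the table of masked keywords and functions above to defensive use: this added example (mine, not Incapsula's or the article's code) is a small Python scanner that scores a PHP source by those indicators and also decodes long base64 string literals (inflating them if they are raw deflate, the format gzinflate expects) so that a packed payload is scored as well. The scoring weights and the sample inputs are constructed for illustration.

```python
import base64
import re
import zlib

# Indicator lists taken from the article's own tables of masked keywords and functions.
SUPERGLOBALS = ("$_POST", "$_REQUEST", "$_FILES", "$_COOKIE")
EXEC_FUNCS = ("eval", "create_function")
DECODE_FUNCS = ("base64_decode", "gzinflate")
MASK_FUNCS = ("str_replace", "preg_replace", "strtr", "substr",
              "strtoupper", "str_rot13", "strrev", "chr")
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{24,})['\"]")  # long quoted base64 blob

def _calls(src, names):
    # names that appear as a function call, e.g. "strrev(", not merely as a word in a string
    return [n for n in names if re.search(r"\b%s\s*\(" % n, src)]

def _unwrap(blob):
    try:
        raw = base64.b64decode(blob, validate=True)
        return zlib.decompress(raw, -15).decode("latin-1")  # -15: raw deflate, as gzinflate()
    except zlib.error:
        return raw.decode("latin-1")  # plain base64 text, not compressed
    except ValueError:
        return ""  # not really base64 (bad alphabet or padding)

def score_php(src, depth=0):
    """Return (points, reasons) for one PHP source; base64 literals are decoded and scored too."""
    score, why = 0, []
    execs, masks = _calls(src, EXEC_FUNCS), _calls(src, MASK_FUNCS)
    has_global = any(g in src for g in SUPERGLOBALS)
    if execs and has_global:
        score, why = score + 3, why + ["request data reaches " + "/".join(execs)]
    if execs and _calls(src, DECODE_FUNCS):
        score, why = score + 3, why + ["decoded payload reaches " + "/".join(execs)]
    if execs and not has_global and len(masks) >= 2:
        score, why = score + 2, why + ["no superglobal in plain sight; keyword rebuilt via " + "/".join(masks)]
    if re.search(r"error_reporting\s*\(\s*0\s*\)", src):
        score, why = score + 1, why + ["error reporting disabled"]
    for blob in (B64_LITERAL.findall(src) if depth < 3 else []):  # depth cap stops decode loops
        inner, inner_why = score_php(_unwrap(blob), depth + 1)
        score, why = score + inner, why + ["inside base64: " + r for r in inner_why]
    return score, why

# Constructed samples, not code from any real backdoor; "..." stands in for elided text.
BENIGN = '<?php echo str_replace("<", "&lt;", $_POST["name"]);'
REORDERED = '<?php error_reporting(0); $k = strtoupper(strrev("tsop_")); eval(...);'
INNER = 'error_reporting(0); eval($_REQUEST[...]);'
PACKED = '<?php eval(gzinflate(base64_decode("%s")));' % base64.b64encode(
    zlib.compress(INNER.encode())[2:-4]).decode()
```

Calling `score_php(PACKED)` shows the outer decode-then-eval pattern plus the reasons found inside the decoded blob, while `score_php(BENIGN)` scores zero because `$_POST` never reaches an execute function.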
Command-line evasion and obfuscation of this kind are among the most widely used techniques in advanced attacks, and attackers increasingly combine them with phishing and malware campaigns to plant a powerful backdoor.
Mitigations – Advanced Backdoor
Check out the best mitigation and protection plan for an organization that cannot afford downtime: it includes complete DDoS protection, advanced security solutions, high availability and a 99.999% SLA, and it suits websites in need of protection from hackers and malicious bots.
If the backdoor has already been uploaded to an infected server, it is still possible to block the communication between the attacker and the backdoor; this stops the backdoor from working and alerts the server admin, so the backdoor can be removed.
Placing a web-application firewall in front of the server can filter out the malicious backdoor shell and contain any further attack.
Implement the highly recommended Imperva Incapsula
backdoor shell protection.