I published the following diary on isc.sans.org: “Another webshell, another backdoor!”.
I’m still busy following how webshells are evolving… I recently found another backdoor in another webshell called “cor0.id”. The best place to find webshells remains pastebin.com[1]. When I’m testing a webshell, I copy it to a VM located on a “wild Internet” VLAN in my home lab with, amongst other controls, full packet capture enabled. This way, I can immediately spot if the VM is trying to “phone home” to some external hosts. This was the case this time! [Read more]
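The full packet capture on the “wild Internet” VLAN is what exposes the phone-home. The script below is an added example (not the author's tooling) of how the triage step can be automated once the capture is exported as tab-separated fields, the shape `tshark -T fields` produces. It assumes the export carries `frame.time_epoch`, `ip.src`, `ip.dst`, `tcp.dstport` and `dns.qry.name` in that order; the sample lines, the sandbox address 192.168.66.10 and the lab resolver 192.168.66.1 are constructed, and the TEST-NET addresses stand in for real external hosts.

```python
"""Flag outbound "phone home" attempts from a sandbox VM.

Added example, not the post author's code. Input is a tab-separated export
of the VLAN packet capture (assumption: tshark -T fields with the columns
frame.time_epoch, ip.src, ip.dst, tcp.dstport, dns.qry.name).
"""
import ipaddress
from collections import defaultdict

# Constructed sample export: a DNS lookup through the lab resolver, two
# external connections (TEST-NET addresses as stand-ins) and one lab-internal
# SSH connection that must not be reported.
SAMPLE_EXPORT = """\
1500000000.10\t192.168.66.10\t192.168.66.1\t\tupdate.example-cdn.test
1500000000.11\t192.168.66.1\t192.168.66.10\t\tupdate.example-cdn.test
1500000000.50\t192.168.66.10\t203.0.113.5\t80\t
1500000001.20\t192.168.66.10\t198.51.100.77\t443\t
1500000001.25\t192.168.66.10\t198.51.100.77\t443\t
1500000002.00\t192.168.66.10\t192.168.66.20\t22\t
"""

# Address space considered "ours" (assumption: RFC1918 plus loopback).
# Anything else reached from the sandbox is treated as an external host.
LAB_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip):
    """True when the address is outside every lab network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAB_NETWORKS)


def parse_export(text):
    """Turn the tab-separated export into a list of flow records."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # malformed line: skip rather than crash the triage
        ts, src, dst, dport, qname = fields
        rows.append({
            "ts": float(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport) if dport else None,
            "qname": qname or None,
        })
    return rows


def phone_home(rows, sandbox_ip):
    """Return (external connections keyed by destination, DNS names queried).

    Only traffic *originating* from the sandbox is considered, so replies from
    the resolver or other lab hosts never show up as findings.
    """
    conns = defaultdict(lambda: {"count": 0, "ports": set(), "first": None})
    lookups = set()
    for r in rows:
        if r["src"] != sandbox_ip:
            continue
        if r["qname"]:
            # DNS query: the resolver is internal, but the name itself is
            # the indicator (the C2 host is often only known by name).
            lookups.add(r["qname"])
        elif is_external(r["dst"]):
            c = conns[r["dst"]]
            c["count"] += 1
            c["ports"].add(r["dport"])
            if c["first"] is None:
                c["first"] = r["ts"]
    return dict(conns), sorted(lookups)


def main():
    conns, lookups = phone_home(parse_export(SAMPLE_EXPORT), "192.168.66.10")
    for dst, c in sorted(conns.items(), key=lambda kv: kv[1]["first"]):
        ports = ",".join(str(p) for p in sorted(c["ports"]))
        print(f"[!] {dst} ports={ports} flows={c['count']} first={c['first']}")
    for name in lookups:
        print(f"[?] DNS lookup: {name}")


if __name__ == "__main__":
    main()
```

Destinations are reported with the ports touched and the first-seen timestamp so they can be lined up with the moment the webshell was loaded in the browser; the DNS names are listed separately because a resolver inside the lab hides the real target address until the connection itself appears.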
Interesting read. I’m using the fuzzy command from the Viper framework for this purpose (based on ssdeep).
Example:
Webshells viper sZY0idJH.php > fuzzy
[*] 2 relevant matches found
+-------+--------------+------------------------------------------------------------------+
| Score | Name         | SHA256                                                           |
+-------+--------------+------------------------------------------------------------------+
| 99%   | xNqNpLkP.php | f5a967bf43068c3d34cbbe0a3e16fe33c634b0bbdb0da284b5952d8696f21cac |
| 97%   | kiFHSP2j.php | cf11418cf32b7be0b2f16887f9aa56498f6aec2d743867818f1a45e474dac853 |
+-------+--------------+------------------------------------------------------------------+
I caught the same webshell, I think: https://github.com/bediger4000/php-malware-analysis/tree/master/b374k_3.2.3.php
Looks like the developers have changed the pastebin and googleusercontent.com URLs, but the whole code-in-EXIF-data is still intact.
If you’re interested in WSO web shells, I’ve developed a phylogeny for them: https://github.com/bediger4000/malware-phylogeny
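The comment above points at the code-in-EXIF-data trick, where the webshell keeps part of its payload inside an image's metadata. As an added example (not the post's code and not taken from the commenter's repository), the scanner below walks the JPEG segment structure and looks for PHP indicators only in the metadata-bearing segments (APPn and COM), which is where such a payload has to live for a valid image. The two JPEG byte strings are constructed in the block; the `<?php eval(...)` text inside the suspect one is a stand-in marker, not the shell's actual code.

```python
"""Detect PHP code hidden in JPEG metadata segments (APPn / COM).

Added example, not code from the post or the commenter's repository.
The sample JPEGs below are constructed byte strings, not real images.
"""

STANDALONE_MARKERS = {0x01} | set(range(0xD0, 0xD8))  # TEM, RST0-RST7: no length field
INDICATORS = (b"<?php", b"eval(", b"base64_decode(")


def jpeg_segments(data):
    """Yield (marker, payload) for every segment up to SOS.

    Entropy-coded image data follows SOS, so metadata is always before it.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, skip it
            pos += 1
            continue
        if marker in (0xD9, 0xDA):  # EOI or SOS: nothing more to inspect
            break
        if marker in STANDALONE_MARKERS:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def segment_name(marker):
    if 0xE0 <= marker <= 0xEF:
        return f"APP{marker - 0xE0}"
    return {0xFE: "COM", 0xDB: "DQT", 0xC4: "DHT", 0xC0: "SOF0"}.get(marker, f"0x{marker:02X}")


def scan_jpeg(data):
    """Return one finding per metadata segment that carries a PHP indicator."""
    findings = []
    for marker, payload in jpeg_segments(data):
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):
            continue  # quantisation tables, frame headers etc. cannot carry text
        hits = [i.decode() for i in INDICATORS if i in payload]
        if hits:
            findings.append({"segment": segment_name(marker),
                             "length": len(payload), "indicators": hits})
    return findings


def _segment(marker, payload):
    """Build a JPEG segment: 0xFF, marker, 2-byte length (includes itself), payload."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed fixtures. JFIF APP0 and a bare TIFF header for the Exif APP1.
_JFIF = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_EXIF = b"Exif\x00\x00MM\x00*\x00\x00\x00\x08" + b"\x00" * 16
_PHP_MARKER = b'<?php eval("/* constructed stand-in for hidden code */"); ?>'

CLEAN_JPEG = (b"\xff\xd8" + _segment(0xE0, _JFIF) + _segment(0xE1, _EXIF)
              + _segment(0xFE, b"constructed comment") + _segment(0xDA, b"\x00") + b"\xff\xd9")
SUSPECT_JPEG = (b"\xff\xd8" + _segment(0xE0, _JFIF) + _segment(0xE1, _EXIF + _PHP_MARKER)
                + _segment(0xFE, b"constructed comment") + _segment(0xDA, b"\x00") + b"\xff\xd9")


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JPEG), ("suspect", SUSPECT_JPEG)):
        print(label, scan_jpeg(blob) or "no PHP indicators")
```

Walking the segments rather than running a plain string search over the whole file keeps the result attributable (which segment, how large), and it rejects files whose segment lengths do not add up, which is itself worth a second look when a "picture" arrives with a webshell.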