«
»

How AV software can stop phishing sites

Over the course of examining hundreds if not thousands of phishing sites I’ve learned that the vast majority of phishing sites are created by compromising legitimate web sites through vulnerabilities of one type or another.   Most often the vulnerabilities are web applications which don’t properly check that user content is really just user content.    For example, instead of uploading their avatar image to an online forum like ZeroBoard, hackers upload malicious files which they can then run on the server giving them access to the system.   The application does a poor job (if any) of checking that the picture file is only a picture file.

The most often uploaded malicious files are PHP shells.   A PHP shell is a PHP program which provides a hacker with access to the web server as well as many tools and features:

  • Find, Edit, Rename, Download Files
  • Point-and-click Directory and File Navigator
  • Shell Command Execution
  • PHP Statement Evaluation
  • Find Vulnerable Files and Directories
  • Upload / Download files from FTP Servers
  • Dump MySQL Databases
  • Create a proxy server
  • Create a back-connect shell
  • Encode / Decode Base64, URL escape encoding, etc.
  • Show running processes, system name, kernel version, IP addresses, etc.
  • Show PHP configuration (php.ini), safe-mode, register globals, etc.
  • FTP brute-force password cracker
  • Emailer (spammer)
  • Self-update and self-remove
c99 shell

c99 shell

 The most common PHP shells are the C99 shell from the Captain Crunch Security Team and the r57 shell from the Rush Security Team / GHC.    However, some PHP shells are simple one-box forms used to enter a command which will be executed on the server.

Because PHP shells make hacking easy and phish kits are freely available, even ‘ankle-biters’ can create phishing sites.   In fact, most phishing is done by criminals with only mediocre computer skills.   This is unfortunate because it makes the problem seem bigger than it is and limits our ability to focus in on the really bad actors.    Those of us wearing the white hats need to find solutions that make it only possible for skilled cyber-criminals to attempt scams like phishing.
One possible solution is to detect and stop malicious programs like PHP shells on web sites.   Perhaps anti-virus products could be used to detect malicious files like PHP shells.   Then if web hosting companies would use these anti-virus products on their servers there would be less phishing.   Of course it wouldn’t stop the problem altogether, but if we can make the ‘script kiddies’ that use PHP shells go away, we can stop a lot phishing and focus in on the really really bad guys.
So do anti-virus products detect PHP shells and other hacker backdoors?   It turns out that some of them do with, not a surprise, varying detection rates.    It’s ironic that security vendors a huge amount of time and money seeking every phishing site so that it can be included in blacklists and collecting every piece of Windows malware that’s out there, yet they don’t execute well on preventing hackers from plying attacks that lead toward more phishing and malware.
I decided to test out anti-virus products against some PHP shells and backdoors and see exactly how they fare.   I started out by collecting PHP shells and backdoors from compromised systems.    The files gathered were found ‘in the wild’ and weren’t created by me or by others as proof-of-concepts.   Next I submitted them to an antivirus scanning system similar to VirusTotal built by Andreas Marx and av-test.org.  Note that Andreas and av-test.org did not otherwise participate in this test in any way except by allowing me to use their multi-vendor scanner.   Ultimately 99 malicious PHP files were scanned by 29 anti-virus scanners plus 6 more cases where beta signatures were used.
Top 10 Detection Rates for PHP Backdoors

Top 10 Detection Rates for PHP Backdoors

The results are a bit disheartening, but there are some caveats worth mentioning:  

Not all vendors have a Linux based product.    Almost always (but not quite), the compromised system which has a PHP shell installed on it is running a version of Linux.   So it’s perfectly reasonable not to detect files that generally are only used on an operating system on which your product doesn’t run.

Some anti-virus products are geared as gateway products and not file scanners.   That means, that some anti-virus products might detect the HTML generated by these backdoors, identify them as unwanted web applications, and block access to the PHP shell.   That’s easy enough to test, but wasn’t tested here.

Some of the PHP programs could be considered dual-use applications – used for evil or for good.   That argument is some what constrained by the fact that the tested files were all from compromised web sites and nearly all were made by hackers for hackers.

Another argument is that it’s more important to focus resources on catching desktop malware.   I disagree.  Server compromises often lead to more desktop malware, more end-user phishing, and more distribution of spam.   If every web site on the Internet were secure, almost all of the badness we see every day on the Internet would go away.

So how about it anti-virus vendors!   Time to start detecting PHP backdoors?

This entry was posted on Friday, November 7th, 2008 at 10:59 am and is filed under Malware, Phishing. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

3 Responses to “How AV software can stop phishing sites”

  1. Jarek Bechemot says:
    November 26, 2008 at 12:13 pm

    Dear All,
    I wonder why there was no TrendMicro in this test ? TM has av scan engine for Linux (unix) system – eg.: http://emea.trendmicro.com/emea/products/enterprise/serverprotect-for-linux/index.html and detects PHP shells, backdoors, etc.
    This is because neither av-test.org nor VirusTotal has it in its scan engine pool ?
    Any answer will be appreciated. Regards,

  2. jal says:
    November 26, 2008 at 6:31 pm

    @Jarek

    Trend Micro and 29 other vendors were tested. The published results only include the top 10 performing vendors. The point of the test was not to shame the underperforming vendors, but rather to call attention to the need to detect these files in general since all vendors performed relatively poor compared to, for example, the typical Win32 trojan. Soon, the same samples will be tested again to see which vendors have responded and which have not. Stay tuned.

  3. Light Blue Touchpaper » Blog Archive » Evil Searching says:
    February 25, 2009 at 12:19 pm

    [...] phishing websites (”if you can break in, then so can I”); or they were seeking the PHP “shells” that phishing attackers often install to help them upload files onto the website (”if you [...]

Leave a Reply