Overview

Abstract

The creation and proliferation of PHP-based Remote Access Trojans (or web shells), used both to compromise web platforms and for post-exploitation on them, has fuelled research into automated methods of dissecting and analysing these shells. In the past, such shells could be reliably detected using signature matching, a process that is currently unable to cope with the sheer volume and variety of web-based malware in circulation. Furthermore, many malware tools disguise themselves by making extensive use of obfuscation techniques designed to frustrate any effort to dissect or reverse engineer the code. Advanced code engineering can even cause malware to behave differently if it detects that it is not running on the system for which it was originally intended. To combat these defensive techniques, this thesis presents a sandbox-based environment that accurately mimics a vulnerable host and is capable of semi-automatic semantic dissection and syntactic deobfuscation of PHP code.

The results obtained during the course of this research demonstrate that the combination of a decoder component responsible for static code analysis and a sandbox component able to record and analyse the behaviour of a shell at runtime is an effective one. Idiomatic PHP obfuscation constructs were successfully extracted and processed to reveal hidden code, and calls to potentially exploitable functions were correctly identified and highlighted after shell execution. Other notable shell characteristics such as variable names, URLs, and email addresses were also extracted and recorded, paving the way for future work in the field of evolutionary similarity analysis.
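As an added illustration of the decoder component described above (example code written for this page, not the thesis's own implementation), the script below statically peels the idiomatic eval(gzinflate(base64_decode('...'))) wrapper chains found in PHP shells and then lists calls to potentially exploitable functions in the recovered code. The sample shell is constructed inside the script; the wrapper names and the function list are assumptions chosen to mirror common PHP obfuscation, not values taken from the thesis.

```python
"""Static decoder for nested eval(...) wrapper chains in obfuscated PHP."""
import base64
import codecs
import re
import zlib

# Wrapper functions commonly stacked around an eval'd payload (assumed set).
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),   # raw DEFLATE
    "gzuncompress": lambda b: zlib.decompress(b),                 # zlib-wrapped
    "str_rot13": lambda b: codecs.decode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}
# Functions whose presence in recovered code usually means code/command execution.
DANGEROUS = ["eval", "system", "exec", "shell_exec", "passthru",
             "popen", "proc_open", "assert", "create_function"]
# eval( wrapper( wrapper( 'literal' ) ) ) -- group 1 is the wrapper chain, group 3 the literal.
EVAL_RE = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)*)(['\"])([^'\"]*)\2\s*\)+", re.S)

def unwrap_layer(code: str):
    """Decode the first eval(...) wrapper chain; returns (code, wrappers) or None."""
    m = EVAL_RE.search(code)
    if not m:
        return None
    wrappers = re.findall(r"\w+", m.group(1))        # outermost first
    data = m.group(3).encode("latin-1")
    for name in reversed(wrappers):                  # innermost decoder runs first
        if name not in DECODERS:
            return None                              # unknown wrapper: stop here
        data = DECODERS[name](data)
    return data.decode("latin-1", errors="replace"), wrappers

def deobfuscate(code: str, max_layers: int = 10):
    """Peel eval layers until plain code remains; returns (code, list of wrapper chains)."""
    layers = []
    for _ in range(max_layers):
        step = unwrap_layer(code)
        if step is None:
            break
        code, wrappers = step
        layers.append(wrappers)
    return code, layers

def dangerous_calls(code: str):
    """Potentially exploitable functions called in the code, in order of first use."""
    found = re.findall(r"\b(" + "|".join(DANGEROUS) + r")\s*\(", code)
    return sorted(set(found), key=found.index)

def build_sample() -> str:
    """Constructed two-layer sample: rot13+base64 around gzinflate+base64 around the payload."""
    inner = "<?php echo shell_exec($cmd); ?>"
    co = zlib.compressobj(wbits=-zlib.MAX_WBITS)    # raw DEFLATE, as PHP gzinflate expects
    raw = co.compress(inner.encode()) + co.flush()
    layer1 = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    rot = codecs.encode(base64.b64encode(layer1.encode()).decode(), "rot_13")
    return "<?php eval(base64_decode(str_rot13('%s'))); ?>" % rot
```

Running `deobfuscate(build_sample())` recovers the plain payload after two layers; `dangerous_calls` on the result reports the shell_exec call that the wrapper chain was hiding.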

Project Timeline

01/03/2013
Project Proposal Submitted

19/03/2013
First Seminar

27/05/2013
Literature Review Submitted

06/08/2013
Second Seminar
15/10/2013
Implementation Completed

29/10/2013
Third Seminar

01/11/2013
Thesis Submitted

06/11/2013
Website Completed