Towards a PHP webshell taxonomy using deobfuscation-assisted similarity analysis

Wrench, Peter M; Irwin, Barry V W

Title: Towards a PHP webshell taxonomy using deobfuscation-assisted similarity analysis
Creator: Wrench, Peter M
Creator: Irwin, Barry V W
Subject: To be catalogued
Date Issued: 2015
Date: 2015
Type: text
Type: article
Identifier: http://hdl.handle.net/10962/429560
Identifier: vital:72622
Identifier: 10.1109/ISSA.2015.7335066
Description: The abundance of PHP-based Remote Access Trojans (or web shells) found in the wild has led malware researchers to develop systems capable of tracking and analysing these shells. In the past, such shells were ably classified using signature matching, a process that is currently unable to cope with the sheer volume and variety of web-based malware in circulation. Although a large percentage of newly-created webshell software incorporates portions of code derived from seminal shells such as c99 and r57, they are able to disguise this by making extensive use of obfuscation techniques intended to frustrate any attempts to dissect or reverse engineer the code. This paper presents an approach to shell classification and analysis (based on similarity to a body of known malware) in an attempt to create a comprehensive taxonomy of PHP-based web shells. Several different measures of similarity were used in conjunction with clustering algorithms and visualisation techniques in order to achieve this. Furthermore, an auxiliary component capable of syntactically deobfuscating PHP code is described. This was employed to reverse idiomatic obfuscation constructs used by software authors. It was found that this deobfuscation dramatically increased the observed levels of similarity by exposing additional code for analysis.
Format: 7 pages
Format: pdf
Language: English
Relation: Information Security for South Africa (ISSA)
Relation: Wrench, P.M. and Irwin, B.V., 2015, August. Towards a PHP webshell taxonomy using deobfuscation-assisted similarity analysis. In 2015 Information Security for South Africa (ISSA) (pp. 1-8). IEEE
Relation: Information Security for South Africa (ISSA) volume 2015 number 1 1 8 2015 Conference
Rights: Publisher
Rights: Use of this resource is governed by the terms and conditions of the IEEE Xplore Terms of Use Statement (https://ieeexplore.ieee.org/Xplorehelp/overview-of-ieee-xplore/terms-of-use)

Hits: 192
Visitors: 194
Downloads: 9

Collections

Irwin, Barry V W (Prof)

RU Department of Computer Science

SDG 09. Industry, Innovation and Infrastructure

		Thumbnail	File	Description	Size	Format
View Details Download			SOURCE1	Towards a PHP webshell taxonomy using deobfuscation-assisted similarity analysis.pdf	666 KB	Adobe Acrobat PDF	View Details Download