Ebook Towards a sandbox for the deobfuscation and dissection of PHP malware
Pages: 105
File type: pdf
Size: 1.49 MB
Views: 17
Downloads: 0
Document information:
The ebook "Towards a sandbox for the deobfuscation and dissection of PHP malware" covers: introduction, literature review, design and implementation, results, conclusion, code samples from the decoder class, code samples from the sandbox class, a complete list of overridden PHP functions, and the shells contained in the system database.
Content extracted from the document:
Towards a Sandbox for the Deobfuscation and Dissection of PHP Malware
Submitted in partial fulfilment of the requirements of the degree of Bachelor of Science (Honours) of Rhodes University
Peter Mark Wrench
Grahamstown, South Africa
1st November 2013

Abstract
The creation and proliferation of PHP-based Remote Access Trojans (or web shells) used in both the compromise and post exploitation of web platforms has fuelled research into automated methods of dissecting and analysing these shells. In the past, such shells were ably detected using signature matching, a process that is currently unable to cope with the sheer volume and variety of web-based malware in circulation. Furthermore, many malware tools disguise themselves by making extensive use of obfuscation techniques designed to frustrate any efforts to dissect or reverse engineer the code. Advanced code engineering can even cause malware to behave differently if it detects that it is not running on the system for which it was originally targeted. To combat these defensive techniques, this thesis presents a sandbox-based environment that accurately mimics a vulnerable host and is capable of semi-automatic semantic dissection and syntactic deobfuscation of PHP code. The results obtained during the course of this research demonstrate that the combination of a decoder component responsible for static code analysis and a sandbox component able to record and analyse the behaviour of a shell at runtime is an effective one. Idiomatic PHP obfuscation constructs were successfully extracted and processed to reveal hidden code, and calls to potentially exploitable functions were correctly identified and highlighted after shell execution. Other notable shell characteristics such as variable names, URLs, and email addresses were also extracted and recorded, paving the way for future work in the field of evolutionary similarity analysis.

Acknowledgements
During the course of this research, I was privileged to work with and enjoy the support of my supervisor, Professor Barry Irwin, without whose knowledge and guidance this project would never have reached completion. I am also deeply and variously indebted to Dr Karen Bradshaw, for her thorough editing, the Department of Computer Science at Rhodes University, for the use of their excellent facilities and equipment, and my family, for their unwavering love and support. Finally, I wish to acknowledge the financial support of Telkom, Tellabs, Stortech, Genband, Easttel, Bright Ideas 39 and THRIP through the Telkom Centre of Excellence in the Department of Computer Science at Rhodes University.

Contents
1 Introduction
1.1 Problem Statement
1.2 Research Goals
1.3 Document Structure
2 Literature Review
2.1 Introduction
2.2 PHP Overview
2.2.1 Language Features
2.2.2 Performance and Use
2.2.3 Security
2.3 Web Shells
2.4 Code Obfuscation
2.5 Methods of Obfuscation
2.5.1 Layout Obfuscation
2.5.1.1 Format Modification
2.5.1.2 Identifier Name Modification
2.5.2 Data Obfuscation
2.5.2.1 Storage and Encoding Modification
2.5.2.2 Data Aggregation
2.5.2.3 Data Ordering
2.5.3 Control Obfuscation
2.5.3.1 Computation Modification
2.5.3.2 Code Aggregation
2.5.3.3 Code Ordering
2.6 Code Obfuscation and PHP
2.7 Deobfuscation Techniques
2.7.1 Pattern Matching
2.7.2 Program Slicing
2.7.3 Statistical Analysis
...