Abstract
Server-side malware is one of the prevalent threats that can affect a large number of clients who visit the compromised server. In this paper, we propose Dazzle-attack, a new advanced server-side attack that is resilient to forensic analysis such as reverse-engineering. Dazzle-attack retrieves typical (and non-suspicious) contents from benign and uncompromised websites to avoid detection and to mislead the investigation into erroneously associating the attacks with benign websites. Dazzle-attack leverages a specialized state machine that accepts any input and produces outputs with respect to the inputs, which substantially enlarges the input-output space and makes reverse-engineering significantly more difficult. We develop a prototype of Dazzle-attack and conduct an empirical evaluation to show that it imposes significant challenges on forensic analysis.
B. Lee and K. Lim—Co-first authors and listed in alphabetical order.
Notes
1. The name Dazzle-attack originates from Dazzle camouflage, a family of ship camouflage consisting of complex patterns of geometric shapes [67].
References
Best PHP Obfuscator (2018). http://www.pipsomania.com/best_php_obfuscator.do
A text file containing 479 k English words (2019). https://github.com/dwyl/english-words
Joomla: Content Management System (CMS) (2019). https://www.joomla.org/
Linux Malware Detect (2019). https://www.rfxn.com/projects/linux-malware-detect/
NPR: National Public Radio (2019). https://npr.org/
NPR: News and National Top Stories (2019). https://npr.org/sections/national/
PHP: Pspell Functions (2019). https://www.php.net/manual/en/ref.pspell.php
Shellray: A PHP webshell detector (2019). https://shellray.com/
VirusShare (2019). https://virusshare.com/
WordPress (2019). https://wordpress.com/
Dazzle-Attack: Supplementary Materials (2020). https://sites.google.com/view/dazzle-attack-additional/home
CISA: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets (2020). https://us-cert.cisa.gov/ncas/alerts/aa20-296a
Anderson, H.S., Kharkar, A., Filar, B., Evans, D., Roth, P.: Learning to evade static PE machine learning Malware models via reinforcement learning. arXiv preprint arXiv:1801.08917 (2018)
Aqil, A., et al.: Detection of stealthy TCP-based DoS attacks. In: MILCOM 2015–2015 IEEE Military Communications Conference, pp. 348–353. IEEE (2015)
van Arnhem, B.: PHPScan: symbolic execution inspired PHP application scanner for code-path discovery (2017). https://github.com/bartvanarnhem/phpscan
Balzarotti, D., et al.: Saner: composing static and dynamic analysis to validate sanitization in web applications. In: 2008 IEEE Symposium on Security and Privacy (S&P), pp. 387–401. IEEE (2008)
Bart, P.: PHP-backdoors: a collection of PHP backdoors
BDLeet: public-shell: Some Public Shell (2016). https://github.com/BDLeet/public-shell
Becchi, M., Crowley, P.: A hybrid finite automaton for practical deep packet inspection. In: Proceedings of the 2007 ACM CoNEXT Conference, p. 1. ACM (2007)
BlackArch: webshells: Various webshells (2019). https://github.com/BlackArch/webshells
Cadar, C., Dunbar, D., Engler, D.R., et al.: Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs. In: OSDI, vol. 8, pp. 209–224 (2008)
Christodorescu, M., Jha, S., Seshia, S.A., Song, D., Bryant, R.E.: Semantics-aware malware detection. In: 2005 IEEE Symposium on Security and Privacy (S&P), pp. 32–46. IEEE (2005)
Dahse, J., Schwenk, J.: RIPS: a static source code analyser for vulnerabilities in PHP scripts (2010). Accessed 28 Feb 2012
Designsecurity: progpilot: a static analysis tool for security (2016). https://github.com/designsecurity/progpilot
Dharmapurikar, S., Krishnamurthy, P., Sproull, T., Lockwood, J.: Deep packet inspection using parallel bloom filters. In: 11th Symposium on High Performance Interconnects, 2003. Proceedings, pp. 44–51. IEEE (2003)
Erdődi, L., Jøsang, A.: Exploitation vs. prevention: the ongoing saga of software vulnerabilities. Acta Polytech. Hung. 17(7) (2020)
Fauth, M.M.: phpMyAdmin: a web interface for MySQL and MariaDB (2019). https://github.com/phpmyadmin/phpmyadmin
Filaretti, D., Maffeis, S.: An executable formal semantics of PHP. In: Jones, R. (ed.) ECOOP 2014. LNCS, vol. 8586, pp. 567–592. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44202-9_23
FIREEYE: APT41: Double Dragon, a dual espionage and cyber crime operation (2019). https://content.fireeye.com/apt-41/rpt-apt41
Fonk, M.: PHP-obfuscator: a parsing PHP obfuscator (2019). https://github.com/naneau/php-obfuscator
Fratantonio, Y., Bianchi, A., Robertson, W., Kirda, E., Kruegel, C., Vigna, G.: TriggerScope: towards detecting logic bombs in android applications. In: 2016 IEEE symposium on security and privacy (SP), pp. 377–396. IEEE (2016)
Grimes, H.Y.: Eir: static vulnerability detection in PHP applications (2015)
Hauzar, D., Kofroň, J.: WeVerca: web applications verification for PHP. In: Giannakopoulou, D., Salaün, G. (eds.) SEFM 2014. LNCS, vol. 8702, pp. 296–301. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10431-7_24
Jensen, T., Pedersen, H., Olesen, M.C., Hansen, R.R.: THAPS: automated vulnerability scanning of PHP applications. In: Jøsang, A., Carlsson, B. (eds.) NordSec 2012. LNCS, vol. 7617, pp. 31–46. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34210-3_3
Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities. In: 2006 IEEE Symposium on Security and Privacy (S&P), p. 6. IEEE (2006)
Jovanovic, N., Kruegel, C., Kirda, E.: Static analysis for detecting taint-style vulnerabilities in web applications. J. Comput. Secur. 18(5), 861–907 (2010)
Jung, C., et al.: Hiding critical program components via ambiguous translations. In: 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE). IEEE (2022)
Jung, C., Kim, D., Wang, W., Zheng, Y., Lee, K.H., Kwon, Y.: Defeating program analysis techniques via ambiguous translation. In: 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 1382–1387. IEEE (2021)
Kapravelos, A., Shoshitaishvili, Y., Cova, M., Kruegel, C., Vigna, G.: Revolver: an automated approach to the detection of evasive web-based malware. In: Presented as part of the 22nd USENIX Security Symposium, pp. 637–652 (2013)
Kasturi, R.P., et al.: TARDIS: rolling back the clock on CMS-targeting cyber attacks. In: 2020 IEEE Symposium on Security and Privacy, SP 2020, San Francisco, CA, USA, 18–21 May 2020, pp. 1156–1171. IEEE (2020). https://doi.org/10.1109/SP40000.2020.00116
Kim, K., et al.: J-force: forced execution on JavaScript. In: Proceedings of the 26th international conference on World Wide Web, pp. 897–906. International World Wide Web Conferences Steering Committee (2017)
Kinder, J., Katzenbeisser, S., Schallhart, C., Veith, H.: Detecting malicious code by model checking. In: Julisch, K., Kruegel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 174–187. Springer, Heidelberg (2005). https://doi.org/10.1007/11506881_11
Kissian, P.: YAK Pro: PHP Obfuscator (2019). https://www.php-obfuscator.com/
Kneuss, E., Suter, P., Kuncak, V.: Phantm: PHP analyzer for type mismatch. In: FSE 2010: Proceedings of the Eighteenth ACM SIGSOFT International Symposium on Foundations of Software Engineering (2010)
Kolosnjaji, B., et al.: Adversarial malware binaries: evading deep learning for malware detection in executables. In: 2018 26th European Signal Processing Conference (EUSIPCO), pp. 533–537. IEEE (2018)
Kumar, S., Dharmapurikar, S., Yu, F., Crowley, P., Turner, J.: Algorithms to accelerate multiple regular expressions matching for deep packet inspection. In: ACM SIGCOMM Computer Communication Review, vol. 36, pp. 339–350. ACM (2006)
Lie, R.: Simple online PHP obfuscator: encodes PHP code into random letters, numbers and/or characters (2019). https://www.mobilefish.com/services/php_obfuscator/php_obfuscator.php
CPO Magazine: New Report Reveals Chinese APT Groups May Have Been Entrenched in Some Servers for Nearly a Decade Using Little-Known Linux Exploits (2020). https://www.cpomagazine.com/cyber-security/new-report-reveals-chinese-apt-groups-may-have-been-entrenched-in-some-servers-for-nearly-a-decade-using-little-known-linux-exploits/
Mao, J., et al.: Detecting malicious behaviors in JavaScript applications. IEEE Access 6, 12284–12294 (2018)
Masters, L.: CakePHP: The Rapid Development Framework for PHP (2019). https://cakephp.org/
Medeiros, I., Neves, N.F., Correia, M.: Automatic detection and correction of web application vulnerabilities using data mining to predict false positives. In: Proceedings of the 23rd International Conference on World Wide Web, pp. 63–74. ACM (2014)
Microsoft: Microsoft Defender Advanced Threat Protection (2019). https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection
Mirtes, O.: PHPStan: PHP Static Analysis Tool (2019). https://github.com/phpstan/phpstan
Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: 2007 IEEE Symposium on Security and Privacy, pp. 231–245. IEEE (2007)
Naderi-Afooshteh, A., Kwon, Y., Nguyen-Tuong, A., Razmjoo-Qalaei, A., Zamiri-Gourabi, M.R., Davidson, J.W.: MalMax: multi-aspect execution for automated dynamic web server malware analysis. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1849–1866 (2019)
Nathan, P.: PyTextRank: a Python implementation of TextRank for text document NLP parsing and summarization (2016). https://github.com/ceteri/pytextrank/
Nguyen, H.V., Nguyen, H.A., Nguyen, T.T., Nguyen, T.N.: Auto-locating and fix-propagating for HTML validation errors to PHP server-side code. In: Proceedings of the 2011 26th IEEE/ACM International Conference on Automated Software Engineering, pp. 13–22. IEEE Computer Society (2011)
nixawk: fuzzdb: Web Fuzzing Discovery and Attack Pattern Database (2018). https://github.com/nixawk/fuzzdb
Nunes, P.J.C., Fonseca, J., Vieira, M.: phpSAFE: a security analysis tool for OOP web application plugins. In: 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (2015)
Olivo, O.: TaintPHP: Static Taint Analysis for PHP web applications (2016). https://github.com/olivo/TaintPHP
OneSourceCat: phpvulhunter: A tool that can scan php vulnerabilities automatically using static analysis methods (2015). https://github.com/OneSourceCat/phpvulhunter
Papagiannis, I., Migliavacca, M., Pietzuch, P.: PHP Aspis: using partial taint tracking to protect against injection attacks. In: 2nd USENIX Conference on Web Application Development, vol. 13 (2011)
Peng, F., Deng, Z., Zhang, X., Xu, D., Lin, Z., Su, Z.: X-force: force-executing binary programs for security applications. In: 23rd USENIX Security Symposium, pp. 829–844 (2014)
Piantadosi, V., Scalabrino, S., Oliveto, R.: Fixing of security vulnerabilities in open source projects: a case study of Apache HTTP Server and Apache Tomcat. In: 2019 12th IEEE Conference on Software Testing, Validation and Verification (ICST), pp. 68–78. IEEE (2019)
Preda, M.D., Christodorescu, M., Jha, S., Debray, S.: A semantics-based approach to malware detection. ACM SIGPLAN Not. 42(1), 377–388 (2007)
Ridter: Pentest (2019). https://github.com/Ridter/Pentest
Ruslan Budnik: The Fantastic Idea of Dazzle Camouflage (2019). https://www.warhistoryonline.com/instant-articles/dazzle-camouflage.html
Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., Song, D.: A symbolic execution framework for JavaScript. In: 2010 IEEE Symposium on Security and Privacy, pp. 513–528. IEEE (2010)
Sherry, J., Lan, C., Popa, R.A., Ratnasamy, S.: BlindBox: deep packet inspection over encrypted traffic. ACM SIGCOMM Comput. Commun. Rev. 45(4), 213–226 (2015)
Shu, X., Yao, D., Ramakrishnan, N.: Unearthing stealthy program attacks buried in extremely long execution paths. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 401–413. ACM (2015)
Symantec: Norton™ Antivirus & Anti-Malware Software (2019). https://us.norton.com/
nbs-system: php-malware-finder: Detect potentially malicious PHP files (2019). https://github.com/nbs-system/php-malware-finder/
tanjiti: webshellSample: Webshell sample for WebShell Log Analysis (2018). https://github.com/tanjiti/webshellSample
Taylor, T., et al.: Detecting malicious exploit kits using tree-based similarity searches. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pp. 255–266. ACM (2016)
tennc: webshell: A webshell open source project (2019). https://github.com/tennc/webshell
Troon, J.: PHP-webshells: Common PHP webshells (2016). https://github.com/JohnTroony/php-webshells
tutorial0: WebShell: WebShell Collect (2016). https://github.com/tdifg/WebShell
vimeo: psalm: A static analysis tool for finding errors in PHP applications (2019). https://github.com/vimeo/psalm
xl7dev: WebShell: Webshell & Backdoor Collection (2017). https://github.com/xl7dev/WebShell
Yang, Q.: Taint-em-All: a taint analysis tool for the PHP language (2019). https://github.com/quanyang/Taint-em-All
Acknowledgement
We thank the anonymous referees for their constructive feedback. The authors gratefully acknowledge the support of NSF 1916499, 1908021, 1850392, 2145616, and 2210137. This research was partially supported by Science Alliance’s StART program, National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. NRF-2021R1A4A1029650), and gifts from Cisco Systems and Google exploreCSR. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsor.
A Appendix
A.1 Payload types
A webshell is malware that lets attackers access a compromised server through a web browser that acts as a command-line interface. A backdoor provides attackers with remote access to an infected machine. Bypassers are used to evade local or remote security mechanisms (e.g., firewalls). Uploaders are used to remotely inject additional malware into victim machines. Spammers compose and send spoofed/spam emails. SQLShells allow remote attackers to access the databases of compromised servers, similar to webshells. A reverse shell is a shell that connects back to the attacker’s machine from the victim’s machine. Flooders are used to launch Denial of Service (DoS) attacks by sending an excessive number of network packets.
Copyright information
© 2023 Springer Nature Switzerland AG
Cite this paper
Lee, B. et al. (2023). Dazzle-attack: Anti-Forensic Server-side Attack via Fail-Free Dynamic State Machine. In: You, I., Youn, TY. (eds) Information Security Applications. WISA 2022. Lecture Notes in Computer Science, vol 13720. Springer, Cham. https://doi.org/10.1007/978-3-031-25659-2_15
DOI: https://doi.org/10.1007/978-3-031-25659-2_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-25658-5
Online ISBN: 978-3-031-25659-2