III. Behinder (Ice Scorpion)
1、Behinder v2.0
(1) How it works
① On the first connection to the webshell, the client sends a GET request to the server.
② The server generates a random 16-character (128-bit) key, returns it to the client in the response body, and stores it in the server-side Session.
③ The client AES-encrypts the binary payload with that key (using the local openssl module) and sends the ciphertext to the server in a POST request.
④ The server reads the key back out of the Session, AES-decrypts the POST body, and obtains the binary payload.
⑤ The server parses the payload, executes the code it carries, and returns the result encrypted with the same key.
⑥ The client decrypts the result returned by the server.
(2) Code Analysis
Behinder's communication can be divided into two phases: key negotiation and encrypted transmission.
Phase I - Key Negotiation
① The client requests the key from the server with a GET (or POST) request.
② The server takes 16 hex characters of the MD5 hash of a random number as the key (the 32-character digest cut to 16).
③ The key is stored in the session ($_SESSION in the PHP shell).
④ The key is returned to the attacker in the response.
Phase II - Encrypted Transmission
① The client takes the command to be executed as input, AES-encrypts it with the negotiated key, and sends it to the server.
② The server receives the ciphertext, AES-decrypts it, and executes the corresponding command.
③ The execution result is AES-encrypted and returned to the attacker.
(3) Packet analysis
Phase I - Key Negotiation
So that arbitrary content can be placed around the webshell code (for example a gif89a file header or other marker characters), Behinder requests the key twice during initialization and compares the two responses. The characters that are identical in both responses are treated as fixed page content; the positions where they differ are recorded as beginIndex and endIndex, and subsequent encrypted responses are read from that same span.
Phase II - Encrypted Transmission
Decrypting the POST body with the negotiated key yields the plaintext payload (screenshot omitted).
(4) Flow characteristics
1. Accept field
Behinder's default Accept header carries a distinctive value, and it is present at every stage of the communication.
2. User-Agent field
Behinder has 17 built-in User-Agent strings; one of them is picked at random each time the shell is connected.
3. Persistent connection and Content-Length
Behinder uses persistent connections by default to avoid the overhead of repeated handshakes. By default the request and response headers carry
Connection: Keep-Alive
and the key response carries
Content-Length: 16
The 16-byte response is the characteristic of a Behinder 2 connection.
4. URL parameter used to fetch the key
① The key-request URI carries exactly one key=value parameter.
② The key is the password the attacker set for the shell, usually 10 or fewer letters and digits.
③ The value is usually 2 or 3 random digits.
④ The webshell's extension is that of a server-side executable script (php, jsp, asp, jspx, aspx).
5. The transmitted key
① The encryption key is a random 16-character string of lowercase letters and digits.
② During key delivery the key sits in the response body.
2、Behinder v3.0
(1) Code analysis
① Compared with Behinder 2, Behinder 3 removes dynamic key negotiation.
② The key is the first 16 characters of the MD5 hash of the connection password, and it is still stored in the Session.
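The following Go program is an added illustration, not code from Behinder's own client or server. It plays both ends of the v2 exchange described in sections (1) to (3) above and the static key of v3: V2NewKey mints a v2 key, LocateKey diffs two key responses to find the (beginIndex, endIndex) span, Encrypt and Decrypt carry the "func|params" payload both ways, and V3Key derives the v3 key from the connection password. The cipher mode (AES-128-CBC, all-zero IV, PKCS#7 padding, base64), the choice of the trailing 16 hex characters for the v2 key, and all function names are assumptions made for this example; check the mode against the shell variant you are actually looking at.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

func md5Hex(b []byte) string { s := md5.Sum(b); return hex.EncodeToString(s[:]) }

// V2NewKey plays the v2 server: 16 hex characters of the MD5 of a random value.
// Assumption: the trailing 16 of the 32; the page does not say which half.
func V2NewKey() string {
	var r [16]byte
	_, _ = rand.Read(r[:]) // crypto/rand
	return md5Hex(r[:])[16:]
}

// V3Key is the v3 static key: the first 16 hex characters of md5(password).
func V3Key(password string) string { return md5Hex([]byte(password))[:16] }

// LocateKey plays the v2 client after two key requests. The shell may wrap the
// key in fixed content (GIF89a header, markers), so the client diffs the two
// responses and records the differing span as [beginIndex, endIndex). ok is
// false if the span is not exactly 16 bytes, which happens when the two random
// keys share leading or trailing characters; the caller then requests again.
func LocateKey(resp1, resp2 string) (begin, end int, ok bool) {
	if len(resp1) != len(resp2) {
		return 0, 0, false
	}
	for begin < len(resp1) && resp1[begin] == resp2[begin] {
		begin++
	}
	for end = len(resp1); end > begin && resp1[end-1] == resp2[end-1]; {
		end--
	}
	return begin, end, end-begin == 16
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, fmt.Errorf("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// Encrypt is the transport cipher both sides use. Assumption: AES-128-CBC, all-zero
// IV, PKCS#7 padding, base64 output, i.e. what PHP's openssl_encrypt($d, "AES128",
// $key) yields with no IV; the page only says "AES via the local openssl module".
func Encrypt(key string, plain []byte) (string, error) {
	block, err := aes.NewCipher([]byte(key)) // a 16-byte key selects AES-128
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad(plain)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Decrypt reverses Encrypt and rejects malformed input instead of panicking.
func Decrypt(key, b64 string) ([]byte, error) {
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, raw)
	return pkcs7Unpad(out)
}

func main() {
	k1, k2 := V2NewKey(), V2NewKey()
	b, e, ok := LocateKey("GIF89a"+k1, "GIF89a"+k2) // v2 phase I: diff two key responses
	req, _ := Encrypt(k2, []byte("exec|whoami"))   // v2 phase II: "func|params" payload
	plain, _ := Decrypt(k2, req)                   // server side: decrypt, split on '|', eval
	// rebeyond is the default password shipped with the tool; it is not stated on this page.
	fmt.Printf("span [%d,%d) ok=%v payload=%q v3key=%s\n", b, e, ok, plain, V3Key("rebeyond"))
}
```

LocateKey deliberately refuses a span that is not exactly 16 bytes: with two hex keys the chance that they share a first or last character is not negligible, and silently taking a shorter span would corrupt every later decryption. On the defender's side, the same diff shows why a key response hidden inside a GIF header does not look like a bare 16-byte body on the wire.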
(2) Packet analysis
Request packet (screenshot omitted)
Response packet (screenshot omitted)
(3) Flow characteristics
1、Accept field
Header characteristic: the Accept value contains application/xhtml+xml, application/xml and application/signed-exchange.
2、User-Agent field
The latest version of Behinder has 14 built-in User-Agent strings; one of them is picked at random each time the shell is connected.
(4) Detection rules
alert: the rule action; on a match, generate an alert and log the packet that triggered it.
msg: the rule name, the first option in the rule body; it is the message shown in the IDS alert.
flow: packets that share the same 5-tuple within a given time window belong to one flow; flow:established,to_client restricts the rule to packets of an established flow heading to the client (to_server: heading to the server).
content: match a byte pattern in the packet (nocase makes it case-insensitive, fast_pattern makes it the pattern used for pre-filtering).
pcre: Perl-compatible regular expression match.
flowbits: set a named flag on the flow in one rule (flowbits:set) and test it in a later rule (flowbits:isset), so that an alert is raised only when several packets of the same flow match in sequence; noalert suppresses the alert of a rule that only sets a flag.
classtype: categorizes the rule by the type of activity it detects.
sid: signature identifier; it uniquely identifies the rule and must not be repeated.
The seven rules form chains: sid 3000021 to 3000025 for the php/jsp/asp/jspx/aspx shells, and 3000026 and 3000027 for the jspx shell. Every rule except the last of each chain carries noalert and only sets a flowbit for the next rule to test. (The literal double quote inside the pcre is written \" so the rule parses.)

alert http any any -> any any (msg:"MALWARE-BACKDOOR Behinder webshell online detected"; flow:established,to_client; pcre:"/\r\n\r\n[A-Za-z0-9]{16}$/"; content:"200 OK"; content:"Content-Length: 16"; fast_pattern; nocase; flowbits:set,bx_first_get_resp; noalert; classtype:web-attack; sid:3000021; rev:1; metadata:created_at 2019_11_20, updated_at 2019_11_20;)

alert http any any -> any any (msg:"MALWARE-BACKDOOR Behinder webshell online detected"; flow:established,to_server; content:"GET"; http_method; pcre:"/\.(php|jsp|asp|jspx|aspx)\?\w{1,8}=\d{1,10} HTTP\/1\.1/"; flowbits:isset,bx_first_get_resp; flowbits:set,bx_second_get_req; noalert; classtype:web-attack; sid:3000022; rev:1; metadata:created_at 2019_11_20, updated_at 2019_11_20;)

alert http any any -> any any (msg:"MALWARE-BACKDOOR Behinder webshell online detected"; flow:established,to_client; pcre:"/\r\n\r\n[A-Za-z0-9]{16}$/"; content:"Content-Length: 16"; fast_pattern; nocase; flowbits:isset,bx_second_get_req; flowbits:set,bx_second_get_resp; noalert; classtype:web-attack; sid:3000023; rev:1; metadata:created_at 2019_11_20, updated_at 2019_11_20;)

alert http any any -> any any (msg:"MALWARE-BACKDOOR Behinder webshell online detected"; flow:established,to_server; content:"POST"; http_method; pcre:"/\.(php|jsp|asp|jspx|aspx) HTTP\/1\.1/"; flowbits:isset,bx_second_get_resp; flowbits:set,bx_first_post_req; noalert; classtype:web-attack; sid:3000024; rev:1; metadata:created_at 2019_11_20, updated_at 2019_11_20;)

alert http any any -> any any (msg:"MALWARE-BACKDOOR Behinder webshell online detected"; flow:established,to_client; pcre:"/[^\w\s><=\-'\"\:\;\,\!\(\)\{\}][\w]{2}[^\w\s><=\-'\"\.\:\;\,\!\(\)\{\}][a-zA-Z\d]{2}/"; content:"200 OK"; content:"Content-Type: text/html"; flowbits:isset,bx_first_post_req; classtype:web-attack; sid:3000025; rev:1; metadata:created_at 2019_11_20, updated_at 2019_11_20;)

alert http any any -> any any (msg:"MALWARE-BACKDOOR Behinder webshell-jspx online"; flow:established,to_server; pcre:"/\r\n\r\n[a-zA-Z\d\+\/]{10,}\/[a-zA-Z\d\/]{50}/"; content:"Content-Type: application/octet-stream"; fast_pattern; flowbits:isset,bx_second_get_resp; flowbits:set,bx_req_jspx; noalert; classtype:web-attack; sid:3000026; rev:1; metadata:created_at 2019_11_20, updated_at 2019_11_20;)

alert http any any -> any any (msg:"MALWARE-BACKDOOR Behinder webshell-jspx online"; flow:established,to_client; pcre:"/[^\w\s><=\-'\"\:\;\,\!\(\)\{\}][\w]{2}[^\w\s><=\-'\"\.\:\;\,\!\(\)\{\}][a-zA-Z\d]{2}/"; content:"200 OK"; content:"Content-Type: text/xml"; fast_pattern; flowbits:isset,bx_req_jspx; classtype:web-attack; sid:3000027; rev:1; metadata:created_at 2019_11_20, updated_at 2019_11_20;)
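The following Go program is an added example, not part of this page's original content and not Suricata code. It replays the five-rule Behinder 2 chain (sid 3000021 to 3000025) as a flowbits state machine over a constructed HTTP exchange, so the effect of noalert and of the isset/set ordering can be seen directly. The HTTP messages, the host name victim.example, the path /upload/shell.php, the key values and all function names are constructed for the example; the content matches are simplified to substring checks and the pcre patterns are transcribed into Go's RE2 syntax.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Flow holds the flowbits of one 5-tuple, the state the rule chain shares.
type Flow struct{ bits map[string]bool }

// rule reduces a Suricata rule to what the chain depends on: direction, the
// flowbit it requires (isset), a matcher standing in for content/pcre/
// http_method, the flowbit it sets, and whether it is noalert.
type rule struct {
	sid      int
	toServer bool
	isset    string
	match    func(raw string) bool
	set      string
	noalert  bool
}

var (
	keyBody = regexp.MustCompile(`\r\n\r\n[A-Za-z0-9]{16}$`)
	keyReq  = regexp.MustCompile(`\.(php|jsp|asp|jspx|aspx)\?\w{1,8}=\d{1,10} HTTP/1\.1`)
	postReq = regexp.MustCompile(`\.(php|jsp|asp|jspx|aspx) HTTP/1\.1`)
	// the "looks like ciphertext" pcre of sid 3000025, in RE2 syntax
	cipherish = regexp.MustCompile(`[^\w\s><=\-'":;,!(){}]\w{2}[^\w\s><=\-'".:;,!(){}][a-zA-Z\d]{2}`)
)

// has is a case-insensitive substring match standing in for content + nocase.
// Note it also matches "Content-Length: 160", as the original content match does.
func has(raw, s string) bool { return strings.Contains(strings.ToLower(raw), strings.ToLower(s)) }

// v2Chain is the five-rule chain from the page, in evaluation order.
var v2Chain = []rule{
	{3000021, false, "", func(r string) bool { return has(r, "200 OK") && has(r, "Content-Length: 16") && keyBody.MatchString(r) }, "bx_first_get_resp", true},
	{3000022, true, "bx_first_get_resp", func(r string) bool { return strings.HasPrefix(r, "GET ") && keyReq.MatchString(r) }, "bx_second_get_req", true},
	{3000023, false, "bx_second_get_req", func(r string) bool { return has(r, "Content-Length: 16") && keyBody.MatchString(r) }, "bx_second_get_resp", true},
	{3000024, true, "bx_second_get_resp", func(r string) bool { return strings.HasPrefix(r, "POST ") && postReq.MatchString(r) }, "bx_first_post_req", true},
	{3000025, false, "bx_first_post_req", func(r string) bool { return has(r, "200 OK") && has(r, "Content-Type: text/html") && cipherish.MatchString(r) }, "", false},
}

// Inspect evaluates the chain against one HTTP message on a flow: a rule whose
// direction, flowbit precondition and matcher all hold sets its flowbit and
// alerts unless it is noalert. It returns the sids that alerted.
func Inspect(f *Flow, toServer bool, raw string) []int {
	var fired []int
	for _, r := range v2Chain {
		if r.toServer != toServer || (r.isset != "" && !f.bits[r.isset]) || !r.match(raw) {
			continue
		}
		if r.set != "" {
			f.bits[r.set] = true
		}
		if !r.noalert {
			fired = append(fired, r.sid)
		}
	}
	return fired
}

type msg struct {
	toServer bool
	raw      string
}

// V2Session is a constructed (not captured) v2 exchange: two key GETs, then one
// encrypted POST. prefix is whatever the shell emits before the key ("" for a
// bare shell, "GIF89a" for one disguised as an image).
func V2Session(prefix string) []msg {
	const crlf = "\r\n"
	keyResp := func(k string) string {
		body := prefix + k
		return "HTTP/1.1 200 OK" + crlf + "Content-Type: text/html" + crlf +
			fmt.Sprintf("Content-Length: %d", len(body)) + crlf + "Connection: Keep-Alive" + crlf + crlf + body
	}
	get := "GET /upload/shell.php?pass=123 HTTP/1.1" + crlf + "Host: victim.example" + crlf + crlf
	post := "POST /upload/shell.php HTTP/1.1" + crlf + "Host: victim.example" + crlf + crlf + "3x7Kq9Lm+z2Rv/8Pw1Qn=="
	result := "HTTP/1.1 200 OK" + crlf + "Content-Type: text/html" + crlf + crlf + "u8+Kp/1qZ@x3Vb#9Qk"
	return []msg{{true, get}, {false, keyResp("3c9f1a2b4d5e6f70")}, {true, get},
		{false, keyResp("a1b2c3d4e5f60718")}, {true, post}, {false, result}}
}

// Run feeds one session through a fresh flow and returns every sid that alerted.
func Run(session []msg) []int {
	f := &Flow{bits: map[string]bool{}}
	var alerts []int
	for _, m := range session {
		alerts = append(alerts, Inspect(f, m.toServer, m.raw)...)
	}
	return alerts
}

func main() {
	fmt.Println("bare shell   :", Run(V2Session("")))
	fmt.Println("GIF89a shell :", Run(V2Session("GIF89a")))
}
```

The bare session alerts exactly once, on sid 3000025, because the four earlier rules only set flowbits. The second run shows the chain's blind spot: a shell that prefixes the key with a GIF89a header answers with Content-Length: 22 and a body that no longer matches \r\n\r\n[A-Za-z0-9]{16}$, so sid 3000021 never sets bx_first_get_resp and nothing downstream can fire. That is the very padding the two-request diff in section (3) was built to tolerate on the attacker's side, so a detection that relies on the bare 16-byte key response alone should be paired with the Accept, User-Agent and URL-parameter characteristics above.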