
WebShell Traffic Characterization_IceScorpion

Published: 2024-09-04 09:40:40

III. Ice Scorpion

1. Behinder v2.0

(1) Implementation principle

① When connecting to the webshell for the first time, the client sends a GET request to the server.

② The server randomly generates a 16-character key, returns it to the client, and stores it in the server-side Session.

③ Once the client has the key, it AES-encrypts the binary payload (using the local openssl module) and sends it to the server via POST.

④ After receiving the data, the server retrieves the key from the Session, AES-decrypts the data, and obtains the binary payload.

⑤ The server parses the binary payload, executes arbitrary code, and returns the result encrypted.

⑥ The client decrypts the result returned by the server.

(2) Code Analysis

The communication process of IceScorpion can be divided into two stages: key negotiation and encrypted transmission.

Phase I - Key Negotiation

The client requests the server key via a GET or POST request.

The server uses the first 16 characters of the MD5 hash of a random number as the key

and stores it in the session's $_SESSION variable.

The key is then returned to the attacker.

Phase II - Encrypted Transmission

The client takes the command to be executed as input, encrypts it using the AES algorithm, and sends it to the server

The server receives the ciphertext, decrypts it with AES, and executes the corresponding command.

The execution result is encrypted with AES and returned to the attacker.

(3) Packet analysis

Phase I - Key Negotiation

Because IceScorpion allows arbitrary content to be placed in the webshell (for example a gif89a file header or other marker characters), it requests the webshell twice during key initialization and compares the two returned pages. The positions at which the two responses contain the same characters are recorded (beginIndex, endIndex), and subsequent encrypted exchanges use these two positions to locate the ciphertext in the response.

Phase II - Encrypted Transmission

The AES decryption message using the key is as follows:

(4) Flow characteristics

1. Accept field

IceScorpion's default Accept header carries a distinctive value, and this feature is present at every stage of IceScorpion's communication.

2. UserAgent field

IceScorpion has 17 built-in UserAgents, one of which is randomly selected each time you connect to the shell.

3. Keep-alive connections and Content-Length

IceScorpion uses keep-alive (persistent) connections by default to avoid the resource overhead of repeated handshakes. By default, the request and response headers carry:
Connection: Keep-Alive
Content-Length: 16 ## 16 is the characteristic value of an IceScorpion 2 connection (the 16-character key response)

4. URL parameters for key transfer

The key-request URI carries only a single key=value parameter.
The key is the password the attacker set for the shell, usually no more than 10 letters and digits.
The value is generally a random number of 2 to 3 digits.
The webshell's extension is usually that of an executable script.

5. The transmitted key

The key used for encryption is a random 16-character string of lowercase letters and digits.
During the key-delivery phase, the key appears in the response body.

2. Behinder v3.0

(1) Code analysis

Compared with IceScorpion 2, IceScorpion 3 removes dynamic key acquisition.
The key is the first 16 characters of the MD5 hash of the connection password and is stored in the Session.

(2) Packet analysis

Request packet

Response packet

(3) Flow characteristics

1. Accept field

Header feature: application/xhtml+xml,application/xml,application/signed-exchange

2. UserAgent field

The latest version of IceScorpion has 14 built-in UserAgents, one of which is randomly selected for use each time you connect to the shell.

(4) Detection rules

alert: the rule action; logs the packets that match the rule and generates an alert

msg: the rule name, the first field in the rule; it is the message shown in the IDS alert

flow: packets sharing the same 5-tuple within a given time window belong to the same flow; the keyword also restricts the rule to a connection state and direction (established, to_client, to_server)

content: checks that the given string is present in the packet

pcre: matches a Perl-compatible regular expression against the packet

flowbits: state bits shared across a flow; a later rule can require (isset) a bit that an earlier rule set, so an alert is generated only when, for example, two different packets in the same flow both match

classtype: categorizes the rule by the type of activity it detects

sid: the signature identifier, used to uniquely identify a rule; a sid must not be repeated

alert http any any -> any any(msg:"MALWARE-BACKDOOR Behinder webshell online detected"; flow:established,to_client; pcre: "/\r\n\r\n[A-Za-z0-9]{16}$/"; content:"200 OK"; content: "Content-Length: 16"; fast_pattern;nocase; flowbits: set, bx_first_get_resp; noalert; classtype:web-attack;sid:3000021; rev:1; metadata:created_at 2019_11_20, updated_at 2019_11_20;)
alert http any any -> any any(msg:"MALWARE-BACKDOOR Behinder webshell online detected"; flow:established,to_server; content:"GET"; http_method; pcre:"/\.(php|jsp|asp|jspx|aspx)\?\w{1,8}=\d{1,10} HTTP/1\.1/";flowbits:isset, bx_first_get_resp; flowbits:set, bx_second_get_req; noalert;classtype:web-attack; sid:3000022; rev:1; metadata:created_at 2019_11_20,updated_at 2019_11_20;)
alert http any any -> any any(msg:"MALWARE-BACKDOOR Behinder webshell online detected"; flow:established,to_client; pcre: "/\r\n\r\n[A-Za-z0-9]{16}$/"; content:"Content-Length: 16"; fast_pattern; nocase; flowbits: isset,bx_second_get_req; flowbits:set, bx_second_get_resp; noalert;classtype:web-attack; sid:3000023; rev:1; metadata:created_at 2019_11_20,updated_at 2019_11_20;)
alert http any any -> any any(msg:"MALWARE-BACKDOOR Behinder webshell online detected"; flow:established,to_server; content:"POST"; http_method; pcre:"/\.(php|jsp|asp|jspx|aspx) HTTP/1\.1/"; flowbits:isset, bx_second_get_resp;flowbits:set, bx_first_post_req; noalert; classtype:web-attack; sid:3000024;rev:1; metadata:created_at 2019_11_20, updated_at 2019_11_20;)
alert http any any -> any any(msg:"MALWARE-BACKDOOR Behinder webshell online detected"; flow:established,to_client; pcre: "/[^\w\s><=\-'"\:\;\,\!\(\)\{\}][\w]{2}[^\w\s><=\-'"\.\:\;\,\!\(\)\{\}][a-zA-Z\d]{2}/";content: "200 OK"; content: "Content-Type: text/html";flowbits: isset, bx_first_post_req; classtype:web-attack; sid:3000025; rev:1;metadata:created_at 2019_11_20, updated_at 2019_11_20;)
alert http any any -> any any(msg:"MALWARE-BACKDOOR Behinder webshell-jspx online"; flow:established,to_server; pcre:"/\r\n\r\n[a-zA-Z\d\+\/]{10,}\/[a-zA-Z\d\/]{50}/"; content:"Content-Type: application/octet-stream"; fast_pattern; flowbits:isset, bx_second_get_resp; flowbits: set, bx_req_jspx; noalert;classtype:web-attack; sid:3000026; rev:1; metadata:created_at 2019_11_20,updated_at 2019_11_20;)
alert http any any -> any any(msg:"MALWARE-BACKDOOR Behinder webshell-jspx online"; flow:established,to_client; pcre:"/[^\w\s><=\-'"\:\;\,\!\(\)\{\}][\w]{2}[^\w\s><=\-'"\.\:\;\,\!\(\)\{\}][a-zA-Z\d]{2}/";content: "200 OK"; content: "Content-Type: text/xml";fast_pattern; flowbits: isset, bx_req_jspx; classtype:web-attack; sid:3000027;rev:1; metadata:created_at 2019_11_20, updated_at 2019_11_20;)
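As an added example (not code from the page or from the Behinder project), the following Python replays a constructed IceScorpion 2 handshake through a simplified model of the php/jsp rule chain above (sid 3000021 to 3000025), which also exercises the flow characteristics from section (4): the single key=value parameter in the key request, Content-Length: 16 with a 16-character key body, and the POST followed by a non-text response. The 5-tuple, URL and message bodies are constructed; content strings are compared case-insensitively throughout (approximating nocase), and http_method, fast_pattern and the metadata keywords are ignored.

```python
import re

# Constructed sample, not a real capture: one Behinder v2 handshake on one flow.
FLOW = ("10.0.0.5", 51234, "10.0.0.10", 80)  # hypothetical 5-tuple stand-in
GET_REQ = b"GET /up/shell.php?pass=123 HTTP/1.1\r\nHost: t\r\n\r\n"
KEY_RESP = (b"HTTP/1.1 200 OK\r\nContent-Length: 16\r\nConnection: Keep-Alive"
            b"\r\n\r\na3f9c2d1e4b5a6c7")     # 16-char key in the response body
SAMPLE = [
    (FLOW, "to_server", GET_REQ), (FLOW, "to_client", KEY_RESP),
    (FLOW, "to_server", GET_REQ), (FLOW, "to_client", KEY_RESP),
    (FLOW, "to_server", b"POST /up/shell.php HTTP/1.1\r\nHost: t\r\n\r\n\x8a\x01\x91\xc4"),
    (FLOW, "to_client", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n\x8aab\x91cd\x00"),
]

# sid 3000021..3000025 reduced to direction, content strings, pcre, the flowbit a
# rule needs (isset) and the one it sets; only the last rule lacks noalert.
KEY_PCRE = rb"\r\n\r\n[A-Za-z0-9]{16}$"
BIN_PCRE = rb"[^\w\s><=\-'\"\:\;\,\!\(\)\{\}]\w{2}[^\w\s><=\-'\"\.\:\;\,\!\(\)\{\}][a-zA-Z\d]{2}"
RULES = [
    (3000021, "to_client", [b"200 OK", b"Content-Length: 16"], KEY_PCRE, None, "bx_first_get_resp", False),
    (3000022, "to_server", [b"GET"], rb"\.(php|jsp|asp|jspx|aspx)\?\w{1,8}=\d{1,10} HTTP/1\.1",
     "bx_first_get_resp", "bx_second_get_req", False),
    (3000023, "to_client", [b"Content-Length: 16"], KEY_PCRE, "bx_second_get_req", "bx_second_get_resp", False),
    (3000024, "to_server", [b"POST"], rb"\.(php|jsp|asp|jspx|aspx) HTTP/1\.1",
     "bx_second_get_resp", "bx_first_post_req", False),
    (3000025, "to_client", [b"200 OK", b"Content-Type: text/html"], BIN_PCRE, "bx_first_post_req", None, True),
]

def matches(contents, pcre, msg):
    """Stateless part of a rule: every content string (compared case-insensitively,
    approximating nocase) must be present and the pcre must hit the raw message."""
    low = msg.lower()
    return all(c.lower() in low for c in contents) and re.search(pcre, msg) is not None

def replay(messages):
    """Run (flow, direction, raw_message) triples through the chain. flowbits are kept
    per flow, so a rule with a 'need' bit fires only after an earlier message on the
    same flow set it; a lone POST therefore never alerts. Returns [(flow, sid), ...]."""
    bits, alerts = {}, []
    for flow, direction, msg in messages:
        state = bits.setdefault(flow, set())
        for sid, d, contents, pcre, need, sets, alert in RULES:
            if d != direction or (need and need not in state):
                continue
            if matches(contents, pcre, msg):
                if sets:
                    state.add(sets)
                if alert:
                    alerts.append((flow, sid))
    return alerts
```

Replaying the full sample yields a single alert for sid 3000025, while replaying only the POST and its response (or only the two GET exchanges) yields none, which is the point of chaining the stages with flowbits.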