On the detection of malicious web shells and compromised websites

For my first blog post on the Cyber Investigator, I would like to show an example of academic research on a cybercrime-related topic with elements of security measurements. It does not require enormous resources and collaborations, just an understanding of the technology and connecting the dots. Hopefully, it will encourage young security researchers to brainstorm other ways of investigating and preventing cybercrimes.

Closer to the point, today we are going to search for compromised websites and servers around the globe by detecting the malicious web shells that attackers upload to and use on them. Web shells are special scripts that hackers usually use to maintain access to victim machines after a successful exploit. These pieces of software run on compromised servers and provide adversaries with the ability to execute remote commands, browse file systems, upload files, elevate privileges, send spam emails, etc. More precisely, our goal is to monitor victim websites and ongoing attacks, as shown on the map below. The discussed method makes it possible to provide early warning of compromised websites, all the way to remotely disarming a shell and evicting the attacker.

Figure (victim_attacker_pairs_main): Top 10 compromised websites (black points) by the number of unique remote IP addresses from which attackers access the detected malicious web shells (shown with arrows).

For the technical part, we need to understand the risks of inclusions from stale domains, so I will start by explaining it…
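As an added illustration of what a "remote inclusion" inventory looks like from the defender's side (this is example code written for this post's topic, not the author's research tooling), the script below walks a set of web files and reports every external hostname they pull content from. The file contents, hostnames and the `.test` domains are constructed for the example; checking whether a reported domain is still registered is a separate step the script does not perform.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample web root (not from the post): one HTML page and one PHP
# script, each with a mix of local and remote inclusions.
SAMPLE_FILES: Dict[str, str] = {
    "index.html": """<html><head>
<script src="https://cdn.example-stale.test/lib/jquery.min.js"></script>
<link rel="stylesheet" href="//static.example-stale.test/style.css">
<script src="/assets/local.js"></script>
</head><body><img src="http://img.example.test/logo.png"></body></html>""",
    "tool.php": """<?php
include('http://lib.example-stale.test/helper.php');
require_once 'config.php';
?>""",
}

# HTML tags whose src/href attribute loads content into the page.
HTML_REF = re.compile(
    r'<(?:script|link|img|iframe)\b[^>]*?\b(?:src|href)\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)
# PHP include/require statements with a quoted target.
PHP_INC = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(?\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def external_hosts(content: str) -> Set[str]:
    """Return the hostnames of every remote inclusion found in one file.

    Local paths (no scheme and no host) are ignored; protocol-relative
    references such as //host/path count as remote.
    """
    hosts: Set[str] = set()
    for pattern in (HTML_REF, PHP_INC):
        for match in pattern.finditer(content):
            netloc = urlparse(match.group(1)).netloc
            if netloc:
                hosts.add(netloc.lower())
    return hosts


def inventory(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each external hostname to the sorted list of files that include it.

    Each hostname in the result is a candidate to check for expiry: a domain
    that is no longer registered can be taken over by whoever registers it,
    and every file listed under it would then load that party's content.
    """
    by_host: Dict[str, Set[str]] = {}
    for name, content in files.items():
        for host in external_hosts(content):
            by_host.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in sorted(by_host.items())}


if __name__ == "__main__":
    for host, names in inventory(SAMPLE_FILES).items():
        print(f"{host}: included by {', '.join(names)}")
```

Running the script on the constructed sample lists four hostnames; the ones an operator cannot account for, or that no longer resolve, are the ones to investigate.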
