Effectiveness of Antivirus in Detecting Web Application Backdoors

February 8, 2011

This paper gives a detailed idea of the effectiveness of Antivirus software in detecting the various Web Application backdoors that widely affect Web Servers. The analysis demonstrates the inefficiency of current Antivirus techniques in detecting Web Application backdoors and its consequences.

Considering the increased number of attacks on Web Applications and the defacement statistics on Web Servers, it’s high time to review the security of Web Servers and the protection mechanisms meant to prevent such attacks. The Zone-H report at http://www.zone-h.org/news/id/4735 says that the defacement count doubles every year. It also adds that the methodologies used to gain access are still the same “Application Layer Vulnerabilities”. Let’s not go into application vulnerabilities but instead take a look at the very common Web Application backdoors used by hackers and how the Antivirus software widely deployed on Web Servers is incapable of detecting them.

Diagram – 001

Normally an attack goes like Diagram 001: the attacker finds a vulnerability in a hosted web application and manages to upload a malicious web application backdoor written in one of the server’s supported languages, like ASP, PHP, ASP.NET, JSP etc., and this gives him control over the entire Web Server. Firewalls and Antivirus software are always part of a network, but firewalls are mostly not configured to monitor web traffic, so the only security measure the Web Servers depend upon here is the Antivirus. We will go into a detailed analysis of common web application backdoors and how AVs fail to catch them.

Antivirus Detection Mechanisms and Where They Lack

Signature Based Detection
In this technique the Antivirus software needs to have a signature of the backdoor, and for that the vendors must already have a copy of the backdoor for analysis.
Reasons behind the ineffectiveness of “Signature Based” detection of Web Backdoors
1)    Signature based detection works fine with self-propagating worms, as their mass-spreading mechanism will somehow bring a sample to the AV companies too. That’s not the case with web backdoors: they have no self-spreading mechanism and are targeted at a particular server, so the signatures of the most common backdoors remain unknown.

2)    The signatures are not built on instructions as with PEs, but on strings and function calls. Simply renaming a function call or a string, or changing the order of the program, can be enough to bypass the “Signature Based Detection” approach.
Note: Given below are some samples analyzed for example purposes. All the samples analyzed were downloaded from a collection of common web backdoors found on the internet a few years back; VirusTotal was used for this analysis.

Test #1.1
Objective: Test on an old and popular backdoor, which proves that popularity matters for detection
Backdoor / File name: C99.php
Description: A very old and widely used backdoor with a great number of options. Born some 12 years ago, so signatures are available in most Antivirus software.
Analysis: Shows that 81% of AVs detect the old man

Test #1.2
Objective: Prove that signature based detection is very easy to bypass when it comes to detecting web application backdoors, as it is based on strings.
Description: Web backdoors built in scripting languages are easy to bypass: the signatures are not built on instructions as with PEs, but on strings and function calls. Simply renaming a function call or changing the order of the program would be enough to bypass the AV. A second test was done by simply removing the change logs (author’s name and update logs) from the top of the script, and the reanalysis showed that only 27 AVs detected it now.

Test #2.1
Objective: Test on an old and not so popular backdoor to prove that it’s really hard for web application backdoors to reach the AV vendors for signature building
Description: Another pretty old sample was taken from the same web backdoor collection, with less functionality, although enough to deface a site
Analysis: Shows that only 2 AVs detect the backdoor.

Test #3.1
Objective: Signature based detection of Web Application backdoors is easy to bypass
Description: A test on another old and popular backdoor detected by all AVs. The aim is to make it undetectable by the AVs. A simple Active Server Pages command execution backdoor named cmdasp.asp was obtained from a very old archive, http://michaeldaw.org/projects/web-backdoor-compilation
Analysis: 81% of the AVs detected the script because of its popularity and the availability of a signature

Test #3.2
Objective: Signature based detection of Web Application backdoors is easy to bypass
Description: The above mentioned sample, which contained some HTML code (just for formatting output), was edited in Notepad and the HTML contents were stripped off, leaving the actual backdoor code untouched. Functions were also renamed, and then the backdoor was submitted for analysis

Analysis: The analysis showed that stripping the useless plain HTML from the ASP code and renaming the functions made it undetectable by all the AVs while still providing full functionality

Heuristics Based Detection
Not many Antivirus vendors depend upon heuristics for web backdoor detection. Only a few prominent and leading Antivirus products employ this kind of detection.
Why heuristics based detection is not employed when it comes to Web Applications
1)    Heuristic detection is based on dynamic analysis and is always considered risky, as the chances of false positives are very high; when it comes to Web Applications the risk is even higher
2)    Web Applications undergo updates and changes more frequently than PE files, and the methodologies used for PE detection cannot be fully utilized here
3)    Executables can carry a legitimate digital signature in the case of PEs, but that’s not possible with web scripts
4)    Static heuristic detection on PEs relies on a few critical and exceptional APIs, but that approach cannot be used for Web Applications: a single flag on such a function call would blacklist legitimate code
5)    Dynamic analysis at runtime is not used on scripting languages, as the code is interpreted
6)    Threat classification and risk analysis for Web Applications is hard to automate

To analyze the above, let’s discuss a few common features of Web Application backdoors. A web backdoor would have some or all of the following features –
1)    Execute System Commands On The Web Server
2)    Traverse Directories And View/Edit Files And Programs
3)    Upload Feature – Helpful In Local Privilege Escalation
4)    Download Documents And File
5)    Registry Editing
6)    Execute A Reverse Connect, Bind Shell
7)    Database Management

A web backdoor with the first feature [Execute commands] will itself be capable of performing the rest of the features in one way or another, so let’s discuss that further. Command execution is possible with almost all scripting languages, provided certain default functions are not disabled in the environment, depending upon the language.
Also, all the features except [1], [6] and [7] are legitimate Web Application behaviours, so there is a greater possibility of getting detected.

Test #4.1
Objective: Testing a simple command execution backdoor in JSP and PHP using the default system command execution functions, and analyzing the efficiency of Antivirus in static heuristic detection
Description: Command execution shell in .jsp that can be compiled into the .war Java web archive format.

Analysis: No Antivirus detected it

Test #4.2
Objective: Command execution shell in PHP which can be added to an already existing PHP file and processes requests via the User-Agent header

Analysis: No Antivirus detected it

The above analysis shows that even though the getRuntime().exec() and passthru() functions were present in the code, the static analysis of the AVs was not able to flag those critical function calls.
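The two weaknesses discussed so far (string signatures defeated by removing the change log and renaming functions, Tests 1.2 and 3.2; static heuristics that miss getRuntime().exec() and passthru(), Tests 4.1 and 4.2) can be contrasted with a small triage script. The following Python is an added example, not code from the paper or from any AV product; it handles only the PHP case, and the samples, signature strings and function names are constructed for illustration.

```python
import re

# Constructed samples (not from the paper): the PHP command shell of Test 4.2,
# wrapped in output HTML with an author/changelog header (as in Tests 1.2/3.2),
# and the same file after the header is removed, the HTML stripped and the
# helper renamed. BENIGN is a legitimate admin page for comparison.
ORIGINAL = """<html><body><pre>
<?php
/* cmd helper v1.0 - author: someone - changelog: read command from User-Agent */
function run_cmd($c) { passthru($c); }
run_cmd($_SERVER['HTTP_USER_AGENT']);
?>
</pre></body></html>"""
EVADED = '<?php function q7($z){passthru($z);} q7($_SERVER["HTTP_USER_AGENT"]); ?>'
BENIGN = '<?php $page = $_GET["p"]; $load = shell_exec("uptime"); echo $page; ?>'

# A string signature of the kind the paper describes: fixed text and a
# user-chosen helper name, both gone after a one-line edit.
STRING_SIGNATURE = ("cmd helper v1.0", "run_cmd(")

def signature_match(src):
    return any(s in src for s in STRING_SIGNATURE)

# Built-in command sinks cannot be renamed, unlike helper functions.
SINKS = ("passthru", "system", "exec", "shell_exec", "popen", "proc_open")
SOURCES = ("$_SERVER", "$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
SINK_CALL = r"\b(?:%s)\s*\(" % "|".join(SINKS)

def normalize(src):
    """Keep only the PHP code: drop HTML outside <?php ... ?> and comments."""
    code = " ".join(re.findall(r"<\?php(.*?)\?>", src, re.S))
    code = re.sub(r"/\*.*?\*/", " ", code, flags=re.S)
    return re.sub(r"(?://|#)[^\n]*", " ", code)   # crude: also hits '//' in strings

def heuristic_score(src):
    """0-4: +1 a command sink is called, +1 request data is read,
    +2 request data is passed to a sink directly or through a one-level wrapper."""
    code = normalize(src)
    score = 1 if re.search(SINK_CALL, code) else 0
    score += 1 if any(s in code for s in SOURCES) else 0
    # Helper functions whose body calls a sink count as sinks themselves.
    wrappers = [m.group(1) for m in
                re.finditer(r"function\s+(\w+)\s*\([^)]*\)\s*\{([^}]*)\}", code)
                if re.search(SINK_CALL, m.group(2))]
    names = "|".join(map(re.escape, SINKS + tuple(wrappers)))
    for call in re.finditer(r"\b(?:%s)\s*\(([^;]*)\)" % names, code):
        if any(s in call.group(1) for s in SOURCES):
            return score + 2
    return score

if __name__ == "__main__":
    for name, src in (("original", ORIGINAL), ("evaded", EVADED), ("benign", BENIGN)):
        print(name, "signature:", signature_match(src), "heuristic:", heuristic_score(src))
```

The string signature matches only the unedited sample, while the source-to-sink score stays at 4 for both shell variants and drops to 2 for the admin page that reads request data and runs a fixed command without connecting the two.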
Threat classification and risk analysis for Web Applications is hard to automate. It becomes hard to tell which piece of code is legitimate and which one is not. Consider the following test.

Test #4.3
Objective: Classifying a threat. Runtime analysis is not possible on web backdoors
Description: Given below is a simple program in JSP that can download files from the server. Downloading a file from a web server is a legitimate activity and cannot be used as a reason for heuristic detection. But what if the program tries to download a configuration file or other critical files from the server? These kinds of backdoors cannot be detected unless a runtime analysis is performed, and hence the lack of detection.
Code: Download File from server

Analysis: No antivirus scanners detected it [static and heuristic scan], due to the inability to detect web backdoors at runtime. The above program is a threat, and these kinds of backdoors are hard to detect by automated AVs unless there is a policy for files and folders regarding accessibility

Web application hosting and environments are growing rapidly, and the need to provide improved security is increasing with them. Current Antivirus software has proved inadequate at detecting Web Application backdoors. These factors add up to the need for Antivirus vendors to become apprised of web backdoors and to improve specialized detection techniques. Web Server administrators also need to be advised not to fully depend on native AV/Firewalls for preventing web intrusions.

Rahul Sasi is highly passionate about ethical hacking and works as an Info Security Consultant.
