Friday, April 20, 2007

A Compilation of Web Backdoors

The other day I came across to a nice compilation of web backdoors only, and decided to verify how well are various AVs performing when detecting them :

"I have collected some WEB backdoors in the past to exploit vulnerable file upload facilities and others. I think a library like this may be useful in a variety of situations. Understanding how these backdoors work can help security administrators implement firewalling and security policies to mitigate obvious attacks."

Here are some results listing the AVs that detected them -- as they should :

* name: cfexec.cfm
* size: 1328
* md5.: cce2f90563cb33ce32b6439e57839492
* sha1: 01c50c39e41c6e95262a1141dbfcbf9e8f14fc19

_No AV detects this one

* name : cmdasp.asp
* size: 1581 bytes
* md5: d0ef359225f9416dcf29bb274ab76c4b
* sha1: 9df3e72df372c41fe0a4d4f1e940f98829b752e1

Authentium 4.93.8 04.14.2007 ASP/Ace.G@bd
Avast 4.7.981.0 04.16.2007 VBS:Malware
BitDefender 7.2 04.16.2007 Backdoor.ASP.Ace.C
ClamAV devel-20070312 04.16.2007 ASP.Ace.C
DrWeb 4.33 04.16.2007 BackDoor.AspShell
Ewido 4.0 04.16.2007 Backdoor.Rootkit.10.a
F-Prot 04.13.2007 ASP/Ace.G@bd
F-Secure 6.70.13030.0 04.16.2007 ASP/Ace.G@bd
Kaspersky 04.16.2007 Backdoor.ASP.Ace.q
Microsoft 1.2405 04.16.2007 Backdoor:VBS/Ace.C
Symantec 10 04.16.2007 Backdoor.Trojan
VBA32 3.11.3 04.14.2007 Backdoor.ASP.Rootkit.10.a#1
Webwasher-Gateway 6.0.1 04.16.2007 VBScript.Unwanted.gen!FR:M-FW:H-RR:M-RW:M-N:H-CL:H (suspicious)

* name: cmdasp.aspx
* size: 1442
* md5.: 27072d0700c9f1db93eb9566738787bd
* sha1: 2c43d5f92ad855c25400ee27067fd15d92d1f6de

_No AV detects this one

* name: simple-backdoor.php
* size: 345
* md5.: fcd01740ca9d0303094378248fdeaea9
* sha1: 186c9394e22e91ff68502d7c1a71e67c5ded67cc

_No AV detects this one

* name: php-backdoor.php
* size: 2871
* md5.: 9ca0489e5d8a820ef84c4af8938005d5
* sha1: 89db6dc499130458597fe15f8592f332fb61607e

AhnLab-V3 2007.4.19.1/20070419 found [BAT/Zonie]
AntiVir found [PHP/Zonie]
Authentium 4.93.8/20070418 found [PHP/Zackdoor.A]
AVG found [PHP/Zonie.A]
BitDefender 7.2/20070419 found [Backdoor.Php.Zonie.B]
F-Prot found [PHP/Zackdoor.A]
F-Secure 6.70.13030.0/20070419 found [PHP/Zackdoor.A]
Ikarus T3.1.1.5/20070419 found [Backdoor.PHP.Zonie]
Kaspersky found [Backdoor.PHP.Zonie]
McAfee 5013/20070419 found [PWS-Zombie]
Microsoft 1.2405/20070419 found [Backdoor:PHP/Zonie.A]
NOD32v2 2205/20070419 found [PHP/Zonie]
Norman 5.80.02/20070419 found [PHP/Zonie.A]
VBA32 3.11.3/20070419 found [Backdoor.PHP.Zonie#1]
Webwasher-Gateway 6.0.1/20070419 found [Script.Zonie]

* name: jsp-reverse.jsp
* size: 2542
* md5.: ebf87108c908eddaef6f30f6785d6118
* sha1: 24621d45f7164aad34f79298bcae8f7825f25f30

_No AV detects this one

* name: perlcmd.cgi
* size: 619
* md5.: c7ac0d320464a9dee560e87d2fdbdb0c
* sha1: 6cd84b993dcc29dfd845bd688320b12bfd219922

_No AV detects this one

* name: cmdjsp.jsp
* size: 757
* md5.: 3405a7f7fc9fa8090223a7669a26f25a
* sha1: 1d4d1cc154f792dea194695f47e17f5f0ca90696

_No AV detects this one

* name: cmd-asp-5.1.asp
* size: 1241
* md5.: eba86b79c73195630fb1d8b58da13d53
* sha1: 22d67b7f5f92198d9c083e140ba64ad9d04d4ebc

Webwasher-Gateway 6.0.1/20070419 found [VBScript.Unwanted.gen!FR:M-FW:M-RR:M-RW:M-N:H-CL:H (suspicious)]

Rather interesting, there have been recent targeted attacks aiming at gullible admins who'd put such web shells at their servers, thus opening a reverse shell to the attackers. As always, this compilation is just the tip of the iceberg, as Jose Nazario points out having variables means a different checksum, and considering the countless number of ASP, PHP and PERL based reverse backdoors, the threat is here to remain as silent and effective as possible. Grep this viruslist, especially the ASP, PHP and PERL backdoor families to come up with more variants in case you want to know what's already spotted in the wild. Here's a very well written paper by Gadi Evron on Web Server Botnets and Server Farms as Attack Platforms discussing the economies of scale of these attacks.