Difference between revisions of "OWASP AppSec DC 2012/Old Webshells New Tricks How Persistent Threats haverevived an old idea and how you can detect them"

From OWASP
Jump to: navigation, search
(Created page with "<noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude> __NOTOC__ == The Presentation == rightWeb shells _ malicious scripts that provide an a...")
 
Line 2: Line 2:
 
__NOTOC__
 
__NOTOC__
 
== The Presentation  ==
 
== The Presentation  ==
[[Image:Owasp_logo_normal.jpg|right]]Web shells _ malicious scripts that provide an attacker with the ability to upload files, execute commands, conduct reconnaissance, and perform other command-and-control activities on a compromised web server _ are nothing new.  Theyve been in the wild ever since the first web server and application exploits reared their ugly heads over a decade ago.  Modern application security and server hardening processes have rendered them all but obsolete tools for desperate script-kiddies, right?  Wrong.  In this presentation we will discuss how web-based backdoors continue to be leveraged by sophisticated, targeted attackers and the challenges that they pose to forensic analysts conducting large-scale investigations.  In particular, we will focus on the usage of web shells as a post-exploitation mechanism for maintaining persistence in an environment _ a backup method of remote access _ rather than a tool utilized in the initial entry vector.  We will focus on the forensic artifacts that usage of such malware leaves behind on the host and on the network, and discuss techniques for rapidly identifying unknown web-based malware across servers.
+
Web shells _ malicious scripts that provide an attacker with the ability to upload files, execute commands, conduct reconnaissance, and perform other command-and-control activities on a compromised web server _ are nothing new.  Theyve been in the wild ever since the first web server and application exploits reared their ugly heads over a decade ago.  Modern application security and server hardening processes have rendered them all but obsolete tools for desperate script-kiddies, right?  Wrong.  In this presentation we will discuss how web-based backdoors continue to be leveraged by sophisticated, targeted attackers and the challenges that they pose to forensic analysts conducting large-scale investigations.  In particular, we will focus on the usage of web shells as a post-exploitation mechanism for maintaining persistence in an environment _ a backup method of remote access _ rather than a tool utilized in the initial entry vector.  We will focus on the forensic artifacts that usage of such malware leaves behind on the host and on the network, and discuss techniques for rapidly identifying unknown web-based malware across servers.
 
== The Speakers  ==
 
== The Speakers  ==
Ryan Kazanciyan
+
<table>
 +
<tr>
 +
<td>
 +
===Ryan Kazanciyan===
 +
[[Image:Owasp_logo_normal.jpg|left]]Bio TBA
 +
</td>
 +
</tr>
 +
</table>
 
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude>
 
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude>

Revision as of 19:55, 11 March 2012

AppSecDC-468x60-banner-2012.jpg

Registration Now OPEN! | Hotel | Schedule | Convention Center | AppSecDC.org

The Presentation

Web shells _ malicious scripts that provide an attacker with the ability to upload files, execute commands, conduct reconnaissance, and perform other command-and-control activities on a compromised web server _ are nothing new. Theyve been in the wild ever since the first web server and application exploits reared their ugly heads over a decade ago. Modern application security and server hardening processes have rendered them all but obsolete tools for desperate script-kiddies, right? Wrong. In this presentation we will discuss how web-based backdoors continue to be leveraged by sophisticated, targeted attackers and the challenges that they pose to forensic analysts conducting large-scale investigations. In particular, we will focus on the usage of web shells as a post-exploitation mechanism for maintaining persistence in an environment _ a backup method of remote access _ rather than a tool utilized in the initial entry vector. We will focus on the forensic artifacts that usage of such malware leaves behind on the host and on the network, and discuss techniques for rapidly identifying unknown web-based malware across servers.

The Speakers

Ryan Kazanciyan

Owasp logo normal.jpg
Bio TBA

Gold Sponsors

Aspect logo owasp.jpg AppSecDC2009-Sponsor-securicon.gif AppSecDC2009-Sponsor-mandiant.gif AppSecDC2012-ISC2.gif

Silver Sponsors

SPL-LOGO-MED.png

Small Business

AppSecDC2012-Sponsor-sideas.gif BayShoreNetworks.png

Exhibitors

link=http://www.codenomicon.com/ Codenomicon WhiteHat Logo.png AppSecDC2012-HP.jpg WSI - Logo.jpg