FireEye Stories Blog

FireEye Adds Web Shell Detection to Protect Servers

Threat actors are constantly looking for new ways to exploit weaknesses in an ever-growing attack surface. Workstation endpoints are a common target because there is a human at the keyboard who can be tricked into clicking a malicious link or opening a malicious file. Not all attacks start on workstations, however; in some cases attackers target internet-facing servers, such as web servers, directly. Once on a web server, the attacker can harvest or scrape data, keep that access as a persistence mechanism for re-entry, and use the server as a starting point for moving to other parts of the network. Network security products therefore need visibility into advanced threats in several parts of the network at once, and traditional file-based sandboxing solutions are a far cry from what is needed to stop today's attacks.

Most sandboxes are not inline to traffic flows and receive only individual files to analyze. Those files are carved out of network traffic from devices such as proxies or firewalls, which do have the visibility of the full network traffic flow. Having visibility reduced to only specific files that are handed to you from other devices is architecturally limiting. FireEye Network Security was architected differently. It is designed to sit inline seeing all traffic, which gives it considerable capabilities beyond what would be found in a conventional file-based sandbox.

MVX Virtual Execution Engine: The Multi-Vector Virtual Execution™ (MVX) engine detects zero-day, multi-flow and other evasive attacks with dynamic, signature-less analysis in a safe, virtual environment. It stops the infection and compromise phases of the cyber attack kill chain by identifying never-before-seen exploits and malware. Most sandboxes detonate file types such as EXE, DOCX, PDF and JAR on a Windows system. MVX goes well beyond this, detonating types such as FLV, CHM, SWF, MSI and others on Windows; DMG, Mach-O and others on OS X; and PL, ELF, SH and others on Linux.

Callback Detection Engine: FireEye Network Security detects more than malicious files entering the network. It also recognizes traffic that is a callback to an attacker's server. Such an event means that a machine inside the victim's network has already been compromised and that the malware installed on it is trying to reach the attacker's server for further instructions. At this point the victim is one step away from a remote attacker having access to, and control of, the machine.

IPS Engine: To optimize network security and enable compliance, FireEye Integrated Intrusion Prevention System (IPS) features can be run on FireEye Network Security. The combination of signature-based and signatureless technologies protects against known and unknown threats, reduces false alerts, and highlights attacks hidden within the noise.

SmartVision: Post Exploitation Detection Engine: FireEye Network Security needs to be concerned with more than just observing traffic between workstation endpoints and the internet. We know that once attackers achieve “Initial Compromise” on an endpoint they will use post exploitation techniques to move laterally to higher value assets in the network such as the servers that hold the data they aim to steal and/or monetize.

*NEW* Web Shell Detection Engine: Aside from attacks targeting endpoints, network security solutions need visibility into attacks on servers. Web shells are a common tool used against web servers (see MITRE ATT&CK technique T1100, Web Shell, at the time of writing; it has since been re-catalogued as T1505.003, Server Software Component: Web Shell). MITRE ATT&CK defines a web shell as:

Web Shell: A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). Web shells may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed.

Web shells can be hidden inside images that are served as ordinary page content, or inside 404 error pages, where requests to them blend into the normal background of not-found noise. Web shells can be used to cause disruption or to steal sensitive information. For example, we previously observed suspected Chinese APT actors steal more than 300,000 e-mail addresses using a China Chopper web shell injected into an IT company's resume submission site. Web shell access is also bought and sold in underground forums: one threat actor succeeds in deploying a web shell and then sells access to it to a different actor who intends to use it against the victim organization's network and data.

FireEye Network Security now protects internet facing web servers by detecting web shell activity in multiple phases.

  • Web Shell Upload: The first stage of web shell detection is catching the upload of the web shell to the web server. Solutions such as a web application firewall (WAF) may help to some extent, but those controls are typically signature based. FireEye Network Security instead uses the MVX engine to detonate the sample and find unknown web shell variants by their behavior rather than by signature. To accomplish this, we detonate file types such as PHP, JSP and ASPX, and have added web server software to the MVX Virtual Execution Engine, where most sandboxes traditionally carry only client-side applications such as PDF readers and office suites.
  • Web Shell Interaction: The second stage is detecting interaction with a web shell that is already installed on the web server. FireEye Network Security adds SmartVision correlation rules that recognize this activity in traffic. The rules update automatically and are part of FireEye's "Innovation Cycle", in which lessons about attacker techniques learned on the front lines by our Incident Response services are fed back into the product as detections.
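The interaction stage is about traffic shape rather than file content: a web shell is driven by POST requests to a path that legitimate users never post to, typically from a client that never fetches the surrounding pages and sends no Referer. The script below is an added example for this post, not FireEye's SmartVision rules and not code from the original article. It runs a few such heuristics over Apache combined-format access-log lines that are constructed inline (the IPs are documentation ranges, not real hosts).

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed Apache "combined" access-log lines (not a real capture).
ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2019:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/69.0"
203.0.113.5 - - [10/Oct/2019:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0 (Windows NT 10.0) Firefox/69.0"
203.0.113.5 - - [10/Oct/2019:13:56:02 +0000] "POST /login.php HTTP/1.1" 302 0 "http://www.example.com/" "Mozilla/5.0 (Windows NT 10.0) Firefox/69.0"
198.51.100.7 - - [10/Oct/2019:14:01:11 +0000] "POST /images/banner.jpg HTTP/1.1" 200 412 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [10/Oct/2019:14:01:15 +0000] "POST /images/banner.jpg HTTP/1.1" 200 1893 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [10/Oct/2019:14:03:40 +0000] "POST /errors/404.php HTTP/1.1" 200 77 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.9 - - [10/Oct/2019:14:05:00 +0000] "GET /about.php HTTP/1.1" 200 3300 "http://www.example.com/" "Mozilla/5.0 (Macintosh) Safari/605.1"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$')
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".ico", ".css", ".js", ".txt")
ERROR_PATH = re.compile(r"/(?:40[0-9]|50[0-9]|error)[^/]*$", re.I)


def parse(lines: str) -> List[dict]:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    out = []
    for raw in lines.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ip, _ts, method, uri, status, _size, referer, ua = m.groups()
        out.append({"ip": ip, "method": method.upper(), "uri": uri.split("?", 1)[0],
                    "status": int(status), "referer": referer, "ua": ua})
    return out


def analyze(lines: str) -> Dict[str, List[str]]:
    """Return uri -> list of reasons for every URI that looks like a web shell being driven."""
    reqs = parse(lines)
    per_uri: Dict[str, List[dict]] = defaultdict(list)
    methods_by_ip: Dict[str, set] = defaultdict(set)
    for r in reqs:
        per_uri[r["uri"]].append(r)
        methods_by_ip[r["ip"]].add(r["method"])
    # A browser renders pages (GET) before it submits forms; a shell client only POSTs.
    post_only_ips = {ip for ip, m in methods_by_ip.items() if m == {"POST"}}

    findings: Dict[str, List[str]] = {}
    for uri, rs in per_uri.items():
        posts = [r for r in rs if r["method"] == "POST"]
        if not posts:
            continue
        reasons = []
        # Static content is fetched, never posted to.
        if uri.lower().endswith(STATIC_EXT):
            reasons.append("POST to static-content path")
        # An error page that accepts a POST and answers 200 is doing more than erroring.
        if ERROR_PATH.search(uri) and any(r["status"] == 200 for r in posts):
            reasons.append("POST to error-page path answered with 200")
        # Form submissions arrive with a Referer and the form itself was fetched first.
        gets = [r for r in rs if r["method"] == "GET"]
        if not gets and all(r["referer"] == "-" for r in posts):
            reasons.append("POST-only URI with no Referer")
        if any(r["ip"] in post_only_ips for r in posts):
            reasons.append("POSTs from client that never issued a GET")
        if reasons:
            findings[uri] = reasons
    return findings


if __name__ == "__main__":
    for uri, reasons in analyze(ACCESS_LOG).items():
        print(uri, "->", "; ".join(reasons))
```

Note that `/login.php` is also only ever POSTed to in this sample, yet it is not flagged: the request carries a Referer and comes from a client that browsed the site first. Each heuristic alone is noisy (API endpoints and AJAX handlers are POST-only with no GETs); it is the correlation of several of them on one URI and one client that makes a credible alert, which is the point of the correlation rules described above.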

FireEye web shell detection, together with all of the other capabilities described above, is available in the 8.3.0 release of FireEye Network Security. Used together, these capabilities give FireEye Network Security visibility from workstation to internet, workstation to server, and internet to server. All of this is possible because of FireEye Network Security's architecture, which sees the full traffic flow and performs a much deeper and broader analysis than a simple out-of-band, file-based sandbox.

FireEye solutions are more powerful when they work together. The ability to protect clients with FireEye Network Security is amplified when combined with FireEye Endpoint Security. When a web shell attack is detected by Network Security, the indicators of compromise can be shared with FireEye Endpoint Security. Using Endpoint Security, clients can perform a full investigation on Windows Server or Linux based servers, and then quickly remediate any incident.

With FireEye, administrators are able to reduce the time to detection from months to minutes and resolution from days to minutes.