A Case Study in Webserver Malware for Admins and Users Alike – CF033

Cyber Frontiers is all about exploring cybersecurity, big data, and the technologies shaping the future through an academic perspective! Christian Johnson, a student at the University of Maryland, will bring fresh and relevant topics to the show based on the current work he does.

Please leave a REVIEW (iPhone or iPad) – https://itunes.apple.com/WebObjects/MZStore.woa/wa/viewContentsUserReviews?id=857124890&type=Podcast&ls=1&mt=1

Support the Average Guy Tech Scholarship Fund: https://www.patreon.com/theaverageguy

WANT TO SUBSCRIBE? We now have Video Large / Small and Video iTunes options at http://theAverageGuy.tv/subscribe

You can contact us via email at jim@theaverageguy.tv

Full show notes and video at http://theAverageGuy.tv/cf033


This week on Cyber Frontiers Christian is joined by Jim to walk through new and exciting malware that recently had a real-world impact on the Maplegrove network. Christian describes the forensic process of identifying the manifestation, reverse engineering the foreign code, putting defenses in place, and triaging potential impacts. We discuss the ways in which malware like this becomes an issue for many blogger enthusiasts on extensible platforms like WordPress, and what users can do about it, in addition to what administrators can do to protect the hosting companies that run and manage your websites and data. It’s a great show that highlights real-world malware in the wild with learning points throughout.

Base-64 Encoder/Decoder

We discussed this as a common technique attackers use to evade signature detection: encoding their PHP files multiple times, so that a scanner matching on known strings never sees the actual code. This site will help you untangle that spider web.

https://www.base64decode.org/
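Untangling the layers by hand on a decoder site works, but a short script is faster when a whole docroot is in question. The following is an added example, not code from the show or from base64decode.org: it looks for the common `eval(base64_decode("..."))` wrapper, decodes one layer, and repeats until no wrapper is left, reporting how many layers were peeled. The wrapper regex, the `max_layers` guard and the nested sample file built by `wrap()` are all assumptions constructed for the example; the sample payload is a harmless `echo`, not real malware.

```python
"""Peel nested eval(base64_decode(...)) layers off a suspicious PHP file.

Added example for the show notes; the wrapper pattern, the layer limit and
the constructed sample are assumptions, not output from any real incident.
"""
import base64
import binascii
import re

# The classic single-line packer: eval(base64_decode("...")) with either quote
# style, optional whitespace, and possibly line-wrapped base64 text.
WRAPPER_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)""",
    re.IGNORECASE,
)


def peel_layer(source):
    """Decode one wrapper layer; return the inner text, or None if there is none.

    Invalid base64 inside a wrapper (a false positive on the regex) also
    returns None so that unwrap() stops instead of crashing.
    """
    match = WRAPPER_RE.search(source)
    if match is None:
        return None
    blob = re.sub(r"\s+", "", match.group(1))  # drop line wrapping
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def unwrap(source, max_layers=20):
    """Repeatedly peel layers. Returns (innermost_text, layers_removed).

    max_layers is an assumed safety cap: a sample that re-wraps itself or a
    regex false positive must not keep the scanner looping forever.
    """
    current = source
    layers = 0
    while layers < max_layers:
        inner = peel_layer(current)
        if inner is None:
            break
        current = inner
        layers += 1
    return current, layers


def looks_packed(source):
    """Triage check: True when a file carries at least one wrapper layer."""
    return WRAPPER_RE.search(source) is not None


def wrap(source, layers):
    """Build a multi-layer sample for testing (constructed, harmless payload)."""
    current = source
    for _ in range(layers):
        encoded = base64.b64encode(current.encode("utf-8")).decode("ascii")
        current = 'eval(base64_decode("%s"));' % encoded
    return current


# Constructed sample: a benign echo buried under three encoding layers.
SAMPLE_INNER = '<?php echo "hello"; ?>'
SAMPLE_FILE = "<?php " + wrap(SAMPLE_INNER, 3) + " ?>"


if __name__ == "__main__":
    text, count = unwrap(SAMPLE_FILE)
    print("packed:", looks_packed(SAMPLE_FILE))
    print("layers removed:", count)
    print("innermost code:", text)
```

Run it over every `.php` file under the docroot and flag anything where `looks_packed()` is true; legitimate plugins very rarely ship code as an `eval` of a base64 string, so the hit list is short enough to review by hand. Packers that add `gzinflate` or `str_rot13` stages would need another decode step in `peel_layer()`, which is why the layer count is reported rather than assumed to be one.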

Malware Payload

WSO is the web shell that eventually gets deployed, once the malware succeeds, for future command and control operations. Here’s a pretty close example of what the malware looks like unpacked from the decoder:

https://github.com/tennc/webshell/blob/master/php/wso/wso2.php

If you aren’t inclined to view the code, check out a user tutorial showing what the actual page looks like once it’s loaded and in the attacker’s hands (access to security info, file manager, terminal/console, SQL, etc.).

https://www.youtube.com/watch?v=geMNKgAmogw

Point of Entry

The subject plugin that exposed the vulnerability on a customer container:

Google Analytics Counter Tracker v. 3.4.0

https://www.pluginvulnerabilities.com/2016/11/15/vulnerability-details-php-object-injection-vulnerability-in-google-analytics-counter-tracker/

WordPress Security Plugin Resources

Here are some of the common solutions we discussed for tracking file system changes, detecting vulnerable versions of plugins, and more:

  1. All in One WordPress Security
  2. Centrora Security
  3. WordFence
  4. Google Authenticator (for 2FA)

Jim’s Twitter: http://twitter.com/#!/jcollison

Contact Christian: christian@theaverageguy.tv

Contact the show at jim@theaverageguy.tv

Find this and other great Podcasts from the Average Guy Network at http://theaverageguy.tv

Music courtesy of Ryan King. Check out the Die Hard Cafe band and other original works at:
http://diehardcafe.bandcamp.com/
http://cokehabitgo.tumblr.com/tagged/my-music