A Case Study in Webserver Malware for Admins and Users Alike – CF033
Cyber Frontiers is all about Exploring Cyber security, Big Data, and the Technologies Shaping the Future Through an Academic Perspective! Christian Johnson, a student at the University of Maryland will bring fresh and relevant topics to the show based on the current work he does.
Please leave a REVIEW (iPhone or iPad) – https://itunes.apple.com/WebObjects/MZStore.woa/wa/viewContentsUserReviews?id=857124890&type=Podcast&ls=1&mt=1
Support the Average Guy Tech Scholarship Fund: https://www.patreon.com/theaverageguy
You can contact us via email at email@example.com
Full show notes and video at http://theAverageGuy.tv/cf033
This week on Cyber Frontiers, Christian is joined by Jim to walk through new malware that recently had a real-world impact on the Maplegrove network. Christian describes the forensic process: identifying how the infection manifested, reverse engineering the foreign code, putting defenses in place, and triaging potential impacts. We discuss why malware like this becomes a problem for many blogging enthusiasts on extensible platforms like WordPress, what users can do about it, and what administrators can do to protect the hosting companies that run and manage your websites and data. It’s a great show that highlights real-world malware in the wild, with learning points throughout.
We discussed a common technique attackers use to evade signature detection: encoding their PHP payloads several times over, each layer wrapped in its own decode call, so that no single signature matches the file as it sits on disk. This site will help you untangle that spider web.
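The kind of unpacking that site automates can be done by hand with a short script. The following is an added example written for these notes, not code from the show or from the malware itself: it peels nested `eval(decoder(...('literal')))` layers off a PHP file one at a time. The sample dropper it runs against is constructed here by wrapping a harmless `echo` statement three times (strrev, str_rot13 and gzinflate over base64), and the table of supported decoder functions is the author's own choice, not a list taken from the episode.

```python
"""Peel nested eval(decoder(...('<literal>'))) layers off an obfuscated PHP dropper."""
import base64
import codecs
import re
import zlib
from urllib.parse import unquote_to_bytes

# PHP decoder functions commonly chained inside eval(), with byte-for-byte Python equivalents.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE stream, no zlib header
    "gzuncompress": zlib.decompress,                  # zlib-wrapped stream
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
    "rawurldecode": unquote_to_bytes,
    "urldecode": lambda b: unquote_to_bytes(b.replace(b"+", b" ")),
    "hex2bin": lambda b: bytes.fromhex(b.decode("ascii")),
}

# eval( fn1( fn2( ... '<literal>' ) ) );  group 1 is the decoder chain, group 3 the literal.
EVAL_RE = re.compile(
    r"""eval\s*\(\s*((?:\w+\s*\(\s*)*)(['"])([^'"]*)\2\s*\)+\s*;?""", re.DOTALL)


def unwrap_once(src):
    """Decode one eval() layer; return the inner PHP source, or None if no layer is found."""
    m = EVAL_RE.search(src)
    if not m:
        return None
    chain = re.findall(r"\w+", m.group(1))      # written outermost first
    data = m.group(3).encode("latin-1")
    for fn in reversed(chain):                  # PHP evaluates the innermost call first
        if fn not in DECODERS:
            raise ValueError("unsupported decoder in chain: " + fn)
        data = DECODERS[fn](data)
    return data.decode("latin-1")


def unwrap_all(src, max_layers=32):
    """Keep unwrapping until no eval() wrapper remains; return (plain source, layers removed)."""
    layers = 0
    while layers < max_layers:
        inner = unwrap_once(src)
        if inner is None:
            break
        src, layers = inner, layers + 1
    return src, layers


# --- Constructed sample: a plain final stage wrapped three times, the way a dropper would be. ---
def _b64(b):
    return base64.b64encode(b).decode("ascii")


def _deflate(b):
    c = zlib.compressobj(9, zlib.DEFLATED, -15)    # produce what PHP's gzinflate() expects
    return c.compress(b) + c.flush()


FINAL_STAGE = 'echo "stage reached: the web shell body would be written out here";'
_stage2 = "eval(gzinflate(base64_decode('%s')));" % _b64(_deflate(FINAL_STAGE.encode()))
_stage1 = "eval(str_rot13(base64_decode('%s')));" % _b64(codecs.encode(_stage2, "rot_13").encode())
SAMPLE_DROPPER = "<?php eval(base64_decode(strrev('%s'))); ?>" % _b64(_stage1.encode())[::-1]

if __name__ == "__main__":
    code, n = unwrap_all(SAMPLE_DROPPER)
    print("layers removed:", n)
    print(code)
```

Two practical notes. First, the attacker can re-encode the same payload into a fresh byte stream at will, which is exactly why a signature on the encoded file keeps losing; alerting on the `eval(` plus decoder-chain shape itself, or on the unpacked result, holds up better. Second, this parser only handles a quoted literal with no escaped quotes inside it and a chain of the functions in the table; real samples that concatenate fragments, use variable function names or call `create_function()` or `assert()` instead of `eval()` need the pattern extended.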
WSO is the web shell that ultimately gets deployed, once the malware succeeds, for future command-and-control operations. Here’s a pretty close example of what the malware looks like once unpacked from the decoder:
If you aren’t inclined to read the code, check out a user tutorial showing what the actual page looks like once it’s loaded and in the attacker’s hands (access to security info, file manager, terminal/console, SQL, etc.).
Point of Entry
The plugin that exposed the vulnerability on the affected customer container:
Google Analytics Counter Tracker v. 3.4.0
WordPress Security Plugin Resources
Here are some of the common solutions we discussed for tracking file system changes, detecting vulnerable versions of plugins, and more:
- All in One WordPress Security
- Centrora Security
- Google Authenticator (for 2FA)
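Two of the jobs those plugins do, checking installed plugin versions against a list of known-bad ones and noticing when files under wp-content change, are simple enough to show in a few dozen lines. The following is an added example written for these notes, not code from the show or from any of the plugins above. The plugin directory slug, the main-file name and the "affected up to 3.4.0" rule are assumptions made for illustration: the episode only names Google Analytics Counter Tracker 3.4.0 as the point of entry, so check the vendor's advisory before relying on that threshold. The wp-content tree it scans is constructed in a temporary directory.

```python
"""Inventory WordPress plugin versions and detect file-system changes under wp-content."""
import hashlib
import os
import re
import tempfile

# Plugin headers live in a comment block at the top of the plugin's main PHP file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

# ASSUMED table: plugin directory slug -> highest version treated as affected.
# Only "Google Analytics Counter Tracker 3.4.0" comes from the episode; slug and
# "up to" semantics are assumptions for this example.
AFFECTED = {"google-analytics-counter-tracker": "3.4.0"}


def _vtuple(v):
    """'3.4.0' -> (3, 4, 0); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def inventory_plugins(plugins_dir):
    """Return {slug: {'name', 'version'}} by reading each plugin's main-file header."""
    found = {}
    for slug in sorted(os.listdir(plugins_dir)):
        pdir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(pdir):
            continue
        for fn in sorted(os.listdir(pdir)):
            if not fn.endswith(".php"):
                continue
            with open(os.path.join(pdir, fn), encoding="utf-8", errors="replace") as fh:
                head = fh.read(8192)          # WordPress itself reads only the first 8 KB
            fields = dict(HEADER_RE.findall(head))
            if "Plugin Name" in fields:
                found[slug] = {"name": fields["Plugin Name"], "version": fields.get("Version", "0")}
                break
    return found


def affected_plugins(inventory, affected=AFFECTED):
    """Slugs whose installed version is at or below the assumed highest affected version."""
    return sorted(slug for slug, meta in inventory.items()
                  if slug in affected and _vtuple(meta["version"]) <= _vtuple(affected[slug]))


def snapshot(root):
    """relative path -> sha256 for every file under root; store this as the baseline."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def diff_snapshots(base, current):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(set(current) - set(base))
    removed = sorted(set(base) - set(current))
    modified = sorted(p for p in set(base) & set(current) if base[p] != current[p])
    return added, modified, removed


def build_demo_site():
    """Constructed wp-content tree: one plugin at the version named in the episode."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    pdir = os.path.join(root, "plugins", "google-analytics-counter-tracker")  # slug assumed
    os.makedirs(pdir)
    os.makedirs(os.path.join(root, "uploads", "2015"))
    with open(os.path.join(pdir, "gact.php"), "w") as fh:                      # file name assumed
        fh.write("<?php\n/*\nPlugin Name: Google Analytics Counter Tracker\nVersion: 3.4.0\n*/\n")
    return root


def run_demo():
    root = build_demo_site()
    inv = inventory_plugins(os.path.join(root, "plugins"))
    flagged = affected_plugins(inv)
    base = snapshot(root)
    # Simulate a dropper writing a PHP file where only media should live (constructed content).
    with open(os.path.join(root, "uploads", "2015", "cache.php"), "w") as fh:
        fh.write("<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n")
    added, modified, removed = diff_snapshots(base, snapshot(root))
    # PHP appearing under uploads/ is a common heuristic for a dropped shell, not a rule from the show.
    php_in_uploads = [p for p in added + modified if p.startswith("uploads/") and p.endswith(".php")]
    return {"inventory": inv, "flagged": flagged, "added": added,
            "modified": modified, "removed": removed, "php_in_uploads": php_in_uploads}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

Keep the baseline snapshot somewhere the web server account cannot write, otherwise a shell that lands with the same privileges can simply rewrite it; and treat the version check as a floor, not a substitute for updating, since the header only tells you what version the plugin claims to be.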
Jim’s Twitter: http://twitter.com/#!/jcollison
Contact Christian: firstname.lastname@example.org
Contact the show at email@example.com
Find this and other great Podcasts from the Average Guy Network at http://theaverageguy.tv