Title :
Towards a sandbox for the deobfuscation and dissection of PHP malware
Author :
Wrench, Peter M. ; Irwin, Barry V. W.
Author_Institution :
Dept. of Comput. Sci., Rhodes Univ., Grahamstown, South Africa
Abstract :
The creation and proliferation of PHP-based Remote Access Trojans (or web shells) used in both the compromise and post exploitation of web platforms has fuelled research into automated methods of dissecting and analysing these shells. Current malware tools disguise themselves by making use of obfuscation techniques designed to frustrate any efforts to dissect or reverse engineer the code. Advanced code engineering can even cause malware to behave differently if it detects that it is not running on the system for which it was originally targeted. To combat these defensive techniques, this paper presents a sandbox-based environment that aims to accurately mimic a vulnerable host and is capable of semi-automatic semantic dissection and syntactic deobfuscation of PHP code.
Keywords :
Internet; authoring languages; invasive software; PHP code; PHP malware; PHP-based remote access Trojans; Web platforms; Web shells; advanced code engineering; malware tools; sandbox-based environment; semi-automatic semantic dissection; syntactic deobfuscation; Arrays; Databases; Decoding; Malware; Process control; Semantics; Software; Code deobfuscation; Reverse engineering; Sandboxing;
Conference_Titel :
Information Security for South Africa (ISSA), 2014
Conference_Location :
Johannesburg
Print_ISBN :
978-1-4799-3383-9
DOI :
10.1109/ISSA.2014.6950504
