WebShells are an often misunderstood and overlooked form of malware, yet they continue to be a popular and powerful attacker tool. WebShells can range from extremely simple to elegant and complex, and they are often a favorite tool used by intruders to establish a long-term, stealthy presence in a compromised network. WebShells fall into a few distinct categories, and most follow the same common concepts in their design and purpose. This talk will outline the common parts of a WebShell, why they are designed the way they are, and their typical usage. After covering the internal workings of WebShells, we will cover ways to detect them, even when they are dormant and not being actively used by the intruder.
D0n Quix0te is the author and creator of OMENS: A Windows Web Server intrusion detection and monitoring system. He has more than 25 years of experience in architecting, installing, maintaining, and defending high-value targets, and he has been involved in the response and analysis of a number of major security incidents.