Dazzle-attack: Anti-Forensic Server-side Attack via Fail-Free Dynamic State Machine

Conference paper in Information Security Applications (WISA 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13720)

Abstract

Server-side malware is a prevalent threat that can affect a large number of clients who visit the compromised server. In this paper, we propose Dazzle-attack, a new advanced server-side attack that is resilient to forensic analysis such as reverse engineering. Dazzle-attack retrieves typical (and non-suspicious) contents from benign, uncompromised websites to avoid detection and to mislead an investigation into erroneously associating the attack with those benign websites. Dazzle-attack leverages a specialized state machine that accepts any input and produces output dependent on that input, which substantially enlarges the input-output space and makes reverse-engineering significantly more difficult. We develop a prototype of Dazzle-attack and conduct an empirical evaluation showing that it imposes significant challenges on forensic analysis.

B. Lee and K. Lim—Co-first authors and listed in alphabetical order.

Notes

  1. The name Dazzle-attack originates from dazzle camouflage, a family of ship camouflage consisting of complex patterns of geometric shapes [67].

  2. The assumption of compromised servers in cyber attacks is typical [12, 29, 48].

  3. www.cnn.com, www.npr.org, www.gnu.org, 19hz.info, techtonic.fm, earthquaketrack.com, news.ycombinator.com, www.kimbellart.org, lite.poandpo.com, chromereleases.googleblog.com.

  4. https://twitter.com/houstonrockets, https://www.trinitychurchboston.org, https://www.nasa.gov/multimedia/imagegallery/iotd.html, https://www.ebay.com, https://www.theoaklandarena.com.

References

  1. Best PHP Obfuscator (2018). http://www.pipsomania.com/best_php_obfuscator.do

  2. A text file containing 479 k English words (2019). https://github.com/dwyl/english-words

  3. Joomla: Content Management System (CMS) (2019). https://www.joomla.org/

  4. Linux Malware Detect (2019). https://www.rfxn.com/projects/linux-malware-detect/

  5. NPR: National Public Radio (2019). https://npr.org/

  6. NPR: News and National Top Stories (2019). https://npr.org/sections/national/

  7. PHP: Pspell Functions (2019). https://www.php.net/manual/en/ref.pspell.php

  8. Shellray: A PHP webshell detector (2019). https://shellray.com/

  9. VirusShare (2019). https://virusshare.com/

  10. WordPress (2019). https://wordpress.com/

  11. Dazzle-Attack: Supplementary Materials (2020). https://sites.google.com/view/dazzle-attack-additional/home

  12. Cybersecurity and Infrastructure Security Agency (CISA): Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets (2020). https://us-cert.cisa.gov/ncas/alerts/aa20-296a

  13. Anderson, H.S., Kharkar, A., Filar, B., Evans, D., Roth, P.: Learning to evade static PE machine learning Malware models via reinforcement learning. arXiv preprint arXiv:1801.08917 (2018)

  14. Aqil, A., et al.: Detection of stealthy TCP-based DoS attacks. In: MILCOM 2015 – 2015 IEEE Military Communications Conference, pp. 348–353. IEEE (2015)

  15. van Arnhem, B.: PHPScan: symbolic execution inspired PHP application scanner for code-path discovery (2017). https://github.com/bartvanarnhem/phpscan

  16. Balzarotti, D., et al.: Saner: composing static and dynamic analysis to validate sanitization in web applications. In: 2008 IEEE Symposium on Security and Privacy (S &P), pp. 387–401. IEEE (2008)

  17. Bart, P.: PHP-backdoors: a collection of PHP backdoors

  18. BDLeet: public-shell: Some Public Shell (2016). https://github.com/BDLeet/public-shell

  19. Becchi, M., Crowley, P.: A hybrid finite automaton for practical deep packet inspection. In: Proceedings of the 2007 ACM CoNEXT Conference, p. 1. ACM (2007)

  20. BlackArch: webshells: Various webshells (2019). https://github.com/BlackArch/webshells

  21. Cadar, C., Dunbar, D., Engler, D.R., et al.: Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs. In: OSDI, vol. 8, pp. 209–224 (2008)

  22. Christodorescu, M., Jha, S., Seshia, S.A., Song, D., Bryant, R.E.: Semantics-aware malware detection. In: 2005 IEEE Symposium on Security and Privacy (S &P), pp. 32–46. IEEE (2005)

  23. Dahse, J., Schwenk, J.: RIPS: a static source code analyser for vulnerabilities in PHP scripts (2010). Accessed 28 Feb 2012

  24. Designsecurity: progpilot: a static analysis tool for security (2016). https://github.com/designsecurity/progpilot

  25. Dharmapurikar, S., Krishnamurthy, P., Sproull, T., Lockwood, J.: Deep packet inspection using parallel bloom filters. In: 11th Symposium on High Performance Interconnects, 2003. Proceedings, pp. 44–51. IEEE (2003)

  26. Erdődi, L., Jøsang, A.: Exploitation vs. prevention: the ongoing saga of software vulnerabilities. Acta Polytech. Hung. 17(7) (2020)

  27. Fauth, M.M.: phpMyAdmin: a web interface for MySQL and MariaDB (2019). https://github.com/phpmyadmin/phpmyadmin

  28. Filaretti, D., Maffeis, S.: An executable formal semantics of PHP. In: Jones, R. (ed.) ECOOP 2014. LNCS, vol. 8586, pp. 567–592. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44202-9_23

  29. FIREEYE: APT41: Double Dragon, a dual espionage and cyber crime operation (2019). https://content.fireeye.com/apt-41/rpt-apt41

  30. Fonk, M.: PHP-obfuscator: a parsing PHP obfuscator (2019). https://github.com/naneau/php-obfuscator

  31. Fratantonio, Y., Bianchi, A., Robertson, W., Kirda, E., Kruegel, C., Vigna, G.: TriggerScope: towards detecting logic bombs in android applications. In: 2016 IEEE symposium on security and privacy (SP), pp. 377–396. IEEE (2016)

  32. Grimes, H.Y.: Eir: static vulnerability detection in PHP applications (2015)

  33. Hauzar, D., Kofroň, J.: WeVerca: web applications verification for PHP. In: Giannakopoulou, D., Salaün, G. (eds.) SEFM 2014. LNCS, vol. 8702, pp. 296–301. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10431-7_24

  34. Jensen, T., Pedersen, H., Olesen, M.C., Hansen, R.R.: THAPS: automated vulnerability scanning of PHP applications. In: Jøsang, A., Carlsson, B. (eds.) NordSec 2012. LNCS, vol. 7617, pp. 31–46. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34210-3_3

  35. Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities. In: 2006 IEEE Symposium on Security and Privacy (S &P), p. 6. IEEE (2006)

  36. Jovanovic, N., Kruegel, C., Kirda, E.: Static analysis for detecting taint-style vulnerabilities in web applications. J. Comput. Secur. 18(5), 861–907 (2010)

  37. Jung, C., et al.: Hiding critical program components via ambiguous translations. In: 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE). IEEE (2022)

  38. Jung, C., Kim, D., Wang, W., Zheng, Y., Lee, K.H., Kwon, Y.: Defeating program analysis techniques via ambiguous translation. In: 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 1382–1387. IEEE (2021)

  39. Kapravelos, A., Shoshitaishvili, Y., Cova, M., Kruegel, C., Vigna, G.: Revolver: an automated approach to the detection of evasive web-based malware. In: Presented as part of the 22nd USENIX Security Symposium, pp. 637–652 (2013)

  40. Kasturi, R.P., et al.: TARDIS: rolling back the clock on CMS-targeting cyber attacks. In: 2020 IEEE Symposium on Security and Privacy, SP 2020, San Francisco, CA, USA, 18–21 May 2020, pp. 1156–1171. IEEE (2020). https://doi.org/10.1109/SP40000.2020.00116

  41. Kim, K., et al.: J-force: forced execution on JavaScript. In: Proceedings of the 26th international conference on World Wide Web, pp. 897–906. International World Wide Web Conferences Steering Committee (2017)

  42. Kinder, J., Katzenbeisser, S., Schallhart, C., Veith, H.: Detecting malicious code by model checking. In: Julisch, K., Kruegel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 174–187. Springer, Heidelberg (2005). https://doi.org/10.1007/11506881_11

  43. Kissian, P.: YAK Pro: PHP Obfuscator (2019). https://www.php-obfuscator.com/

  44. Kneuss, E., Suter, P., Kuncak, V.: Phantm: PHP analyzer for type mismatch. In: FSE 2010 Proceedings of the Eighteenth ACM SIGSOFT International Symposium on Foundations of Software Engineering, No. CONF (2010)

  45. Kolosnjaji, B., et al.: Adversarial malware binaries: evading deep learning for malware detection in executables. In: 2018 26th European Signal Processing Conference (EUSIPCO), pp. 533–537. IEEE (2018)

  46. Kumar, S., Dharmapurikar, S., Yu, F., Crowley, P., Turner, J.: Algorithms to accelerate multiple regular expressions matching for deep packet inspection. In: ACM SIGCOMM Computer Communication Review, vol. 36, pp. 339–350. ACM (2006)

  47. Lie, R.: Simple online PHP obfuscator: encodes PHP code into random letters, numbers and/or characters (2019). https://www.mobilefish.com/services/php_obfuscator/php_obfuscator.php

  48. CPO Magazine: New Report Reveals Chinese APT Groups May Have Been Entrenched in Some Servers for Nearly a Decade Using Little-Known Linux Exploits (2020). https://www.cpomagazine.com/cyber-security/new-report-reveals-chinese-apt-groups-may-have-been-entrenched-in-some-servers-for-nearly-a-decade-using-little-known-linux-exploits/

  49. Mao, J., et al.: Detecting malicious behaviors in JavaScript applications. IEEE Access 6, 12284–12294 (2018)

  50. Masters, L.: CakePHP: The Rapid Development Framework for PHP (2019). https://cakephp.org/

  51. Medeiros, I., Neves, N.F., Correia, M.: Automatic detection and correction of web application vulnerabilities using data mining to predict false positives. In: Proceedings of the 23rd International Conference on World Wide Web, pp. 63–74. ACM (2014)

  52. Microsoft: Microsoft Defender Advanced Threat Protection (2019). https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection

  53. Mirtes, O.: PHPStan: PHP Static Analysis Tool (2019). https://github.com/phpstan/phpstan

  54. Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: 2007 IEEE Symposium on Security and Privacy, pp. 231–245. IEEE (2007)

  55. Naderi-Afooshteh, A., Kwon, Y., Nguyen-Tuong, A., Razmjoo-Qalaei, A., Zamiri-Gourabi, M.R., Davidson, J.W.: MalMax: multi-aspect execution for automated dynamic web server malware analysis. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1849–1866 (2019)

  56. Nathan, P.: Pytextrank, a python implementation of textrank for text document nlp parsing and summarization (2016). https://github.com/ceteri/pytextrank/

  57. Nguyen, H.V., Nguyen, H.A., Nguyen, T.T., Nguyen, T.N.: Auto-locating and fix-propagating for html validation errors to PHP server-side code. In: Proceedings of the 2011 26th IEEE/ACM International Conference on Automated Software Engineering, pp. 13–22. IEEE Computer Society (2011)

  58. nixawk: fuzzdb: Web Fuzzing Discovery and Attack Pattern Database (2018). https://github.com/nixawk/fuzzdb

  59. Nunes, P.J.C., Fonseca, J., Vieira, M.: phpSAFE: a security analysis tool for OOP web application plugins. In: 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (2015)

  60. Olivo, O.: TaintPHP: Static Taint Analysis for PHP web applications (2016). https://github.com/olivo/TaintPHP

  61. OneSourceCat: phpvulhunter: A tool that can scan php vulnerabilities automatically using static analysis methods (2015). https://github.com/OneSourceCat/phpvulhunter

  62. Papagiannis, I., Migliavacca, M., Pietzuch, P.: PHP Aspis: using partial taint tracking to protect against injection attacks. In: 2nd USENIX Conference on Web Application Development, vol. 13 (2011)

  63. Peng, F., Deng, Z., Zhang, X., Xu, D., Lin, Z., Su, Z.: X-force: force-executing binary programs for security applications. In: 23rd USENIX Security Symposium, pp. 829–844 (2014)

  64. Piantadosi, V., Scalabrino, S., Oliveto, R.: Fixing of security vulnerabilities in open source projects: a case study of apache http server and apache tomcat. In: 2019 12th IEEE Conference on Software Testing, Validation and Verification (ICST), pp. 68–78. IEEE (2019)

  65. Preda, M.D., Christodorescu, M., Jha, S., Debray, S.: A semantics-based approach to malware detection. ACM SIGPLAN Not. 42(1), 377–388 (2007)

  66. Ridter: Pentest (2019). https://github.com/Ridter/Pentest

  67. Ruslan Budnik: The Fantastic Idea of Dazzle Camouflage (2019). https://www.warhistoryonline.com/instant-articles/dazzle-camouflage.html

  68. Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., Song, D.: A symbolic execution framework for JavaScript. In: 2010 IEEE Symposium on Security and Privacy, pp. 513–528. IEEE (2010)

  69. Sherry, J., Lan, C., Popa, R.A., Ratnasamy, S.: BlindBox: deep packet inspection over encrypted traffic. ACM SIGCOMM Comput. Commun. Rev. 45(4), 213–226 (2015)

  70. Shu, X., Yao, D., Ramakrishnan, N.: Unearthing stealthy program attacks buried in extremely long execution paths. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 401–413. ACM (2015)

  71. Symantec: Norton™ – Antivirus & Anti-Malware Software (2019). https://us.norton.com/

  72. nbs-system: php-malware-finder: Detect potentially malicious PHP files (2019). https://github.com/nbs-system/php-malware-finder/

  73. tanjiti: webshellSample: Webshell sample for WebShell Log Analysis (2018). https://github.com/tanjiti/webshellSample

  74. Taylor, T., et al.: Detecting malicious exploit kits using tree-based similarity searches. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pp. 255–266. ACM (2016)

  75. tennc: webshell: A webshell open source project (2019). https://github.com/tennc/webshell

  76. Troon, J.: PHP-webshells: Common PHP webshells (2016). https://github.com/JohnTroony/php-webshells

  77. tutorial0: WebShell: WebShell Collect (2016). https://github.com/tdifg/WebShell

  78. vimeo: psalm: A static analysis tool for finding errors in PHP applications (2019). https://github.com/vimeo/psalm

  79. xl7dev: WebShell: Webshell & Backdoor Collection (2017). https://github.com/xl7dev/WebShell

  80. Yang, Q.: Taint-em-All: a taint analysis tool for the PHP language (2019). https://github.com/quanyang/Taint-em-All

Acknowledgement

We thank the anonymous referees for their constructive feedback. The authors gratefully acknowledge the support of NSF 1916499, 1908021, 1850392, 2145616, and 2210137. This research was partially supported by Science Alliance’s StART program, the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. NRF-2021R1A4A1029650), and gifts from Cisco Systems and Google exploreCSR. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsor.

Author information

Corresponding author: Yonghwi Kwon.

A Appendix

A.1 Payload types

A webshell is malware that lets attackers access a compromised server through a web browser, which acts like a command-line interface. A backdoor provides attackers with remote access to an infected machine. Bypassers are used to evade detection by local or remote security mechanisms (e.g., firewalls). Uploaders are used to remotely inject additional malware into victim machines. Spammers compose and send spoof/spam emails. SQLShells allow remote attackers to access the databases of compromised servers, similar to webshells. A reverse shell is a type of shell that connects back from the victim’s machine to the attacker’s machine. Flooders are used to launch Denial of Service (DoS) attacks by sending an excessive number of network packets.

Copyright information

© 2023 Springer Nature Switzerland AG

Cite this paper

Lee, B. et al. (2023). Dazzle-attack: Anti-Forensic Server-side Attack via Fail-Free Dynamic State Machine. In: You, I., Youn, TY. (eds) Information Security Applications. WISA 2022. Lecture Notes in Computer Science, vol 13720. Springer, Cham. https://doi.org/10.1007/978-3-031-25659-2_15

  • DOI: https://doi.org/10.1007/978-3-031-25659-2_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-25658-5

  • Online ISBN: 978-3-031-25659-2
