Analyzing and detecting web shells

Of the various pieces of malware I've analyzed, I still find web shells to be the most fascinating. While this is not a new topic, I've been asked by others to do a write-up on web shells, so here it is ;).

For those new to web shells, think of this type of malware as code designed to be executed by the web server itself: instead of writing a backdoor in C, for example, an attacker can write malicious PHP and upload it directly to a vulnerable web server, where the interpreter runs it on every request. Web shells exist for many different languages and server types.
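Because a web shell is just server-side source code, the simplest detection approach is to look at that source for the combination that defines one: request-controlled input flowing into a function that runs commands or evaluates code, or an `eval` wrapped around a decoder. The scanner below is an added example written for this post, not code from the original write-up; the rule names, the regexes, the 200-character blob threshold and the three PHP fixtures in `SAMPLES` are my own constructed assumptions, and the heuristics are deliberately narrow, so treat hits as triage leads rather than verdicts.

```python
#!/usr/bin/env python3
"""Heuristic scanner for PHP web shell indicators (added example, not from the post)."""
import re
import sys
from pathlib import Path

# Functions that hand a string to the operating system or the PHP interpreter.
EXEC_FUNCS = r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)"
# Superglobals an attacker can populate from the network.
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b"

# Rule name -> compiled pattern. Each rule captures one web shell trait.
RULES = [
    # Request input reaching an execution sink, e.g. system($_GET['cmd']).
    ("exec-of-request-input",
     re.compile(EXEC_FUNCS + r"\s*\(\s*[^;]*?" + REQUEST_INPUT, re.I)),
    # eval/assert directly over a decoder: the classic obfuscated loader.
    ("eval-of-decoded-payload",
     re.compile(r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I)),
    # Backtick shell execution that embeds a request variable.
    ("backtick-shell",
     re.compile(r"`[^`\n]*" + REQUEST_INPUT + r"[^`\n]*`")),
    # Variable function call fed by request input, e.g. $f($_POST['x']).
    ("dynamic-function-call",
     re.compile(r"\$\w+\s*\(\s*" + REQUEST_INPUT, re.I)),
    # A single very long base64-alphabet string literal (assumed threshold: 200 chars).
    ("long-encoded-blob",
     re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
]


def scan_php_source(source: str, name: str = "<input>") -> list:
    """Return one finding dict per rule hit, with the 1-based line of the match."""
    findings = []
    for rule, pattern in RULES:
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            findings.append({"file": name, "rule": rule, "line": line,
                             "match": m.group(0)[:80]})
    return findings


def scan_tree(root, exts=(".php", ".phtml", ".php5", ".inc")) -> list:
    """Walk a web root and scan every file whose extension looks like PHP."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            results.extend(scan_php_source(text, str(path)))
    return results


# Constructed fixtures (not real samples) so the scanner runs offline.
SAMPLES = {
    # Minimal one-liner: request input evaluated as code.
    "shell_oneliner.php": "<?php @eval($_POST['cmd']); ?>",
    # Obfuscated loader: decoder output handed straight to eval.
    "obfuscated.php": "<?php eval(base64_decode('" + "QUFB" * 80 + "')); ?>",
    # Benign use of a request variable; must produce no findings.
    "benign.php": "<?php $name = htmlspecialchars($_GET['name'] ?? ''); echo \"Hello $name\"; ?>",
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_tree(sys.argv[1])            # usage: scanner.py /var/www/html
    else:
        hits = [f for name, src in SAMPLES.items() for f in scan_php_source(src, name)]
    for f in hits:
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['match']}")
    sys.exit(1 if hits else 0)
```

Run with no arguments to see the fixtures scored, or point it at a web root to triage real files. The non-zero exit status makes it easy to wire into a cron job or CI check; the obvious next steps for a defender are baselining the rule output against a known-clean copy of the site and pairing it with file-integrity monitoring, since a scanner that only knows these patterns will miss shells that avoid them.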

Web shells 101