• DocumentCode
    147357
  • Title
    Towards a sandbox for the deobfuscation and dissection of PHP malware
  • Author
    Wrench, Peter M. ; Irwin, Barry V. W.
  • Author_Institution
    Dept. of Comput. Sci., Rhodes Univ., Grahamstown, South Africa
  • fYear
    2014
  • fDate
    13-14 Aug. 2014
  • Firstpage
    1
  • Lastpage
    8
  • Abstract
    The creation and proliferation of PHP-based Remote Access Trojans (or web shells), used in both the compromise and post-exploitation of web platforms, has fuelled research into automated methods of dissecting and analysing these shells. Current malware tools disguise themselves by making use of obfuscation techniques designed to frustrate any effort to dissect or reverse engineer the code. Advanced code engineering can even cause malware to behave differently if it detects that it is not running on the system for which it was originally targeted. To combat these defensive techniques, this paper presents a sandbox-based environment that aims to accurately mimic a vulnerable host and is capable of semi-automatic semantic dissection and syntactic deobfuscation of PHP code.
  • Keywords
    Internet; authoring languages; invasive software; PHP code; PHP malware; PHP-based remote access Trojans; Web platforms; Web shells; advanced code engineering; malware tools; sandbox-based environment; semi-automatic semantic dissection; syntactic deobfuscation; Arrays; Databases; Decoding; Malware; Process control; Semantics; Software; Code deobfuscation; Reverse engineering; Sandboxing;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Security for South Africa (ISSA), 2014
  • Conference_Location
    Johannesburg
  • Print_ISBN
    978-1-4799-3383-9
  • Type
    conf
  • DOI
    10.1109/ISSA.2014.6950504
  • Filename
    6950504