The common saying goes “You have to think like a crook to catch a crook”, so let’s put ourselves in our adversary’s shoes. We are going to (theoretically) infect the well-crafted code of the PHP Joburg Meetup group. What are we after and how will we do it?

In this presentation I’ll first build a simple threat model of the kind of attacker and virus most commonly targeting our web applications. Then I’ll use our favourite programming language to build said virus in a series of demos. In the (paraphrased) words of Thanos: “I’ll use the PHP to destroy the PHP” ;-)

Through this we’ll cover how, despite rigorously coding with sane security measures, our code may still get infected, but by glimpsing the mindset of our adversary, you’ll leave with a fresh perspective that will improve the security of the code you write going forward. At the very least, you’ll be better armed to fix the next pwned CMS you encounter.
Building Viruses in PHP Brad Mostert @bsinkwa PHP Joburg Meetup January 2020
Agenda • Build a Threat Model • Flip this Threat Model - characterize ourselves as the Adversary • Iteratively build our Virus • Use this knowledge to improve how we develop our applications
Attribution – Ben Dechrai • Heavily influenced by similar presentation by Ben • Demos plagiarized – theory is my own • Ben is: • Developer Advocate @ Auth0 • PHP Developer • Prolific & Incredibly polished • Kilt-wearing • In the ‘wrong’ timezone • Go check out his stuff @bendechrai bendechrai.com
Why Me? • Maintained my own servers and applications for over a decade • Do the same for a large ISP • Did some academic research into Browser-based JavaScript Botnets • Wearing Black Hoodie and fingerless gloves @bsinkwa b.sinkwa.com
Disclaimer Views and comments are my own and do not represent my employer. Techniques and information in this presentation are intended for educational purposes to aid in building more secure web applications. Virulent code can be dangerous. If experimenting, ensure you have isolated backups. Only execute in a sandboxed environment. Speaker does not assume any responsibility and shall not be held liable for any use of tools and information presented.
Attendee Pledge Please Stand
Attendee Pledge I, {your name}, pledge to use the following information for good
Attendee Pledge If I fail to uphold this pledge
Attendee Pledge If I fail to uphold this pledge I commit to 200 hours of community service
Attendee Pledge If I fail to uphold this pledge I commit to 200 hours of community service doing tech support for other people’s grandparents
Threat Model Frameworks: STRIDE PASTA LINDDUN CVSS Attack Trees Persona non Grata Security Cards hTMM Quantitative Threat Modeling Trike VAST OCTAVE “Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be prioritized. The purpose of threat modeling is to provide defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker.” -Wikipedia
Threat Model – Easy Version • Assets • Risks • Adversary • Mitigations and Controls
Our Assets – What Are we Attacking/Defending • PHP Web Application • Running in a datacenter / cloud platform • Webserver(s) • Database server(s) • Mail Server(s) • Load-balancers / caching • DNS Infrastructure • One machine or many • May not all be managed by us This presentation is not about a virus for end-user machines. Anyone know if we can get PHP Binary down from 12MB though?
Our Assets – Abstraction • Servers • Capital Outlay / Platform Fees • Compute Power, Bandwidth, Storage • IP Address • Repudiation, Identity • Reputation (Not on Blocklists) • Sensitive Information • Service • Availability • Ransom • Userbase • Acquired market share • People someone else acquired
Adversary – Target You Specifically: • Advanced Persistent Threat (APT) • Takes skill, time, effort and ‘criminal mindset’ • Unlikely unless you: • Have something very valuable • Are controversial or upsetting to someone. Indiscriminately Target: • Use known vulnerabilities • Scan and infect large numbers in automated fashion • Done as a job. Ongoing – low impact per case • Not necessarily as skilled • Botnet. Local Presentation: Dominic White & Marc Peiser (SensePost) - Hacking and Defending Systems at Scale. They hack MyBroadband
Risk – Classification (matrix of Likelihood, Low to High, against Impact, Low to High). Quadrant labels: Our Virus – Fly under the radar, Profit from Scale; Things we already defend naturally; What security people use in budget meetings; Defcon Talks; Accept as a cost of business – Not worth our time
Risk – Vulnerabilities • PHP Version <= 7.1 • Unpatched CMS • Known Vulnerabilities in Composer Packages (CVE) github.com/Roave/SecurityAdvisories security.symfony.com
Mitigations and Controls • Signature-based scanning (ClamAV, Grep) • IO Intensive • Make our virus polymorphic and obfuscated • Firewall / Mail Blocklist • Fit in with regular traffic • Anomaly detection (often manual) • Ramp up slowly. Don’t capitalize systems • Surplus Resources • If we’re benign enough, we may get ignored (cost/benefit) • Automated Dependency Upgrades • If we get in, entrench ourselves • Secure Configuration • Go for low-hanging fruit
Mitigations and Controls • cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html • paragonie.com/blog/2017/12/2018-guide-building-secure-php-software • github.com/guardrailsio/awesome-php-security Sprinkled Throughout the Presentation
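The slide pairs signature-based scanning with the attacker's answer to it (polymorphism and obfuscation). A control that does not care what the code looks like is a file-integrity baseline: hash every PHP file once, then flag anything added, removed or modified on later runs. This is an added example for this page, not a demo from the talk; the webroot and manifest paths are assumed, and the manifest should live outside the webroot and be unwritable by the PHP user.

```php
<?php
// Added example (not from the talk): file-integrity baseline for a PHP webroot.
// Signature scanners can be dodged by rewriting the payload; a hash manifest
// reports ANY changed, added or removed .php file regardless of its content.
// Assumed paths: /var/www/app (webroot), /var/lib/integrity/manifest.json (baseline).

declare(strict_types=1);

/** Hash every .php file under $root, keyed by path relative to $root. */
function buildManifest(string $root): array
{
    $manifest = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if ($file->isFile() && strtolower($file->getExtension()) === 'php') {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $manifest[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($manifest);
    return $manifest;
}

/** Compare a fresh scan against the stored baseline; returns changes by type. */
function diffManifest(array $baseline, array $current): array
{
    $added    = array_diff_key($current, $baseline);
    $removed  = array_diff_key($baseline, $current);
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if (!hash_equals($baseline[$path], $hash)) {
            $modified[] = $path;
        }
    }
    return ['added' => array_keys($added), 'removed' => array_keys($removed), 'modified' => $modified];
}

$root  = '/var/www/app';                      // assumed webroot
$store = '/var/lib/integrity/manifest.json';  // assumed baseline location, outside the webroot

if (($argv[1] ?? '') === 'baseline') {
    // Run once after a known-good deploy (and again after every legitimate deploy).
    file_put_contents($store, json_encode(buildManifest($root), JSON_PRETTY_PRINT));
    exit(0);
}
$baseline = json_decode((string) file_get_contents($store), true) ?? [];
$changes  = diffManifest($baseline, buildManifest($root));
$dirty    = array_filter($changes); // drop empty categories
echo $dirty ? json_encode($dirty, JSON_PRETTY_PRINT) . PHP_EOL : "clean\n";
exit($dirty ? 1 : 0);
```

Run `php integrity.php baseline` after a trusted deploy, then `php integrity.php` from cron; a non-zero exit with a JSON list of paths is the alert to investigate.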
Gameplan • Target PHP Web Application • To steal resources and IP reputation • Targeting large numbers of servers via known vulnerabilities • To make money as our full-time job (Botnet) • Low impact threat per system but high occurrence (automated) • Long-lived entrenched infection