PHP WebShell Malware using Image Files

WebShell is a file that is uploaded to a web server which runs file navigation or system shell commands. The attacker can use the web browser to navigate through the files of the server system and issue shell commands. Certain file extensions for uploaded files can be restricted to prevent malicious WebShell files from being uploaded to the server; however, the attacker can bypass such actions with the following method:

  • Upload a file that bypasses the Server-Side Script’s file extension filtering.
  • Upload a file by inserting a malicious script to a file with an uploaded file extension such as GIF, PNG, and JPEG images.

This report is about the second method mentioned above and will explain the WebShell malware inserted in a GIF image file. The GIF file may or may not be a valid image file. The attacker inserts behind the server-side script GIF magic value (GIF87a/GIF89a) like PHP or ASP, or behind TRAILER(3B), which is the last of the file. Normally, the server determines whether the image file format is valid or not by checking at the magic value only. Using this principle, the attacker inserts a malicious script behind the magic value by a few bytes so that the file can be recognized as an image file.

Figure – PHP WebShell using image files

Below is the signature version with the YARA rule (The actual detection method by the V3 product is different).

The ASEC analysis team analyzed different types of WebShell files and updated the detection so that these cases can be detected. If a WebShell malware is detected in the web server, additional malware or breaches may exist, therefore users must conduct an intense scan.

[File Detection]
WebShell/GIF.Backdoor.GEN (2020.12.02.03)


5 3 votes
Article Rating
Notify of

Inline Feedbacks
View all comments