2020-02-05

In a blog post promoting the capabilities of its commercial security platform – Microsoft Defender ATP – Microsoft said the company’s security team detects and tracks an average of 77,000 active web shells daily, spread across 46,000 infected servers.

But while the blog post is primarily a promotion of Defender ATP’s detection capabilities, the two daily figures – 77,000 web shells on 46,000 servers – are the part of Microsoft’s recent marketing material that stands out.

Both figures are huge, and the 77,000 figure in particular is far larger than anything previous reports on the prevalence of web shells have suggested.

For example, earlier this month GoDaddy’s Sucuri reported cleaning up around 3,600 web shells from hacked websites during the whole of 2019, a number dwarfed by Microsoft’s daily detection count.

What is a web shell

The figures from Microsoft emphasize the prevalence of these tools in the arsenal of today’s hackers – where web shells are considered a must for every threat actor, from modest hacktivist groups that deface websites to government-sponsored cyber espionage groups.

Web shells are prized for what they let an attacker do. For non-technical ZDNet readers who have not come across the term before, a “web shell” is a malicious program or script installed on a hacked server.

They offer a visual interface that hackers can use to interact with the hacked server and its file system. Most web shells contain basic functions for renaming, copying, moving, editing and uploading files on the server. They can also be used to change file and folder permissions, or to archive and download (steal) data from the server.

Hackers usually install web shells by exploiting vulnerabilities in internet-facing servers or web applications (such as content management systems (CMSs), CMS plug-ins and themes, CRMs, intranet portals, and so on).

Web shells can be written in any programming language, from Go to PHP. This allows hackers to hide web shells in the code of any website under generic names (such as index.asp or uploader.php), making detection by a human operator virtually impossible without a web firewall or web malware scanner.

Where a web shell is discovered, a backdoor script is often found nearby, because the two are commonly used together. Hackers usually breach a server, plant a web shell to give themselves access to the file system, and then install a backdoor – an automated script that periodically re-installs the web shell, or otherwise keeps a route open for the hacker to reinfect the server if the web shell is ever discovered and removed.

Today’s most popular web shell is by far a tool called China Chopper. First spotted in 2012, this small but versatile web shell is the work of Chinese hackers. It was released on a Chinese hacking forum, from where it was adopted by almost every threat actor around the world.

In its blog post yesterday, Microsoft warned system administrators to take web shells seriously. Based on its previous investigations, Microsoft says hackers often use web shells to upload other hacking tools to victims’ systems, tools that are later used for reconnaissance and lateral movement across the victim’s internal network, turning simple web server hacks into much larger security incidents.