Analysis and Installation guide for Cloudwalker

By Yulun Wang

Introduction

What is Cloudwalker

Cloudwalker is an open-source server security management platform. Currently the open-source version only contains webshell detection, but asset management and baseline measurement are planned for the future.

Why Cloudwalker

Webshell detection is one of the most crucial parts of web server security scanning, because a webshell is usually the first step of an intrusion through a web server. The earlier a webshell is detected, the less damage the intruder can do. Although detection cannot prevent an intrusion from happening, it can keep the loss from the intrusion to a minimum.

Traditionally, webshell detection is based on characteristics of webshells that researchers have found in the past. This scanning mechanism usually produces many false positives, which take system administrators a lot of time to sort out. More importantly, intruders with sufficient knowledge of the detection mechanism can usually bypass it with a relatively small change to the webshell.

Cloudwalker uses a neural network to reduce false positives and make bypassing harder. Since the output of a neural network is usually hard for a human to interpret, an intruder who wants to bypass the system can only probe which features are sensitive and which are not. This property makes it harder to bypass than typical webshell detection. Furthermore, it can respond faster to new webshells. In short, Cloudwalker is more effective and less likely to be bypassed than a regular webshell scanner.

Installation Guide

Platform Requirement

  • Linux with kernel version >= 2.6.32
  • macOS: must be compiled manually
  • Windows is currently not supported

Method 1: Run the executables directly

  • (optional) Rename the file to webshell-detector:
$ mv webshell-detector-* webshell-detector
  • Run the executable with the file or directory you want to scan as the argument:
$ ./webshell-detector DIRECTORY_TO_SCAN

The result will be displayed on the console.

  • You can also have the result saved as an HTML document by adding the -html and -output flags:
$ ./webshell-detector -html -output FILE_TO_SAVE DIRECTORY_TO_SCAN

Method 2: compile the sourcecode

You can also compile the source code manually if the executable doesn't work.

  • Unzip the file, then compile the PHP-Asp plugin in the php folder:
$ cd webshell-detector-*/tool/webshell-detector/php
$ make
  • Enter the bin folder and compile the main program with "go build" (you might need to install Go first):
$ cd ../bin
$ go build
  • The executable will be in the bin folder.

Test on performance

  • Webshells used

The webshells used for this test come from the webshell collection at tennc.github.io/webshell, which contains 758 webshells. Although the collection doesn't contain the most recent webshells, it is still valuable for testing the performance of a webshell scanner.

  • Performance

As shown above, it detected 610/758 shells from this collection, an accuracy of 80.4%. This detection rate is not perfect, but considering that the neural network can be trained to be more accurate over time as it gains more samples, the accuracy is acceptable.

  • Bypass shell detection

This part used a collection of webshells that include specific protections against scanning. The result is shown below:

It detected 78/100 shells that were specially designed to bypass scanning, an accuracy of 78%. This is only slightly lower than the accuracy on the overall collection, which indicates that bypass mechanisms usually don't work against this scanner, as intended by its design.
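To reproduce the two measurements above on your own corpus, here is an added evaluation harness (not part of the Cloudwalker project or this post) that runs the Method 1 binary over a labelled directory tree and, beyond what the post measures, also counts false positives on a directory of known-clean files. The console format (one flagged path per line) and the corpus layout (CORPUS_DIR/webshells and CORPUS_DIR/benign) are assumptions.

```python
import subprocess

def parse_flagged(output):
    """Return the set of file paths the detector reported.

    ASSUMPTION: the console output lists one flagged path per line
    (lines starting with '/' or './'); adjust this if your build differs.
    """
    flagged = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("/") or line.startswith("./"):
            flagged.add(line)
    return flagged

def run_detector(detector, target):
    """Run the webshell-detector binary on a directory (Method 1) and parse its output."""
    proc = subprocess.run([detector, target], capture_output=True, text=True, check=False)
    return parse_flagged(proc.stdout)

def evaluate(flagged, malicious, benign):
    """Score one scan against a labelled corpus.

    malicious: paths of known webshells (e.g. the tennc collection);
    benign: paths of files known to be clean, used to measure false positives.
    """
    malicious, benign, flagged = set(malicious), set(benign), set(flagged)
    detected = malicious & flagged
    false_pos = benign & flagged
    return {
        "detection_rate": round(len(detected) / len(malicious), 4) if malicious else 0.0,
        "false_positive_rate": round(len(false_pos) / len(benign), 4) if benign else 0.0,
        "missed": sorted(malicious - flagged),  # webshells to triage and feed back as samples
        "false_positives": sorted(false_pos),
    }

if __name__ == "__main__":
    import sys
    from pathlib import Path
    # usage: evaluate.py ./webshell-detector CORPUS_DIR
    # where CORPUS_DIR/webshells holds known shells and CORPUS_DIR/benign known-clean files
    detector, corpus = sys.argv[1], Path(sys.argv[2])
    mal = [str(p) for p in (corpus / "webshells").rglob("*") if p.is_file()]
    clean = [str(p) for p in (corpus / "benign").rglob("*") if p.is_file()]
    print(evaluate(run_detector(detector, str(corpus)), mal, clean))
```

The "missed" list is the useful output for a defender: those are the samples worth reporting upstream so the model can be retrained, as the post suggests.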

Conclusion

The Cloudwalker webshell scanner uses a neural network as its core to determine whether a file is a webshell. Currently the accuracy is not ideal: 80.4% is not high. However, it is less likely to be bypassed than a typical webshell scanner. This characteristic makes it a good improvement over the traditional webshell scanner.
