Last-minute paper: The shell in the web

Thursday 5 October 11:30 - 12:00, Red room

Simon Roses Femerling (VULNEX)

Web shells are post exploitation scripts used by different actors on the Internet as a mechanism to maintain access to and persistence in an organization once compromised. In short, they are powerful remote management tools.

Despite the mythical US-CERT alert (TA15-314A) published in November 2015 on the increased use of the web shells by attackers and how to detect them, the problem not only continues but has increased. In July 2016, IBM X-Force published several blogs on the rising use by attackers of powerful web shells known as C99 and B374K, but the reality is that there are hundreds of different web shells with all kinds of offensive capabilities. MITRE ATT&CK keeps a list of known APTs that use web shells to maintain access.

This talk is a vision of the current state of web shells: what they are, the different types, how to detect them and how to mitigate their impact on an organization, based on the study of hundreds of web shells in different programming languages such as PHP, ASP, Perl and Python to determine their offensive capabilities and obfuscation methods, perform attacker profiling and establish reliable methods of detection.

Attackers have used web shells for decades, but even today many security experts are not familiar with these post exploitation tools, much less how to detect and analyse them.

Given the proliferation of the use of web shells by attackers, knowing these tools and how to mitigate them is of vital importance from a defensive point of view.


Simon-Femerling-web.jpg Simon Roses Femerling
Simon Roses holds a B.S. from Suffolk University (Boston), a postgraduate degree in e-commerce from Harvard University (Boston) and an Executive M.B.A. from IE Business School (IE, Madrid). Currently he is the CEO at VULNEX, driving security innovation. Formerly he worked at Microsoft, PricewaterhouseCoopers and @Stake. Simon has authored and cooperated in several open-source security projects such as OWASP Pantera and LibExploit. He has also published security advisories in commercial products. Simon was awarded with a DARPA Cyber Fast Track (CFT) grant to research on application security. Simon is a requent speaker at security industry events including Black Hat, DEF CON, RSA, HITB, OWASP, SOURCE. DeepSec and Microsoft Security Technets. Simon blogs at






Other VB2017 papers

The state of cybersecurity in Africa: Kenya

Tyrus Kamau (Euclid Consultancy)

The cyber threats Kenya faces range from basic hacking such as website defacements, financial fraud, social media account…

Walking in your enemy's shadow: when fourth-party collection becomes attribution hell

Juan Andres Guerrero-Saade (Kaspersky Lab)
Costin Raiu (Kaspersky Lab)

Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt…

XAgent: APT28 cyber espionage on macOS

Tiberius Axinte (Bitdefender)

This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.