China Chopper is a 4KB Web shell first discovered in 2012. It is widely used by Chinese and other malicious actors, including APT groups, to remotely access compromised Web servers. It consists of two parts, the client interface (an executable file) and the file on the compromised web server. The latter file is so small that the client communicates directly with it. A 2012 report from a security researcher detailed that the shell worked against a fully patched Windows 2008 R2 server with default configurations. It can infect servers capable of running JSP, ASP, ASPX, PHP, or CFM and both Windows and Linux operating systems. It can be delivered through cross-site scripting (XSS), SQL injection, vulnerabilities in applications/services, file processing vulnerabilities, remote file include (RFI) and local file include (LFI) vulnerabilities, and exposed admin interfaces. The trojan contains a “Security Scan” feature to give the attacker the ability to use brute-force password guessing against authentication portals. A successful attacker can bypass security restrictions and gain unauthorized system access. The attacker can upload and download files to and from the victim devices and can edit, delete, modify time stamps, copy, and rename them. China Chopper provides example connection syntaxes and SQL commands to the attacker.

Technical Details

• FireEye provides technical analysis of the China Chopper trojan, here.