In information technology, a shellcode is a small piece of machine code that is used as the payload of an exploit for a software vulnerability. The name "shellcode" derives from the fact that exploitation typically results in a command shell to which the attacker can connect in order to control the compromised machine. Shellcode is the payload delivered by exploits for any kind of vulnerability, including zero-day vulnerabilities for which no patch yet exists. There are two common types of shellcode. The first is local shellcode: the attacker, who already has some access to the machine, exploits a vulnerability and the shellcode downloads and executes malware on that machine. The second is remote shellcode: an attacker, or an already compromised machine (a bot), targets a vulnerable process on a remote machine by injecting shellcode into protocol messages and input fields in order to gain remote access (a shell) on the target. There are two ways for the attacker to establish a connection with the compromised machine: (a) the attacker exploits the target and drops a shellcode known as a bindshell, which binds to a certain port on the target to which the attacker then connects; or (b) the attacker exploits the target and drops a shellcode known as a reverse shell, which connects back to the attacker's machine. FIG. 7A illustrates shellcode attacks on remote machines. For a shellcode attack to succeed, the shellcode must execute on an unpatched machine that is running the targeted application; if the machine is patched, or is not running that application, the exploit fails and the shellcode is never executed.

Honeypots are decoy systems deployed within a production environment to lure attackers and learn their malicious behavior. Honeypots can be used to detect shellcode attacks and to learn the intent of the attacker by engaging the attacker. To be effective, honeypots must host vulnerable services spanning multiple applications and protocols. A number of protocols (FTP, SSH, SMTP, HTTP, etc.) and many applications are deployed within an enterprise (for example, there are multiple flavors of FTP server, such as ProFTPd, Pure-FTPd, vsftpd, wu-ftpd and Glftpd, each in multiple versions such as 1.9, 2.0, 2.1 and 2.2). Some of these may be vulnerable to shellcode attacks.
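As an added example (not part of the disclosed system, and not code from any honeypot product), the following C routine shows the kind of check a honeypot can run over the raw bytes of a protocol input field, such as an FTP command line, to decide whether the field carries shellcode rather than a legitimate command. It looks for three widely known indicators of x86 shellcode: a run of 0x90 (NOP) bytes forming a "NOP sled", the syscall instruction bytes (0f 05 on x86-64, cd 80 on 32-bit x86), and an embedded "/bin/sh" or "/bin//sh" string. The flag names, the threshold `NOP_SLED_MIN`, and the sample inputs are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Indicator flags OR-ed into the return value of scan_for_shellcode().
   These names are invented for this example. */
enum {
    SC_NOP_SLED   = 1 << 0,  /* run of >= NOP_SLED_MIN consecutive 0x90 (x86 NOP) bytes   */
    SC_SYSCALL    = 1 << 1,  /* x86-64 "syscall" (0f 05) or 32-bit x86 "int 0x80" (cd 80) */
    SC_SHELL_PATH = 1 << 2,  /* "/bin/sh" or "/bin//sh" embedded in the field            */
};

#define NOP_SLED_MIN 16  /* assumed threshold; tune to the honeypot's traffic */

/* Return 1 if buf contains NOP_SLED_MIN or more consecutive 0x90 bytes. */
static int has_nop_sled(const uint8_t *buf, size_t len)
{
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == 0x90) ? run + 1 : 0;
        if (run >= NOP_SLED_MIN)
            return 1;
    }
    return 0;
}

/* Byte-string search that tolerates embedded NUL bytes (memmem is not portable). */
static int memfind(const uint8_t *hay, size_t hlen, const void *needle, size_t nlen)
{
    const uint8_t *n = (const uint8_t *)needle;
    if (nlen == 0 || hlen < nlen)
        return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, n, nlen) == 0)
            return 1;
    return 0;
}

/* Scan one protocol input field; returns a bitmask of SC_* indicators (0 = clean). */
int scan_for_shellcode(const uint8_t *buf, size_t len)
{
    static const uint8_t syscall64[] = {0x0f, 0x05};
    static const uint8_t int80[]     = {0xcd, 0x80};
    int flags = 0;

    if (has_nop_sled(buf, len))
        flags |= SC_NOP_SLED;
    if (memfind(buf, len, syscall64, sizeof syscall64) ||
        memfind(buf, len, int80, sizeof int80))
        flags |= SC_SYSCALL;
    if (memfind(buf, len, "/bin/sh", 7) || memfind(buf, len, "/bin//sh", 8))
        flags |= SC_SHELL_PATH;
    return flags;
}

/* Constructed sample: a NOP sled, the "/bin//sh" string and a syscall instruction,
   as such a payload would look inside an FTP argument. This is NOT a working exploit. */
size_t build_sample_payload(uint8_t *out, size_t cap)
{
    static const uint8_t tail[] = "/bin//sh\x0f\x05";
    size_t n = 0;
    if (cap < NOP_SLED_MIN + sizeof tail)
        return 0;
    memset(out, 0x90, NOP_SLED_MIN);
    n += NOP_SLED_MIN;
    memcpy(out + n, tail, sizeof tail - 1);  /* drop the string terminator */
    n += sizeof tail - 1;
    return n;
}

/* Convenience wrapper for the test and for callers holding a C string. */
int scan_cstring(const char *s)
{
    return scan_for_shellcode((const uint8_t *)s, strlen(s));
}

int main(void)
{
    uint8_t payload[64];
    size_t n = build_sample_payload(payload, sizeof payload);
    const char *benign = "USER anonymous\r\n";  /* constructed benign FTP command */

    printf("benign field  -> flags 0x%x\n", scan_cstring(benign));
    printf("sample payload -> flags 0x%x\n", scan_for_shellcode(payload, n));
    return 0;
}
```

A single indicator is low-confidence on its own: the two-byte syscall sequences can occur by chance inside legitimate binary data such as an FTP file upload, so a honeypot would normally apply these checks to fields that the protocol defines as text (command verbs and arguments, SMTP headers, HTTP request lines) and treat a combination of indicators, or any indicator in a purely textual field, as the signal to start engaging and recording the attacker.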
The systems and methods disclosed herein provide an improved approach for characterizing and preventing shellcode attacks.