Improving Cyber Attack Detection System To Adopt The Changing Of Exploit Kit

Hiroki Mashiko, Hisamichi Ohtani, Masayoshi Shigeta
NTT DATA Corporation, Toyosu 3-3-9, Koto-ku, Tokyo 135-8671, JAPAN
{mashikoh,ootanihs,shigetam}@nttdata.co.jp

Abstract. We have developed a cyber attack detection system that monitors the logs of network appliances. The system captures characteristics of Exploit Kits and is therefore effective at detecting Drive-by Download attacks; by the same token, when the characteristics of Exploit Kits change, the system must be updated. We have both improved the system to keep up with these changes and implemented a new method that captures other characteristics of Drive-by Download attacks. In this paper we report the detection rate of the system on the MWS2015 Datasets and discuss the advantages of the new method we implemented to improve the system.

1

Exploit Kit Drive-by Download DbD 2014 Exploit Kit

Computer Security Symposium 2015, 21 - 23 October 2015
-24-


Exploit Kit

Exploit Kit

2

2.1

[1]

Exploit Kit

DbD 1 5

1 Exploit Kit DbD

Redirect

pre-Exploit

pre-Exploit

Exploit

pre-Exploit

Exploit Exploit

pre-DL

Downloader

Downloader

pre-DL Exploit

malware-DL

Expolit

pre-DL

malware-DL

Nuclear Exploit Kit DbD

1

1 DbD

1 (1)

(2) Redirect (3) pre-Exploit

(4) Exploit (5)

pre-DL

(3)pre-Exploit (5)pre-DL

h**j.c**r.pw

suffix

UserAgent 2

2 DbD

2 (3) Javascript

HTML HTML

iframe

Web UserAgent

Internet Explorer

suffix html HTML

-25-


Javascript

Java

JRE

(4) (4) JRE

CVE-2013-2423 Exploit

Exploit (3)

JRE

Web UserAgent

JRE suffix jar

Exploit

(5) (5)

Windows Zbot

JRE

UserAgent JRE

JRE

JRE

suffix

UserAgent

Nuclear Exploit Kit

Java

6

pre-Exploit

pre-DL

Exploit Kit DbD

2.2

Tokyo SOC [2][3] 2013

DbD 90% JRE

2014

DbD 65%

Adobe Flash Player

DbD 2013 10%

2014 34%

Cisco 2014 Midyear Security Report

[4] FlashPack Angler, Fiesta, RIG

JRE Exploit

Exploit Kit

Exploit Kit

JRE

2014 Exploit Kit

2.3

Exploit Kit

Exploit Kit

2014

JRE Adobe Flash Player

JRE

Exploit Kit

Exploit Kit

Exploit Kit

3

3.1

2.1 Exploit Kit

pre-Exploit pre-DL

3

Redirect

malware-DL Exploit

Kit

2

Exploit Kit

2014 8 9

-26-


DbD

DbD 69 Redirect

malware-DL

Exploit Kit

3.2 Redirect

Redirect

8 47

Exploit Kit

Redirect

5

2

A)

2014 8 TrendMicro

FlashPack Exploit Kit

[6]

DbD

URL 2

2 FlashPack

2 (3) (4) Redirect (5)

pre-Exploit / Exploit

(5) FlashPack Exploit Kit

2014 9 3

3 RIG

3 (3) (4) Redirect

2014 8 2

(5) URL RIG

Exploit Kit

DbD

Redirect pre-Exploit

Redirect

Windigo

[5]

B) r**k.ru

2014 9 1

4

4 RIG

4 (2) Redirect (3)

pre-Exploit / Exploit

(3) RIG Exploit Kit

Redirect

r**k.ru

DbD

9 5

5 NullHole

5 (2) Redirect (3)

pre-Exploit / Exploit

Redirect URL 4

(3)

NullHole Exploit Kit

Redirect pre-Exploit

DbD

Exploit Kit

-27-


pre-Exploit pre-DL

Redirect

Redirect

Exploit Kit

3.3 malware-DL

malware-DL

4 Exploit

Kit malware-DL

malware-DL

pre-DL

malware-DL

Downloader

DbD

malware-DL

4

4.1 Redirect

Redirect

Redirect Proxy

1 2 Web

DbD

URL

URL

4

4 (3) {base64}

Web

URL Web

DbD Redirect

URL Web

Redirect Web

Redirect

Web Web

DbD

DbD

5 DbD

(i)

302

DbD

(ii) Movable Type

DbD

(iii) Flash

DbD

(iv) Wordpress

Internet Explorer

-28-


DbD

(v)

DbD

4.2 Exploit

Redirect

Exploit Kit

pre-Exploit pre-DL

Exploit

Exploit Kit

DbD

JRE Exploit

7 Exploit Kits: (a) RIG, Fiesta, Angler, FlashPack; (b) Nuclear, Neutrino, Magnitude
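The stage model of section 2.1 (Redirect, pre-Exploit, Exploit, pre-DL) and the proxy-log keys the paper names in sections 2.1 and 4.1 (UserAgent, URL suffix, an HTTP 302 hop, a base64-encoded URL component, the referer between web sites) can be combined into a small chain detector over proxy logs. The Python below is an added example written for this page, not the authors' system and not the code evaluated in sections 5 and 6; the log format, the concrete tagging rules, the 60-second window, the required stage order and the sample log lines are all constructed assumptions.

```python
"""Proxy-log chain detector for Drive-by Download (DbD) stages.

Added example for this page, not the authors' system. Stage names follow the
paper (Redirect, pre-Exploit, Exploit, pre-DL); the log format, tagging rules,
time window and sample lines are constructed assumptions.
"""
import base64
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed proxy log format: "<epoch> <client> <method> <url> <status> <referer> <user-agent>"
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (.+)$")
JAVA_UA = re.compile(r"^Java/\d")             # the JRE's own UserAgent, e.g. "Java/1.7.0_17"
WINDOW = 60                                   # seconds one chain may span (assumption)
REQUIRED = ("Redirect", "Exploit", "pre-DL")  # ordered stages an alert needs (assumption)

# Constructed sample log: one DbD chain (10.0.0.5) and one benign applet load (10.0.0.9).
SAMPLE_LOG = """\
1433120000 10.0.0.5 GET http://news.example/index.html 200 - Mozilla/5.0 (compatible; MSIE 9.0)
1433120001 10.0.0.5 GET http://ads.example/go.php 302 http://news.example/index.html Mozilla/5.0 (compatible; MSIE 9.0)
1433120002 10.0.0.5 GET http://ek-landing.example/aHR0cDovL2V4YW1wbGUub3JnLw==/ 200 http://ads.example/go.php Mozilla/5.0 (compatible; MSIE 9.0)
1433120003 10.0.0.5 GET http://ek-landing.example/landing.html 200 http://ads.example/go.php Mozilla/5.0 (compatible; MSIE 9.0)
1433120004 10.0.0.5 GET http://ek-landing.example/loader.jar 200 - Java/1.7.0_17
1433120005 10.0.0.5 GET http://ek-landing.example/pre 200 - Java/1.7.0_17
1433120100 10.0.0.9 GET http://shop.example/ 200 - Mozilla/5.0 (compatible; MSIE 9.0)
1433120101 10.0.0.9 GET http://cdn.example/app.jar 200 http://shop.example/ Java/1.7.0_17
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, _method, url, status, referer, ua = m.groups()
    return {"ts": int(ts), "client": client, "url": url, "status": int(status),
            "referer": None if referer == "-" else referer, "ua": ua}


def looks_base64(segment):
    """True if a URL path segment is base64 that decodes to printable ASCII."""
    if len(segment) < 12 or not re.fullmatch(r"[A-Za-z0-9+/=]+", segment):
        return False
    try:
        decoded = base64.b64decode(segment + "=" * (-len(segment) % 4), validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return False
    return all(32 <= b < 127 for b in decoded)


def stage_of(rec):
    """Tag one request with a DbD stage from status, URL suffix, UserAgent and referer.
    A tag alone is not an alert: a benign applet also fetches a .jar with the JRE
    UserAgent, so detect() insists on the ordered chain."""
    url, ref = urlsplit(rec["url"]), urlsplit(rec["referer"] or "")
    last = url.path.rsplit("/", 1)[-1]
    suffix = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    java = bool(JAVA_UA.match(rec["ua"]))
    if rec["status"] == 302 or any(looks_base64(s) for s in url.path.split("/")):
        return "Redirect"                     # 302 hop, or a redirector URL carrying base64
    if java and suffix == "jar":
        return "Exploit"                      # JRE fetching the exploit archive
    if java and suffix == "":
        return "pre-DL"                       # JRE fetching a suffix-less URL after the jar
    if suffix == "html" and ref.hostname and ref.hostname != url.hostname:
        return "pre-Exploit"                  # landing page reached from another site
    return None


def first_chain(tagged, window):
    """Return the first REQUIRED-ordered run that starts at a Redirect and fits in `window` seconds."""
    for i, head in enumerate(tagged):
        if head[1] != REQUIRED[0]:
            continue
        chain, want = [head], 1
        for item in tagged[i + 1:]:
            if item[0] - head[0] > window:
                break
            if item[1] == REQUIRED[want]:
                chain.append(item)
                want += 1
                if want == len(REQUIRED):
                    return chain
    return None


def detect(log_text, window=WINDOW):
    """Group requests per client, tag stages, and alert on each client whose
    tagged requests form a Redirect -> Exploit -> pre-DL chain."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_client[rec["client"]].append(rec)
    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        tagged = [(r["ts"], stage_of(r), r["url"]) for r in recs]
        chain = first_chain([t for t in tagged if t[1]], window)
        if chain:
            alerts.append({"client": client,
                           "stages": [s for _, s, _ in chain],
                           "urls": [u for _, _, u in chain]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["client"], " -> ".join(alert["stages"]))
```

Run stand-alone, the block reports one chain for 10.0.0.5 and nothing for 10.0.0.9: the benign applet load is tagged Exploit by its .jar suffix and JRE UserAgent, but no Redirect precedes it, which is the same reason the paper pairs per-request keys (UserAgent, suffix) with the order of stages rather than alerting on a single request. Shrinking the window (for example to 2 seconds) suppresses the alert, so the window is a tuning knob between missed slow chains and false positives from unrelated requests.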

5 D3M Datasets

5.1

D3M(Drive-by Download Data by

Marionette) Datasets 2015 2

A) Web

(Marionette) URL

DbD

B) Marionette

(Botnet Watcher)

C&C

DbD

(A)

pcap

pcap

HTTP

Proxy

(A)

pre-Exploit, Exploit, pre-DL

Proxy

283

5.2

3

3

2011 55.2% 2012

2013 80%

2013 95.2%

2014 2015

1

D3M

Datasets 2014

[7]

2015

Angler Exploit Kit

URL

Angler Exploit Kit

Proxy

pcap 3

2 Exploit

-29-


0byte byte

Exploit

1 Exploit

Internet Explorer

DbD

6

D3M Datasets Redirect

6.1

2015 4 7

30

Redirect

Redirect

Redirect

Redirect

Redirect

Exploit

Exploit

Redirect

Exploit

6.2

Redirect

24

80%

Exploit

6 5

Exploit

Exploit

6

Redirect

5 Exploit

6

Exploit

Redirect

7

2015 6 1 6 30

5 4,915 Proxy

10

0.018%

1

0.011%

[7]

8

Redirect

Exploit

Redirect

Exploit

-30-


Exploit

JRE

9

Exploit Kit

Exploit

Redirect

Redirect

Exploit

Exploit

Redirect

Redirect

JRE

Exploit

malware-DL

malware-DL

Downloader

Exploit Kit

Downloader

C&C

[1] Drive-by Download, MWS 2013
[2] 2013 Tokyo SOC report, https://www-935.ibm.com/services/multimedia/tokyo-soc-report2013-h2-jp.pdf
[3] 2014 Tokyo SOC report, https://www-304.ibm.com/connections/blogs/tokyo-soc/resource/PDF/tokyo_soc_report2014_h1.pdf
[4] Cisco 2014 Midyear Security Report, http://www.cisco.com/web/offers/lp/midyear-security-report/index.html
[5] Olivier Bilodeau, Operation Windigo, http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf
[6] Walter Liu, "Website Add-on Targets Japanese Users, Leads To Exploit Kit", http://blog.trendmicro.com/trendlabs-security-intelligence/website-add-on-targets-japanese-users-leads-to-exploit-kit/
[7] MWS2014

-31-