Improving Cyber Attack Detection System To Adopt The Changing Of Exploit Kit
Hiroki Mashiko, Hisamichi Ohtani, Masayoshi Shigeta
NTT DATA Corporation
Toyosu 3-3-9, Koto-ku, Tokyo 135-8671, JAPAN
{mashikoh,ootanihs,shigetam}@nttdata.co.jp
Abstract: We have developed a cyber attack detection system that monitors the logs of network appliances. The system captures characteristics of Exploit Kits and therefore has advantages in detecting Drive-by Download attacks. Consequently, when the characteristics of Exploit Kits change, the system needs to be updated. We have not only improved the system to keep up with the changes in Exploit Kits, but have also implemented a new method that captures other characteristics of Drive-by Download attacks. In this paper, we describe the detection rate of this system using the MWS2015 Datasets, and discuss the advantages of the new method we implemented to improve the system.
1 Exploit Kit
Drive-by Download
DbD
2014 Exploit Kit
Computer Security Symposium 2015 21 - 23 October 2015
24
-
Exploit Kit
Exploit Kit
2
2.1
[1]
Exploit Kit
DbD 1 5
1 Exploit Kit DbD
Redirect
pre-Exploit
pre-Exploit
Exploit
pre-Exploit
Exploit Exploit
pre-DL
Downloader
Downloader
pre-DL Exploit
malware-DL
Exploit
pre-DL
malware-DL
Nuclear Exploit Kit DbD
1
1 DbD
1 (1)
(2) Redirect (3) pre-Exploit
(4) Exploit (5)
pre-DL
(3)pre-Exploit (5)pre-DL
h**j.c**r.pw
suffix
UserAgent 2
2 DbD
2 (3) Javascript
HTML HTML
iframe
Web UserAgent
Internet Explorer
suffix html HTML
Javascript
Java
JRE
(4) (4) JRE
CVE-2013-2423 Exploit
Exploit (3)
JRE
Web UserAgent
JRE suffix jar
Exploit
(5) (5)
Windows Zbot
JRE
UserAgent JRE
JRE
JRE
suffix
UserAgent
Nuclear Exploit Kit
Java
6
pre-Exploit
pre-DL
Exploit Kit DbD
2.2
Tokyo SOC [2][3] 2013
DbD 90% JRE
2014
DbD 65%
Adobe Flash Player
DbD 2013 10%
2014 34%
Cisco 2014 Midyear Security Report
[4] FlashPack Angler, Fiesta, RIG
JRE Exploit
Exploit Kit
Exploit Kit
JRE
2014 Exploit Kit
2.3
Exploit Kit
Exploit Kit
2014
JRE Adobe Flash Player
JRE
Exploit Kit
Exploit Kit
Exploit Kit
3
3.1
2.1 Exploit Kit
pre-Exploit pre-DL
3
Redirect
malware-DL Exploit
Kit
2
Exploit Kit
2014 8 9
DbD
DbD 69 Redirect
malware-DL
Exploit Kit
3.2 Redirect
Redirect
8 47
Exploit Kit
Redirect
5
2
A)
2014 8 TrendMicro
FlashPack Exploit Kit
[6]
DbD
URL 2
2 FlashPack
2 (3) (4) Redirect (5)
pre-Exploit / Exploit
(5) FlashPack Exploit Kit
2014 9 3
3 RIG
3 (3) (4) Redirect
2014 8 2
(5) URL RIG
Exploit Kit
DbD
Redirect pre-Exploit
Redirect
Windigo
[5]
B) r**k.ru
2014 9 1
4
4 RIG
4 (2) Redirect (3)
pre-Exploit / Exploit
(3) RIG Exploit Kit
Redirect
r**k.ru
DbD
9 5
5 NullHole
5 (2) Redirect (3)
pre-Exploit / Exploit
Redirect URL 4
(3)
NullHole Exploit Kit
Redirect pre-Exploit
DbD
Exploit Kit
pre-Exploit pre-DL
Redirect
Redirect
Exploit Kit
3.3 malware-DL
malware-DL
4 Exploit
Kit malware-DL
malware-DL
pre-DL
malware-DL
Downloader
DbD
malware-DL
4
4.1 Redirect
Redirect
Redirect Proxy
1 2 Web
DbD
URL
URL
4
4 (3) {base64}
Web
URL Web
DbD Redirect
URL Web
Redirect Web
Redirect
Web Web
DbD
DbD
5 DbD
(i)
302
DbD
(ii) Movable Type
DbD
(iii) Flash
DbD
(iv) Wordpress
Internet Explorer
DbD
(v)
DbD
4.2 Exploit
Redirect
Exploit Kit
pre-Exploit pre-DL
Exploit
Exploit Kit
DbD
JRE Exploit
7 Exploit Kit
(a)
RIG, Fiesta, Angler, FlashPack
(b)
Nuclear, Neutrino, Magnitude
5 D3M Datasets
5.1
D3M (Drive-by Download Data by Marionette) Datasets 2015 2
A) Web
(Marionette) URL
DbD
B) Marionette
(Botnet Watcher)
C&C
DbD
(A)
pcap
pcap
HTTP
Proxy
(A)
pre-Exploit, Exploit, pre-DL
Proxy
283
5.2
3
3
2011 55.2% 2012
2013 80%
2013 95.2%
2014 2015
1
D3M
Datasets 2014
[7]
2015
Angler Exploit Kit
URL
Angler Exploit Kit
Proxy
pcap 3
2 Exploit
0byte byte
Exploit
1 Exploit
Internet Explorer
DbD
6
D3M Datasets Redirect
6.1
2015 4 7
30
Redirect
Redirect
Redirect
Redirect
Redirect
Exploit
Exploit
Redirect
Exploit
6.2
Redirect
24
80%
Exploit
6 5
Exploit
Exploit
6
Redirect
5 Exploit
6
Exploit
Redirect
7
2015 6 1 6 30
5 4,915 Proxy
10
0.018%
1
0.011%
[7]
8
Redirect
Exploit
Redirect
Exploit
Exploit
JRE
9
Exploit Kit
Exploit
Redirect
Redirect
Exploit
Exploit
Redirect
Redirect
JRE
Exploit
malware-DL
malware-DL
Downloader
Exploit Kit
Downloader
C&C
[1] Drive-by Download, MWS 2013
[2] 2013 TokyoSoc, https://www-935.ibm.com/services/multimedia/tokyo-soc-report2013-h2-jp.pdf
[3] 2014 TokyoSoc, https://www-304.ibm.com/connections/blogs/tokyo-soc/resource/PDF/tokyo_soc_report2014_h1.pdf
[4] Cisco 2014 Midyear Security Report, http://www.cisco.com/web/offers/lp/midyear-security-report/index.html
[5] Olivier Bilodeau, Operation Windigo, http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf
[6] Walter Liu, Website Add-on Targets Japanese Users, Leads To Exploit Kit, http://blog.trendmicro.com/trendlabs-security-intelligence/website-add-on-targets-japanese-users-leads-to-exploit-kit/
[7] MWS2014