Exploit Zoo: The Evolution of Exploit Kits - RSA … · #RSAC Definition 2 Exploit Kit/Pack, (EK): A set of resources that facilitate the distribution of malware by exploiting client-side

SESSION ID:

#RSAC

Jordan Forssman

Exploit Zoo: The Evolution of Exploit Kits

TTA1-R09

Sr Director, ProductProofpoint, Inc.Twitter: @Jordan4z

#RSAC

Definition

2

Exploit Kit/Pack, (EK): A set of resources that facilitate the distribution of malware by exploiting client-side software.

#RSAC

Anatomy of a Drive-by-Download

3

<iframe src=“www.evil.org”>

Redirect

#RSAC


4

Redirect

EK Landing Page


#RSAC


5

Redirect

EK Landing Page

Malware Server


#RSAC


6

Redirect

EK Landing Page

Malware Server


#RSAC


7

Redirect

EK Landing Page

Malware Server

C2 Server


#RSAC


8

Redirect

EK Landing Page

Malware Server

C2 Server

0 Distribution

1 Exploitation

2 Deployment

3 Escalation


#RSAC

A Perfect Storm

9

• Wordpress/Joomla

• Online Advertising

• Scripting Languages

Lowering Tech Barriers

• Adobe Flash

• Internet Explorer

• Java

• Silverlight

Proliferation of Vulnerable Apps • Exploit Development

• Malware Creation

• Targeting Technology

• Organized Crime

Division of Labor

• Clickfraud

• Payloads for Sale

• Botnets

• Exploit Kits

The Underground Economy

#RSAC

The EK Zoo

10

Image Sources:contagiodump.blogspotmalware.dontneedcoffee.comkrebsonsecurity.comxylibox.com

kahusecurity.comblog.malwaremustdie.orgmalekal.com

#RSAC

Targeting Vs Evasion

11

#RSAC

Stage 0: Distribution - Targeting Vs Evasion

12

Phishing

Injection

Watering Hole

Long-Lining

Dynamic DNS

Fast-Fluxing

Targ

etin

gEvasio

nObfuscation

SEO Poisoning

#RSAC

Dynamic DNS & Fast-Fluxing

13

Dynamic DNS

Constantly reset DNS records to point to new IP address

Available as a service, IPs limited to within a specific ASN

Fast-Fluxing

Constantly reset DNS records to point

to a new IP address

Custom built, access to global IPs

www.evil.org 202.53.190.1124.136.12.181114.218.9.123202.53.190.1124.136.12.181114.218.9.123202.53.190.1124.136.12.181114.218.9.123202.53.190.1124.136.12.181114.218.9.123

#RSAC

Stage 0: Targeting Vs Evasion

14

Phishing

Injection

Watering Hole

Long-Lining

Dynamic DNS

Fast-Fluxing

Domain Shadowing

Targ

etin

gEvasio

nOpen RedirectDomain Rotation

Obfuscation

Encryption

SEO Poisoning

#RSAC

Domain Shadowing

15

Creating sub-domains on compromised legit servers to redirect to illicit pages

162.244.33.179

http://aleksandryn.car-ledlights.com/farm_microseconds_bodice_heaves/726966984312851711

http://aleksandryn.car-ledlights.com/acquisitiveness_loners_nostalgia_deadlocks/987509513944626652

http://aleksandryn.car-ledlights.com/hared-steeds-unsaddled-worthier/817449604617897447

http://prajakirk.car-ledlights.com/…

http://medimnmidtpunktoformulen.car-ledlights.com/...http://lawyeress.4banadult.net/…

http://chensu.cariddeancom.jp/…

http://machinerquefluentness.7716e.tv/…

http://pidtyistachtbaarst.4banadult.net/…

http://corralseaantvir.indiacypher.com/…

http://kyttyrisell.vasic.ws/…

http://komiteanmietintjen.10musumee.com/…

http://nheader.c0930c.com/…

#RSAC

Stage 0: Distribution - Targeting Vs Evasion

16

Phishing

Injection

Watering Hole

Long-Lining

Traffic Direction

Systems (TDS)

Malvertising

Finger-printing

Dynamic DNS

Fast-Fluxing

Domain Shadowing

Targ

etin

gEvasio

nOpen Redirect

Domain Rotation

Obfuscation

Encryption

SEO Poisoning

#RSAC

Stage 0: Distribution

17

Redirect

EK Landing Page

Malware Server

C2 Server


#RSAC


18

eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while…

#RSAC


19

eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while…

#RSAC


20

T

Referrer OK?

Endeval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while…

#RSAC


21

T

IP OK?

D

Referrer OK?

End Endeval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while…

#RSAC


22

T

IP OK?

D

Referrer OK?

S

Browser OK?

End End Endeval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while…

#RSAC


23

T

IP OK?

D

Referrer OK?

S

Browser OK?


#RSAC

Stage 1: Exploitation – Exploits 1

24

Multiple Exploits

“Exploit Kit/Pack”

#RSAC


25

Multiple Exploits

Chained Exploits

Each performing necessary functions

#RSAC


26

Multiple Exploits

Chained Exploits

Fingerprinting Exploits

Source: http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/system/Capabilities.html

#RSAC


27

Multiple Exploits

Chained Exploits


Evasive Exploits

#RSAC


28

Multiple Exploits

Chained Exploits


Evasive Exploits

Code Execution\Memory Corruption Exploits

#RSAC


29

Multiple Exploits

Chained Exploits


Evasive Exploits

Code Execution\Memory Corruption Exploits

Local Privilege Escalation Exploits

#RSAC

Stage 1: Exploitation - Example

30

#RSAC

Stage 1: Exploitation -Example

31

#RSAC


32

#RSAC


33

#RSAC


34

#RSAC


35

#RSAC


36

CVE-2015-8651CVE-2015-8446CVE-2015-7645

#RSAC


37

CVE-2016-0034

#RSAC

Stage 1: Exploitation

38

T

IP OK?

D

Referrer OK?

S

Browser OK?


#RSAC

Stage 2: Deployment - Dropper

39

#RSAC

Stage 2: Deployment

40

T

IP OK?

D

Referrer OK?

S

Browser OK?


#RSAC

Stage 2: Deployment

41

T

IP OK?

D

Referrer OK?

S

Browser OK?


#RSAC

Stage 0/1/2/3: Signature Evasion

42

Scan4You

Antivirus Checker

URLs, Exploits, Droppers, Payloads

#RSAC

Stage 2: Deployment - Payloads

43

Ransomware

Backdoor\RAT

Infostealer

Botnet

Banking Trojan

Rootkit

#RSAC

Stage 2/3: Deployment – VM Evasion

44

Human Specific

• Mouse Mvmt• CAPTCHA• Zip

Config. Specific

• Sleep Calls• CPU Cycles• SSDT De-

Hooking• File-less

Malware

Environ. Specific

• Vrsn Checks• PHP Preg

Replace• IP Checks

VM Specific

• System Service • File-based entropy• CPU Core/RAM• Registry Keys• UUIDS

#RSAC

Stage 3: Escalation - Evasion

45

Dynamic DNS

Fast Fluxing

Domain Generation Algorithms (DGA)

Open C2 Channels

Gmail

Twitter

Other…

#RSAC

Stage 3: Escalation

46

T

IP OK?

D

Referrer OK?

S

Browser OK?


#RSAC

Stage 3: Escalation

47

T

IP OK?

D

Referrer OK?

S

Browser OK?


#RSAC

Sweet Orange

48

PayloadsAndromedaDarkshellKovterQbotRerdomRevetonRovnixTeslacryptTSPY_BANKERZemot

Exploits

1

7

2

11

1

1

Prevalence

Features• Iframe Cyptor• Scan4You

Integration• TDS

Price$2,500 or $1,400/month

Traffic Rate150,000/day

Infection Rate10-15%

Source: Google Trends

#RSAC

Sweet Orange

49

Image Source: http://malware.dontneedcoffee.com/2013/10/flimrans-affiliate-borracho.html

Dashboard

Image Source: https://www.virusbulletin.com/virusbulletin/2013/03/what-are-browser-exploit-kits-look-sweet-orange-and-propack

#RSAC

Nuclear

50

PayloadsAndromedaBoaxxeCaphawCerberCryptowallCovertonGluptebaGootkitKazyKelihosKovterLockyRovnixShadeSpyeyeTeslacryptVawtrakViknokWaldek-GZemotZeus

Exploits (v3)

1

15

2

7

2

1

Prevalence

Features• Infecting Domain

Rotator• Domain & Payload

Detection check• Payload & Exploit

Update• LP Obfuscation• XMLDOM AV

Check (cve-2013-733)

• Sub-leasing Service

PriceWMZ 500/week WMZ1,600/month


Infection Rate10%

#RSAC

Nuclear

51

Image Source: https://blog.checkpoint.com/wp-content/uploads/2016/04/Inside-Nuclear-1-2.pdf

Dashboard

#RSAC

Magnitude

52

PayloadsAleuronCerberCryptodefenseCryptolockerCryptowall 1, 2, 3CutwailDorkbotKelihosNecursNymaimRedymsSimdaStiturTepferTinbaTracurUrausyVawtrakWinwebsecZeroAccessZeus

Exploits

1

3

5

2

1

Prevalence

Features• Exploit

Obfuscation• Scan4you

Integration• PluginDetect• Domain Rotator• TDS (Blocks

countries with Russian extradition Treaties)

• Traffic Share (Biz model)

Price15-20% of Infected Machines


aka “Top-exp”, “Deathtouch”, “Popads”

3

16

#RSAC

RIG

53

PayloadsCryptodefenseCryptowall 1, 2, 3CutwailDyrangesDyreOphionLockerPonyQbotTinbaTofseeZeus

Exploits

6

2

2

Prevalence

Features• Obfuscated LP• Virtual Dedicated

Server for Exploits• XOR Encoded

Shellcode• Scan4You

Integration• Domain Rotator• PluginDetect• XMLDOM AV Check• Cloudflare Anti-

DDOS Protection• Only targets IE• Hosted @ Eurobyte

Price$60/day$300/week


9

1

#RSAC

Angler

54

PayloadsAlphaCryptAndromedaAsproxBedepBloCryptBunituCaphawCryptowall 1, 2, 3, 4CryptXXXCTB LockerCutwailDridexDynamerDyre[Fileless Infection]GameoverZeusGluptebaGootkitKolerKovterNecursPonyPoweliksRevetonRombertikShifuTeslaCryptThreatFinderTinbaTorrentlockerTrapwotVawtrakZeus

Exploits

4

2

4

Prevalence

Features• Domain & Payload

AV check• AV Detection• Dropper

encryption• Sandbox

Detection• Exploit

obfuscation• Domain

Shadowing• Dynamic DNS• DGA• File-less Malware• TDS with IP

recording• 302 Cushioning

Price


1

1

1

23

Infection Rate40%

$ ???

#RSAC

Blackhole

55

Most prevalent

Author, “Paunch”, arrested 2013

BlackholeAngler


#RSAC

The Future of Exploit Kits?

56

Vulnerable applications are key

http://arstechnica.com/information-technology/2016/05/html5-by-default-googles-plan-to-make-chromes-flash-click-to-play/

http://krebsonsecurity.com/

#RSAC


57

#RSAC


58

Source: http://virusguides.com/exploit-generator-kit-links-three-cyber-espionage-campaigns-originate-china/

#RSAC


59

Successful at evading signature & reputation defense as well as newer behavioral sandboxes

Frequently updated at low cost

Cross-platform & un-patchable as the attack relies on end-user & social engineering to bypass automated defenses

Low up-front & maintenance cost increases ROI

https://www.proofpoint.com/MaliciousMacrosSource: The Cybercrime Economics of Malicious Macros

Malicious Macros

#RSAC


60

https://www.proofpoint.com/MaliciousMacrosSource: The Cybercrime Economics of Malicious Macros

#RSAC

Update: June 2016

61

The end of Angler?

#RSAC

Update June 2016

62

Blackhole

RIG

Angler

Nuclear

Magnitude


#RSAC


63

Source: http://www.blog.geoedge.com/#!New-Security-Report-HTML5-Susceptibility-to-Malware-in-Video-Ads/c193z/576789860cf2a84be5a0205e

#RSAC


64

Source: http://blog.trendmicro.com/trendlabs-security-intelligence/godless-mobile-malware-uses-multiple-exploits-root-devices/

#RSAC

Mitigation – The Obvious Stuff

65

Patch!

Secunia Personal Software Inspector

Windows Update

Lock-down

Limit Javascript (NoScript, ScriptSafe)

Disable Flash/Silverlight/ActiveX

MS EMET

Back-ups

Use Anti-Virus

Train Users

#RSAC

Mitigation – Get Informed

66

Follow these sites/blogs:

malware.dontneedcoffee.com

malware-traffic-analysis.net

blog.malwarebytes.net

proofpoint.com/us/threat-insight

blog.malwaremustdie.org

contagiodump.blogspot

malwaresigs.com

kahusecurity.com

blog.talosintel.com

trustwave.com/Resources/SpiderLabs-

Blog/

Use these resources

Recorded Future Cyber Daily

CVE Details RSS Feed

#RSAC

Mitigation – Open Source Tools

67

For your Network

NIDS

Suricata/Snort/Bro

Leverage ETOpen & Snort Rules

SecurityOnion

Includes above tools & other network analyzers:

Sguil & SqertXplicoNetwork Miner

For your Endpoints

AntiVirus

Microsoft EMET

OSSECHIDS

Sysinternals (Sysmon)Process CreationNetwork connectionFile creation time changesLogs event from early boot

#RSAC

What Next?

68

Over the next week:

Start to audit the Obvious, find out where you stand

Over the next month:

Get Informed, fix any holes in the obvious

Over the next 6 months:

Evaluate and deploy necessary tools and training programs

#RSAC

The EK Zoo

69

AnglerNeutrino

Blackhole

Nuclear

Sweet Orange

Crimepack

Magnitude

RIG

Phoenix Whitehole

Sakura

FiestaGoon

Infinity

LightsOut

Flashpack

Archie

Astrum

Zuponcic

Hanjuan

Kaixin

NiterisNull Hole

CK

Snet

Styx

Ramayana

Crime Boss

HiManKein

Impact

Grandsoftx2o

Impact

White Lotus

RSPandorasBox

Glazunov

KaiXin

Silence

RedKit

NoMatch

BestPack

Nice Pack

Pro Pack

BleedingLife

Neosploit

NucSoft

AlphaPack

Eleonore

ANRAM

Techno

Yang

Siberia

Heirarchy

Zhi Zhu

YesSavage

Arabella

Lupit

Intoxicated

NapoleoniPack

JustExploit

MetapackK0de

Shaman’s Dream Singer’s

Deathpack

FlooP

Demonpack

UnderwaterEK

MaxImpossible Sploit

PDF Xploit

sprEaDEr

FSPack

Zombie

Kameleon

Clean Pack

Lucky Sploit

Web Attacker

IcePack

Cry217

eCore

FirePack

Prime

n404

Mpack

MassInfectTarget

Merry Christmas

My Poly Sploit

Liberty

Infector Sploit25

sPack Apache ExploitIEKit

Tornado

Papka

Sphere

Exploit Zoo: The Evolution of Exploit Kits - RSA … · #RSAC Definition 2 Exploit Kit/Pack, (EK): A set of resources that facilitate the distribution of malware by exploiting client-side

Documents