Tired of playing exploit kit whack-a-mole? Let's automate

Feb 21, 2017

Anjum Ahuja
Transcript
Page 1: Tired of playing exploit kit whack-a-mole? Let's automate

TIRED OF PLAYING EXPLOIT KIT WHACK-A-MOLE? LET’S AUTOMATE

Page 2: Tired of playing exploit kit whack-a-mole? Let's automate

BSidesSF 2017

SYN

Anjum Ahuja (@jack8daniels2)
Threat Researcher at Endgame
Background in network security and large-scale data analysis

Page 3: Tired of playing exploit kit whack-a-mole? Let's automate

ACK

Joe Desimone (https://github.com/endgameinc/Maxwell)
Chris Donaher & Chan Kim
Brad (@malware_traffic)
Kafeine (@kafeine)

Page 4: Tired of playing exploit kit whack-a-mole? Let's automate

ATTACK STAGES

REDIRECT → EXPLOIT → INFECT

Redirect: Malvertising, Compromised
Exploit: Discover & exploit vulnerabilities
Infect: Drop payload

Page 5: Tired of playing exploit kit whack-a-mole? Let's automate

ATTACK CHAIN

Malvertising / Compromised → One or more Gates → EK landing page

Page 6: Tired of playing exploit kit whack-a-mole? Let's automate

EXISTING APPROACHES

Sandbox based solution
• Cost of VM management

JavaScript debugging & DOM inspection
• Manual

Can we do better?

Page 7: Tired of playing exploit kit whack-a-mole? Let's automate

AUTOMATE THE BREAKPOINTS(?)

Headless browsers
• PhantomJS (WebKit, Qt 5.5)
• SlimerJS (Firefox 50)

page.injectJs(filename)
page.onResourceRequested(requestData, networkRequest)
page.onResourceReceived(response)
page.settings.userAgent = "whatever"

Page 8: Tired of playing exploit kit whack-a-mole? Let's automate


JS FUNCTION HOOKING
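An added example, not code from the slides or from Endgame's tool, of the hooking this slide refers to: a generic wrapper that records each call to a function (name, arguments, return value and the caller's stack frames) and then forwards it unchanged, so the page under analysis behaves as before. The `document` object, the shifted string and the decode loop are constructed stand-ins, because the example runs under Node rather than inside PhantomJS, where the same wrapper would be loaded with page.injectJs().

```javascript
// Added example (not from the slides): generic JS function hooking for a
// low-interaction honeypot. A hooked function records its name, arguments,
// return value and the caller's stack frames, then behaves exactly as before.
const callLog = [];
const originals = [];   // [obj, name, originalFn] so hooks can be removed again

// Replace obj[name] with a wrapper that logs each call before forwarding it.
function hook(obj, name, label) {
  const original = obj[name];
  if (typeof original !== 'function') {
    throw new TypeError(`${label || name} is not a function`);
  }
  originals.push([obj, name, original]);
  obj[name] = function hooked(...args) {
    const result = original.apply(this, args);
    callLog.push({
      fn: label || name,
      args: args.map(String),
      result: String(result),
      // Drop the "Error" line and this wrapper's own frame; keep the callers.
      stack: (new Error().stack || '').split('\n').slice(2).map(s => s.trim()),
    });
    return result;
  };
}

// Restore every hooked function, most recent first.
function unhookAll() {
  while (originals.length) {
    const [obj, name, original] = originals.pop();
    obj[name] = original;
  }
}

// Calls per hooked function: the kind of summary a signature stage consumes.
function summarize(log) {
  const counts = {};
  for (const entry of log) counts[entry.fn] = (counts[entry.fn] || 0) + 1;
  return counts;
}

// Constructed stand-in for the page's `document` (Node has no DOM).
const fakeDocument = {
  html: '',
  write(s) { this.html += s; },
};

// Run a constructed decode-then-write loop, a pattern gates commonly use,
// under the hooks and return the captured log.
function runSample() {
  callLog.length = 0;
  fakeDocument.html = '';
  hook(fakeDocument, 'write', 'document.write');
  hook(String, 'fromCharCode', 'String.fromCharCode');
  hook(String.prototype, 'charCodeAt', 'String.prototype.charCodeAt');
  try {
    const encoded = 'jgsbnf';   // "iframe" with every char shifted by +1 (constructed)
    let decoded = '';
    for (let i = 0; i < encoded.length; i++) {
      decoded += String.fromCharCode(encoded.charCodeAt(i) - 1);
    }
    fakeDocument.write('<' + decoded + '>');
  } finally {
    unhookAll();   // leave the runtime as we found it
  }
  return callLog.slice();
}

if (typeof require !== 'undefined' && require.main === module) {
  const log = runSample();
  console.log(summarize(log));
  console.log(log[log.length - 1]);
}
```

The captured log alternates `charCodeAt` and `fromCharCode` entries and ends with a `document.write` whose argument is the decoded markup; that alternation is exactly the decode-loop artefact the post-processing slides later flag, and the stack frames give the call stack the CALLSTACK slide shows.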

Page 9: Tired of playing exploit kit whack-a-mole? Let's automate

REDIRECT

• Injected iframe
• 302 redirect
• window.location redirect

Malicious Ad

Compromised

Page 10: Tired of playing exploit kit whack-a-mole? Let's automate

GATE

Filter out unwanted traffic
Hosted at throwaway domains - link shortener, dynamic DNS
Client side checks – browser/OS fingerprint, detect AV, sandbox, headless browsers(!)
Server side checks – Geo, IP, cookies
Obfuscated and/or encrypted code

One or more Gates

Page 11: Tired of playing exploit kit whack-a-mole? Let's automate


GATE

Page 12: Tired of playing exploit kit whack-a-mole? Let's automate


BROWSER FINGERPRINTING

Page 13: Tired of playing exploit kit whack-a-mole? Let's automate


DECRYPTION

Page 14: Tired of playing exploit kit whack-a-mole? Let's automate


BROWSER FINGERPRINTING (RIG-V)

Page 15: Tired of playing exploit kit whack-a-mole? Let's automate

DON’T PANIC

Replicate IE’s window object
• Expand function hooking to Function prototype, DOM manipulation, String manipulation, Event handlers
• Override the navigator, navigator.plugins & navigator.mimeTypes

Page 16: Tired of playing exploit kit whack-a-mole? Let's automate


ATTRIBUTE ACCESS HOOKS

Page 17: Tired of playing exploit kit whack-a-mole? Let's automate


CALLSTACK

Page 18: Tired of playing exploit kit whack-a-mole? Let's automate

PLUGINS

CVE-2013-7331: The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes.

Page 19: Tired of playing exploit kit whack-a-mole? Let's automate


PROXY OBJECTS

The Proxy object is used to define custom behavior for fundamental operations (e.g. property lookup, assignment, enumeration, function invocation, etc.).

target = new Proxy(target, handler);

Page 20: Tired of playing exploit kit whack-a-mole? Let's automate


ACTIVEX USING PROXY OBJECTS
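The Proxy-based emulation from the last few slides (replicating IE's navigator, attribute-access hooks, ActiveX via Proxy objects), as an added example that is not the original tool's code. Known navigator properties answer with IE-like values, unknown properties and every ActiveX ProgID resolve to a benign "wildcard" stand-in instead of throwing, and every read, write, call and ProgID request is logged so the gate's checks show up in the honeypot output. The navigator values, the ProgID and the fingerprint routine it is run against are constructed; `wildcard`, `recordingProxy` and `FakeActiveXObject` are names chosen here, not APIs of PhantomJS or the project.

```javascript
// Added example (not from the slides): Proxy-based fakes for `navigator` and
// `ActiveXObject` in a headless honeypot. All values below are constructed.
const accessLog = [];
const requestedProgIds = [];

function record(path, op) {
  accessLog.push({ op, path });
}

// What a gate expects from IE 11 on Windows 7 (constructed values).
const spoofedNavigator = {
  userAgent: 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',
  appName: 'Netscape',
  platform: 'Win32',
  plugins: { length: 0 },    // IE exposes no NPAPI plugins
  mimeTypes: { length: 0 },
};

// Callable stand-in for anything we do not model. It can be read, indexed,
// called, assigned to and coerced (to '' or 0), so a chain such as
// `x.parseError.errorCode == 0` evaluates without a TypeError. The trade-off
// is that `typeof` reports 'function' for it.
function wildcard(path) {
  return new Proxy(() => '', {
    get(_t, prop) {
      if (typeof prop === 'symbol') return () => '';   // e.g. Symbol.toPrimitive
      const child = `${path}.${prop}`;
      record(child, 'get');
      return wildcard(child);
    },
    set(_t, prop) { record(`${path}.${String(prop)}`, 'set'); return true; },
    apply() { record(path, 'call'); return ''; },
    has(_t, prop) { record(`${path}.${String(prop)}`, 'has'); return true; },
  });
}

// Attribute-access hooks for a modelled object: log every property touched,
// forward real values, wrap nested objects and methods, and fall back to a
// wildcard for properties the model lacks.
function recordingProxy(target, path) {
  return new Proxy(target, {
    get(t, prop, receiver) {
      if (typeof prop === 'symbol') return Reflect.get(t, prop, receiver);
      const child = `${path}.${prop}`;
      record(child, 'get');
      if (!(prop in t)) return wildcard(child);
      const value = t[prop];
      if (typeof value === 'function') {
        return new Proxy(value, {
          apply(fn, _thisArg, args) {
            record(child, 'call');
            return Reflect.apply(fn, t, args);   // call on the real target
          },
        });
      }
      if (typeof value === 'object' && value !== null) {
        return recordingProxy(value, child);
      }
      return value;
    },
    set(t, prop, value) {
      record(`${path}.${String(prop)}`, 'set');
      return Reflect.set(t, prop, value);
    },
  });
}

// Fake ActiveXObject: remembers the ProgID asked for and returns a wildcard,
// so methods the script calls on it (load, loadXML, ...) succeed quietly.
function FakeActiveXObject(progId) {
  requestedProgIds.push(progId);
  const path = `ActiveXObject(${progId})`;
  record(path, 'new');
  return wildcard(path);
}

// Constructed stand-in for a gate's fingerprint routine, run against the fakes
// so the log shows which checks it performed.
function runFingerprintSample() {
  accessLog.length = 0;
  requestedProgIds.length = 0;
  const navigator = recordingProxy(spoofedNavigator, 'navigator');
  const ActiveXObject = FakeActiveXObject;

  const isIE = navigator.userAgent.indexOf('Trident') !== -1;
  const pluginCount = navigator.plugins.length;
  let xmlErrorCode;
  try {
    const xml = new ActiveXObject('Microsoft.XMLDOM');
    xml.async = false;
    xml.load('placeholder-path');                       // constructed argument
    xmlErrorCode = Number(xml.parseError.errorCode);    // wildcard coerces to 0
  } catch (e) {
    xmlErrorCode = -1;
  }
  return {
    isIE,
    pluginCount,
    xmlErrorCode,
    progIds: requestedProgIds.slice(),
    touched: accessLog.map(e => `${e.op} ${e.path}`),
  };
}
```

The `touched` list is the attribute-access trace the ATTRIBUTE ACCESS HOOKS slide refers to: it records that the script read the user agent and plugin count, instantiated Microsoft.XMLDOM, called `load` and inspected `parseError.errorCode`, without the honeypot ever needing a real ActiveX implementation.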

Page 21: Tired of playing exploit kit whack-a-mole? Let's automate

FOR GOOD MEASURE

Inject mouse events
page.sendEvent(mouseEventType[, mouseX, mouseY, button='left'])

Inject keyboard events
page.sendEvent(keyboardEventType, keyOrKeys, [null, null, modifier])

Page 22: Tired of playing exploit kit whack-a-mole? Let's automate

FINAL OUTPUT

Call stack with function calls with arguments and responses
Attribute access
Plugins and ActiveX interaction
Cookies
Contents of DOM (iframes, objects)
Navigation requests

Page 23: Tired of playing exploit kit whack-a-mole? Let's automate

POST PROCESSING

Signatures
• Navigation requests
• DOM objects
• Arguments to document.write and function prototypes
• Decryption keys (?)

But we can do better

Page 24: Tired of playing exploit kit whack-a-mole? Let's automate

POST PROCESSING

Invisible/off-screen text blocks with weird entropy data
Alternate calls to string.charCodeAt() and string.fromCharCode()
Function constructors!
ActiveX objects looking for AVs
XMLDOM ActiveX objects looking for file paths
Bigram analysis on JS code to detect obfuscation
• Convolutional neural nets should work even better
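The heuristics on this slide as an added example, not code from the talk or the tool: entropy of the longest string literal, counts of charCodeAt/fromCharCode and Function/eval use, and a character-bigram check against a small corpus of ordinary page JS. The clean corpus, the obfuscated sample and the high-entropy sample are all constructed, the thresholds are assumptions chosen here, and the bigram model is deliberately the simplest form (unseen-bigram ratio) rather than the classifier the slide suggests.

```javascript
// Added example (not from the slides): static heuristics over captured JS for
// the post-processing stage. Each scorer is independent; analyze() combines
// them into a report that signatures or a classifier could consume.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Longest quoted string literal and its entropy: encrypted payloads parked in
// text blocks are long and close to random.
function stringLiteralEntropy(js) {
  const literals = js.match(/"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g) || [];
  const longest = literals.reduce((a, b) => (b.length > a.length ? b : a), '');
  const body = longest.slice(1, -1);
  return { length: body.length, entropy: body.length ? shannonEntropy(body) : 0 };
}

// Decode-loop primitives and dynamic code construction.
function decodeIndicators(js) {
  const count = re => (js.match(re) || []).length;
  return {
    fromCharCode: count(/\bfromCharCode\s*\(/g),
    charCodeAt: count(/\bcharCodeAt\s*\(/g),
    functionCtor: count(/\bnew\s+Function\s*\(|\bFunction\s*\(/g),
    eval: count(/\beval\s*\(/g),
  };
}

function bigrams(s) {
  const out = [];
  for (let i = 0; i + 1 < s.length; i++) out.push(s.slice(i, i + 2));
  return out;
}

// Small constructed corpus of ordinary page JS to learn "normal" bigrams from.
const CLEAN_CORPUS = [
  'function add(a, b) { return a + b; }',
  'var items = document.getElementsByTagName("li");',
  'for (var i = 0; i < items.length; i++) { items[i].className = "item"; }',
  'if (window.addEventListener) { window.addEventListener("load", init, false); }',
  'function init() { console.log("ready"); }',
].join('\n');
const BASELINE = new Set(bigrams(CLEAN_CORPUS));

// Fraction of the sample's bigrams never seen in the clean corpus; packed
// strings, hex escapes and random identifiers push this up.
function unseenBigramRatio(js) {
  const bg = bigrams(js);
  if (!bg.length) return 0;
  return bg.filter(b => !BASELINE.has(b)).length / bg.length;
}

// Thresholds are assumptions for this example, not values from the talk.
function analyze(js) {
  const ind = decodeIndicators(js);
  const literal = stringLiteralEntropy(js);
  const unseen = unseenBigramRatio(js);
  const flags = [];
  if (ind.fromCharCode && ind.charCodeAt) flags.push('charCodeAt/fromCharCode decode loop');
  if (ind.functionCtor || ind.eval) flags.push('dynamic code construction');
  if (literal.length >= 32 && literal.entropy > 4.5) flags.push('high-entropy string literal');
  if (unseen > 0.25) flags.push('unusual character bigrams');
  return { ...ind, literal, unseenBigramRatio: unseen, flags };
}

// Constructed obfuscated sample: a +1-shifted string decoded in a loop and
// handed to a Function constructor.
const OBFUSCATED_SAMPLE = [
  'var _0x4f2a = "=jgsbnf!tsd>#iuuq;00fybnqmf/uftu#?";',
  'var _0x91bc = "";',
  'for (var _0x3e = 0; _0x3e < _0x4f2a.length; _0x3e++) {',
  '  _0x91bc += String.fromCharCode(_0x4f2a.charCodeAt(_0x3e) - 1);',
  '}',
  'new Function("d", "document.write(d)")(_0x91bc);',
].join('\n');

// Constructed "encrypted payload in a text block": 64 distinct characters, so
// the literal's entropy is exactly 6 bits per character.
const HIGH_ENTROPY_SAMPLE =
  'var k = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";';
```

Run `analyze()` over each captured script body (or over the arguments the hooks saw passed to `document.write` and `Function`) and feed the `flags` into the signature stage; the unseen-bigram ratio only becomes meaningful once the baseline is built from a realistic volume of benign page scripts rather than the five lines used here.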

Page 25: Tired of playing exploit kit whack-a-mole? Let's automate

SUMMARY

Fast, low-interaction honeypot
Ability to spoof its way through gates
Understand Exploit Kit TTP
Gather exploit artifacts
Match signatures for known EKs

Page 26: Tired of playing exploit kit whack-a-mole? Let's automate


FIN/RST

Questions?