The State of Web Exploit Kits
©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Jason Jones, HP DVLabs
The State of Web Exploit Kits
Who Am I?
• Team Lead, ASI
• Malware Analysis
• IP Reputation
• Malicious content harvesting
What Are Web Exploit Kits?
Web Exploit Kits Are…
Pre-packaged software that consists of
• Installers (usually)
• Typically PHP-based
• Number of exploits
  – Rarely 0-day
• Control panel
  – Installer
  – Statistics
  – Configuration
• Install malicious payload
  – Botnet
  – Trojan
  – Fake AV
Exploit Kit Economy
• Cost up to thousands of dollars
• Rentals also offered on a daily/weekly/monthly basis
• Bullet-proof hosting options
• Contain “EULA”-like agreements
• Marketing & competitiveness between kits
• Regularly issue updates
  – Bug-fixes
  – Exploit reliability updates
  – Aesthetic changes
Active Exploit Kits
* Image courtesy of Kahu Security
How Exploit Kits Typically Work
Black Hole Exploit Kit
What is Black Hole Exploit Kit?
• Launched in late 2010
• Currently the most popular exploit kit
• Version 1.2.3
• Contains many recent Java exploits
• Contains exploit for CVE-2012-1889 (MS XML)
  – 0-day at the time
• Good JavaScript obfuscation
Black Hole in the News
Black Hole Events in 2011
Black Hole Spam Campaigns
• Spam is easy
• Target users with
  – Fake delivery notices
  – Fake IRS notices
  – Fake orders from online retailers
• User clicks the link – Owned!
Black Hole Control Panel
*Image courtesy of Xylit0l
Black Hole Control Panel (cont.)
*Image courtesy of Xylit0l
83%!?!??!
Black Hole Control Panel (cont.)
*Image courtesy of Xylit0l
Black Hole Exploit URL Schemes
• Predictable
• Typically ending in .php
  – main.php and showthread.php most common
• One URL parameter
  – Normally 1-5 characters
  – Value is 16 valid hex characters
• Malware payload URL normally w.php
  – 3 parameters
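The URL traits listed on this slide (a `.php` path, one query parameter with a 1-5 character name and a 16-hex-character value, and a `w.php` payload URL with three parameters) are simple enough to turn into a proxy-log check. The following is an added example written for this transcript, not code from the talk or from HP DVLabs; the log line layout, the host names and the parameter names are constructed placeholders, and the check is a heuristic that will need tuning against a real proxy's false positives.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Traits from the slide: landing page is a .php path with exactly one query
# parameter whose name is 1-5 characters and whose value is 16 hex characters;
# the payload URL is w.php with three parameters.
PARAM_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,5}$")
HEX16_RE = re.compile(r"^[0-9a-fA-F]{16}$")
COMMON_LANDING_NAMES = {"main.php", "showthread.php"}


def classify_url(url):
    """Return 'landing', 'payload' or None for a single URL."""
    parts = urlparse(url)
    path = parts.path.lower()
    if not path.endswith(".php"):
        return None
    filename = path.rsplit("/", 1)[-1]
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) == 1:
        name, value = params[0]
        if PARAM_NAME_RE.match(name) and HEX16_RE.match(value):
            return "landing"
    if filename == "w.php" and len(params) == 3:
        return "payload"
    return None


def scan_proxy_log(lines):
    """Return [(url, verdict)] for log lines whose URL matches a heuristic.

    Assumed (constructed) line layout: '<timestamp> <client-ip> <url> <status>'.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        url = fields[2]
        verdict = classify_url(url)
        if verdict is not None:
            hits.append((url, verdict))
    return hits


# Constructed sample log; the hosts are placeholders, not real indicators.
SAMPLE_LOG = [
    "2012-06-01T10:00:01 10.0.0.5 http://example.invalid/main.php?gbd=0123456789abcdef 200",
    "2012-06-01T10:00:02 10.0.0.5 http://example.invalid/w.php?f=1&e=2&k=3 200",
    "2012-06-01T10:00:03 10.0.0.7 http://news.example/index.php?article=4242 200",
    "2012-06-01T10:00:04 10.0.0.7 http://shop.example/cart.php?id=0123456789abcdef&qty=2 200",
]

if __name__ == "__main__":
    for url, verdict in scan_proxy_log(SAMPLE_LOG):
        filename = urlparse(url).path.rsplit("/", 1)[-1]
        tag = " (well-known landing filename)" if filename in COMMON_LANDING_NAMES else ""
        print(f"{verdict:8} {url}{tag}")
```

A landing hit followed within seconds by a payload hit from the same client, as in the constructed log above, is the sequence to alert on; either match alone (for instance a legitimate `cart.php` with a 16-hex session token) is a weaker signal.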
Black Hole JavaScript Obfuscation
• Changes a lot
• Typically consists of
  – Text blob in HTML tag or parameter
  – Deobfuscation routine
• Loads malicious iFrame for bulletproof site
  – More obfuscated JavaScript
  – Detects browser/plugin versions
  – Launches exploit to load malware
Black Hole JavaScript Obfuscation (cont.)
Black Hole PDF Obfuscation
• Slightly different obfuscation than JavaScript
• ASCII character replacement
  – a for “a”
  – Still uses giant text blobs
  – Characters separated by ‘@@@’
• Once deobfuscated, follows the same pattern as JavaScript in HTML
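To show how a '@@@'-separated blob is pulled out of a PDF stream and decoded for analysis, here is an added example written for this transcript; it is not code from the talk. The slide only says the characters are separated by '@@@', so the example assumes each token is the decimal character code of one character (an assumption, not something the deck states), and the PDF stream it runs on is a constructed stand-in.

```python
import re

SEP = "@@@"
# ASSUMPTION for this example: each token between separators is the decimal
# character code of one character. The deck only states the separator.
# A run of at least 32 such tokens is treated as a candidate blob.
BLOB_RE = re.compile(r"(?:\d{1,3}@@@){32,}\d{1,3}")


def decode_blob(blob):
    """Turn '118@@@97@@@114' into 'var'. Raises ValueError on a non-numeric token."""
    chars = []
    for token in blob.split(SEP):
        token = token.strip()
        if not token:
            continue
        if not token.isdigit():
            raise ValueError(f"unexpected token {token!r}")
        chars.append(chr(int(token)))
    return "".join(chars)


def encode_blob(text):
    """Inverse of decode_blob; used here only to build the constructed sample."""
    return SEP.join(str(ord(c)) for c in text)


def extract_blobs(stream_text):
    """Find every long '@@@'-separated run in a stream and decode it."""
    return [decode_blob(m.group(0)) for m in BLOB_RE.finditer(stream_text)]


def suspicious_strings(decoded):
    """Markers worth flagging in decoded PDF JavaScript (heap-spray / eval idioms)."""
    markers = ("unescape", "eval", "String.fromCharCode", "app.viewerVersion", "%u")
    return [m for m in markers if m in decoded]


# Constructed sample: a fake PDF JavaScript action that carries a '@@@' blob
# and a one-line decoder loop, mirroring the "text blob + routine" pattern.
HIDDEN_JS = "var s = unescape('%u9090%u9090'); eval(s);"
SAMPLE_STREAM = (
    "<< /S /JavaScript /JS (var b = '" + encode_blob(HIDDEN_JS) + "'; "
    "var out = ''; for (var i of b.split('@@@')) out += String.fromCharCode(i); "
    "eval(out);) >>"
)

if __name__ == "__main__":
    for decoded in extract_blobs(SAMPLE_STREAM):
        print("decoded:", decoded)
        print("markers:", suspicious_strings(decoded))
```

Running the decoder over the extracted stream rather than the whole PDF keeps the regex from matching unrelated numeric data; the 32-token minimum is a tunable that trades missed short blobs for fewer false matches.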
Black Hole JavaScript Shellcode
• Most exhibit the same behavior
  – Standard JMP / CALL to obtain address
  – Patches bytes of shellcode using XOR with 0x28
  – VOILA! Junk ASM code now valid
  – URL now visible near the end of the shellcode
  – Easily detected by many shellcode detection libs
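Because the slide says the decoder patches the shellcode with a single-byte XOR of 0x28 and that the URL then sits near the end, an analyst can recover that URL without running anything. The following is an added example for this transcript, not code from the talk: it applies the 0x28 key first and then, as a generalisation beyond the deck, tries all 256 single-byte keys so a variant with a different key is still caught. The "shellcode" it runs on is a constructed byte string (inert filler plus a placeholder URL), not a real sample.

```python
import re

URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")
KNOWN_KEY = 0x28  # the single-byte XOR key the deck reports for Black Hole


def xor_bytes(data, key):
    """Apply a single-byte XOR to every byte."""
    return bytes(b ^ key for b in data)


def find_xor_urls(blob, keys=range(256)):
    """Return [(key, url)] for every single-byte XOR key whose decode
    contains a URL. KNOWN_KEY is tried first so it leads the result list."""
    results = []
    order = [KNOWN_KEY] + [k for k in keys if k != KNOWN_KEY]
    for k in order:
        decoded = xor_bytes(blob, k)
        for m in URL_RE.finditer(decoded):
            results.append((k, m.group(0).decode("ascii")))
    return results


def url_offset(blob, key, url):
    """Offset of the encoded URL inside the blob; lets the analyst confirm that
    the URL sits near the end, as the deck describes."""
    return blob.find(xor_bytes(url.encode("ascii"), key))


# Constructed sample: inert filler standing in for the JMP/CALL decoder stub,
# followed by a placeholder URL XORed with 0x28 and a NUL terminator.
FAKE_STUB = b"\x90" * 16
FAKE_URL = b"http://example.invalid/w.php?f=1&e=2&k=3"
SAMPLE_SHELLCODE = FAKE_STUB + xor_bytes(FAKE_URL + b"\x00", KNOWN_KEY)

if __name__ == "__main__":
    for key, url in find_xor_urls(SAMPLE_SHELLCODE):
        print(f"key=0x{key:02x} offset={url_offset(SAMPLE_SHELLCODE, key, url)} url={url}")
```

In practice the bytes come out of the `unescape("%u...")` string in the deobfuscated JavaScript, and the recovered URL is what feeds the proxy block list; the static check is cheap enough to run on every candidate before a sandbox detonation.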
Black Hole JavaScript Shellcode (cont.)
Phoenix Exploit Kit
Phoenix Exploit Kit History
• Started in 2007
• Current version 3.1
• Offers full and mini versions
  – Mini version only allows one affiliate
  – Full allows for multiple
• Tracks visitors, only launches exploit once per IP
• Large number of exploits available
Phoenix Exploit Kit Statistics
*Image courtesy of Xylit0l
Phoenix Exploit Kit Exploit Statistics
*Image courtesy of Xylit0l
PEK JavaScript Obfuscation
• Uses multiple <script> tags
  – 2 <script> tags
  – <textarea> tag
  – Final <script> tag
• Deobfuscated code still not obvious
• No
  – “getShellcode” routine
  – “heap spray” references
PEK Obfuscated JavaScript
PEK PDF Obfuscation
• Resembles Black Hole JS obfuscation
• Large array of integers
• Run through deobfuscation routine, launch exploit
• Deobfuscation routine simpler than Black Hole
Other Exploit Kits
Lots of New Kits
• Large number of new kits in 2012
• Multiple kits have popped up from China
• Many more popping up from Eastern Europe
• Some kits pop up and then disappear
• Too many to keep up with!
Yang Pack
• Surfaced in late 2011 / early 2012
• Based out of China
• 3 exploits, very low detection rates
• Like many kits from China
  – No PHP files
  – No database backend
  – Consist only of static HTML files
Sweet Orange Exploit Kit
• Surfaced in 2012
• Aims to keep small footprint
• Authors only give information to established cybercriminals
• Costs $2500
• Rents for $1400
• Observed in the wild?
Sweet Orange Exploit Kit (cont.)
*Image courtesy of Webroot / Dancho Danchev
Sweet Orange Exploit Kit (cont.)
*Image courtesy of Webroot / Dancho Danchev
Nuclear Pack v2
• Been dormant for a few years
• Resurfaced in 2012 with 4 exploits
• Introduced anti-honeyclient feature
  – Difficult to automate collection of exploits
  – More interactive honeyclients/sandbox required
Nuclear Pack Anti-Crawling
Conclusion
• Exploit kits are only getting more sophisticated
  – Newer exploits
  – Changing evasions / obfuscations
  – This is a business for the authors; they are invested in staying one step ahead to make money
• Detecting new techniques takes work
• Patch Java!
Many Thanks to…
• Marc Eisenbarth, Joanna Burkey
• Alen Puzic, Mike Dausin, Jen Lake
• Jorge Mieres, Steven K/Xylit0l, Mila, Dancho Danchev, SpiderLabs guys, Kahu Security
THANK YOU
QUESTIONS?