Hunting For Exploit Kits

October 6, 2016

Joe Desimone

Transcript of Hunting For Exploit Kits

ABOUT ME

§ Joe Desimone - @dez_

§ Malware Researcher at Endgame

§ BS/MS RIT; > 5 years info sec experience

§ Interested in: RE, malware, threat intelligence, endpoint hunting, and today’s talk: exploit kits


OVERVIEW

§ Quick Primer on exploit kits

§ Maxwell high level design

§ Virtual machine configuration

§ Anti-researcher issues

§ Exploit detection

§ Post processing, signatures

§ Demo / Code


EXPLOIT KITS

§ Second only to malspam as an infection vector [1]

§ Lower user interaction

§ Business model – Malware as a Service.

§ Lurk example – good money when other sources dry up [2]

§ The big names: Angler, Nuclear, Neutrino, RIG, Magnitude, Sundown

§ Traffic distribution services or gates – Afraidgate, pseudo-Darkleech, EITest

INFECTION PROCESS

§ Highly recommend reading [3] and [4]

Image Credit: [A] [B] [C] [D]

PROBLEM: COLLECTION ON EXPLOIT KITS

§ Large enterprise – easy
• Snort/other at boundary

§ AV/endpoint company – easy
• Telemetry

§ Thrifty researcher - ???
• Maxwell!

MAXWELL

§ Automated exploit kit collection and detection

§ Crawls the web autonomously and finds evil stuff

§ Automated analysis to determine metadata
• What kit is responsible?
• What domains and IPs are involved?

MAXWELL ARCHITECTURE

§ Components
• VM agent scripts

• Instrumentation library

• Controller

• Result collection

MAXWELL ARCHITECTURE

Architecture diagram (image on slide): VMs, Controller + Results (py), RabbitMQ, ElasticSearch

MAXWELL ARCHITECTURE

VM AGENT SCRIPTS

§ Written in Python

§ Named pipe server

§ Message filtering

§ Forwards to RMQ

WHITELIST EXAMPLE

MAXWELL ARCHITECTURE

INSTRUMENTATION (FLUX)

§ DLL written in C

§ User mode hooks

§ Dropped files, registry writes, exploit detection, shellcode capture

MAXWELL ARCHITECTURE

CONTROLLER

§ RMQ queue for new jobs

§ Spin up VM

§ Send job info

§ Repeat

MAXWELL ARCHITECTURE

RESULTS SERVER

§ RMQ queue for VM data

§ ElasticSearch backend

§ Post processing routines

§ Notification


VIRTUAL MACHINE CONFIG

§ Follow the market share
• Windows 7, Internet Explorer, Flash, Silverlight

§ Remove virtual machine tools or extensions
• Delete any drivers left behind

§ Patch levels
• What is the latest Flash version commonly exploited? [5]

§ Disable WPAD, disable all updates, disable IE protected mode

ANTI-RESEARCHER

§ JavaScript file detection – res://, ActiveX, etc. [6]

§ IP filtering

§ Replay protection [7]

§ Payload detection routines

EXPLOIT DETECTION

§ ROP detection – used to be great, not so much anymore
• Call stack walking, stack pivot

§ EAF++
• Improves upon EMET EAF+ techniques to catch evasions [8]

• Guard pages on (MZ header, EAT, IAT)

• Catch shellcode and memory disclosures (read primitives)

EXPLOIT DETECTION cont.

§ Behavioral
• File and registry writes

• New process creation

• Researcher evasion detection

§ Turn this into high confidence data
• Customizable whitelisting of benign activity
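
The VM agent's message filtering and the customizable whitelisting above are the same step: drop the behavioral events every clean browsing session produces, so that whatever survives is high-confidence. An added example of that step in Python (not Maxwell's own code; the event schema, the whitelist rules, the paths and the sample events are all constructed for illustration):

```python
import fnmatch

# Constructed whitelist of benign activity (hypothetical rules, not Maxwell's):
# each rule names an event type and a case-insensitive glob over the event target.
WHITELIST = [
    {"type": "file_write",
     "target": r"C:\Users\*\AppData\Local\Microsoft\Windows\Temporary Internet Files\*"},
    {"type": "file_write",
     "target": r"C:\Users\*\AppData\Local\Microsoft\Internet Explorer\*"},
    {"type": "registry_write",
     "target": r"HKCU\Software\Microsoft\Internet Explorer\*"},
    {"type": "process_create",
     "target": r"C:\Program Files\Internet Explorer\iexplore.exe"},
]

# Constructed sample events in a hypothetical agent schema: two that every IE
# session produces, two that look like a payload drop, one instrumentation alert.
SAMPLE_EVENTS = [
    {"type": "file_write",
     "target": r"C:\Users\analyst\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X1Y2Z3\index[1].htm"},
    {"type": "registry_write",
     "target": r"HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch"},
    {"type": "file_write",
     "target": r"C:\Users\analyst\AppData\Local\Temp\rad3F2A1.tmp.exe"},
    {"type": "process_create",
     "target": r"C:\Users\analyst\AppData\Local\Temp\rad3F2A1.tmp.exe"},
    {"type": "eaf_guard_page_hit", "target": "kernel32.dll!EAT"},
]

def is_whitelisted(event, whitelist=WHITELIST):
    """True when a rule of the same type has a glob that matches the target."""
    target = event["target"].lower()
    return any(rule["type"] == event["type"]
               and fnmatch.fnmatchcase(target, rule["target"].lower())
               for rule in whitelist)

def filter_events(events, whitelist=WHITELIST):
    """Drop whitelisted noise; what survives is what gets forwarded to RabbitMQ."""
    return [e for e in events if not is_whitelisted(e, whitelist)]

def classify(events, whitelist=WHITELIST):
    """Verdict for one browsing job plus the surviving events: 'exploit' if instrumentation
    fired or an unexplained file was written then executed, 'suspicious' if anything
    unexplained remains, else 'clean'."""
    kept = filter_events(events, whitelist)
    written = {e["target"].lower() for e in kept if e["type"] == "file_write"}
    executed = {e["target"].lower() for e in kept if e["type"] == "process_create"}
    if any(e["type"].startswith("eaf_") for e in kept) or (written & executed):
        return "exploit", kept
    return ("suspicious" if kept else "clean"), kept
```

Tuning the rules on a clean VM first (everything should classify as 'clean') is what keeps the surviving events worth a notification.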

POST PROCESSING

§ PCAP – execute tcpflow

§ Regex across GET/POST requests

§ All files scanned with yara
• From traffic, dropped in VM, and shellcode

§ Signature tips:
• Compare samples over time
• Focus on exploits; use JPEXS FFDec
• Follow @kafeine, @malware_traffic, and @BroadAnalysis

PUTTING IT ALL TOGETHER

§ Set up your infrastructure
• vSphere, RabbitMQ server, ElasticSearch server

§ Websites to browse
• Top websites
• Sites previously compromised
• User submitted

DEMONSTRATION


SUMMARY

§ Maxwell - Fully automated exploit kit discovery and analysis

§ For the Red guys in the audience
• Something to be said for the efficiency of exploit kits for gaining access
• There is value in learning from their techniques
• Adversary emulation

§ Code: https://github.com/endgameinc/Maxwell
• MIT license

REFERENCES

1. http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-angler-exploit-kit-part-1-exploit-kit-fundamentals/

2. https://securelist.com/analysis/publications/75944/the-hunt-for-lurk/

3. https://blog.checkpoint.com/wp-content/uploads/2016/04/Inside-Nuclear-1-2.pdf

4. https://blog.checkpoint.com/wp-content/uploads/2016/08/InsideNuclearsCore_UnravelingMalwarewareasaService.pdf

5. http://malware.dontneedcoffee.com/

6. https://blog.malwarebytes.com/cybercrime/exploits/2016/08/browser-based-fingerprinting-implications-and-mitigations/

7. http://blog.trendmicro.com/trendlabs-security-intelligence/how-exploit-kit-operators-are-misusing-diffie-hellman-key-exchange/

8. https://www.fireeye.com/blog/threat-research/2016/06/angler_exploit_kite.html

§ @kafeine, @malware_traffic, @BroadAnalysis

IMAGE CREDIT

A. http://eclipse-saitex.deviantart.com/

B. http://findicons.com/icon/185515/emblem_web#

C. http://code.google.com/u/newmooon/

D. http://mazenl77.deviantart.com/

QUESTIONS