hunting for exploit kits
TRANSCRIPT
ABOUT ME
§ Joe Desimone - @dez_
§ Malware Researcher at Endgame
§ BS/MS RIT; > 5 years info sec experience
§ Interested in: RE, malware, threat intelligence, endpoint hunting, and today’s talk: exploit kits
OVERVIEW
§ Quick Primer on exploit kits
§ Maxwell high level design
§ Virtual machine configuration
§ Anti-researcher issues
§ Exploit detection
§ Post processing, signatures
§ Demo / Code
EXPLOIT KITS
§ Second only to malspam as an infection vector [1]
§ Lower user interaction
§ Business model – Malware as a Service.
§ Lurk example – good money when other sources dry up [2]
§ The big names: Angler, Nuclear, Neutrino, RIG, Magnitude, Sundown
§ Traffic distribution services or gates – Afraidgate, pseudo-Darkleech, EITest
PROBLEM: COLLECTION ON EXPLOIT KITS
§ Large enterprise – easy
• Snort/other at boundary
§ AV/endpoint company – easy
• Telemetry
§ Thrifty researcher – ???
• Maxwell!
MAXWELL
§ Automated exploit kit collection and detection
§ Crawls the web autonomously and finds evil stuff
§ Automated analysis to determine metadata
• What kit is responsible?
• What domains and IPs are involved?
MAXWELL ARCHITECTURE
§ Components
• VM agent scripts
• Instrumentation library
• Controller
• Result collection
MAXWELL ARCHITECTURE
VM AGENT SCRIPTS
§ Written in Python
§ Named pipe server
§ Message filtering
§ Forwards to RMQ
MAXWELL ARCHITECTURE
INSTRUMENTATION (FLUX)
§ DLL written in C
§ User mode hooks
§ Dropped files, registry writes, exploit detection, shellcode capture
MAXWELL ARCHITECTURE
RESULTS SERVER
§ RMQ queue for VM data
§ ElasticSearch backend
§ Post processing routines
§ Notification
VIRTUAL MACHINE CONFIG
§ Follow the market share
• Windows 7, Internet Explorer, Flash, Silverlight
§ Remove virtual machine tools or extensions
• Delete any drivers left behind
§ Patch levels
• What is the latest Flash version commonly exploited? [5]
§ Disable WPAD, disable all updates, disable IE protected mode
ANTI-RESEARCHER
§ JavaScript file detection – res://, ActiveX, etc. [6]
§ IP filtering
§ Replay protection [7]
§ Payload detection routines
EXPLOIT DETECTION
§ ROP detection – used to be great, not so much anymore
• Call stack walking, stack pivot
§ EAF++
• Improves upon EMET EAF+ techniques to catch evasions [8]
• Guard pages on (MZ header, EAT, IAT)
• Catch shellcode and memory disclosures (read primitives)
EXPLOIT DETECTION cont.
§ Behavioral
• File and registry writes
• New process creation
• Researcher evasion detection
§ Turn this into high confidence data
• Customizable whitelisting of benign activity
POST PROCESSING
§ PCAP – execute tcpflow
§ Regex across GET/POST requests
§ All files scanned with yara
• From traffic, dropped in VM, and shellcode
§ Signature tips:
• Compare samples over time
• Focus on exploits; use JPEXS FFDec
• Follow @kafeine, @malware_traffic, and @BroadAnalysis
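The "regex across GET/POST requests" step above, as an added example that is not Maxwell's own code: it walks tcpflow-style per-stream files (the srcIP.srcPort-dstIP.dstPort naming with zero-padded fields is assumed), pulls each request line and its Host header, and runs a signature set over them to produce the kit/domain/IP metadata the slides describe. Signatures and sample streams are constructed for illustration.

```python
import re
from collections import namedtuple

# tcpflow's default data-file name for one direction of a TCP stream:
# srcIP.srcPort-dstIP.dstPort, 3-digit octets and 5-digit ports (assumption).
FLOW_NAME = re.compile(r"^(?P<src>(?:\d{3}\.){3}\d{3})\.(?P<sport>\d{5})-"
                       r"(?P<dst>(?:\d{3}\.){3}\d{3})\.(?P<dport>\d{5})$")
REQUEST_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]\r?$", re.M)
HOST_HEADER = re.compile(r"^Host: (\S+)\r?$", re.M)

# Constructed signatures, matched against "METHOD URI"; not real kit patterns.
SIGNATURES = {
    "example-gate": re.compile(r"^GET /gate\.php\?id=[0-9a-f]{8}$"),
    "example-post-checkin": re.compile(r"^POST /upload/\w+\.bin$"),
}

# Constructed client->server streams keyed by tcpflow-style file name.
SAMPLE_FLOWS = {
    "192.168.001.010.49152-203.000.113.007.00080":
        "GET /gate.php?id=deadbeef HTTP/1.1\r\nHost: gate.example\r\n\r\n",
    "192.168.001.010.49153-203.000.113.008.00080":
        "GET /index.html HTTP/1.1\r\nHost: benign.example\r\n\r\n"
        "POST /upload/drop.bin HTTP/1.1\r\nHost: benign.example\r\n"
        "Content-Length: 0\r\n\r\n",
}

Hit = namedtuple("Hit", "signature host dst_ip request")

def unpad_ip(padded):
    return ".".join(str(int(octet)) for octet in padded.split("."))

def scan_flow(name, data):
    """Return a Hit for every GET/POST request in one stream that matches."""
    m = FLOW_NAME.match(name)
    if not m:
        return []  # not a per-stream data file (e.g. a tcpflow report file)
    dst_ip = unpad_ip(m["dst"])
    hits = []
    for req in REQUEST_LINE.finditer(data):  # keep-alive: several per stream
        request = f"{req[1]} {req[2]}"
        end = data.find("\r\n\r\n", req.end())  # end of this request's headers
        hm = HOST_HEADER.search(data[req.end():end if end != -1 else None])
        host = hm[1] if hm else dst_ip  # fall back to the destination IP
        hits.extend(Hit(sig, host, dst_ip, request)
                    for sig, pat in SIGNATURES.items() if pat.search(request))
    return hits

def scan_all(flows=SAMPLE_FLOWS):
    """Scan every stream; the (host, dst_ip) pairs are the involved infrastructure."""
    return [h for name, data in flows.items() for h in scan_flow(name, data)]
```

In a real run, replace SAMPLE_FLOWS with the files tcpflow wrote for the session and feed the hits to the results server alongside the yara matches.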
PUTTING IT ALL TOGETHER
§ Set up your infrastructure
• vSphere, RabbitMQ server, ElasticSearch server
§ Websites to browse
• Top websites
• Sites previously compromised
• User submitted
SUMMARY
§ Maxwell - Fully automated exploit kit discovery and analysis
§ For the Red guys in the audience
• Something to be said for the efficiency of exploit kits for gaining access
• There is use in learning from their techniques
• Adversary emulation
§ Code: https://github.com/endgameinc/Maxwell
• MIT license
REFERENCES
1. http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-angler-exploit-kit-part-1-exploit-kit-fundamentals/
2. https://securelist.com/analysis/publications/75944/the-hunt-for-lurk/
3. https://blog.checkpoint.com/wp-content/uploads/2016/04/Inside-Nuclear-1-2.pdf
4. https://blog.checkpoint.com/wp-content/uploads/2016/08/InsideNuclearsCore_UnravelingMalwarewareasaService.pdf
5. http://malware.dontneedcoffee.com/
6. https://blog.malwarebytes.com/cybercrime/exploits/2016/08/browser-based-fingerprinting-implications-and-mitigations/
7. http://blog.trendmicro.com/trendlabs-security-intelligence/how-exploit-kit-operators-are-misusing-diffie-hellman-key-exchange/
8. https://www.fireeye.com/blog/threat-research/2016/06/angler_exploit_kite.html
§ @kafeine, @malware_traffic, @BroadAnalysis
IMAGE CREDIT
A. http://eclipse-saitex.deviantart.com/
B. http://findicons.com/icon/185515/emblem_web#
C. http://code.google.com/u/newmooon/
D. http://mazenl77.deviantart.com/