UNIVERSITY OF PIRAEUS
School of Information & Communication Technologies
Postgraduate Studies: DIGITAL SYSTEMS SECURITY
THESIS: Exploit Kit Traffic Analysis
Postgraduate Student: KAPIRIS STAMATIS, Student ID number: MTE14040
Supervisor Professor: CHRISTOFOROS DADOYAN
DEPARTMENT OF DIGITAL SYSTEMS
Piraeus, June 2017
Keywords: Exploit Kit, PCAP Network Traffic Analysis, Malware Analysis, Ransomware, Cyber Threat, Angler EK, RIG EK, Security Onion, Python
University of Piraeus - Digital Systems Security - 1
TABLE OF CONTENTS
Table of Contents ..... 1
Prologue ..... 3
CHAPTER 1: Introduction ..... 4
  Related Work ..... 5
  Motivation ..... 6
CHAPTER 2 - Characteristics of Exploit Kits ..... 7
  What is an exploit kit? ..... 7
  Incidents of the past ..... 7
  How do you get compromised ..... 9
  EK Infrastructure ..... 11
  Propagation ..... 13
    EK Campaigns ..... 13
    Spam Campaigns ..... 14
    Malvertising ..... 14
  EK & Underground Economy ..... 15
  Background on Exploit Kits ..... 18
    EK's Adversarial Activity ..... 18
  Attack Characteristics ..... 18
    Nature of EK ..... 18
    Redirections ..... 19
    302 Cushioning ..... 20
    Domain Shadowing ..... 20
    Victim Profiling ..... 21
    Fingerprinting Tactics ..... 21
    Traffic Distribution Systems ..... 24
  Self-defense Characteristics ..... 24
    IP Blocking ..... 25
    User-Agent Evasion ..... 25
    Blacklist Lookup ..... 26
    Signature Evasion ..... 26
    Cloaking ..... 26
    Domain Generation Algorithm ..... 27
    Hiding Referrer ..... 28
    Encryption/Encoding ..... 28
    Obfuscation ..... 29
    Fileless Infection ..... 31
  Final Phase ..... 32
  Post-Infection Phase ..... 33
  Landing Pages ..... 33
  Web Browsers ..... 35
  Droppers ..... 37
  Malware families ..... 38
    Ransomware ..... 39
    Botnets ..... 44
  Technical Introduction to known Exploit Kits ..... 46
  ANGLER EK ..... 46
    General Characteristics ..... 46
    Angler In Action ..... 49
    Obfuscation of Angler ..... 53
    Host Probing ..... 54
    Malvertising ..... 56
  RIG EK ..... 56
    Rig Infrastructure ..... 57
    Rig In Action ..... 58
    Customer's Perspective ..... 63
  EK comparison ..... 65
CHAPTER 3 - Malware Traffic Analysis Example ..... 67
CHAPTER 4 - Attack Path Script ..... 77
CHAPTER 5 - Recommendations, Future Work & Conclusions ..... 80
  Recommendations ..... 80
  Future Work ..... 82
  Conclusions ..... 83
Abbreviations/Acronyms ..... 85
Table Of Figures ..... 86
References ..... 88
Appendix ..... 89
PROLOGUE
Exploit kits have become one of the most widespread and destructive threats that Internet users face on a daily basis. Since the first actor categorized as an exploit kit, namely MPack, appeared in 2006, we have seen a new era of exploit kit variants compromising popular websites, infecting hosts and delivering destructive malware, following an exponential evolution to date. With the growing threat landscape, everyone from large enterprises to domestic networks has started to adopt multiple security solutions to guard their perimeter against them.
An exploit kit is actually a type of malicious toolkit that is used to identify and exploit security holes found in web browser plugins installed on the victim's computer, for the purpose of facilitating the real aim of spreading and infecting the computer with a type of malware. Exploit kit authors have proven to be quite skilled programmers of crimeware, which embodies sophisticated code and characteristics considered challenging in terms of analysis and detection, for both security controls and analysts.
In this thesis, we will try to examine the exploit kit phenomenon and cover all perspectives. First of all, we will explain the motivating factor for studying this subject and refer to cyber security researchers' previous work regarding exploit kit analysis. We will also refer to cyber security incidents of the past having an exploit kit as main actor, and describe their infrastructure and the business model they usually follow for profiting from their underground activity. To familiarize the reader with exploit kits, we will discuss the ways they propagate themselves, and describe and analyze their main characteristics, which can be categorized as attack characteristics and self-defense characteristics. We have also covered the procedure of analyzing network traffic captures that contain traffic produced by exploit kits, so as to give a walkthrough to researchers who are interested in performing a basic malware traffic analysis.
Finally, we designed a simple command line script that takes as input a packet capture file containing network traffic captured during a live infection by an exploit kit, parses the packets according to the exploit kit theory described in this thesis, and indicates in turn the potential attack path the actor followed to compromise the victim. Our code is based on the results of our research and our observations from analyzing many malware samples. It could be useful for a researcher who wants to quickly identify a starting point to begin his analysis of samples containing exploit kit traffic.
CHAPTER 1: INTRODUCTION
For sure, exploit kits (a.k.a. exploit packs) constitute the most destructive cyber threat of recent years. They are designed to cause a range of damage, from making the infected computer part of a botnet, installing a trojan horse or spyware, to even blocking the user from operating the affected computer or destroying users' personal files by encrypting them. Establishing the victim computer as part of a botnet or installing spyware targets users' privacy directly. The botnet can likely host resources through which punishable criminal activities can be served in favor of the bot administrators, also harming the user who has unintentionally been infected. An equally bad scenario is to get infected by ransomware that blocks access to the computer, encrypts personal and valuable files and requires a ransom to be paid in order for the victim to restore its files. Most of the time the infection has devastating results and victims lose their computer files.
Exploit kits are a serious cyber threat today, estimated to be responsible for the vast percentage of malware infections worldwide. They are distributed mostly through both public and underground sources such as the Dark Web, where they can either be purchased or rented for several days at a relatively low cost in comparison with the damage they can cause. Customers appear to be a wide range of potentially criminal audiences, from inexperienced hackers to seasoned notorious cyber criminals. Although in the past the first infections had started as a demonstration or proof of power and hacking skills of unconscious attackers, or something like a game between programmers, the phenomenon evolved through these years to take the shape of a massive cyber threat. Modern cybercrime is well organized, like a well-structured retail enterprise with directors, employees and a sales network offering its services all over the world, earning the name "exploit kit-as-a-service", which totally describes its massive profit and proliferation.
As far as this thesis is concerned, we tried to keep a comprehensive structure so as to facilitate the reader in following the subject, mainly unwrapped in the second chapter. The level of technical detail in our descriptions escalates gradually chapter by chapter for better understanding. To put the reader into context, we will mention at first the previous research conducted at academic level regarding the main theme of this thesis. A lot of security researchers from all over the world cooperated in order to work on and examine in detail the exploit kit phenomenon. Multiple different approaches have been followed in an attempt to understand how this massive threat gained so much space in the global cyber threat landscape, how it evolves through its years of action and what new characteristics it has adopted to follow the equally rapid technological evolution, what resources it currently needs and how it manages them in order to propagate itself and, of course, how the average user is able to protect himself. A lot of effort has been put by known security research laboratories, security pioneers and other individuals into updating the rules of the already popular commercial and free security products to embody exploit kit detection and prevention mechanisms, or into designing from scratch new products that would perform in-depth analysis of the threat behavior, in an attempt to be as proactive as possible. This thesis is based on the papers discussed in the next section, on a systematic review of multiple reports and other resources through Internet searches, as well as lots of hours of manual analysis of malicious samples acquired from public security repositories [5][6]. Furthermore, we will discuss the motivation for conducting this study on exploit kits and its characteristics, which explain why this thesis has been written.
Related Work
Eshete and Venkatakrishnan [1] presented a comprehensive work regarding drive-by-download attacks; specifically, they analyzed malicious URLs of known exploit kits, which play the crucial role in triggering the infection chain. After describing in detail the core characteristics of exploit kits, they designed a system, namely WebWinnow, that is capable of parsing malicious URLs supplied to a honey-client infrastructure, through which a machine learning classifier is trained continuously, leveraging the most effective machine learning algorithms to decide in turn if the sample is suspicious and which known exploit kit it resembles. The WebWinnow system takes as input data from locally installed exploit kits (from source code the researchers had in their possession), live exploit kits on the Web, as well as legitimate URLs to increase the entropy of the samples and simulate real traffic. The overall implementation scored good results according to their system evaluation, yielding low false positives. Besides this, we would like to highlight the valuable contribution of the authors in collecting the majority of attack and self-defense characteristics of exploit kits.
Cova, Kruegel and Vigna [2] also worked on drive-by-download attacks, presenting a different approach to parsing malicious JavaScript code within web content. They designed a system, JSAND, that detects anomalous behavior in JavaScript samples by training a machine learning classifier provided with predefined malicious ("known-bad"), benign ("known-good") and uncategorized datasets. The system analyzes the samples, extracts exploit features, identifies anomalous parameters, and performs dynamic analysis via high-interaction honeypot clients especially set up for parsing the samples. The researchers focused much on evaluating their system and comparing it with tools of different detection philosophy, such as signature-based tools, low-interaction honeyclients and high-interaction honeyclients. Overall, the system achieved better results and identified more anomalies than the other tools, having few false negatives.
Taylor et al. [3] also used machine learning algorithms to classify exploit kit instances based on a subtree similarity method. Their system indexes samples of HTTP traffic, including client browser interaction, and converts them into tree-like representations. Then, the classifier was trained with these representations, which were crafted based on known-to-be-malicious structural patterns of exploit kit traffic. The system was deployed in a large enterprise environment and managed to identify a good number of exploit kits without any false positives.
Shindo, Satoh, Nakamura and Iida [4] proposed a lightweight approach to detecting potential attacks of exploit kits, based on the analysis of the file type transitions of web sessions. Their system takes as input legitimate and malicious datasets, which are broken into sessions and subsequently analyzed and filtered based on file type extensions that are known to often get involved in exploit kit activities. In this manner, the system was capable of judging whether the sample communication was malicious or benign. The results for JavaScript and Flash files were as good as they expected.
Motivation
The main motivating factor for writing this thesis is the will to study in detail the most prevalent cyber threat of recent years, discover the main components of its ecosystem and analyze its patterns and attack characteristics. It was also the will to scratch the surface of the cybercrime scene and its underground economy, which is nowadays growing bigger. Becoming familiar with exploit kits' infection techniques and learning their tactics offers the researcher the advantage of taking proactive measures against compromise and being ready in case a security incident occurs. For sure, the author's personal experience of interacting with a ransomware in the past was an additional motivation for studying this threat better.
- Know your enemy -
Sun Tzu, "The Art of War"
CHAPTER 2 - CHARACTERISTICS OF EXPLOIT KITS
What is an exploit kit?
An exploit kit (hereinafter EK) is software that automates the identification and exploitation of vulnerabilities on a victim's computer (typically via their web browser), to then deliver a malware payload and infect the target machine¹.
In a nutshell, the exploit kit is the vehicle to infect a remote host with malware.
Incidents of the past
The massive proliferation of malware infections around the world has drawn the attention of threat intelligence vendors and organizations, who have issued corresponding information notes and alerts in an attempt to prevent these threats. From 2006 to date, numerous incidents involving exploit kits have taken place in the wild, targeting everything from simple home computers and smartphones to bank institutions and large enterprise networks. The severity of the incidents also varied, from simple computer disruptions easily fixed with a system restore to a previous backup, to more serious consequences such as total access block from critical systems and reputational loss due to sensitive data leakage. Fortunately, security experts in international information security organizations, companies of the private sector, as well as individual security researchers, continuously investigate these types of attacks, perform analysis, design security products to fight against them, provide prevention controls, and warn and train the public against cybercrime.
In this section, we are going to mention some of the best-known cyber security incidents regarding attacks by EKs that came into the limelight in the past few years. The first incident described in the following also motivated the author to study the EKs in detail and constitutes the reason for writing this thesis.
Perhaps the reader has been a victim in the past or has heard about someone in his environment who has been attacked by one of the popular exploit kits, but didn't really know what it was. For instance, in 2012 in Greece, the so-called "Greek Police Virus" malware infected thousands of computers, raising a window after infection, pretending to originate from the Greek Police Authorities, that was actually freezing the computer's screen and informing the user that a fictional virus had been installed on his computer, requiring an amount of money (about 100€) to be paid in order for the victim to get back control of the computer and his personal documents and files. Of course, continuous incidents raised the attention of the Greek Police Authorities, who had to issue technical guidelines on how the computer owner could remove the notorious malware. The aforementioned malware was a variant of Reveton crypto-ransomware (or just, ransomware) equipped with the capability to lock the screen of the affected hosts, delivered by exploit kits through browser compromise or spam emails.
¹ https://www2.trustwave.com/rs/815-RFM-693/images/2015_TrustwaveGlobalSecurityReport.pdf, page 68
The message displayed on the locked screen is illustrated below:
Figure 1 - Greek Police Virus screen message
At the time the user faces this pop-up window, he is not able to close it or navigate elsewhere on his computer; the malware persists even after a reboot of the computer. This type of ransomware enforces the display of a country-specific message, translated to the language the user has set as default, showing real badges from the national Police Authority, as well as a picture of the President of the country, the real IP address and the underlying operating system, to convince the victim that the authorities have blocked the access to his computer and so proceed with paying the ransom as a result of his fault. There is also a message accusing the victim of a criminal offense and displaying the corresponding law excerpts regarding this act, as well as informing that all files have been encrypted, and a form to pay by using UKash or PaySafeCard. Although for technical people this was obviously a scam, the average computer user believed that the Greek Police locked their screen, demanding to pay a fine for a fake law infringement they supposedly had committed.
Commonly, this kind of infection with rogue screen lockers and other malware delivered by exploit kits in general is a consequence of poor PC security. At the end of the document, we give some simple guidelines on how to protect against EKs.
In February 2016, the Hollywood Presbyterian Medical Center lost control of its computer systems due to a cyber-attack. The attackers managed to infect the systems with a variant of ransomware that blocked access for hospital staff and wouldn't release the attack until the amount of $17,000 in bitcoins was paid. The real attack path has not been identified yet, but it could probably have been conducted by EK adversarial activities, as the attack path is pretty much the same as the EK's. Since the hospital could not afford delaying its crucial operations on which people's lives rely and could not wait for the backup restore process, the chief executive decided to pay the ransom. The result of the assault is unclear after the decision to pay off the cyber criminals. Typically, authorities that perform the investigations discourage people from paying the hackers, out of fear that it encourages cybercrime to launch more attacks and make more money from victims.
How do you get compromised
Exploit kits compromise victims via a process called a drive-by-download attack. The common scenario is the victim browsing to a compromised website and being redirected to the EK gate without interacting at all with the website's content, simply by navigating to the vulnerable website. The infection can happen invisibly with the use of an IFRAME, unbeknownst to the victim. The victim's host, and especially the browser, is probed for vulnerabilities. If it is vulnerable, the corresponding exploit is delivered via malicious payloads to the host and executed to help download the real malware, which is stored to disk or injected directly into memory. At that time, the victim is fully compromised. The level of damage on the victim's host depends on the installed malware.
Figure 2 - Infection chain
Most of the time, infection occurs without needing the victim's interaction; there are no pop-up windows or windows to click through. All it takes is just browsing to a compromised website to get infected. However, it is possible for the infection to demand the victim's interaction, for instance, by clicking on a malicious advertisement or a link within a spam email so as to trigger the whole process.
The malware delivered by the EK will not be apparent to the user, unless the EK happens to deliver a variant of ransomware, when the user will be notified to pay an amount of bitcoins to decrypt his sensitive documents.
Finally, the EK maintains its health and the statistics of infection, publishing them to the EK administrator.
For the reader's convenience, we summarize the chain of infection as follows:
Step 1: The victim host navigates to a compromised website with a malicious injected script
Step 2: The injected script generates an HTTP request for an EK landing page
Step 3: The EK landing page determines if the computer has any vulnerable browser-based applications
Step 4: The EK sends an exploit for any vulnerable application
Step 5: If the exploit is successful, the EK sends a payload and executes it as a background process
Step 6: The victim's host is infected by the malware payload
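The six steps above can be recovered from a capture by following Referer headers between HTTP transactions. The following is an added example written for this thesis summary, not the thesis's own attack path script; it assumes each transaction has already been reduced to timestamp, URL, Referer and response Content-Type, that the capture begins with the victim's navigation, and the SAMPLE records (hosts such as compromised-site.example and gate.example.net) are constructed data.

```python
"""Reconstruct the six-step drive-by infection chain from HTTP transactions.

Added example, not the thesis's own script. Each HTTP transaction is reduced
to the fields a PCAP parser would extract: timestamp, URL, Referer and the
response Content-Type. The chain is rebuilt by following Referer headers from
the compromised site (step 1) to the landing page (steps 2-3), the exploit
(step 4) and the payload (step 5). The SAMPLE records are constructed data.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class HttpTx:
    ts: float          # seconds since start of capture
    url: str           # requested URL
    referer: str       # Referer header, "" when absent
    content_type: str  # response Content-Type


# Response types that typically carry a browser/plugin exploit (step 4) ...
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                 "application/x-silverlight-app"}
# ... and the dropped executable payload (step 5).
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}


def host_of(url: str) -> str:
    return urlparse(url).netloc.lower()


def attack_path(records):
    """Return [(step_label, url), ...] for the transactions that form the chain.

    Assumes the capture begins with the victim's navigation, so the first HTML
    response fetched without a Referer is taken as the compromised site.
    """
    records = sorted(records, key=lambda r: r.ts)
    start = next((r for r in records
                  if r.content_type.startswith("text/html") and not r.referer), None)
    if start is None:
        return []
    path = [("compromised_site", start.url)]
    chain_hosts = {host_of(start.url)}   # hosts already attributed to the chain
    landing_seen = False
    for tx in records:
        if tx is start:
            continue
        tx_host = host_of(tx.url)
        ref_host = host_of(tx.referer) if tx.referer else ""
        if not landing_seen:
            # Steps 2-3: the injected script pulls an HTML landing page from a
            # new host, carrying the compromised site as Referer.
            if (tx.content_type.startswith("text/html")
                    and ref_host in chain_hosts and tx_host not in chain_hosts):
                path.append(("landing_page", tx.url))
                chain_hosts.add(tx_host)
                landing_seen = True
            continue
        if tx.content_type in EXPLOIT_TYPES and (ref_host in chain_hosts
                                                 or tx_host in chain_hosts):
            # Step 4: exploit served by, or referred from, the EK infrastructure.
            path.append(("exploit", tx.url))
            chain_hosts.add(tx_host)
        elif tx.content_type in PAYLOAD_TYPES and tx_host in chain_hosts:
            # Step 5: the payload is fetched by shellcode, usually without a
            # Referer, so it is matched on the serving host alone.
            path.append(("payload", tx.url))
    return path


# Constructed sample capture: a benign analytics script and a later visit to an
# unrelated news site are noise; the four chain transactions sit between them.
SAMPLE = [
    HttpTx(0.0, "http://compromised-site.example/index.html", "", "text/html"),
    HttpTx(0.3, "http://cdn.tracker.example/analytics.js",
           "http://compromised-site.example/index.html", "application/javascript"),
    HttpTx(1.1, "http://gate.example.net/forums/viewtopic.php?t=1947",
           "http://compromised-site.example/index.html", "text/html"),
    HttpTx(2.4, "http://gate.example.net/media/player.swf",
           "http://gate.example.net/forums/viewtopic.php?t=1947",
           "application/x-shockwave-flash"),
    HttpTx(3.9, "http://gate.example.net/download.php?id=7", "",
           "application/octet-stream"),
    HttpTx(4.2, "http://news.example.org/", "", "text/html"),
]

if __name__ == "__main__":
    for n, (label, url) in enumerate(attack_path(SAMPLE), 1):
        print(f"{n}. {label:16s} {url}")
```

Any third-party HTML frame fetched with the compromised site as Referer would also qualify as a landing page here, so on real captures this Referer walk is a starting point to be combined with the landing page and obfuscation indicators discussed later in the thesis.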
EK Infrastructure
Exploit kits are designed to support an underground business that nets money from unsuspecting victims. Obviously, an infrastructure that earns millions of dollars per year cannot be a simple network counting one or two simple web servers. The infrastructure must be solid, functional and must ensure the availability of its operations at any time, since it should be serving thousands of connections per hour; potential loss of availability due to bottlenecks or other system delays means loss of money. We are going to depict below the core infrastructure components of Angler EK, because it has a representative architecture that applies more or less to other EKs too. Furthermore, we will describe how the core components talk with each other so as to have a better notion of the EK's internal processes.
Figure 3 - EK indicative infrastructure
According to the depicted model, after the victim navigates to a compromised website dictated by an EK, he usually stumbles upon a rogue IFRAME that redirects him to the Proxy Server. The Proxy Server is the only component of the EK architecture that interacts directly with the victim; it is used to redirect to the EK gate (landing page) and, generally, to route the traffic between all instances safely, actually hiding their malicious communication. Typically, EKs utilize more than one proxy server. Then, the Proxy Server retrieves the landing pages, exploits tailored to the browser's vulnerabilities and payloads from the Exploit Server, which is responsible for storing them centrally and delivering them to the victim, similarly through proxies. The vast majority of EKs utilize a Linux distribution as the operating system of the Exploit Server and a version of NGINX as the underlying HTTP web server. During all internal communications, a Status Server correlates logs from all instances in order to maintain the health status of the system. Specifically, acting as a monitoring interface, it submits in a timely manner HTTP requests to the proxy servers and receives special responses from which it determines the health status of the proxy and whether someone has compromised it or has tampered with its contents. In addition to these checks, the Status Server is able to collect all access logs and information, e.g. victim IP addresses, User-Agents, etc., in order to push them to the Master Server. The Master Server aggregates and correlates all data retrieved from each Status Server, handles the trade with the customers who rent or buy the service and provides statistical information such as compromise rate, transactions, etc. to the EK owners.
The above-mentioned distributed management facilitates the overall operation to flow fast, without harming the availability of the service either towards the victims or the customers. A single Exploit Server collaborates with a series of Proxy Servers in order to confuse the traffic, harden the traceability, and in turn protect it from detection. The segregation of exploits helps the business model to put the newer exploits into production without interrupting the ongoing process at all, as well as effectively allowing charging separately (regularly, higher) for the newest exploits, such as zero-days.
Propagation
In this section, we will mention the ways EKs leverage in order to spread through the Internet and propagate themselves to the potential victims. A higher number of compromised hosts is translated into higher revenues for cybercrime, explaining why EK masterminds invest many resources and time in developing the optimal techniques for delivering malware.
Security researchers have categorized the campaigns of EKs according to their characteristics, attack vectors, and the malware they usually drop. We are going to discuss several campaigns along with the main technical analysis in a subsequent chapter for better understanding.
EK CAMPAIGNS
This kind of campaign aims to redirect the victim to the EK's landing page, either directly or by leading to a gate before reaching the actual landing page. The means are in fact IFRAME redirectors and scripts injected in popular yet compromised websites, having as goal to redirect the victim to the EK's landing page. Another way is the malicious module that inserts hidden IFRAMEs with certain responses into Apache (Linux) web servers at the beginning and NGINX and some IIS versions at the end. The malicious module injected the redirection via the LoadModule directive into the configuration file of the server, harming it at the root level. This infection was difficult to detect because the malware was only active when both the server and site admins were not logged in and the IFRAME was only injected once a day (or once a week) per IP address. It is easily understood that such a kind of server-level infection was not easily reproducible and was very difficult to reveal.
Popular campaigns are EITest, Darkleech, Pseudo-Darkleech, Afraidgate, 302 redirect, gonext, randphp, trk, vollumne, customredir, IPredir, IPredir variant, Malshadow and more.
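Because these campaigns rely on an injected IFRAME that the visitor never sees, a response-side check for invisible frames pointing at a foreign host is a practical detection. The following is an added example, not code from the thesis or from any of the campaigns named above; the hidden iframe criteria (1x1 size, display:none, visibility:hidden, off-screen position) are assumptions drawn from the description, and SAMPLE_HTML with its hosts is constructed test data.

```python
"""Flag hidden IFRAME redirectors in an HTML response body.

Added example, not code from the thesis. It models the detection side of the
campaign above: an injected IFRAME is made invisible (1x1 size, display:none,
visibility:hidden or positioned off-screen) and points at a host other than
the page's own. SAMPLE_HTML is constructed test data.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the attribute dictionary of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Leading integer of '1', '1px' or '0%'; None when not numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def hidden_reasons(attrs):
    """Return the list of reasons an iframe would be invisible to the user."""
    reasons = []
    style = attrs.get("style", "").lower().replace(" ", "")
    for dim in ("width", "height"):
        # The size may come from the attribute or from inline CSS.
        v = _px(attrs.get(dim))
        m = re.search(rf"{dim}:(\d+)", style)
        if v is None and m:
            v = int(m.group(1))
        if v is not None and v <= 1:
            reasons.append(f"{dim}={v}")
    if "display:none" in style:
        reasons.append("display:none")
    if "visibility:hidden" in style:
        reasons.append("visibility:hidden")
    m = re.search(r"(?:left|top):-(\d+)", style)
    if m and int(m.group(1)) >= 100:
        reasons.append("off-screen")
    if "hidden" in attrs:
        reasons.append("hidden attribute")
    return reasons


def find_hidden_iframes(html, page_url):
    """Findings for hidden iframes; cross_domain marks a src on a foreign host."""
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).netloc.lower()
    findings = []
    for attrs in parser.iframes:
        reasons = hidden_reasons(attrs)
        if not reasons:
            continue
        src = attrs.get("src", "")
        src_host = urlparse(src).netloc.lower()
        findings.append({"src": src, "reasons": reasons,
                         "cross_domain": bool(src_host) and src_host != page_host})
    return findings


# Constructed page: one visible, legitimate video embed and one injected
# redirector frame of the kind described above.
SAMPLE_HTML = """
<html><body>
<h1>Blog</h1>
<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>
<p>Article text ...</p>
<iframe src="http://gate.example.net/forums/viewtopic.php?t=1947" width="1" height="1"
        style="visibility: hidden; position: absolute; left: -9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML, "http://compromised-site.example/index.html"):
        print(f["src"], f["reasons"], "cross-domain" if f["cross_domain"] else "")
```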
SPAMCAMPAIGNSOneofthemosteffectivewaysEKsusetopropagatethemselves,istheelectronicmailserviceviaadversarialphishingcampaigns.Attackersusuallydesignaneye-catchingmessage to raise thevictim’sattention,withinwhichhasembodied afalsified link targeting to the compromised web pages they control or viaattachmentswithinthismessage.TheusercangetcompromisedbyfollowingthelinkswithinanAdobeAcrobatdocument(format.pdf)or justbyopeningtheattached document (most often a Microsoft Word Document, format .docx)containingembeddedmacrosthatwillbeexecutedtostarttheinfectionprocess.
MALVERTISINGFurthermore,anotherwayofdeliveringEKstomanyvictimsisthemalvertisingcampaigns.Weusethetermmalvertisingtodescribetheonlineadvertisementonawebsitethathasbeentamperedwithafalsifiedobjectorpieceofcode,soastoperformunintendedredirectionstoEK’sserversuponvisitor’s interaction.Theforegroundvisualizationisusuallyatextmessage,ananimation,avideo,aGIF,etcthat tend to raise the visitor’s attention to click on it,with the expectation toredirect them to the corresponding online store or offered service website.However, theunderlyingcode iscarefullydesigned tobypasscommonsecurityfiltersandredirectthevisitortoEK’sgateinordertoexploithishost.Usually,theadvertisementnetworkcompaniesandoperatorsthemselvesarethefirstvictimsofcybercriminalsbecauseEKslaunchtheirattacksviatheircompromisedservers.Thishappenswhen theEKmastermindshavealreadyhacked, forexample, theweb hosting service and then they have found theway to inject scripts in itswebsites.
EK & Underground Economy

In the context of cyber security, the EK phenomenon is nothing more than a business for its owners. The cyber criminals behind the most prevalent EKs take their business seriously in order to maximize profit. That is why they put so much effort into adopting new methods and technological trends, always from the wrong side, by bypassing the newest security policies and detection methods. The terms EK-as-a-Service (EKaaS) and Malware-as-a-Service (MaaS) are not new to the security community, which closely watches the fast-growing underground economy, routed mostly through the so-called Dark Web (often loosely called the Deep Web).

The Dark Web, which among other lawless territories carries a sheer amount of money stemming from outlaw activities, is a hospitable place for cyber criminals to offer their services and trade anonymously. The price of renting one of the leading EKs is often a few hundred dollars per month, approximately $500/month, and some EKs are also sold outright for approximately $20-30k. The buyer can be anyone who wants to hide criminal activity behind the anonymity that Tor and other encrypted networks offer: desperate individuals, enterprises, or governments. EKs are typically sold through underground forums that usually operate on an invitation-only basis to avoid infiltration by law enforcement and security researchers, so that from the outside one cannot distinguish those who purchase EKs from the cyber criminals who designed them. Additionally, the EK owners provide buyers with a management console to oversee the malicious activities of the rented EK, with a full view of its effectiveness, status and rental cost. The buyer, for his part, must provide his own equipment and infrastructure for the service. Once the rent is paid, the buyer has full access to the monitoring interface and to any additional features the EK ships with, to attack at will. The cyber security community uses the term campaign for an attack, or a series of attacks, launched from a distinct infrastructure leveraging an EK.
On the other hand, buyers of crimeware do not differ from ordinary buyers: they have their own demands and spend their money on the products that deserve it. As a consequence, cyber criminals who want to increase their revenue tend to follow buyers' preferences. We summarize below what crimeware buyers demand from EK designers, and what EK designers therefore try to improve in order to offer a more attractive product:

§ Better hit rate of the EK
From the buyers' perspective the most important thing is to have as many infections as possible, and from the designers' point of view that means more money, especially if they charge per successful hit.

§ Attractive pricing
"Pay-per-install" EKs are a significantly more attractive offer, since the buyer pays only for successful installs and not for the attempts that miss.

§ Better marketing name
Indeed, EK "superstars", i.e. famous EKs, tend to be more attractive to buyers.

§ Number of zero-days
Complementary to the marketing name, sales also depend on the number of zero-day exploits the EKs claim to possess.

§ Flow of traffic
EK designers who maintain a high and steady flow of traffic to their landing pages earn higher incomes.

§ User friendliness
Besides technically confident buyers, EKs are also aimed at non-technical cyber criminals. For this reason designers build pleasant user interfaces, web panels and functions that facilitate the adversarial activities.

§ Extra features
EK designers tend to include additional features such as combinations of different malware types, configuration options and add-on functions for skilled buyers who want to make the most of their purchase.

§ Undetectable droppers
In addition to extra features, buyers prefer EKs that ship with stealthier droppers, like Trojan droppers that evolve on a regular basis so as to evade updated security products, over those that lack this option.

§ Up-to-date EKs
The last feature that matters in terms of sales is whether the EK keeps up with the latest developments, integrating fresh vulnerabilities as soon as they are discovered and new exploits as soon as they are published.

That said, it is more than obvious that EK-as-a-Service is a true business based on real business models, with owners who worry about and strive for increasing their sales, and with demanding customers. Cyber criminals move fast in adopting new techniques because, most of the time, their aim is to make money.
The success of EKs relies heavily on the popularity of the websites they compromise. The higher the profile and visitor count of the vulnerable website, the greater the volume of traffic towards the EK servers and the greater the probability that the EK infects victim hosts.

By targeting adult or gambling sites, an EK will probably not reach enterprise users, because enterprise networks routinely filter this category of website.

The following figure displays the annual revenue and the corresponding resources of the most dominant exploit kit of 2015, as cited in Cisco's Annual Security Report (2016).

Figure 4 - Revenue and resources of Angler EK (2015)

According to these statistics, Angler was estimated to target on average 90 thousand hosts per day through approximately 147 active redirection servers per month. Of those hosts, 40% were compromised, and about 62% of the compromised hosts were infected with ransomware variants. Taking into account that on average 2.9% of victims pay a ransom of about $300 per infection, Angler EK appears to have reached the surprisingly large figure of 34 million dollars in 2015.
Background on Exploit Kits

EK'S ADVERSARIAL ACTIVITY

Recall that an EK is basically a web-based platform for compromising hosts with some kind of malware. In most cases the chain of infection is the following: one or more redirections lead to the gate, with occasional probing of the system on the way. If a candidate vulnerability is identified, a landing page is delivered that probes the browser and determines the underlying technology and plugins. If a match is found with a suitable exploit from the arsenal, a payload is delivered to the host, containing the dropper that is responsible for downloading and executing the malware.

The exploitation phase of the EK's activity includes executing exploit code through installer scripts, triggering publicly available or zero-day exploit code, executing payloads that register the affected host as part of a botnet, dropping Trojans and spyware, and performing several administrative tasks that report the host's status back to the EK administration panel.
Attack Characteristics

NATURE OF EK

The majority of EKs are built from open-source components, because they are free of cost. They are usually written in HTML and PHP and commonly embed third-party code in JavaScript and CSS. EK authors usually rely on Apache and Nginx web servers to serve their landing pages. The vast majority of exploit carriers and launchers are Flash (SWF) files, which the common web browsers of the time are most likely to support. When the EK is delivered by spam e-mail with a malicious attachment, the attachment, e.g. a Microsoft Word document, usually contains a VBA macro for downloading and launching the malware. Sometimes PowerShell is used to execute shellcode and the downloaded specimen. EKs also usually employ MySQL databases to store their arsenal of exploits on the exploit server.

As for the malware delivered in the final phase of the infection, it is usually written in C/C++ to ensure interoperability with a range of target systems and because it is faster than other languages; a ransomware written in C with code excerpts in assembly, for instance, executes its encryption routines much faster. EK authors tend to avoid C# for malware because it is slightly slower and because many free tools help researchers reverse engineer the specimen.

As we will discuss in a subsequent section, the JavaScript and other code excerpts used by EKs tend to be obfuscated to some extent, as a form of self-defense against the anti-malware installations the victim's host may have in place. To obfuscate their code, EK programmers are likely to purchase commercial obfuscators that do the job effectively and bypass detection products.

In the following two sections we describe the main characteristics of EKs in two categories. The first category covers the patterns and tricks they leverage to achieve their malicious intentions; the second covers the mechanisms they leverage to stay stealthy against security products.
REDIRECTIONS

Recall that the first step of the infection is for a user to unwittingly visit a compromised web page that leads to the landing page of the adversarial host serving the EK. The chain of redirections is crucial; without it the victim never reaches the EK's landing page. Redirections can be performed server side or client side, as described below.

Redirections are used by the vast majority of EKs for the following reasons:

§ They are the starting point of the EK's malicious activity because they open a communication channel between the victim and the exploit servers. Without them it would be much harder for the EK to reach the visitor's host.
§ They obscure the network traffic, so that the compromised source website stays unnoticed for a long time.
§ They hinder tracking and automated analysis.
§ They prevent a single malicious server from being flooded by connections and rendered unable to serve; the redirectors spread the load so that the exploit servers stay equally busy.
§ They steer traffic to the EK only from the regions the operators have chosen.

Redirections towards the malicious gate can be injected into vulnerable web pages in several ways:

§ By calling the JavaScript window.open(url) function with the malicious domain as target. This is a client-side redirection.
§ By injecting invisible IFRAMEs (practically zero height and width) or oversized IFRAMEs (hard to distinguish from the legitimate page) that embed the redirection to the malicious domain. This is the most popular client-side redirection.
§ By injecting specially crafted HTML or server code that abuses the normal HTTP 3XX server redirection, placing the malicious domain in the "Location" header (302 cushioning).
§ By invoking Java applets or APIs that perform remote connections, or by calling an already infected JavaScript library.
§ By tampering with the .htaccess file on an Apache server and injecting rewrite or redirect rules towards the landing page.
§ By using an HTML anchor (href) pointing to the malicious domain.
§ By presenting a fake message or warning whose script performs the redirect when the visitor clicks an option or closes it.

The whole process is invisible to the average user and very fast, so as not to raise suspicion. Even when the EK fails to exploit the victim's browser, it responds with a bland or blank web page so that nothing looks wrong to the user. It is also worth noting that one may be handed to a different EK each time the same web page is visited.

302 CUSHIONING

This is a server-side method of redirecting the victim to the attacker's web server: the compromised server returns a "302 Found" status and supplies the URL of the EK's gate in the "Location" header. The term is attributed to Cisco, which also calls the technique "Rogue 302 Redirectors". A 302 redirect is itself legitimate and is used by developers all the time to send visitors to another page; many EKs simply abuse this ordinary feature of web applications to route visitors to their malicious sites.

The prerequisite for the attackers is, of course, to have already identified and exploited a vulnerability in the web application or in its hosting provider in order to inject the malicious redirection.
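As an added illustration of the redirection techniques above (example code written for this edit, not part of the thesis or of any EK), the following Python routine reconstructs the hop sequence from captured HTTP transactions: it detects an injected IFRAME hidden by zero geometry or CSS, and follows 302 cushioning hops through the Location header, until it reaches the page that serves neither. The transactions and hostnames are constructed.

```python
"""Reconstruct an EK redirect chain from captured HTTP transactions."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: four transactions as an analyst would export them from a
# PCAP (url, status, headers, body). Hostnames are placeholders.
TRANSACTIONS = [
    {"url": "http://compromised.example/index.html", "status": 200,
     "headers": {"Content-Type": "text/html"},
     "body": '<html><body><h1>News</h1>'
             '<iframe src="http://redir.example/go.php?id=7" width="0" '
             'height="0" style="visibility:hidden"></iframe></body></html>'},
    {"url": "http://redir.example/go.php?id=7", "status": 302,
     "headers": {"Location": "http://gate.example/?k=abc"}, "body": ""},
    {"url": "http://gate.example/?k=abc", "status": 302,
     "headers": {"Location": "http://landing.example/land.html"}, "body": ""},
    {"url": "http://landing.example/land.html", "status": 200,
     "headers": {"Content-Type": "text/html"},
     "body": "<html><script>/* fingerprinting */</script></html>"},
]


def _px(value):
    """'0', '0px', ' 1' -> int; anything else (None, '') -> None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class HiddenIframeFinder(HTMLParser):
    """Collect the src of every IFRAME whose geometry or CSS hides it."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        zero_size = any(_px(a.get(k)) == 0 for k in ("width", "height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        css_hidden = "visibility:hidden" in style or "display:none" in style
        if (zero_size or css_hidden) and a.get("src"):
            self.hidden.append(a["src"])


def hidden_iframes(page_url, html):
    """Absolute URLs of hidden IFRAMEs embedded in the page."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    return [urljoin(page_url, src) for src in finder.hidden]


def redirect_chain(transactions, start_url, max_hops=10):
    """Follow 3xx Location hops and hidden-IFRAME hops from start_url.

    Returns [(url, reason), ...] in the order the victim's browser would
    have visited them. Stops at the first page that neither redirects nor
    embeds a hidden IFRAME, or when the next hop was not captured.
    """
    by_url = {t["url"]: t for t in transactions}
    chain = [(start_url, "entry")]
    url = start_url
    for _ in range(max_hops):
        t = by_url.get(url)
        if t is None:
            break
        if 300 <= t["status"] < 400 and "Location" in t["headers"]:
            url = urljoin(url, t["headers"]["Location"])
            chain.append((url, "%d Location" % t["status"]))
            continue
        frames = hidden_iframes(url, t.get("body", ""))
        if not frames:
            break
        url = frames[0]
        chain.append((url, "hidden iframe"))
    return chain


if __name__ == "__main__":
    for hop, reason in redirect_chain(TRANSACTIONS, TRANSACTIONS[0]["url"]):
        print("%-13s %s" % (reason, hop))
```

On real traffic the transaction list would come from a PCAP export; the chain returned is the path an analyst needs in order to attribute a landing page back to the compromised site, and a hop missing from the capture ends the chain instead of being guessed.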
DOMAIN SHADOWING

This technique involves compromising a parent domain and creating multiple sub-domains with similar names that, when clicked, redirect the visitor to the EK's landing page. Victims cannot distinguish the real website or advertisement (e.g. legitdomain.com) from the fake (e.g. ads.legitdomain.com) and are thereby lured into communicating with the malicious server. EK maintainers can generate fraudulent sub-domains, mostly by stealing the legitimate domain owner's credentials, and delete them very quickly so as not to be captured by security systems and URL blocklists. For instance, if the attackers manage to steal the credentials of the victim's account at his domain registrar, they can create the malicious sub-domains at will.

Domain shadowing campaigns have proved very effective because they are very difficult to stop or detect, mostly because the malicious sub-domains have a very short life span. Besides being active for only a few hours, they are also reached only a few times, which lowers the chance of being noticed. Blacklisting the falsified domains does not help either, because not only the sub-domains but also their IP addresses are rotated; and blacklisting the root domain would cut off the legitimate site as well, a loss of revenue the registrar would not accept.
VICTIM PROFILING

The EK's primary concern is to gain as much knowledge as it can about the victim host before proceeding to the exploitation phase. The weakest link in this chain is the web browser, which is probed by the attackers unbeknownst to the user.

To fingerprint the host, EKs first gather information about the visitor's web browser by analyzing the User-Agent header, i.e. the browser technology the victim uses to communicate over the Internet. This information is transmitted in clear text over the network. Obviously, EKs do not rely on User-Agent inspection alone, since one can easily set any User-Agent and pretend to be browsing, for instance, from a smartphone. They therefore use JavaScript code specifically designed to perform these checks when it runs in the victim's browser.

They try to determine the version of the operating system and the browser, as well as the plugins installed in the browser and their versions. The most common checks target Adobe Flash Player, Microsoft Silverlight and Java, which are usually installed as browser plugins on the average user's machine so that the browser can display modern web content.

In the following we describe the most popular fingerprinting techniques leveraged by EKs in the wild, without diving into deep technical analysis.
FINGERPRINTING TACTICS

In this paragraph we describe the best-known techniques and tricks EKs use to fingerprint the victim's host. Most of the time the reason for gathering as much knowledge as possible about the targeted system is twofold. First, the information is used to enumerate the victim's system and then launch the attack suited to that specific host. Second, it is an act of self-defense against security systems: misjudging the victim's system could lead the EK into a trap, a honeypot, which would likely expose its criminal activity, and exposure translates into financial loss for the underground business.

The fingerprinting phase takes place within the landing page, before the EK unleashes the exploit chosen for the host under attack and infects it with malware.

Some of the preliminary checks EKs use to determine the nature of the victim host are relatively simple and are performed before the victim even reaches the gate. These include verifying whether the IP address is registered to a security company such as Kaspersky or Malwarebytes or belongs to a known honeypot, geolocation checks and, of course, checks of the browser technology. As far as the browser is concerned, the User-Agent header in the request sent to the malicious server indicates the browser's and host's underlying technology and decides the outcome of the attack. For instance, if the browser is identified as the latest version, with no known vulnerabilities or none for which the EK holds an exploit, the infection may terminate during the fingerprinting phase.

The tactics above apply to the beginning of the infection chain, where the victim triggers it by clicking on a malvertisement. Reaching the EK gate by visiting a compromised website involves the same tactics but also triggers additional checks afterwards. Fingerprinting checks are also performed by the landing page itself, because other victims may reach the gate by other means, such as clicking a malicious link in a phishing e-mail.

A common and simple check performed by several EKs, such as Angler EK and Magnitude EK, is collecting the dimensions and resolution of the user's screen. From the resolution, and from whether virtualization software is installed on the host, they can tell a normal host from a virtual machine or a honeypot. But how exactly are they able to scan the local system and verify that a local file exists?

For many years EKs took advantage of a vulnerability in Internet Explorer's XMLDOM ActiveX object (CVE-2013-7331, CVSS base score 5.8, Medium severity) that permitted host fingerprinting with minimal user interaction. Specifically:

"The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014." (NVD, CVE-2013-7331) [2]

More vulnerabilities capable of the same thing, enumerating the remote machine's file names, are registered as "Information Disclosure" vulnerabilities under the identifiers CVE-2015-2413, CVE-2016-3351 and CVE-2016-3298.

The last of these (CVE-2016-3298 [3], CVSS base score 2.6, Low severity) is an Internet Explorer vulnerability that lets the attacker determine whether a specific directory is present on the victim's system by invoking the loadXML(string) method of an MSXML DOM object. The figure below shows a simple example of how effective this technique can be:

Figure 5 - Fingerprinting via loadXML function

After a few further calls, the method returns the error code 0x800c0015 (INET_E_REDIRECT_TO_DIR) if the directory being probed exists, or 0x800c0005 (INET_E_RESOURCE_NOT_FOUND) if it does not. From this error code a simple EK routine can determine whether security products have been installed on the system under attack, since each leaves a known installation directory. Microsoft patched the vulnerability on Patch Tuesday, 11 October 2016.

Typically, all fingerprinting tactics try to learn the following about the underlying system:

§ Scans for the presence of AV or IDS/IPS software
§ Checks whether a firewall is installed on the system
§ Determines whether the browser is running in a sandbox
§ Determines whether virtualization software is installed
§ Inspects the system for packet capture software
§ Proceeds to deliver the specimen only if none of these is present

[2] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7331
[3] https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3298
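The version matching that follows fingerprinting, as an added Python example (written for this edit, not code from the thesis; the exploit table, version windows and labels are constructed placeholders, not real CVE data): the server-side gate parses the User-Agent, merges it with the plugin versions reported back by the landing-page JavaScript, and compares versions numerically so that "9.0.0.1" is correctly ordered below "18.0.0.203", which a string comparison would get wrong.

```python
"""Match fingerprinted browser and plugin versions to an exploit table."""
import re

# Constructed exploit table: (product, lowest vulnerable, highest vulnerable,
# exploit label). Ranges and labels are placeholders, not real CVE data.
EXPLOITS = [
    ("flash", (11, 0, 0, 0), (18, 0, 0, 203), "swf_exploit_a"),
    ("silverlight", (5, 0, 0, 0), (5, 1, 41212, 0), "xap_exploit_b"),
    ("ie", (8, 0), (10, 0), "ie_exploit_c"),
]

WINDOWS_NT = {"5.1": "xp", "6.1": "win7", "6.3": "win8.1", "10.0": "win10"}


def parse_version(text):
    """'18.0.0.203' or Flash's '11,2,202,442' -> tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", text or ""))


def _pad(v, n=4):
    """Right-pad a version tuple with zeros so tuples compare positionally."""
    return tuple(v) + (0,) * (n - len(v))


def fingerprint_from_ua(ua):
    """Extract OS and browser from the User-Agent header (server-side step)."""
    fp = {"os": None, "browser": None, "browser_ver": ()}
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        fp["os"] = WINDOWS_NT.get(m.group(1), "windows")
    m = re.search(r"MSIE (\d+\.\d+)|Trident/\S+.*rv:(\d+\.\d+)", ua)
    if m:
        fp["browser"] = "ie"
        fp["browser_ver"] = parse_version(m.group(1) or m.group(2))
    else:
        m = re.search(r"(Firefox|Chrome)/(\d+(?:\.\d+)*)", ua)
        if m:
            fp["browser"] = m.group(1).lower()
            fp["browser_ver"] = parse_version(m.group(2))
    return fp


def select_exploit(fp, plugins):
    """Pick the first exploit whose version window contains a reported version.

    `plugins` is what the landing-page JavaScript reports back, e.g.
    {"flash": "18.0.0.160", "silverlight": ""}; empty strings mean absent.
    Returns the exploit label, or None when nothing applies (the infection
    then terminates in the fingerprinting phase, as the text describes).
    """
    versions = {name: parse_version(v) for name, v in plugins.items() if v}
    if fp["browser"]:
        versions[fp["browser"]] = fp["browser_ver"]
    for product, low, high, label in EXPLOITS:
        v = versions.get(product)
        if v and _pad(low) <= _pad(v) <= _pad(high):
            return label
    return None


if __name__ == "__main__":
    ua = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
    print(select_exploit(fingerprint_from_ua(ua), {"flash": "18.0.0.160"}))
```

The table order is the kit's preference order: the first window that contains a reported version wins, and a fully patched browser with up-to-date plugins falls through to None, which is the "terminate during fingerprinting" outcome described above.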
Later, in the next chapter, we will go into more technical detail on the checks EKs commonly perform when reaching the final phase of the compromise, when the exploit is downloaded and executed.

TRAFFIC DISTRIBUTION SYSTEMS

As already stated, EKs strive to increase the profit from their malicious activities by carefully propagating themselves to targets that have a good chance of being compromised in the end. For this reason they take advantage of commercial Traffic Distribution/Direction Systems (TDS), by purchasing the service, by compromising the vendor, or even by designing their own TDS.

TDS systems filter incoming traffic and route it to specific targets. They are in effect web gates that redirect users to specific content depending on who they are. They usually include a filtering mechanism in which scripts run on certain criteria, a database to store and retrieve data, a statistics panel and a control panel for administration. The aim is to filter incoming connections by script, using as criteria the "Referer" header of the request, the language in the "Accept-Language" header, the browser version and operating system in the "User-Agent" header, and the geolocation of the client IP, so as to unleash the suitable exploit attack. In this way the fine-grained traffic is distributed effectively to the correct receiver, without letting irrelevant traffic consume system resources, while also preventing detection through redundant requests. Known TDS brands that have occasionally been employed by famous EKs, such as Angler EK and others, are Keitaro TDS, Sutra TDS, Blackhat TDS, Boss TDS, etc.
Self-defense Characteristics

EK authors have developed their kits over the years to avoid unnecessary interaction with hosts that are known to be protected and would most likely not let them carry out their malicious intentions. In this way they mitigate the risk of being trapped and analyzed by researchers. Unnecessary exposure, or persistent attempts to exploit, risks the EK being captured, analyzed and revealed to the public, and any analysis of a detected EK directly affects its profit and its reputation in the cybercrime industry.

Below we describe the main techniques EKs use to evade traditional signature-based IPS/IDS engines and to eliminate the chances of interacting with honeypots, thereby avoiding capture and analysis.

IP BLOCKING

EKs check the IP addresses they interact with in order not to attempt an attack against hosts that serve some kind of honeypot. They also block IP addresses assigned to known security vendors, hosting services, security research laboratories and Tor exit nodes. Additionally, they try to avoid known address ranges of enterprise environments, since these most likely implement layered security systems that would stop the attack.

USER-AGENT EVASION

Another typical self-defense control against detection is checking the User-Agent of inbound requests. Since the User-Agent header carries basic information about the system trying to establish a connection with the EK server, the EK parses it and filters out the ones considered too risky to interact with. Researchers who study EKs have found that the blacklisted technologies are the user agents of known security products, which are unlikely to have any publicly known vulnerability, as well as those of game consoles, web vulnerability scanners and known honeypots. Some of the blacklisted User-Agent strings are: MRSPUTNIK, LSSRocketCrawler, CPython, SeaMonkey, NetcraftSurveyAgent, McAfee, Acunetix, masscan, BadaCrawler, facebookexternalhit, BIDUBrowser and others. At the time of writing, EK authors exclude game consoles from their targets because of their low popularity as a way of browsing the Internet and because they are technology-specific devices not worth the time and resources needed to break them; recall that EKs are built generically to target widely used web technologies. In recent years, however, the rapid growth of Internet-connected smart devices that almost everyone has at home, such as smart TVs, media players and smart domestic appliances, has drawn the attention of cyber criminals, who have already started to compromise such everyday devices.
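To make the filtering described in the Traffic Distribution Systems, IP blocking and User-Agent evasion sections concrete, here is an added Python example (written for this edit, not code from the thesis or from any TDS product) of a gate that applies those checks in the order an operator would: a client IP blocklist, a User-Agent blocklist built from the agents listed above, a Referer check that only admits visitors arriving from the compromised site, an Accept-Language check for the targeted regions, and a coarse browser classification. The network ranges, language list, referer pattern and browser thresholds are constructed.

```python
"""A gate-style traffic filter of the kind TDS software and EK gates apply."""
import ipaddress
import re

# Constructed: ranges an operator avoids (documentation prefixes stand in for
# a security vendor and a hosting provider).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24",
                                                   "198.51.100.0/25")]
# User-Agent fragments from the list quoted in the text, plus game consoles.
BLOCKED_UA = ("mrsputnik", "lssrocketcrawler", "cpython", "seamonkey",
              "netcraftsurveyagent", "mcafee", "acunetix", "masscan",
              "badacrawler", "facebookexternalhit", "bidubrowser",
              "playstation", "nintendo", "xbox")
ALLOWED_LANG = ("en", "de", "fr")                      # constructed targeting
# Only visitors bounced from the compromised site are admitted (constructed).
REQUIRED_REFERER = re.compile(r"^https?://([a-z0-9-]+\.)*compromised\.example/")


def _browser(ua):
    """Tiny UA classifier: (family, major version) or None if unrecognised."""
    m = re.search(r"MSIE (\d+)|Trident/.*rv:(\d+)", ua)
    if m:
        return ("ie", int(m.group(1) or m.group(2)))
    m = re.search(r"(Firefox|Chrome)/(\d+)", ua)
    if m:
        return (m.group(1).lower(), int(m.group(2)))
    return None


def _primary_language(accept_language):
    """'en-US,en;q=0.8,el;q=0.6' -> 'en'."""
    first = (accept_language or "").split(",")[0].strip()
    return first.split("-")[0].split(";")[0].lower()


def route(client_ip, headers):
    """Decide what the gate serves: ('blank'|'decoy'|'landing/...', reason)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in BLOCKED_NETS):
        return ("blank", "blocked ip range")
    ua = headers.get("User-Agent", "")
    hit = next((b for b in BLOCKED_UA if b in ua.lower()), None)
    if hit:
        return ("blank", "blocked user-agent: " + hit)
    if not REQUIRED_REFERER.match(headers.get("Referer", "")):
        return ("blank", "missing or foreign referer")
    if _primary_language(headers.get("Accept-Language")) not in ALLOWED_LANG:
        return ("decoy", "language not targeted")
    b = _browser(ua)
    if b is None:
        return ("decoy", "unknown browser")
    family, major = b
    if family == "ie" and major <= 11:                 # constructed thresholds
        return ("landing/ie", "ie %d" % major)
    if family == "firefox" and major < 50:
        return ("landing/ff", "firefox %d" % major)
    return ("decoy", "no exploit for %s %d" % (family, major))
```

From the defender's side the same logic explains why a replay with a generic User-Agent, a missing Referer or from a known research range gets a blank page: the request never reached the landing page, so the absence of an exploit in such a capture is not evidence that the gate is clean.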
BLACKLIST LOOKUP

Many EKs regularly query one or more public blacklist repositories to find out whether their URLs are listed. This is a common way of checking whether their URLs are still unknown and have not been analyzed by security tools and researchers. If they have been blacklisted, the operators need to know, in order not to waste resources on hosts that may have deployed protection against them, or on honeypots seeking to analyze them further. Moreover, once their URLs appear in public blacklists, the EK administrators immediately relocate and switch to new URLs so that operations, and therefore income, are not interrupted. The same procedure repeats until they are discovered and blacklisted again. A large number of security websites maintain frequently updated databases of blacklisted URLs, among them threatglass.com, virustotal.com and urlquery.net.

SIGNATURE EVASION

Complementary to the URL blacklist lookup, EKs also check whether signatures of their exploits and malware are included in public databases. Checking their own components against virus-scanning engines tells them which of those components are flagged by researchers and would probably fail to infect the victim. In that case they will not launch that attack but prefer another way to compromise the victim. Among the most popular scanning services are virustotal.com and scan4you.net.

CLOAKING

Many EKs try to deceive visitors of the compromised website both when they have successfully exploited the host and when exploitation failed. Especially when exploitation is not possible, EKs do not want to leave traces of their activity that would invite further investigation, so they redirect the user to a legitimate page that raises no suspicion. In both cases the EK servers may also respond with a not-found page (typically HTTP status 404) or even a blank page. The same applies when an already infected host stumbles upon another page trapped by a redirector of the same EK: the EK does not start the exploitation process but just returns a blank page to save its resources. Anyone who uses the Internet daily has most likely interacted with an EK that found no browser vulnerability and served a random or blank page instead.

Several EKs, such as Sava, Fragus, Eleanore and 0x88, have been observed to place their last hope of compromising the victim on launching a random exploit before abandoning the infection process when they cannot find an exploitable vulnerability; they simply take their chances before leaving the targeted host. They are also likely to do the same when they have already compromised the victim and want to assess different or newer exploits for benchmarking purposes: they serve an additional exploit just to measure its effectiveness and report back to their C2 server for future development.
DOMAIN GENERATION ALGORITHM

A Domain Generation Algorithm (DGA) produces large numbers of domain names with randomly shuffled characters or hashed names; besides random alphanumeric strings, concatenations of random words can also yield random-looking domain names. Generation may take place on the fly during the victim-server communication, before fetching the exploit, or in the post-exploitation phase, when the installed malware needs to communicate with its C&C server. EK authors use this trick so that their infrastructure stands up to detection by signature-based security products that could otherwise block them by domain or DNS record, and to make manual reverse engineering harder. The short life span of each domain increases resilience against blacklisting. For instance, according to observations from the security community, Blackhole EK generated unique second-level domains every 12 hours and Angler EK every 6 or 12 hours. The top-level domains vary among several suffixes, such as .info, .biz, .ru, .top, .org and .com.

The following figure shows a DGA code excerpt that produces domain names based on the current date.

Figure 6 - DGA code sample

The listing contains a function that generates domains from the current date, giving a sense of randomness in the final date-derived string "ejfodfmfxlkgifuf", which could be used as a short-lived malicious domain name.
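An added Python example of a date-seeded DGA of the kind just described (written for this edit; it is not the algorithm in Figure 6 nor any real kit's generator, and the campaign key, 12-hour rotation and label lengths are assumptions): the same date and key always produce the same list, which is why a defender who has reverse engineered the algorithm can pre-compute and block or sinkhole the next period's domains.

```python
"""Date-seeded domain generation and the defender-side pre-computation."""
import datetime
import hashlib

TLDS = (".info", ".biz", ".ru", ".top", ".org", ".com")   # suffixes named in the text
CAMPAIGN_KEY = b"example-key"                               # constructed secret
PERIOD_HOURS = 12                                           # constructed rotation


def _byte_stream(seed):
    """Deterministic byte stream made of SHA-256(seed || counter) blocks."""
    counter = 0
    while True:
        for b in hashlib.sha256(seed + counter.to_bytes(4, "big")).digest():
            yield b
        counter += 1


def generate(when, count=10, key=CAMPAIGN_KEY):
    """Domains valid for the rotation period that contains `when`.

    The malware and anyone who knows `key` and the algorithm derive the
    same list for the same period; that predictability is what lets a
    defender pre-register or pre-block the domains.
    """
    period = when.hour // PERIOD_HOURS
    seed = key + when.strftime("%Y%m%d").encode() + bytes([period])
    stream = _byte_stream(seed)
    domains = []
    for _ in range(count):
        length = 12 + next(stream) % 5                      # 12..16 letters
        label = "".join(chr(ord("a") + next(stream) % 26) for _ in range(length))
        domains.append(label + TLDS[next(stream) % len(TLDS)])
    return domains


def is_dga_domain(domain, now, lookback_days=2, key=CAMPAIGN_KEY):
    """Defender check: was `domain` generated in any period of the last N days?"""
    for back in range(lookback_days + 1):
        day = now - datetime.timedelta(days=back)
        for hour in range(0, 24, PERIOD_HOURS):
            if domain in generate(day.replace(hour=hour), key=key):
                return True
    return False


if __name__ == "__main__":
    print("\n".join(generate(datetime.datetime(2017, 6, 1, 9, 0))))
```

Two points carry over to real kits: the seed must include something the defender cannot predict (here the key) or the whole list is public knowledge the moment the sample is reversed, and the period granularity fixes how far ahead a blocklist can be prepared.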
HIDING REFERRER

Another way EKs obscure their traces is by routing their traffic over encrypted HTTPS. They typically use HTTPS URL shorteners, such as bit.ly or goo.gl, to mask the malicious link that performs the redirection. Because browsers omit the Referer header when navigating from an HTTPS page to an HTTP destination, this breaks the referrer chain and frustrates detection and tracing.

In late 2014 a security researcher discovered that Google's DoubleClick.net permitted redirection to rogue websites: the googleads.g.doubleclick.net domain was vulnerable to an open redirect, meaning that anyone could be bounced through it to a malicious domain. Such a flaw could not be overlooked by cyber criminals, who quickly adopted it for malvertising campaigns and, of course, for redirecting victims to EK landing pages. Besides the redirection itself, the vulnerability let the EKs hide their actions behind Google's legitimate name and, furthermore, hindered detection because the communication was encrypted over HTTPS. For the sake of completeness, in 2016 the cm.g.doubleclick.net domain was also found to suffer from the same vulnerability.

ENCRYPTION / ENCODING

A typical fact about EKs is that they encode their source code and the exploits in their inventory to protect them against analysis. In this way they obfuscate the source and exploits so that it is difficult for researchers to parse them and understand the malicious activities, and so that whoever manages to capture the kit cannot easily redistribute it.

The powerful commercial PHP encoder IonCube, as well as Zend Guard, were heavily used by famous EKs such as CrimePack and Blackhole, and by less famous ones such as Neon, Life and Firepack. For instance, the following figure shows on the left the malicious code in clear and on the right the same code encoded with the IonCube encoder.
Figure 7 - IonCube encoded PHP code

To avoid the expense of commercial encoders, or the fact that those encoders' methods have probably already been studied by security researchers, EK authors also tend to write their own encoders and tools and apply them to their precious code.

Researchers have found that several EKs encrypt the communication between their core network components. EK authors usually prefer the XTEA (eXtended Tiny Encryption Algorithm) and RC4 ciphers, Diffie-Hellman (DH) for key exchange, and simple URL and Base64 encoding. In several cases, however, the encryption scheme has turned out to be imprecisely implemented and weak by default, because being cryptographically correct is not their first priority: they only need the core operations to stay secret long enough until the next development cycle brings changes.

OBFUSCATION

Typically, EKs apply various obfuscation techniques to the payloads served to the victim's browser, in order to avoid detection by network security products and to make researchers' lives harder. They obfuscate their landing pages, payloads, exploits and anything else they consider proprietary. These EK components are the assets of their business and need protection if the business is to keep growing its revenue.

Their primary goal is to deliver to the victim masked code that is not easily readable by humans and goes unnoticed by the majority of signature-based and emulation-based security products. They become even harder to detect when the page content is dynamically generated in a unique way for each visit, another common weapon in their arsenal. They usually try to hide the IFRAMEs, SWF files and JavaScript code that constitute the core and most sensitive components of their malicious activity.
Usually the first step of the process, and the first layer of obfuscation, is a simple Base64 encoding of the payload; so the last step for a researcher reversing the process will probably be Base64 decoding. The payload may also be a binary blob, a shellcode or a combination of the two. Obfuscation is also applied to the JavaScript code that fingerprints the victim host, and wherever malicious data needs to stay undetected.

From this point on it is up to the EK author's imagination to obscure the code at will. Deobfuscation is consistently the most time-consuming part of analysis, because the combinations of layers and techniques are endless. Security experts have identified and categorized several common techniques seen in the wild, usually obfuscation produced with known commercial or free tools and already studied patterns, but the process remains uncharted territory because it depends heavily on the EK author's programming skill.

A common obfuscation technique is string replacement: the encoded chunk of code is fragmented into strings assigned to multiple variables, and shuffling routines are then used to reassemble the true code listing. For instance, a bunch of routines decrypt key pieces of embedded variables and data, such as binary blobs, to build the EK's landing page. The following figure shows multiple variables defined with pieces of code, which are then concatenated to yield a part of the landing page.

Figure 8 - String replacement method

After the pieces of encoded code have been assigned to multiple variables, a function usually concatenates all the variables into one large string, which holds the code that will be decoded and executed.
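The string-replacement method, as an added Python example (written for this edit, not code from the thesis or from any kit): obfuscate() builds a constructed fragment in the style of Figure 8, splitting a multiply Base64-encoded payload across shuffled variable declarations that feed eval(atob(...)), and deobfuscate() reverses it by resolving the variables referenced in the eval() sink, joining them and peeling exactly as many Base64 layers as there are atob() calls. The sample script and variable naming scheme are constructed.

```python
"""Build and then unwind a string-replacement, multi-layer Base64 fragment."""
import base64
import random
import re

VAR_RE = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"\s*;')
EVAL_RE = re.compile(r"eval\((.*)\);", re.S)


def obfuscate(script, layers=2, pieces=6, seed=1):
    """Constructed imitation of the landing-page style the text describes.

    The script is Base64-encoded `layers` times, cut into `pieces`
    fragments assigned to throwaway variables declared in shuffled order,
    and fed to eval() through nested atob() calls.
    """
    rnd = random.Random(seed)
    blob = script.encode()
    for _ in range(layers):
        blob = base64.b64encode(blob)
    text = blob.decode()
    cuts = sorted(rnd.sample(range(1, len(text)), pieces - 1))
    parts = [text[i:j] for i, j in zip([0] + cuts, cuts + [len(text)])]
    # Unique hex-style names; the index in the high byte prevents collisions.
    names = ["_0x%x" % (0x100 * (i + 1) + rnd.randrange(256)) for i in range(pieces)]
    decls = list(zip(names, parts))
    rnd.shuffle(decls)                                  # declaration order != use order
    lines = ['var %s = "%s";' % (n, p) for n, p in decls]
    lines.append('var _noise = "nothing to see";')      # decoy, never used
    lines.append("eval(" + "atob(" * layers + " + ".join(names) + ")" * layers + ");")
    return "\n".join(lines)


def deobfuscate(fragment):
    """Resolve the variables feeding eval(), join them, peel the Base64 layers.

    Returns (script, layers). Raises KeyError if the sink references a
    variable the fragment never defines (a sign of a split or partial page).
    """
    variables = dict(VAR_RE.findall(fragment))
    m = EVAL_RE.search(fragment)
    if not m:
        raise ValueError("no eval() sink found")
    expr = m.group(1)
    layers = expr.count("atob(")
    inner = expr.replace("atob(", "").rstrip(")")
    joined = "".join(variables[name.strip()] for name in inner.split("+"))
    data = joined.encode()
    for _ in range(layers):
        data = base64.b64decode(data, validate=True)
    return data.decode("utf-8"), layers


if __name__ == "__main__":
    sample = obfuscate("document.write('<iframe src=\"http://landing.example/\"></iframe>');")
    print(sample)
    print(deobfuscate(sample))
```

Counting the atob() wrappers rather than decoding until failure avoids over-decoding a final script that happens to be valid Base64, and an unresolved variable name raises instead of silently producing a truncated payload.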
In an awkward sense ofhumor, severalEK authorsused toutilize snippets offamous verses of literature, stories or fairytails as function, class and variablenamesthatcompiletheirmaliciouscode.
Another technique that EKs leverage in order to craft SWF files is the array-based technique. Usually, a ByteArray() is initialized within a sub-function and filled by variables that take functions or other parameters as arguments, each one invoking the next, so as to assemble the SWF file as a whole. In this shape, the SWF's content is not loaded as normal code, rendering it undetectable by security products that are unable to read its malicious activity.
Control flow obfuscation refers to the order in which the instructions and function calls of a program are executed. EK authors manipulate at will the control flow of a function that contains parts of malicious code, so that the full malicious code is assembled only when one function or instruction call invokes the next.
In fact, the most effective action EK authors take in order to keep their EKs undetected for weeks is to amend their obfuscation. Once security researchers reveal the EK's characteristics through reverse engineering and malware analysis, EK authors update their kits by modifying the obfuscation. This is in fact the major update an EK shows every time it comes back into play after days of absence from the cybercrime scene.
Nowadays, EKs tend to apply multiple layers of code obfuscation in an attempt to stay protected against known deobfuscation techniques that can be performed manually, and against known tools that manage to transform blobs into human-readable code.
FILELESS INFECTION
EK authors cannot rely on traditional exploitation techniques for long, since security products are also evolving. Consequently, as a company would do in order to increase its revenue, they spent time on exploit development and on the design of another, more notorious and significantly stealthier solution: fileless infection.
As we have already discussed, traditional exploits, following the normal procedure, are downloaded to the victim's hard drive, raising the suspicions of anti-virus products, which immediately perform signature-based analysis and block the infection chain if they find a match. In this manner, the chances of the malware getting caught are high.
The new technique is able to inject malware into the victim's host that never touches the hard disk, hence it is never analyzed by traditional anti-virus installations. Instead, the malicious code is injected directly into memory segments so as not to be detected by signature-based security products. Technically speaking, the infection process allocates a memory segment for itself, usually within the memory space of the process that the EK successfully exploited, e.g. iexplore.exe (the process of the Internet Explorer web browser), from where it can perform the malicious operations it intends to do.
This advanced technique is popular in the current cybercrime scene. However, modern security products can capture it and protect the host by employing several cutting-edge techniques such as pattern matching, behavioral analysis, sandboxing and others.
Final Phase
The final stage of the exploitation, where the exploit has already been downloaded to the victim's system, is not going to be discussed in this thesis. This is the phase of static malware analysis, which is widely covered by numerous books and researchers on the Internet.
Our work will briefly mention the additional checks, complementary to the ones mentioned in the Victim Profiling paragraph, that the malware performs upon executing on the victim's host. In this phase, the malware performs extra fingerprinting checks to determine the host's underlying technology before executing its core malicious activity. By performing several anti-virtualization and anti-sandbox techniques, it tries to determine whether the system is a virtual environment or deploys a sandbox. This means that it will check for MAC addresses, registry keys, running processes, services and files that could indicate the presence of a virtualization environment or a sandbox. Furthermore, it normally checks for running processes related to security products, such as anti-virus as well as integrity and data loss prevention tools. It will also check whether debugging tools like IDA, Immunity Debugger, OllyDbg and others are present on the system.
In case it identifies any of them, it typically quits, because it does not want to risk getting captured and analyzed by security-aware users. The malware process then terminates the infection, quits or even deletes itself so as not to leave traces, and in turn reports its status to the Status Server.
Post-Infection Phase
Typically, after infecting the victim with malware, EKs move further on by beaconing out to the C2 server to report their status and, for advanced EKs, to keep statistics and balance load. Prior to the callback, it is possible to try dropping another piece of malware on the victim's host in order to infect another process of more interest, or to infect the victim with persistent malware in order to have continuous access to it and command it at will. There is also the possibility of dropping a newer piece of malware for testing purposes, in order to determine how the victim responds and whether it would be successful when applied to the next victim.
Landing Pages
The landing page is the starting point towards infection: the web page to which the visitor of the vulnerable website is redirected after one or more sequential redirections, without anything being visible in the victim's web browser.
Typically, it comprises HTML or PHP and JavaScript content that gathers information and performs the identification and validation of the victim's browser and host. Landing page URLs usually end with a ".php" or ".html" suffix, or even with no suffix at all, thus ending in a folder, e.g. "http://landingpage.org/pathto/folder/".
The main functionality of the landing page is twofold: to retrieve and decode the obfuscated code upon loading in the victim's browser, and to fingerprint the browser technology. The latter is also called an anti-emulation technique, as it identifies whether the page is interacting with a normal computer or with an emulator set up for detection and analysis purposes. One of its priorities is to probe the installed browser plugins in order to identify their versions and then ask the Exploit Server for suitable exploits to initiate a drive-by download attack. The list of targeted plugins and web technologies consistently includes Adobe Flash Player, the Java Runtime Environment and Microsoft Silverlight.
Upon finding a security flaw in the targeted browser, the landing page is responsible for retrieving the suitable exploit from the Exploit Server and serving it to the browser. In case the vulnerability is in the Flash, Java or Silverlight components, the server selects a suitable exploit and sends it as a file to be executed in the browser. If there is an exploit for the browser version itself, then it is embedded in the HTML rendered by the vulnerable browser. The payload delivered by those files is a piece of malware specially designed to infect the host, and most of the time it is sent as a binary encrypted with a simple XOR or RC4 key. Alternatively, the payload can be a file downloader, executed on the victim's host to retrieve the final malware that is going to infect it. Finally, the encrypted binary is decrypted and executed on the victim's host, with results that vary in terms of infection severity depending on its nature and intentions. More information about the exploitation phase, namely the phase that starts at the point of browser exploitation and afterwards, is offered in the following sections.
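The following Python code is an added example (not from the thesis) of recovering such a payload from a captured stream: it implements RC4 (key scheduling and keystream generation, shown here only because EKs used it, not as a recommendation) and repeating-key XOR, and tries every single-byte XOR key plus any RC4 keys recovered from the landing page until the result looks like a PE executable ("MZ" DOS header and "PE\0\0" signature at the e_lfanew offset). The sample executable is a constructed minimal header, not a real binary, and the RC4 key used in the demonstration is an assumption.

```python
"""Added example: recovering an XOR- or RC4-encrypted PE payload.

The "executable" below is a constructed minimal PE header, not real
malware, and the RC4 key is an assumption for the demonstration.
"""
from typing import Iterable, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling (KSA) then keystream generation (PRGA).
    Encryption and decryption are the same XOR operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR (a one-byte key is the common EK case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Plausibility check: DOS 'MZ' header and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(blob: bytes, rc4_keys: Iterable[bytes] = ()
                    ) -> Optional[Tuple[str, bytes, bytes]]:
    """Try all 256 single-byte XOR keys, then each candidate RC4 key
    (typically lifted from the landing-page script). Returns
    (method, key, plaintext) for the first result that looks like a PE."""
    for k in range(256):
        candidate = xor(bytes([k]), blob)
        if looks_like_pe(candidate):
            return ("xor", bytes([k]), candidate)
    for key in rc4_keys:
        candidate = rc4(key, blob)
        if looks_like_pe(candidate):
            return ("rc4", key, candidate)
    return None


# Constructed minimal PE: 'MZ', padding, e_lfanew = 0x40, 'PE\0\0', filler.
FAKE_PE = (b"MZ" + b"\x90" * 0x3A + (0x40).to_bytes(4, "little")
           + b"PE\x00\x00" + b"\xCC" * 64)


if __name__ == "__main__":
    # Simulate what the capture would contain in each case.
    captured_xor = xor(b"\x5A", FAKE_PE)
    captured_rc4 = rc4(b"key", FAKE_PE)          # assumed key
    print(recover_payload(captured_xor)[:2])
    print(recover_payload(captured_rc4, rc4_keys=[b"wrong", b"key"])[:2])
```

The check on the PE signature, rather than on "MZ" alone, is what keeps the single-byte XOR scan from producing false hits on arbitrary data; for a stream that is neither XOR- nor RC4-encrypted with a known key, the function returns None and the analyst has to go back to the landing-page script for the real decoder.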
At the dawn of EKs, landing pages could relatively easily be distinguished from legitimate web pages by traditional security products and researchers, as their URLs carried eye-catching characteristics, such as unique and awkward names, so that sooner or later they would be captured and analyzed. In other words, a landing page of the past embodied strange characteristics that made it look obviously malicious. Nowadays, the same task is getting harder, because current landing pages with URLs such as maliciousdomain.com/index.php look totally benign among the mass of web pages, as the use of the Internet keeps growing. No security product can tell with high confidence whether such a URL pattern is malicious or not, and any attempt yields many false positives, because the pattern is very common.
At the same time, they drastically decreased the URL lifespan so as to stay undetected. They generate URLs on the fly so as not to get blacklisted, and retire them usually after a couple of infections so as not to be traced.
Furthermore, landing pages are also considered state of the art as far as their design is concerned. They usually include large chunks of junk code within which the real malicious code, most of the time written in JavaScript, is hidden. From the analysis perspective, the goal here is to understand what the real aim of the code is. The research community has developed several JavaScript interpreters that help in this task, among them the really effective JSDetox tool created by Sven Taute for statically analyzing and deobfuscating JavaScript code, the SpiderMonkey standalone command-line JavaScript interpreter by the Mozilla Foundation, Google's V8 JavaScript engine used by Chrome, and the Microsoft Internet Explorer Developer Tools.
Overall, it should be noted that EK authors put much effort into designing the landing pages, which are one of the core components of EKs, and it is publicly acknowledged that they have become more and more difficult to analyze over the years. They do not have obvious commonalities and are released in drastically different versions.
Web Browsers
Recall that the browser is the gateway to the online world and a milestone in the EK infection process. In general, the web browser is the piece of software people use to conduct all their important affairs, from entering their social networks to performing online banking transactions. Assuming that roughly half of the global population uses the Internet, it is fairly safe to estimate that about three billion people use a web browser to navigate it on a daily basis, without counting the web browsers of smartphones or other devices that are becoming more and more part of our lives each day.
Figure 9 - Web browser brands
Nowadays, many web browser vendors exist, the most popular being Microsoft's Internet Explorer, Google Chrome, Mozilla Firefox, Opera and others, each having developed its own technology, characteristics and security features. Some of them consider web security a matter of high importance, develop and adopt security controls, mitigate security flaws faster and hence enjoy people's preference and a bigger market share than others that evolve at a slower pace. Most of them have followed the trend of developing and adopting useful plugins that make people's daily browsing and work easier. However, the usability and convenience of our everyday tasks via a plugin or add-on that we installed to perform a simple task in the browser may come with a security vulnerability in that plugin, as it is often a piece of poorly tested software, which can be exploited by EKs. Browser plugins and add-ons come with a plethora of security issues and should be updated regularly, as we will discuss at the end of this document, where we give some recommendations on how to protect against EKs.
We will consult the NetMarketShare company's online report regarding the desktop browser market share from January 2016 until February 2017, based on surveys, ISP data and other methods4.
Figure 10 - Web browser statistics
According to this report, the dominant web browser is Google Chrome with 49.05% of the market share; Microsoft's Internet Explorer follows with 29.71% and, together with its successor Microsoft Edge at 4.86%, Microsoft reaches a total of 34.57% of the market share; Mozilla Firefox comes in third place with 10.30%. The aforementioned statistics do not come from a report with security-driven criteria but are based on people's preference. However, although it does not stem from security criteria, this order more or less matches the ordering of browsers by security, which suggests that people are becoming more security-savvy and that their browser preference may reflect their security concerns too.
Specifically, according to other surveys on security-oriented technology forums5, the majority of users trust Google Chrome because, per that source, it gets security updates every 15 days, faster than all other browsers, because discovered vulnerabilities are quickly fixed, and because it supports third-party advertisement blockers that defend against most of the advertisements which may be hiding EK redirectors. It seems that users rely on ad-blockers, which indeed block the majority of benign and several malicious advertisements that can lead to the compromise of the browser by an EK.
4 https://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0&qpsp=2016&qpnp=2&qptimeframe=Y&qpct=2
5 http://sensorstechforum.com/which-is-the-most-secure-browser-for-2016-firefox-chrome-internet-explorer-safari-2/
For second place, people have chosen Mozilla Firefox, which updates every 28 days, has several interesting software versions and supports third-party ad-blockers and a large variety of plugins. The release of different browser versions dedicated to development attracts security-conscious users who want the opportunity to test the newest features on their own. Chances are they identify vulnerabilities and prevent a version that includes a security flaw from being released to the public.
Microsoft's Internet Explorer is in third place, followed by the Opera and Safari web browsers. The last two browsers do not suffer from as many vulnerabilities as the others; they get updates approximately every 54 days and have implemented some interesting security features, such as proprietary sandboxing and techniques for blocking harmful content.
The Microsoft Edge browser holds the last place in people's interest; it gets updates more frequently than Internet Explorer and also supports ad-blockers. It will draw the security community's attention in the future, as the Microsoft Windows version it ships with grows its presence in the market. Of Microsoft's web browsers, Internet Explorer is the one that interests us more, due to its prevalence and characteristics.
Of course, we intentionally left Internet Explorer for the end; we will focus on it more later on, because it typically attracts the EKs' attention more than the others. On one hand, this may be caused by its large market presence, since it ships pre-installed with the most popular operating system (Microsoft Windows). Certainly, it is the favourite browser of EKs because it suffers from relatively more vulnerabilities than other browser brands, which constantly invest in security research and release updates on a more regular basis; Internet Explorer itself adopts updates every 54 days.
For the above reasons, namely its wide popularity and technological variety, it is easy to see why the web browser is the target of EKs, which try to find security gaps and exploitation opportunities in it.
Droppers
Droppers are programs specially designed to help EKs run, download and install the malware on the victim's host. They are smaller programs compared to malware executables, transferred from the malicious server to the victim and delivered to the host after browser exploitation. We can consider droppers a kind of Trojan, because they often evade detection by disguising themselves as legitimate software.
Modern droppers evolve rapidly in order to evade anti-virus detection, which nowadays performs behavioral analysis, pattern matching and other advanced techniques to identify and capture their functionality. Since they are the first piece of malicious code stored on the victim's hard drive, they are likely to be captured and deactivated by the security products deployed on the host.
There are two kinds of droppers with regard to the way they pass on the malware: the "two-stage" droppers, which are stored on the host and, once activated, request the malware from the malicious server, and the "single-stage" droppers, which embody the malware itself. The latter kind is bigger in size and is formed in that way in order to bypass virus scanners. However, the difference between the two kinds is not dramatically big in terms of detection by modern anti-virus.
They are also separated into two categories depending on whether they require user interaction. There are droppers that do not require user interaction in order to be activated, and droppers that prompt the user with a message that seems benign and try to convince him to interact. Upon user interaction, the dropper is activated and proceeds to download the real malware.
Another type of dropper is the injector, which infects the computer's memory by injecting the malicious code into it. This method is progressively adopted by modern droppers because it is really effective against anti-virus detection, since the malicious file never touches the hard disk, where the anti-virus looks for known malicious signatures.
Bleeding-edge droppers are multi-staged, leveraging zero-day exploits to execute on the victim without any notice or user interaction and to bypass average anti-virus installations, which have difficulty blocking them. Sophisticated attacks arrive in pieces so as to stay undetected, each of them seemingly benign.
Malware families
In the final phase of the EK infection chain, the malware is downloaded onto the victim's host, as described in the previous section, and is triggered to express its malicious intentions.
We will not dive deeper into each malware family in this thesis, as malware analysis constitutes a huge subject on its own. We are going to discuss the most well-known malware types that EKs deliver to the hosts under attack, and their general characteristics. All of them are widely distributed via EKs, spam campaigns and malvertising techniques, as described in previous sections.
RANSOMWARE
Nowadays, infection by ransomware (a.k.a. crypto-ransomware) is the most prevalent attack an EK can deliver to victims, as it is a very lucrative source of money. Certainly, this family is the most damaging kind of malware and the most notorious payload an EK can deliver to a victim's host, for the reasons we describe in the following.
First of all, let's describe what ransomware is:
Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key6.
In other words, it is the type of malware that, once executed on the victim's host, prevents users from accessing their system by encrypting their sensitive files and locking the host's screen, presenting a message that demands a ransom to be paid in order for the host owner to decrypt his files. Modern ransomware families have become more sophisticated, encrypting only selected files worth paying some money to get back, presenting elegant messages and offering alternative payment options to the victim. Cybercriminals are free to set the price of their ransom at will, and most of the time they demand to be paid in bitcoin or through untraceable prepaid cards.
The victim has a specified time window to pay the ransom, usually from a few hours to a few days after the infection; otherwise the ransomware leaves the files encrypted, terminates its execution and the victim loses the chance to decrypt their files.
Typically, ransomware is propagated via social engineering attacks such as malicious spam campaigns, that is, via e-mails to which malicious links or documents are attached. Another popular way to lure users is via browsing to seemingly benign web pages that in fact have been trapped by EKs. For several years, cybercriminals have employed ransomware to directly extract money from non-security-savvy people. It is really easy for the average computer user who browses the Internet or uses e-mail on a daily basis to be deceived by ransomware.
6 https://github.com/mauri870/ransomware
The most famous ransomware families of this period, most of which have been served by EKs (WannaCry being the notable exception, as it spread on its own as a network worm), include:
§ WannaCry
§ TeslaCrypt
§ CryptoWall (and variants)
§ CryptoLocker
§ Spora
§ Cerber7
§ Locky
§ TorrentLocker
§ PadCrypt
§ CryptMIC
§ CTB-Locker
§ PayCrypt
§ FAKBEN
§ Havoc
§ VxLock
§ Crypto1CoinBlocker
§ VirLock
§ and many others
Police strongly recommend that victims not pay the ransom, and this is also the author's advice, because it encourages cybercriminals to launch more attacks. Also, in this way the victim directly contributes to the wellbeing of cybercrime. However, it is totally understandable that the average computer user who does not keep any backups of his personal documents, pictures and other personal media will most probably take his chances and pay, hoping to restore his data. The majority of victims consider the payment process a difficult task. Specifically, most ransomware incidents require payment in bitcoin, so the victim has to open a bitcoin wallet in order to deposit the required amount of bitcoins to a specific bitcoin address. The following figure depicts the block screen the victim faces as a result of a Cerber ransomware infection.
7 This type of ransomware welcomes victims with a voice saying “Hi, I’m infected! Please, pay bitcoin”
However, nowadays cybercriminals offer detailed instructions on how to perform the payment or, even worse, have already started facilitating transactions by accepting deposits through known anonymous e-payment methods without the need to register a digital currency wallet. The following screenshot displays the extraordinary ransom block screen of the Spora ransomware, for comparison with the previous one of Cerber.
Figure 11 - Spora ransomware block screen
In a sense of irony, cybercriminals have designed a surprisingly helpful portal for anyone willing to pay, featuring a comprehensive dashboard with tooltips and live payment status, and multiple other options such as a decryption test that decrypts two files for free, buying immunity from future Spora infections, and others.
Statistically, only about 3% of victims finally give in and pay the ransom. The percentage is low because of the payment difficulties described above, because victims may think it futile, expecting never to be able to restore their files and to spend their money for nothing, and less often because they have nothing precious among the files encrypted by the ransomware. This observation applies to simple home computer users. In a corporate environment, on the other hand, it is much more difficult to let this just happen. Enterprises that have been compromised by ransomware tend to pay the ransom for fear of losing their corporate documents containing client data or other sensitive information, and because this loss may result in regulatory consequences and reputational damage. In this case, they have the undeniable argument of paying the ransom in the hope that their files will be restored and that they will regain control of their computers, avoiding further disruption of their operations.
In more technical detail, ransomware usually targets Windows users and seeks out valuable files to encrypt, such as financial spreadsheets, Office documents, photos, videos, configuration files, etc. But let's describe the process from the beginning, that is, after the victim's host is infected and prior to performing this scan. In case the distribution method is a malicious attachment in a spam e-mail, a method constantly employed by CryptoWall, there is a RAR archive attachment containing a CHM file (or an HTA or PDF file), which is actually an interactive HTML file capable of downloading the CryptoWall binary and copying it into the %temp% folder, where every user has write permission. The binary itself contains a lot of abstract instructions that obfuscate the code to delude anti-virus and evade detection, as well as anti-virtualization, anti-emulation and anti-debugger checks, in order to avoid executing on, e.g., a virtual machine built by a researcher for malware analysis, or under a debugger. Then it spawns a new explorer.exe process and injects its unpacked binary into it, so that it has its own space in which to execute, while the original process terminates. It also injects itself into a newly created svchost.exe process, installs itself in several system locations and sets its key in the Windows Registry in order to start automatically on boot, thereby making itself a persistent process in the system. Upon executing, it bypasses User Account Control (UAC) and deletes the volume shadow copies via the vssadmin.exe process, so as not to allow a potential system restore. It then tries to reach a live C&C server by connecting through an anonymizing proxy such as Tor, in order to report that it has been installed on a new system, to send system-related information about the victim's host and to request the public key from the server. Newer ransomware variants, by employing asymmetric key cryptography, ensure that the server's private key is never transmitted over the network. Once it receives the host-specific public key from the server, it starts encrypting the files of interest.
For instance, TeslaCrypt, one of the most notorious kinds of ransomware, besides valuable files also targets some well-known games such as Call of Duty, World of Warcraft and others, including the following file extensions.
Figure 12 - File extensions encrypted by TeslaCrypt
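As an added example of turning the host behaviour described above into detection logic (illustrative code, not part of the thesis), the Python snippet below runs a few rules over constructed host telemetry: execution from the user-writable %temp% directory, explorer.exe spawned by a process running from such a directory, svchost.exe with a parent other than services.exe, a Run-key value pointing into the user profile, and the vssadmin shadow copy deletion (the equivalent "wmic shadowcopy delete" form, which other families use for the same purpose, is included as well). The event records are a simplified, constructed imitation of Sysmon process-creation (event 1) and registry (event 13) records, not real Sysmon output; the file names and paths are assumptions.

```python
"""Added example: rules over constructed host telemetry for the
CryptoWall-style behaviour described in the text (temp execution,
explorer/svchost injection, Run-key persistence, shadow copy deletion).
Records imitate Sysmon event 1 / 13 fields in a simplified way; they are
NOT real Sysmon output, and every path below is made up."""
import re
from typing import Any, Dict, List, Tuple

EVENTS: List[Dict[str, Any]] = [
    {"id": 1, "image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "parent": r"C:\Windows\hh.exe",                 # CHM viewer dropped it
     "cmd": r"C:\Users\bob\AppData\Local\Temp\invoice.exe"},
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "cmd": "explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "svchost.exe"},
    {"id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "details": r"C:\Users\bob\AppData\Roaming\upd.exe"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",  # benign control
     "parent": r"C:\Windows\explorer.exe", "cmd": "notepad.exe readme.txt"},
]

SHADOW_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData\\(Local\\Temp|Roaming)|Temp)\\", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, Any]]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) for every rule an event trips."""
    alerts: List[Tuple[str, int]] = []
    for idx, ev in enumerate(events):
        image = str(ev.get("image", ""))
        parent = str(ev.get("parent", ""))
        if ev["id"] == 1:
            if SHADOW_RE.search(str(ev.get("cmd", ""))):
                alerts.append(("shadow_copy_deletion", idx))
            if USER_WRITABLE_RE.search(image):
                alerts.append(("exec_from_user_writable_dir", idx))
            # svchost.exe is normally started by services.exe only
            if _basename(image) == "svchost.exe" and _basename(parent) != "services.exe":
                alerts.append(("svchost_unexpected_parent", idx))
            # a fresh explorer.exe spawned by something in %temp% / AppData
            if _basename(image) == "explorer.exe" and USER_WRITABLE_RE.search(parent):
                alerts.append(("explorer_spawned_from_user_writable_dir", idx))
        elif ev["id"] == 13:
            if (RUN_KEY_RE.search(str(ev.get("target", "")))
                    and USER_WRITABLE_RE.search(str(ev.get("details", "")))):
                alerts.append(("run_key_persistence_to_user_writable_dir", idx))
    return alerts


if __name__ == "__main__":
    for rule, idx in detect(EVENTS):
        print(f"{rule:45s} event #{idx}: {EVENTS[idx].get('cmd') or EVENTS[idx].get('target')}")
```

Each rule on its own is noisy (installers run from %temp%, administrators do delete shadow copies); the value for the analyst is the chain, since a single host producing all five alerts within minutes matches the sequence the text describes and is worth isolating before the encryption pass finishes.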
At this point, the well-known ransom screen is displayed to the victim, translated into the language corresponding to the IP address's geolocation, leaving the victim no control over the system except for reading the notes.
Depending on the ransomware variant, the public key is not used directly; instead a symmetric AES-256 key is generated and is in turn encrypted with the public key, so as not to be needlessly exposed. Usually, multiple and different kinds of encryption methods and algorithms are combined to hamper the reverse engineering process. The naming of the encrypted files, the deletion of the originals and the encryption process applied also depend on the ransomware variant. Most probably the encryption applied to the files is unbreakable, leading to permanent loss in case the ransom is not paid. Chances are that even the perpetrators do not possess the private key that is crucial for the decryption process, because the whole process is executed automatically and there is no need to occupy resources for storing so many keys, or because they are simply not interested in restoring the payers' files. The latter is another reason why it is recommended not to pay the ransom and instead to be proactive by following security best practices.
Typically, ransomware will not encrypt anything it needs for its own operation. It needs the core Windows components to be functional in order to function correctly itself, so it avoids encrypting core Windows folders such as "Windows", "Program Files", "Program Files (x86)", "ProgramData" and others. A small bit of good news is that it scans the hard drives and network drives, but not storage accessed via the browser or some types of cloud storage and online backup. So this way of storing files may be a possible mitigation, at least for our most important files. Note, however, that cloud storage synchronized to a local folder is scanned like any other local folder, and the encrypted copies are then synchronized upstream; only versioned or offline backups are a real safeguard.
There are a number of free and commercial tools designed by known security vendors that are capable of removing the malware or partially decrypting several file types, depending on the type of ransomware. The security community tries to design decryptors after almost every major incident involving this kind of specimen. However, this is not a complete solution, and most likely they will not be effective, depending on the case.
It is worth mentioning the website nomoreransom.org, the No More Ransom initiative backed by Europol's European Cybercrime Centre together with law enforcement agencies and security vendors, which informs people about this malware and helps victims recover their data without paying the ransom to the cybercriminals.
BOTNETS
This paragraph is titled with the term botnet to describe another malicious activity that EKs can perform on a targeted machine: they can deliver bot malware which, upon executing, enlists that machine in a botnet.
A botnet (a.k.a. zombie army) is a network of interconnected computers that have been remotely exploited and are now manipulated by the botmaster, who operates the command and control activities. The bot (short for robot) is the malicious piece of software that connects a computer to the botnet and has been designed to execute automated tasks dictated by the botmaster. Botnets can be used for legitimate purposes, such as social, commercial or other non-harmful activities, but we will of course focus on malicious botnets. Cybercriminals organize compromised endpoints into botnets to combine resources for launching Distributed Denial of Service attacks, spreading viruses and worms and, more importantly, launching large spam campaigns, unbeknownst to the victims whose computers are compromised.
The infection process is the same as for any other EK payload, but this time the victim has no idea that malicious code has been installed on his computer through an EK. The whole process does not demand any user interaction and does not raise any warnings or notifications to the victim. So, quite simply, his computer has just joined a botnet without him noticing anything odd.
Known bot families delivered by EKs include:
§ Bedep
§ Andromeda Bot
§ SmokeBot
§ SoakSoak
§ and others
The following screenshot illustrates the panel of Andromeda Bot in live action:
Figure 13 – Andromeda Bot administration panel
We can observe the list of bot machines that are part of the botnet. One of them appears to be online, while two of them are not connected at the time. The Andromeda panel offers all the information one needs to know about his botnet and the administration tools needed to operate it at will.
Technical Introduction to known Exploit Kits
In this section, we are going to describe the most well-known EKs and give a short reference of their characteristics, their history and the timeline of their activity. We will not focus on each and every detail of their actions or characteristics, as we have already mentioned that their versatility is the key to their success. This means that they tend to change their idiosyncrasies approximately every two days, rendering a full examination of the phenomenon unfeasible in one thesis.
Fortunately, readers who want to concentrate on a specific EK after this analysis will have the chance to find useful resources by searching the Internet, where pioneering researchers and labs have published great documentation on almost every EK and almost every expression of its malicious activity. Most of the best sites, which have also helped us in writing this thesis, can be found in the "References" section at the end of the document.
ANGLER EK
GENERAL CHARACTERISTICS
Researchers have characterized this EK as the "most sophisticated" exploit kit identified so far in the cybercrime industry. Besides its elegant design, which will be described in the following, it is considered the most notorious EK of the past few years due to its involvement in malvertising and hacktivism campaigns and, mostly, because of its unique effectiveness in spreading ransomware to victims.
Angler EK first appeared in late 2013 and seems to have disappeared from the cybercrime scene on June 7th, 2016, when its last version was recorded for the last time8; that is why we are going to use the past tense in our description. Before reaching its end of life, it went through serious propagation so as to increase its activity and dominate cyber attacks from March 2015 onwards. The demise of the Blackhole EK, because of its author's arrest in October 2013, was certainly another reason for Angler's proliferation. To get a notion of Angler's increasing activity, we present the following chart showing its weekly growth in terms of the number of detections from mid-2014 until mid-2015.
8 http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html
Figure 14 - Angler EK weekly growth
Moreover, the following figure shows a snapshot of the activity of the most popular EKs for three different periods: September 2014, January 2015 and May 2015.
Figure 15 - Distribution of prevalent EK's activity
We can clearly notice that Angler increased its malicious activity step by step each month, until May 2015, when it became the dominant EK with the huge share of 82.2% in terms of presence in the global cybercrime scene. To get a notion of Angler's prevalence, we mention a report by Palo Alto Networks, conducted in 2015, on this exploit kit9. By scanning vulnerable websites, they discovered that 90,558 unique domains (29,531 IP addresses) had been compromised and used by Angler EK to attack the victims visiting them. A single IP address, 184.168.47.225, hosted a total of 422 websites compromised by the kit, which illustrates its wide attack surface. Until December 2015, only 2,850 of the compromised websites had been flagged as malicious by security vendors, i.e. only 3% of the detected sites.
Angler EK inherited the most traditional characteristics of EKs and significantly developed them through its years of action. One can distinguish Angler EK from other EKs by its highly obfuscated JavaScript and the pop-up message shown while this code executes in the background, as well as by the multiple layers of encryption within its HTML code and a bunch of characteristic function names (e.g. getKolaio()). Additionally, the use of SWF files serving as droppers, usually for ransomware, and several post-exploitation activities formed the shape of the most prevalent EK.
Before diving into technical detail about Angler EK, we should outline the main factors that rendered it prevalent in the cybercrime market:
§ Adopts the newest exploits rapidly
The team behind Angler EK was known for adopting the latest exploits as soon as their patches were released. For instance, almost every time Adobe announced the release of a new Flash Player patch, EK researchers noticed the corresponding exploit being used by Angler within the next few days. Additionally, a lot of effort was put into exploit development and zero-day production. Angler's maintainers regularly kept up with the latest exploits released on hacker forums and the latest vulnerabilities discovered by researchers or published by vendors, so as to develop their existing exploits and design their own zero-day exploits, which, of course, they did not publish.
§ Widely spread to attackers with limited technical background
It could easily be used by non-technical attackers who did not have knowledge of its functionality. Attackers without low-level knowledge of the kit, upon purchasing it as a service, could operate an easy-to-use web interface to launch their attacks, which also allowed them to adjust additional features.
9 http://researchcenter.paloaltonetworks.com/2016/01/angler-exploit-kit-continues-to-evade-detection-over-90000-websites-compromised/
§ Widely available for rent or purchase
The so-called cybercrime-as-a-service met remarkable growth in the days this EK was present. Each price was affordable for the average cybercriminal, which, in combination with its features, yielded an all-in-one exploit packet.
§ Offers programmable features at will
As for its versatility, we should mention that adversaries were allowed to launch the following types of attacks:
§ Install malware on the compromised host, targeting financial profit or direct ransoming of sensitive documents
§ Dump confidential data from the compromised host, such as usernames, passwords, credit card numbers, certificates, etc., and store them locally on their own host.
§ Tie the compromised host to a botnet to populate an "army of bots" that will be used for more massive attacks.
As we have already stated, Angler EK has disappeared since early June 2016, and some of the EITest gates that had been primarily redirecting to its landing pages have since begun redirecting to Neutrino EK and RIG EK landing pages.
ANGLER IN ACTION
Angler EK, especially at the start of its life, followed the common procedure in order to infect its victims, starting from the classic redirections via IFRAME (HTML injection) or JavaScript injections in vulnerable web pages, standard identification and enumeration of the victim browser, until dropping the malicious payloads.
However, Angler has gone far beyond the mainstream procedure through these years in order to survive within the competitive cybercrime environment.
As far as the redirection to its landing pages is concerned, a variant of Angler EK was found to utilize DIV and FORM JavaScript elements which, upon execution, prompt the user with an abstract message and a couple of options to select in response. For instance, the visitor may be prompted to answer the fake message displayed in the following figure.
Figure 16 - Angler EK's pop-up message
It is up to the EK author's imagination to design a message that will be believable and will deceive the visitor into interacting. No matter where he clicks, either the option "Yes" or the option "Cancel" (or the exit option "X"), he will be redirected to the EK's landing page. Sometimes the user interaction is mandatory for triggering the redirection to the landing page, while several EKs are able to achieve that without any user interaction.
Upon loading the landing page, the embedded script within it performs various fingerprinting checks in order to build the profile of the victim. At this point, a form is crafted including the necessary initial information the Exploit Server should know for selecting the correct exploit. Specifically, the sender's IP address, the browser's User-Agent and the target URL are encoded and submitted via the POST method to the malicious server. After several processes in the EK's back-end servers, a response will be sent containing the malicious JavaScript code with the redirection placed within an IFRAME.
Alternatively, vulnerable web pages may be injected with a malicious Flash file specially designed to collect the sender's information via ActionScript and submit it in the same way via the POST method.
Another trick, with a short lifetime, that Angler employed in 2014 for achieving better redirections while decreasing the list of hostnames it had to keep updated, was a simple algorithm for hostname generation that depended on the current date, the DGA algorithm mentioned in the previous chapter. The names that were given to the malicious domains were actually the hashed value of the current date, along with the suffixes .PW, .DE or .EU and followed by the typical URL suffixes. These names were changing every day with no need for the attackers to maintain a large dictionary of the hostnames they employed. However, once the trick of the domain generation algorithm was discovered, the prediction of the malicious hostnames was low-hanging fruit for researchers, and by including them in blocking lists, Angler's authors were soon forced to quit this idea and search for alternatives.
Angler EK also used the so-called 302 Cushioning for redirecting users to its landing pages. This can occur when the server has been compromised so as to respond to the browser with falsified HTTP 302 (or sometimes 301) responses. By submitting a simple GET request towards the compromised website, the browser gets an HTTP 302 "Found" server response with the "Location" response header assigned to a specially crafted URL. The aforementioned URL actually performs the redirection to the next step of the exploitation chain. In this manner, legitimate server responses, such as the HTTP 302 response, can turn into redirections to the EKs' servers, as displayed in the following figure.
Figure 17 - Angler EK leverages 302 cushioning
We can see that the GET request receives a "302 Moved Temporarily" server response in order to redirect the user to another web page. Normally, this action is totally benign unless the redirection through the "Location" header is targeting a malicious website, which is the case in this example.
Additionally, Angler EK used the most effective methods for achieving redirections, the injection of IFRAMEs and JavaScript scripts within the website's code. The malicious code can be embedded in the main page of the compromised website or can be retrieved from other resources within the website's filesystem. For example, it can be embedded within a library already stored in the website's directory that is usually called during runtime for functionality reasons. The following figure displays an embedded JS script redirecting to a malicious URL, being part of the main website.
Figure 18 - JavaScript redirect embedded in legitimate website
The initial malicious script of the compromised host redirects the visitor to an intermediate server. The redirection request goes through an initial scan by the intermediate server and, if it meets the criteria, the browser receives an HTTP 200 status code and another redirect pointing to Angler's landing page. Otherwise, the intermediate server responds with an HTTP 404 "Not found" response.
It has also heavily used the so-called "EITest" redirection (campaign), coined by Malwarebytes researchers due to the value assigned to the variable "id" which is included in its malicious HTML code. The malicious redirection has been injected through a massive campaign into thousands of websites from October 2014 until the fall of Angler in 2016, but effectively continued to redirect to other EKs. The following figure illustrates the injected script of the EITest campaign:
Figure 19 - Injected script of EITest redirection
The feature of the EITest gate is to perform an HTTP GET request to receive a Flash file that will perform the redirection of the visitor, also via another HTTP GET request, to Angler's landing page. The aforementioned requests are illustrated below:
Figure 20 - EITest request that downloads Flash file
Figure 21 - Flash request redirects to Angler EK’s landing page
Then, the landing page probes the victim browser for vulnerabilities and, by sending this information to the Exploit Server, retrieves the corresponding exploit to compromise the victim.
OBFUSCATION OF ANGLER
A strong point of Angler EK was the sophisticated obfuscation used since the start of its life, which helped in evading detection by the majority of security products for years. The obfuscation of its main script, implemented on multiple layers, acted as a shield against detection from the very beginning.
As far as Angler's landing pages are concerned, they utilized a large variety of obfuscation techniques to evade detection, as described in the previous section. The main script of the page is comprised of a series of strings assigned to variables and stored in the parent HTML altogether. When the visitor navigates to the landing page, the script is loaded by the browser, thereby initiating the decoding process of the true content of the landing page.
HOST PROBING
Angler leverages various techniques in order to fingerprint the victim host. We are going to present here the most indicative fingerprinting phases so as to have a good overview of its malicious activity.
Several code snippets that are cited below have been published by well-known security researchers who managed to transform the heavy obfuscation applied on them into human-readable code. It is commonly admitted by stakeholders in the security community that Angler's authors fairly deserve the attention due to their programming skills and the smart techniques they discover to obfuscate their code in order to evade security products. It is always a big challenge for the community to fight back.
Putting the reader into context, after a series of redirections the visitor of the compromised website will stumble upon an unintended request, or an intended one in case of clicking on a malicious advertisement, that will perform the fingerprinting of its browser and local host in general. In any case, upon reaching Angler's gate, some sort of fingerprinting will take place.
The following code snippet displays a function embedded in the request received from the malicious server that served a variant of Angler EK, which probes the browser to determine if it is the Internet Explorer browser.
Following that, it checks if the browser under attack is Mozilla Firefox (using the Gecko engine), Chrome, Safari or Opera.
Figure 22 - Angler fingerprinting non-IE browsers
In the following Angler's unobfuscated landing page code, we can observe the routine that performs the fingerprinting of the victim's underlying host by searching for kernel-mode device drivers of Kaspersky and Trend Micro deployed on the system.
Figure 23 - Angler fingerprinting AVs
The routine consists of an IF statement which performs eight checks within the main Windows filesystem (System32), and specifically the directory where the system's drivers are installed, to identify if core drivers related to security products are present. If there is a match, it is determined that some sort of security controls have been deployed on the victim host, hence it quits infecting the host.
Once the checks for determining the underlying security detection systems are false, it will proceed with crafting the script that will communicate with the Exploit Server.
Angler is also an exploit kit known for its ability to perform the so-called fileless infection. This is a technique that bypasses traditional anti-virus products, since no file is stored on the hard drive during the infection. Instead, the malware is directly injected into a memory space of a legitimate process of the operating system, most likely the process whose plugin has already been exploited, e.g. iexplore.exe, the Internet Explorer process. In this way it conceals its malicious activity within another process, having also the capability to run persistently whenever the specific process starts again after rebooting the system. But how exactly does this technique work in Angler EK?
As per usual, the victim visits a compromised site or clicks on a falsified link within a spam email, to get redirected to the EK's landing page. The big difference is that the payload is directly injected into the memory segments instead of being stored on disk, which would raise alerts on the anti-virus.
The described technique is far more effective and powerful than the traditional infection chains, not only because it manages to evade the majority of anti-virus products, but also because grabbing the dropper is considered a difficult task. The researcher needs to dump the corresponding memory segments and then decode them so as to understand what has happened. Furthermore, it also allows the malware to perform more detailed fingerprinting of the host without raising attention, except when it has to write something to the hard disk, if that is necessary.
The final phase of Angler's infection chain varied through the years of action between the kinds of malware which Angler EK is known for, namely banking and backdoor Trojans, ransomware and rootkits.
The last variant of Angler used a very dangerous and effective ransomware, CryptoWall, which reached version 4.0 in October 2015.
This threat is an advanced ransomware which, besides the typical characteristics, pretends to be an anti-virus tool that, during scanning, is actually encrypting the files. Moreover, it encrypts the filenames it identifies on the victim's host, so as to prevent users from recognizing their files.
MALVERTISING
One of the factors of Angler's fast proliferation was the ability to get involved in malvertising campaigns serving malicious advertisements that eventually led to its landing page.
The malicious advertisements, besides being embedded in benign websites and thus increasing the attack surface, have also another advantage. They are able to conduct a preliminary host probing so as to pass fine-grained data to the landing page.
RIG EK
In this section, we will attempt to analyze another prevalent EK that evolved through the last years. RIG EK has filled the void left by the demise of Angler EK and has become the dominant actor in the crimeware underground marketplace over all other EKs. It is the most prolific EK in terms of infection incidents during the last several months.
RIG is among the older EKs in the crime scene, first detected in late 2012, formerly known as Goon and Infinity. It had disappeared for a period because part of its source code had been disclosed in 2015, apparently as a result of a dispute between a main developer and a reseller. The new RIG 3.0 came up after a while to claim a piece of the cybercrime market. In this chapter, we are going to describe the most important components and features of all RIG variants, focusing more on the latest ones.
RIG activities rely heavily on malvertising and ransomware. It is being distributed mostly via large campaigns like Afraidgate and EITest and usually drops CryptoWall, TeslaCrypt, Cerber, CryptoMix (a.k.a. CryptFile2) and Tofsee ransomware.
RIG INFRASTRUCTURE
The following figure depicts a typical RIG infrastructure, attached here in order to have a notion of the operations that take place in the back-end, and how all components are connected and communicate with each other. The additional benefit of this flow graph is that it describes the sequence of connections that are made from the victim's and customer's perspective.
Figure 24 - RIG EK infrastructure
According to this flow graph, following Angler's infrastructure, there are also the Admin Server, the Exploit Server where the exploits are stored and delivered to other components, and a Proxy Server (there may be more than one).
One direct observation is the good segregation of servers, in which the victim never communicates directly with the customer. They are both connected to different parts of the system; the victim only communicates with the Proxy Server and the customers or resellers work only with the Admin Server. RIG administrators, of course, are able to connect to any component.
All entities have been described in the previous chapter except for the VDS Server. It stands for Virtual Dedicated Server, which is actually the server that contains the exploits that are going to be delivered to the victims and acts like a tunnel between the Admin Server and the Proxy Server.
RIG IN ACTION
RIG masterminds have designed an exploit kit that combines the traditional attack patterns which all EKs employ more or less, but they have put extra effort into the final phase of infection.
As usual, an IFRAME redirect may be injected within a vulnerable website, malicious advertisement, or spam email to serve as a redirector:
Figure 25 - Injected IFRAME redirecting to RIG gate
Actually, IFRAME redirection is one of the many ways that RIG leverages to meet its victim. Before continuing with campaigns, we should give an example of RIG leveraging domain shadowing on the legitimate retradio.org against the rogue ads.retradio.org.
Figure 26 - RIG EK domain shadowing
Even today, large campaigns are alive that redirect unsuspecting users to RIG. Another popular campaign is the "gonext" campaign, which took its name from the malicious URLs' parameter usually involved in these attacks (http://biomasspelletplant7.top/lobo.phtml?gonext=<>). It uses specific TLDs such as ".top", with heavily obfuscated HTML files usually ending with ".phtml", and after a series of redirections drops a 302 response status code in order to redirect to the RIG landing page. The following figure illustrates the obfuscated code of the "gonext" campaign and the final 302 redirector through the compromised domain "artisticplaces.net":
Figure 27 - RIG's gonext campaign
Another redirector has the name "IPredir" because it uses a hardcoded IP address, 131.72.136.46, through which the victim is redirected to an IFRAME targeting RIG's landing page.
Figure 28 - RIG's IPredir campaign
Upon loading the aforementioned IFRAMEs, the visitor gets redirected with one or more redirections to the gate through the proxy. In fact, the victim interacts only with the EK's proxy. Through the proxy, the victim is redirected to the RIG landing page. For each new victim request, there is a different landing URL and a slightly different payload. The figure below shows the core function of a landing page of RIG, of course implementing all these characteristics that most of the EKs take advantage of in order not to be detected.
Figure 29 - RIG's landing page HTML (snipped)
As usual, the payload is chopped into several pieces of code assigned to variables that in turn will be concatenated to craft the full payload. If we look more carefully at the last lines of code, we can find within the obfuscated code the instructions createElement and String.fromCharCode in several pieces.
The figure below depicts a code excerpt from a landing page, which includes the shellcode that will exploit the identified vulnerability, the URL that will fetch the payload in case the exploit is successful, and the RC4 key to decrypt the payload.
Figure 30 - RIG’s shellcode and payload
RIG's favorite malware type is ransomware. The following figure depicts the lock screen of Spora ransomware delivered by one of the latest and currently active variants, RIG-V.
Figure 31 - RIG-V delivering Spora ransomware
CUSTOMER'S PERSPECTIVE
At this point, we will try to describe the operations of RIG EK from the customer's perspective. The same operations exist, perhaps with minor variations, also on other EKs.
First of all, we make the assumptions that the EK has already established a remote connection (backdoor) with the vulnerable website, as well as that the customer has rented the EK and already has access to the admin panel. Current EKs offer a friendly graphical interface provided to the customer to orchestrate his attacks. The following figure depicts the login page of a recent RIG EK version:
Figure 32 - RIG EK 4.0 login screen
Then, the customer should select the payload he wants to pass on to the victims which, upon being uploaded, would redirect victims to the EK's landing pages. At this point, a unique URL is created combining the user's ID as well as other unique values for authorization and session management reasons. Modern EKs also offer API services, through which one can generate the malicious URLs on demand and use them just like every other API service. For instance, the API URL can have the following shape:
http://[EK-server]/index.php?apitoken=[API-TOKEN]
The apitoken value is calculated by the following code excerpt:
Figure 33 - API token generation code excerpt
The FlowID is a unique value that represents a single attack flow. The apitoken value is constructed from the UserID and FlowID values, goes through serialization and encryption with a private key generated by the EK administrator using the RC4 algorithm, so that every attack is unique and able to evade URL blacklisting.
The link value which is produced by the above code is the proxy URL that forms the infection page, having the following shape:
http://[proxy-server]/proxy.php?PHPSSESEID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|OTMxOGYwMjdkZTMxOGFmN2M5OWZkMDNjODE0MmMyODM
Since the constant parameter PHPSSESEID was easy to detect by security products with a simple rule containing that string and flagging the URL, RIG authors decided to generate it randomly in the newer version of RIG. All customers that share the same EK server use a proxy URL similar to it, distinguished from each other by their personal token that is part of the random-looking URI. The content of the URI until the character "|", when decrypted, reveals a link to the VDS server. The value after the character "|" ensures the freshness and the demise of the URL after a specific time period.
In this manner, the customer communicates with the EK. The most famous EKs offer a large variety of payloads to select, easily employed and configurable via extra plugins that facilitate the administration. The latest variants are user-friendly, are widely available in the market and have low cost, rendering them attractive to adversaries.
EK comparison
In this section, we are going to compare the aforementioned EKs, Angler EK and RIG EK, according to our observations and analysis of their characteristics and ecosystems.
One difference between the most sophisticated EKs is that RIG has been proven really successful in infecting the targeted hosts, because it used multiple stages and methods to deliver the final malware. It often writes the same malware file and executes it multiple times on the victim's host, thereby increasing the chances to compromise it. Another difference is that it combines relatively more and different web technologies to achieve better attack obfuscation.
Angler EK, during its life, managed to incorporate newly released zero-day exploits much faster than all other EKs. Especially when a new Adobe Flash vulnerability was published, the security community was expecting Angler to come up with a zero-day exploit in the next few days. This was also an important factor for its success. RIG is not that good at adopting new exploits. Besides this, it was the kit which employed fileless infection more than RIG and other kits, so as to evade security solutions more easily.
In the list of common characteristics between the most prevalent EKs, we can include their unique capability to effectively infect victims, meaning that from the exploitation phase onwards, most likely the exploit and the malware execution will succeed, thus the victim will eventually be infected. We should also notice their favorite method of propagating themselves, which is malvertising campaigns. Another commonality is that they are both tailored to ransomware, meaning that both like dropping ransomware on the compromised host, which also allows direct financial profit.
CHAPTER 3 - MALWARE TRAFFIC ANALYSIS EXAMPLE
In this chapter, we will dive more into the technical detail of the techniques the EKs leverage to compromise a host. We are going to focus on network-level communications and then make a short introduction to malware analysis, because, as we have already stated, the basic intention of the EK is to deliver some kind of malware to the victim. Additionally, we will demonstrate the basic tools we usually use for performing the analysis.
Typically, security researchers identify EKs on the network level by capturing and analyzing malicious network traffic via PCAP (Packet Capture) files. There are multiple network tools capable of capturing and intercepting network traffic and analyzing network protocols, like tcpdump, netsniff-ng, Network Monitor, Intercepter-NG, etc., but the most powerful and comprehensive network sniffer is Wireshark, developed for both Windows and *nix operating systems. A researcher can either analyze malicious traffic manually in the way we are going to describe below, or parse a capture with several rule-based tools, such as Yara, Bro and Snort. These are open-source and commercial tools of the Network Intrusion Detection & Prevention Systems (NIDS, IPS) family, actually parsing network traffic to identify malicious characteristics and intrusion signs within it and, especially the commercial versions, updating frequently so as not to miss any new signature. A comprehensive Linux-based distribution that comes with all network analysis tools pre-installed is the Security Onion distribution. It is easy to deploy the distribution in a virtual machine and perform all tests inside it, which has also the advantage of being an isolated environment, also serving the necessity of handling malware with caution. It contains all the necessary tools needed to perform effective and nearly professional analysis. Security Onion features:
§ Full-packet capture via netsniff-ng, for live traffic sniffing
§ Tcpreplay, for replaying malicious traffic to a socket for testing purposes
§ Sguil, the graphical interface for network security monitoring
§ Squert, the web application interface to Sguil's database
§ ELSA (Enterprise Log Search & Archive), a centralized syslog framework built on Syslog-NG, MySQL and Sphinx full-text search.
§ Snort and Snorby, the de facto standard open-source IDS
§ Bro and Suricata, powerful IDS systems
§ A large amount of rule-sets and signatures such as Snort Emerging Threats [10], ET PRO, Talos rule-sets, the community rule-set and the ability to build custom ones.
[10] https://rules.emergingthreats.net/
We are going to analyze a sample PCAP file [11] so as to better understand the process of discovering EKs in network traffic.
At first, we open the sample with Wireshark to see the packets in its nice visualization environment. It is always convenient to choose the columns most relevant to our analysis to be displayed in the Wireshark panel. Besides the source and destination IP addresses, we also prefer displaying the Host header of HTTP requests, so as to easily spot the transitions between hosts, as well as the "Content-Type" header that helps us identify the potentially dangerous types of content delivered from the malicious server to the victim's host. It is also important to apply the filter "http" or "http.request" in Wireshark, in order to separate the HTTP requests that contain the interesting data. That said, we can start reviewing the sample.
Upon reviewing packet captures, most probably security researchers will have to deal with a lot of noise in terms of junk packets that obscure the packet analysis. Experience comes with time and with the number of exercises one solves.
By reading the packets carefully, we usually try to identify an awkward hostname which may deliver the EK. The randomness in the hostname, as already mentioned in the previous chapter, is one good reason to assume the presence of an EK and start the analysis from that hostname. In the following figure, we spotted the malicious domain not by the hostname, which looks normal, but because of the randomness of the URI following the GET HTTP method and a classic URI pattern. Before that, we applied a filter with the corresponding IP address in Wireshark to reduce the noise.
Figure 34 - Sample PCAP analysis: Spot malicious hostnames
Specifically, the pattern /<filepath>/search.php?keywords=<number> is pretty common, is contained in IDS rule-sets, and the experienced researcher can say with good probability which EK may be involved in this infection even if we are just at the beginning of the review. By viewing these signs, it is fairly safe to assume that this is a variant of Angler EK. The pattern /term.xbel?out=<random_string> constitutes an additional sign.
[11] http://www.malware-traffic-analysis.net/2015/07/24/index.html
We can clearly see that the victim has the IP address 192.168.137.85 and submits a GET request towards the malicious server kiralyi.arcadiumentertainment.com, which has IP address 185.43.223.164.
Another way that helps us pinpoint the beginning of the infection is to observe the "Content-Type" header. As we have already described in previous chapters, usually there is a binary blob received by the victim, so as a first step we may try to identify the Content-Type "application/octet-stream" or something similar. Once we spot the binary, we can examine the previous conversations to identify the landing page and the redirection, if it is not detectable at first sight.
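The manual checks just described (the Angler URI patterns, the "Content-Type" values that mark the exploit and payload stages, and the cross-host "Location" header of 302 cushioning from the Angler section) can be expressed as a small rule set over request/response summaries. The following is an added example, not the thesis' script or an IDS rule-set; the regexes, the field names and the sample records are constructed for illustration and use reserved example hostnames.

```python
import re
from urllib.parse import urlsplit

# URI patterns the text associates with Angler EK landing-page traffic
# (constructed regexes modelled on the patterns quoted in the text).
ANGLER_URI_PATTERNS = {
    "angler-search-php": re.compile(r"^/(?:[^/?]+/)*search\.php\?keywords=\d+$"),
    "angler-term-xbel": re.compile(r"^/(?:[^/?]+/)*term\.xbel\?out=[A-Za-z0-9_-]{8,}$"),
}

# Response content types that mark the later stages of the chain.
STAGE_CONTENT_TYPES = {
    "application/x-shockwave-flash": "flash-exploit",
    "application/octet-stream": "binary-payload",
}


def check_request(rec):
    """Return the indicator names that fire for one request/response record.

    rec is a dict with keys host, uri, status, location, content_type
    (the same fields one would pull from the Wireshark columns in the text).
    """
    hits = []
    for name, pattern in ANGLER_URI_PATTERNS.items():
        if pattern.search(rec["uri"]):
            hits.append(name)
    ctype = (rec.get("content_type") or "").split(";")[0].strip().lower()
    if ctype in STAGE_CONTENT_TYPES:
        hits.append(STAGE_CONTENT_TYPES[ctype])
    # 302 cushioning: a 301/302 whose Location points at a different host.
    # Same-host redirects are normal and are deliberately not flagged.
    if rec.get("status") in (301, 302) and rec.get("location"):
        target = (urlsplit(rec["location"]).hostname or "").lower()
        if target and target != rec["host"].lower():
            hits.append("cross-host-redirect:" + target)
    return hits


def scan(records):
    """Return [(url, [indicators])] for every record that fires at least one rule."""
    findings = []
    for rec in records:
        hits = check_request(rec)
        if hits:
            findings.append((rec["host"] + rec["uri"], hits))
    return findings


# Constructed sample, not taken from the thesis' PCAP.
SAMPLE_RECORDS = [
    {"host": "news.example", "uri": "/index.html", "status": 200,
     "location": None, "content_type": "text/html; charset=utf-8"},
    {"host": "compromised.example", "uri": "/wp-content/theme.js", "status": 302,
     "location": "http://gate.example/go?id=1", "content_type": "text/html"},
    {"host": "landing.example", "uri": "/forums/viewtopic/search.php?keywords=38147",
     "status": 200, "location": None, "content_type": "text/html"},
    {"host": "landing.example", "uri": "/term.xbel?out=kd83ja9sdf2l", "status": 200,
     "location": None, "content_type": "application/x-shockwave-flash"},
    {"host": "landing.example", "uri": "/dl/7zx.bin", "status": 200,
     "location": None, "content_type": "application/octet-stream"},
    {"host": "cdn.example", "uri": "/redirect", "status": 302,
     "location": "https://cdn.example/v2/redirect", "content_type": None},
]

if __name__ == "__main__":
    for url, hits in scan(SAMPLE_RECORDS):
        print(f"{url:60s} {', '.join(hits)}")
```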
Figure 35 - Sample PCAP analysis: Spot malicious Content-Type
Somewhere near the binary there will probably exist an "application/x-shockwave-flash" SWF file that facilitates the malware download. We will then go backwards to find the root cause, thus the redirection. Right before the EK domain, the victim was served a "text/html" web page by the IP address 185.43.223.164 with domain www.twentyone-development.com. It is worth examining this HTML file. By following the HTTP stream, we can see, to our surprise, the malicious IFRAME redirection being injected at the first line of the HTML document.
Figure 36 - Sample PCAP analysis: Spot redirection
We can be sure now that www.twentyone-development.com is the compromised website that redirects visitors to the EK landing page kiralyi.arcadiumentertainment.com. The following figure depicts the request of the EK landing page due to the redirection and the beginning of the rendered landing page.
Figure 37 - Sample PCAP analysis: Rendering the landing page
A preliminary fingerprinting of the browser and host has already been done upon submitting the above-mentioned request, via the User-Agent holding the value "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko", which represents the host and the underlying web technologies installed on the targeted host. This means that the browser that is trying to establish a connection with the landing page is Internet Explorer 11, installed within a Microsoft Windows 7 32-bit desktop (Windows NT 6.1 value).
Moreover, the landing page is hosted by an NGinX web server, which is the preferred web server of EKs. By extracting the full HTML landing page from the network traffic sample, we observe that it is comprised of large blocks of obfuscated code which, upon being rendered in the victim's browser, perform the fingerprinting of the browser seeking for vulnerabilities. Among the obfuscated code, which is visually limited within a couple of pixels so as not to be seen, the landing page also contains parts of Jane Austen's novel "Sense and Sensibility". As we can see, the important parts of the landing page are heavily encoded. If the researcher manages to decode these parts, he will be able to see the checks performed.
Moving on to the next request towards the EK server, we will notice what vulnerability was found and exploited. By looking at the request and server response once again, we can observe that the SWF file is requested for the detected version 18.0.0.203 of the Flash Player plugin.
Figure 38 - Sample PCAP analysis: Vulnerable Flash plugin version
The CWS represents the file signature (magic) of the SWF file.
The aforementioned version suffers from the "Adobe Flash opaqueBackground Use After Free" vulnerability, registered as CVE-2015-5122 [12] (CVSS Base Score 10.0 - Critical severity), and had a publicly known exploit [13] in July 2015, close to the date the EK used it. Perhaps the attackers had already designed the exploit and used it in several infections, like in this case, before the security community discovered it; this is a common phenomenon that contributes to EKs' success. Specifically, the crafted SWF file leverages the improper handling of the opaqueBackground property of the DisplayObject class in Adobe's ActionScript implementation to achieve execution of arbitrary code or cause memory corruption. The downloaded SWF files are heavily obfuscated using the commercial Flash obfuscator DoSWF, as revealed by the DoABC2() tag.
[12] https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-5122
[13] https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
Figure 39 - Sample PCAP analysis: SWF obfuscated with DoSWF tool
Analyzing this SWF file can be quite easy if it is sent in cleartext, but most probably it will be difficult to overcome the obfuscation. Finally, we review the real malware the EK drops into the host, from which our analysis started. In our sample, this is the request for downloading the malware:
Figure 40 - Sample PCAP analysis: Dropped malware
At this time, the malware has already been dropped on the victim's computer, it has been executed, and the host is fully compromised. It is possible to extract the binary object from the traffic and submit it to public malware repositories for analysis or try to reverse engineer it. The malware may come in more than one phase and most probably will use the system's resources to communicate with the EK's Admin Server, other malicious servers or even several legitimate sites that will help it understand the network it has infected. For instance, in our case the EK performs a series of post-infection communications:
§ ip-addr.es - 188.165.164.184
§ biganddigital.com - 198.211.120.49
§ bibubracelets.ro - 85.204.50.99
§ ehsansurgical.com - 50.87.150.75
§ 100pour100unity.com - 91.216.107.226
§ hotfrance.ru - 95.85.4.87
§ hajuebo.de - 212.90.148.43
§ beybladeoyunlari.org - 213.238.166.230
§ 6i3cb6owitcouepv.ministryordas.com - 46.30.43.66
The first of these communications is towards the legitimate website ip-addr.es, which helps it identify the external IP address of the host. But how can we determine or be sure about the kind of EK and the type of malware? We can check the PCAP file against Snort rules or other rule-sets to find this information. We will use the Security Onion distribution to find it out. We replayed the PCAP traffic with the tcpreplay tool on the IDS engine loaded with the Emerging Threats community and pro rule-sets and got the results in the Sguil interface.
Figure 41 - Sample PCAP analysis: IDS analytic events
The IDS confirms what we saw in the first place by manual examination: the actor in this sample is the Angler EK. The IDS detected the URI that leads to Angler's landing page, the landing page itself, as well as the Flash exploit against the victim's web browser. In turn, it dropped the CryptoWall 3.0 ransomware within a binary blob encrypted with the Tiny Encryption Algorithm (XTEA).
It is worth noting, for the reader's practice, some public PCAP repositories containing captured files of malicious and non-malicious traffic:
http://www.malware-traffic-analysis.net/
http://www.netresec.com/?page=PcapFiles
https://wiki.wireshark.org/SampleCaptures
http://www.tcpdump.org/
CHAPTER 4 - ATTACK PATH SCRIPT
The last part of this thesis is to design a simple command-line script that parses capture files containing malicious network traffic and indicates the potential attack path. The script is written in the Python language, which is a really powerful scripting language with a sheer amount of useful libraries for all needs.
ThescripttakesadvantageoftheScapylibrarywhichisconsideredastoplibraryforpacketanalysisandapowerfulandinteractivepacketmanipulationprogramingeneral.Itiscapableofparsingalargenumberofprotocols,decodingpackets,capturingthem,craftingone layerontopofother,transmittingthem,matchingrequestsandresponsesandmanyotherfeatures.
Thelogicbehindthescript(ekchain.py)wastodesignasimplescriptthatwouldbeabletoanalyzethegivenPCAPcaptureandrespondwithapotentialattackpathaccordingtotheIOCs(IndicatorsofCompromise)itidentifiesinpacketheaders.Aswealreadydescribed inthepreviouschapter,webasedthe identificationofIOCsinalogicalsequenceofevents.Thus,theanalysiscanstartwithidentifyingthebinaryexecutablewhich is in turndelivered to thevictim.This iswhat thescriptsearchesforasafirststepandthisconstitutesourfirstIOC.Then,itsearchesthepacketcapturefilebackwardstoidentifytheexploitationphaseandhencetheFlash file. Inthismanner, itcontinues inreverseorderto identifythepotentiallandingpageandsubsequentlytheredirectorifexist.So,thescriptwillsearchforthebinaryfileatfirst,theFlashfile,thelandingpageandinturntheredirectorwhichisprobablyanIFRAME.
As for the script itself, it has the following features:

§ Takes as input a PCAP file
§ Parses each packet of the PCAP file
§ Separates the requests and responses
§ Collects the request headers that are interesting to our analysis
§ Collects the response headers that are interesting to our analysis
§ Identifies the redirections in response headers and response body
§ Decodes the response body when it is encoded
§ Decompresses the response body when its "Content-Encoding" is "gzip" or "deflate"
§ Analyzes the packets to identify potential IOCs according to the rationale described above
§ Prints packet info
§ Prints the potential infection chain
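The reverse walk described above (binary, then Flash file, then landing page, then redirector) together with the header and body handling in the feature list, as an added example that is not the thesis's ekchain.py: it leaves Scapy out and works on request/response pairs that have already been paired up (constructed below, with hypothetical hostnames), so the chain logic itself can be run and tested offline. The stage labels, the Content-Type and magic-byte checks, and the Referer/redirect-target linkage are this example's own choices, not a description of how ekchain.py does it.

```python
"""Added example: walk an EK infection chain backwards (binary -> swf -> landing -> redirector)
over already-paired HTTP transactions, so the logic runs offline without Scapy."""
import gzip
import re
import zlib
from dataclasses import dataclass
from typing import Optional

REDIRECT_STATUS = {301, 302, 303, 307, 308}
IFRAME_SRC = re.compile(rb"<iframe[^>]*\ssrc=[\"']?([^\"'\s>]+)", re.I)

@dataclass
class HttpTx:
    """One request/response pair: request time, Host, URI, Referer; response status, headers, raw body."""
    ts: float
    host: str
    path: str
    referer: Optional[str]
    status: int
    headers: dict   # response headers, lower-case names
    body: bytes     # body exactly as seen on the wire (possibly compressed)

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.path}"

def decode_body(tx: HttpTx) -> bytes:
    """Undo Content-Encoding so signatures match the real content, not the compressed bytes."""
    enc = tx.headers.get("content-encoding", "").lower()
    if enc == "gzip":
        return gzip.decompress(tx.body)
    if enc == "deflate":
        try:
            return zlib.decompress(tx.body)                   # zlib-wrapped deflate
        except zlib.error:
            return zlib.decompress(tx.body, -zlib.MAX_WBITS)  # raw deflate, as some servers send it
    return tx.body

def redirect_targets(tx: HttpTx) -> set:
    """Where this response sends the browser next: Location header or IFRAME src in the body."""
    targets = set()
    if tx.status in REDIRECT_STATUS and "location" in tx.headers:
        targets.add(tx.headers["location"])
    if "text/html" in tx.headers.get("content-type", "").lower():
        targets.update(m.group(1).decode("latin-1") for m in IFRAME_SRC.finditer(decode_body(tx)))
    return targets

def classify(tx: HttpTx) -> str:
    """Map a transaction onto one chain stage from header/body IOCs; magic bytes beat Content-Type."""
    body, ctype = decode_body(tx), tx.headers.get("content-type", "").lower()
    if body[:2] == b"MZ" or "application/octet-stream" in ctype:
        return "binary"
    if body[:3] in (b"FWS", b"CWS", b"ZWS") or "x-shockwave-flash" in ctype:
        return "swf"
    if redirect_targets(tx):
        return "redirector"
    return "landing" if "text/html" in ctype else "other"

def linked_predecessor(txs, tx: HttpTx, stage: str) -> Optional[HttpTx]:
    """Latest earlier transaction of `stage` that led to `tx`: its URL is tx's Referer or it redirected
    to tx.url. Payload fetches issued by shellcode often carry no Referer, so fall back to same host."""
    earlier = [t for t in txs if t.ts < tx.ts and classify(t) == stage]
    for t in reversed(earlier):
        if tx.referer == t.url or tx.url in redirect_targets(t):
            return t
    return next((t for t in reversed(earlier) if t.host == tx.host), None)

def infection_chain(txs) -> list:
    """[(stage, tx), ...] ordered redirector(s) -> landing -> swf -> binary; [] if no payload was seen."""
    txs = sorted(txs, key=lambda t: t.ts)
    binaries = [t for t in txs if classify(t) == "binary"]
    if not binaries:
        return []
    chain = [("binary", binaries[0])]
    swf = linked_predecessor(txs, binaries[0], "swf")
    if swf:
        chain.append(("swf", swf))
    hop = linked_predecessor(txs, swf or binaries[0], "landing")
    if hop:
        chain.append(("landing", hop))
        while (hop := linked_predecessor(txs, hop, "redirector")) is not None:
            chain.append(("redirector", hop))
    chain.reverse()
    return chain

LANDING_HTML = b"<html><body><script>/* obfuscated landing page code */</script></body></html>"
# Constructed capture excerpt with hypothetical hosts; not traffic from the thesis sample.
SAMPLE_TXS = [
    HttpTx(1.00, "compromised.example", "/index.html", None, 200, {"content-type": "text/html"},
           b'<html><body>news<iframe src="http://gate.example/in.php?id=7" width=1 height=1></iframe></body></html>'),
    HttpTx(1.20, "gate.example", "/in.php?id=7", "http://compromised.example/index.html", 302,
           {"location": "http://ek-landing.example/forums/viewtopic.php?t=41"}, b""),
    HttpTx(1.45, "ek-landing.example", "/forums/viewtopic.php?t=41", "http://compromised.example/index.html",
           200, {"content-type": "text/html", "content-encoding": "gzip"}, gzip.compress(LANDING_HTML)),
    HttpTx(1.50, "cdn.example", "/logo.png", "http://compromised.example/index.html", 200,
           {"content-type": "image/png"}, b"\x89PNG\r\n\x1a\n"),
    HttpTx(2.10, "ek-landing.example", "/rWgZ5kQ.swf", "http://ek-landing.example/forums/viewtopic.php?t=41",
           200, {"content-type": "application/x-shockwave-flash"}, b"CWS\x0f\x00\x00"),
    HttpTx(3.70, "ek-landing.example", "/c9a1f3", None, 200,
           {"content-type": "application/octet-stream"}, bytes(range(64))),   # encrypted payload stand-in
]

if __name__ == "__main__":
    for stage, tx in infection_chain(SAMPLE_TXS):
        print(f"{stage:10s} t={tx.ts:.2f} {tx.status} {tx.url}")
```

Two limitations are worth keeping in mind with any tool of this shape. The stage labels come from Content-Type and magic bytes, so a kit that serves its Flash file as text/plain or its payload without an MZ header (as an encrypted blob, as in the sample above) is only caught by whichever of the two checks still holds. And everything here assumes plaintext HTTP: inside a TLS session there are no headers or bodies to read, and the chain has to be reconstructed from the endpoint or from a TLS-terminating proxy instead.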
The script is very simple to use:
Figure 42 - Ekchain script usage
Upon executing ekchain.py, supplied with a sample PCAP file, sample1.pcap, we get the following output:

Snipped Output
Figure 43 - Ekchain script output
We can observe that the script identified a potential infection attack path in the PCAP file, indicating a possible redirector, landing page, SWF file and binary file.

The script performs a simple, preliminary analysis and is presented here as a starting point for EK traffic analysis. It certainly needs substantial further development to cover all aspects and criteria of common IOCs; in particular, it keys on plaintext HTTP headers and bodies, so it sees nothing inside TLS-protected sessions, and a kit that changes the Content-Type values or the order of its delivery stages will not match its checks.
CHAPTER 5 - RECOMMENDATIONS, FUTURE WORK & CONCLUSIONS
In this chapter we will try to give the reader some recommendations on how to prevent EK attacks. Our advice is based on common best practices and on our professional experience. Furthermore, we are going to propose future work pertaining to EKs and share some thoughts on related subjects that can be studied in the future. Finally, we will present the results and final thoughts of our analysis.

Recommendations

The task of safeguarding an enterprise or a home network from EKs is not considered an easy one, because of the versatility and resilience that EKs have demonstrated through the years of their activity. Most of our recommendations are simple for the average Internet user to adopt, and some cost nothing, while others involve deploying commercial products on which the user can rely. The following recommendations will reduce the risk of getting infected by EKs and their malware, such as ransomware or bots.
As a rule of thumb, users are recommended to update their browsers, browser plugins and related web services on a regular basis, since the browser is considered the weakest link towards infection by an EK. This means that a user who is prompted by the browser to install the next security update and simply skips it does not mitigate at all the risk of being infected by, for instance, a new version of RIG EK serving a ransomware that is able to encrypt all the valuable documents on the computer. A plugin that is not needed should be removed rather than merely kept updated: a plugin that is not installed cannot be exploited. Additionally, you can allow and deny certain browser behaviours by selecting the right options in the browser's configuration. For instance, you can block the execution of scripts in the browser by installing the corresponding plugins, or block the majority of advertisements by installing trusted ad-blockers. You can also deny the execution of IFRAMEs, or install a plugin that prompts the user every time an IFRAME is about to be loaded and lets them decide whether to allow it. Of course, these plugins may not all be innocent, so you should check for trusted ones, keep them always updated, and follow community guidance and news on their security issues.
Beyond the everyday maintenance of our computer, it is also recommended to deploy the best security products for preventing malware. Without downgrading the value of open-source products, we would advise the reader to deploy popular commercial anti-virus and anti-malware products, which include robust detection and prevention capabilities, have invested a lot of money and other resources in developing their features to an optimal level, and update their rule-sets and signatures frequently so as not to miss a threat. There are decent solutions that, even against zero-day exploits and the most sophisticated, polymorphic malware, manage to do the job and prevent the user from being compromised, although no product catches everything.

The ISP (Internet Service Provider) plays a crucial role in terms of security. It is important for our network to reside within a well-established and security-conscious ISP network that implements strong security procedures and policies regarding anti-spam and anti-phishing filtering, and that has deployed effective security products for the same purpose. Ensure that your preferred ISP fulfils as many security prerequisites as possible and follows security best practices.
Finally, the advice that is constantly offered, because it is the most important and useful of all, is the systematic training of stakeholders, within either a small home network or a large enterprise network, on the dangers inherent in Internet browsing. The security awareness of the people who use the Internet on a daily basis most of the time plays the crucial role in preventing exposure to EKs, since a high percentage of EK activity is propagated via malvertising and spam campaigns. People should be able to distinguish benign from fake advertisements or spam e-mails, so as not to click on the malicious link that will transfer them to EK pages and harm their computer. Especially within a corporate network, employees should know how to handle a phishing e-mail or a rogue web page and report the security incident as soon as possible to the Incident Response Team. A delay in identifying such attacks may have devastating results on home network computers and personal files, and may cause significant damage to corporate image, reputation loss or regulatory issues.

To summarize the controls against computer infection, we recommend always using trusted anti-virus and anti-spyware software and keeping your operating system and installed software, especially the web browser and its plugins, up to date. Note that these are the minimum prerequisites for protecting your computer from known threats to some extent, since no device that has been connected to the Internet even once is totally secure.
Future Work

As far as exploit kit research is concerned, we encourage the reader to try to keep up with the latest developments in this field, since it is a fast-moving area.

Nowadays, the growth of smartphone devices has become a new field in cyber security research. The increased usage of mobile devices also brings a lot of security threats for their users. As these devices connect to the Internet, they inherit the security issues of the Internet. In the following chart we can see the growing usage of the Internet via smartphone devices compared with the usage on desktop computers at a global level. The measurement was conducted between October 2009 and October 2016 by StatCounter Global Stats.
Figure 44 - Global statistics of Internet usage
We can see that 51.3% of users globally prefer to use their mobile or tablet device to navigate the Internet, compared with 48.7% of users who prefer their desktop. It is a reasonable result if we consider the large number of smartphone devices purchased globally, how many hours of our day we spend using our device, and how many everyday tasks we can do with it; the capabilities of smartphone devices and desktops are nowadays almost equal. Among smartphone uses we can count web banking and everyday transactions, online purchases, chatting and many others that involve the Internet, and thereby a potential attack can cost us financially, in terms of privacy, or in other security terms.

We strongly encourage the reader, as a future researcher, to study the attack characteristics and patterns of EKs against smartphone devices and to perform research in this growing field.

Following on from our script, we suggest that researchers interested in PCAP analysis contribute to this one, or to the many other existing scripts and programs, in making the packet analysis live. It would be a great idea if we were able to perform on-the-fly analysis, delaying normal packet transmission just long enough to perform packet inspection aimed at spotting malicious activity by exploit kits, and then resuming the traffic flow. In other words, the checks would run inline, as an IPS does, which puts the analysis on the latency-critical path and means that each detection must be cheap enough to complete within that delay.
Conclusions
In this thesis we attempted to cover the exploit kit phenomenon, which is considered the most notorious cyber threat of recent years. This study is based on our methodical research on the Internet, on scientific papers and books, on annual security publications and reports published by the most popular security vendors and research laboratories, on practical analysis of a large number of network capture files containing exploit kit traffic, and on other resources.

We tried to present the core components of the exploit kit ecosystem and the most important aspects of their malicious activities, and attempted to pinpoint their position in the growing cyber threat landscape. We covered their attack-centric and self-defence characteristics in general, and specifically for the two most prevalent exploit kits, the Angler EK and the RIG EK.

Moreover, we analyzed a sample PCAP containing malicious traffic produced by exploit kit activity, to describe the overall procedure and steps of PCAP analysis.
Finally, we constructed a basic script which can identify the potential attack path of an exploit kit by analyzing the network traffic captured during its activity. The script performs several checks according to criteria stemming from exploit kit research and from manual analysis of many malicious traffic samples.

Our intention was to learn more about the top cyber threat of our days and gain the knowledge necessary to be more proactive against exploit-kit-driven security incidents.
ABBREVIATIONS / ACRONYMS

AV - Anti-Virus
C2 or C&C - Command & Control (server)
CHM - Microsoft Compiled HTML
DDoS - Distributed Denial of Service (attack)
EK(s) - Exploit Kit(s)
ELSA - Enterprise Log Search & Archive
ETPRO - Emerging Threats PRO (rule-sets)
HTA - HTML Application
IOC - Indicator of Compromise
IPS - Intrusion Prevention System
NIDS - Network Intrusion Detection System
PCAP - Packet Capture (files)
PHP - Hypertext Preprocessor (language)
RAR - Archive, native format of the WinRAR archiver
RC4 - Rivest Cipher 4 (algorithm)
SWF - Shockwave Flash (file)
TDS - Traffic Distribution System
TLD - Top-Level Domain
VDS - Virtual Dedicated Server
XTEA - Extended Tiny Encryption Algorithm
TABLE OF FIGURES

Figure 1 - Greek Police Virus screen message (p. 8)
Figure 2 - Infection chain (p. 10)
Figure 3 - EK indicative infrastructure (p. 12)
Figure 4 - Revenue and resources of Angler EK (2015) (p. 17)
Figure 5 - Fingerprinting via loadXML function (p. 23)
Figure 6 - DGA code sample (p. 27)
Figure 7 - IonCube encoded PHP code (p. 29)
Figure 8 - String replacement method (p. 30)
Figure 9 - Web browser brands (p. 35)
Figure 10 - Web browser statistics (p. 36)
Figure 11 - Spora ransomware block screen (p. 42)
Figure 12 - File extensions encrypted by TeslaCrypt (p. 43)
Figure 13 - Andromeda Bot administration panel (p. 45)
Figure 14 - Angler EK weekly growth (p. 47)
Figure 15 - Distribution of prevalent EKs' activity (p. 47)
Figure 16 - Angler EK's pop-up message (p. 50)
Figure 17 - Angler EK leverages 302 cushioning (p. 51)
Figure 18 - JavaScript redirect embedded in legitimate website (p. 52)
Figure 19 - Injected script of EITest redirection (p. 52)
Figure 20 - EITest request that downloads Flash file (p. 53)
Figure 21 - Flash request redirects to Angler EK's landing page (p. 53)
Figure 22 - Angler fingerprinting non-IE browsers (p. 55)
Figure 23 - Angler fingerprinting AVs (p. 55)
Figure 24 - RIG EK infrastructure (p. 58)
Figure 25 - Injected IFRAME redirecting to RIG gate (p. 59)
Figure 26 - RIG EK domain shadowing (p. 59)
Figure 27 - RIG's gonext campaign (p. 60)
Figure 28 - RIG's IPredir campaign (p. 61)
Figure 29 - RIG's landing page HTML (p. 62)
Figure 30 - RIG's shellcode and payload (p. 63)
Figure 31 - RIG-V delivering Spora ransomware (p. 63)
Figure 32 - RIG EK 4.0 login screen (p. 64)
Figure 33 - API token generation code excerpt (p. 64)
Figure 34 - Sample PCAP analysis: Spot malicious hostnames (p. 68)
Figure 35 - Sample PCAP analysis: Spot malicious Content-Type (p. 69)
Figure 36 - Sample PCAP analysis: Spot redirection (p. 70)
Figure 37 - Sample PCAP analysis: Rendering the landing page (p. 71)
Figure 38 - Sample PCAP analysis: Vulnerable Flash plugin version (p. 72)
Figure 39 - Sample PCAP analysis: SWF obfuscated with DoSWF tool (p. 73)
Figure 40 - Sample PCAP analysis: Dropped malware (p. 74)
Figure 41 - Sample PCAP analysis: IDS analytic events (p. 75)
Figure 42 - Ekchain script usage (p. 78)
Figure 43 - Ekchain script output (p. 80)
Figure 44 - Global statistics of Internet usage (p. 82)
APPENDIX