Vicente Diaz - Jorge Mieres - Fuel for pwnage
Jorge Mieres, Senior Malware Analyst
Vicente Diaz, Senior Malware Analyst
April 21, 2011, Source Conference
Fuel for pwnage: Exploit kits
Introduction: Something about us
Source Conference Boston 2011 PAGE 2 |
Vicente Díaz (@trompi)
Jorge Mieres (@jorgemieres)
What we are talking about: Exploit Packs
Exploit Kits inside!
Diagram: Victim (surfing) -> Redirections (iFrames, badness) -> Malicious server -> Exploiting (Attack!)
A simple plan
Attack process of a conventional Exploit Kit, server side:
Index.php
  -> What browser is it?
  -> What OS is it?
  -> CVE-XXXX-XXXX (the exploit chosen for that browser and OS)
  -> Malicious Code
  -> Statistics
Detecting the browser: get the browser (FirePack)
Detecting the OS: get the OS
Choose the exploit kit and launch it
You might not have noticed, but … they are everywhere
Exploit Kits in the media
Back to the old times
MPack, mid 2006
• Developed by DreamCoders (Russian gang)
• Discovered in the DreamDownloader campaign
• First version sold for 700 USD
• 5 exploits:
  - MDAC (CVE-2006-0003)
  - WinZip ActiveX (CVE-2006-6884)
  - Microsoft WebViewFolderIcon ActiveX (CVE-2006-3730)
  - Microsoft Management Console (CVE-2006-3643)
  - Windows Media Player Plug-In, Firefox & Opera (CVE-2006-0005)
Evolution (timeline, 2006 to 2011)
MPack
AdPack
IcePack
Armitage
FirePack
NeoSploit
Arabella (private)
Liberty
Eleonore
Napoleon
Unique
JustExploit
Fragus
BlackHole
NeoSploit (Reload)
Impact (ex SEO)
Siberia (ex Napoleon)
BleedinLife
iPack
Modern
Phoenix (2.5)
Eleonore (1.6)
ElFiesta
LuckySploit
CRiMEPACK
BOMBA (private)
Let's see some numbers
Exploit Kits by numbers: 7 out of 10 botnets use Exploit Packs
Play time: How many Exploit Kits do you think there are around?
Play time: How many servers were serving these kits during 2010? 35000+
Play time: How many exploits are necessary for this? However … just in case
Play time: How many 0-day exploits are used in exploit kits? They are just incorporated later
Let's check if there are vulnerabilities around
How many vulnerable systems? In a given period of time, it could be 100% (0-day vulns).
During 2010, the exposure window averaged 21 days for Adobe vulnerabilities.
Most common targets (1)
Chart: Different targeted vulnerabilities among kits
IE                  30%
Adobe Reader        28%
Java                16%
Firefox              8%
Browser complement   6%
Adobe Flash          5%
Quicktime            3%
Windows              3%
Other                1%
Most common targets (2)
Chart: New unique exploits added during 2010
Java                39%
Adobe Reader        15%
Windows             15%
IE                  15%
Adobe Flash          8%
Quicktime            8%
Typical attacking vector
Chart: Attacking vector 2010
Adobe Reader        28%
IE                  27%
Java                19%
Adobe Flash          9%
Firefox              7%
Quicktime            3%
Windows              3%
Browser complement   3%
Other                1%
How effective are the attacks? (attacking perspective): 36.16%
Do they need 0-days?
What is the all-time most common exploit among all kits?
CVE-2006-0003, IE 6 MDAC Remote Code Execution
Phoenix 2.5, a brand new 2011 release, still includes it.
What makes an exploit kit successful?
• First: Price
• Then: Exploits
• Today: Additional services (VirTest, domain reputation) and special offers (get a bullet proof domain)
• Also: Piracy / easy customization!
New trends (1): Phoenix 2.5 (2011), 15 exploits
Chart: Target distribution
Adobe Reader        40%
Adobe Flash         20%
Java                20%
IE                   6%
Windows              7%
Quicktime            7%
New trends (2): Phoenix 2.5 (2011), 15 exploits
Chart: Vulnerabilities age
Y2010               53%
Y2009               20%
Y2008                7%
Y2007               13%
Y2006                7%
New trends (3): Phoenix 2.5 (2011)
New fresh Java exploits replace old ones
IN                          OUT
Java (Skyline) 2010         Java (JRE Calendar) 2008
Java (MIDI) 2010            Java JRE 2009
Java (javagetval) 2010      PDF newPlayer 2009
Java as the new attacking vector. There is a good reason for that: 87.91%
The business behind
Evolution of business
Marketing
• Underground forums
• Dedicated websites
• Social networks: Facebook / Twitter
• Pastebin
Protection and antipiracy
• Malware as a service model
• Zend / IonCube
• Randomization
• Packing/polymorphism
Evolution of business
Copycats
Copycats: Find the 7 differences
The future? Let me see
Some conclusions
• Exploiting is the business, and the business is good
• However, something is changing: increased demand for security
• New services make the difference: added value
• Exploits for new platforms will be common
• Resurrection of old kits, rearmed with new stuff