Fuel for pwnage: Exploit kits




Jorge Mieres, Senior Malware Analyst
Vicente Diaz, Senior Malware Analyst

April 21, 2011, Source Conference
Introduction
Something about us


Vicente Díaz (@trompi)
Jorge Mieres (@jorgemieres)




PAGE 2 |   Source Conference Boston 2011   | April 21, 2011
Exploit Packs




What we are talking about




Exploit Kits inside!




What we are talking about



Victim (surfing) → Redirections: iFrames, Badness → Malicious server: Exploiting Attack!




A simple plan




Attack process of a conventional Exploit Kit
Server side




Index.php
  → What browser is it? What OS is it?
  → CVE-XXXX-XXXX
  → Malicious Code
Statistics


Detecting the browser
Get the browser




                                             FirePack




Detecting the OS
Get the OS




Choose the exploit kit
And launch it




You might not have noticed, but … they are everywhere




Exploit Kits in the media




Back to the old times

Mpack – mid 2006

•  Developed by DreamCoders (Russian gang)
•  Discovered in the DreamDownloader campaign
•  First version sold for 700 USD

5 exploits:

•  MDAC (CVE-2006-0003)
•  WinZip ActiveX (CVE-2006-6884)
•  Microsoft WebViewFolderIcon ActiveX (CVE-2006-3730)
•  Microsoft Management Console (CVE-2006-3643)
•  Windows Media Player Plug-In Firefox & Opera (CVE-2006-0005)

Evolution

Timeline of exploit kits:

2006: MPack
2007: Mpack, AdPack, IcePack, Armitage, FirePack, NeoSploit
2008: ElFiesta, LuckySploit, CRiMEPACK, BOMBA (private)
2009: Arabella (private), Liberty, Eleonore, Napoleon, Unique, JustExploit, Fragus
2010: BlackHole, NeoSploit (Reload), Impact (Ex SEO), Siberia (Ex Napoleon), BleedinLife, iPack
2011 (Modern): Phoenix (2.5), Eleonore (1.6)
Let's see some numbers




Exploit Kits by numbers




7 out of 10 botnets use Exploit Packs



Exploit Kits by numbers
Play time



How many Exploit Kits do you think there are around?




Exploit Kits by numbers
Play time



How many servers serving these kits during 2010?




35,000+
Exploit Kits by numbers
Play time



How many Exploits are necessary for this?




However … just in case

Exploit Kits by numbers
Play time



How many 0-day exploits are used in exploit kits?




They are just incorporated later

Let's check if there are vulnerabilities around




How many vulnerable systems?


In a given period of time, it could be 100% (0-day vulns)

During 2010, the exposure window averaged 21 days for Adobe vulnerabilities.

Most common targets (1)


Different targeted vulnerabilities among kits (pie chart):
IE 30%, Adobe Reader 28%, Java 16%, Firefox 8%, Browser complement 6%, Adobe Flash 5%, Quicktime 3%, Windows 3%, Other 1%




Most common targets (2)


New unique exploits added during 2010 (pie chart):
Java 39%, Adobe Reader 15%, Windows 15%, IE 15%, Adobe Flash 8%, Quicktime 8%




Typical attacking vector


Attacking vector 2010 (pie chart):
Adobe Reader 28%, IE 27%, Java 19%, Adobe Flash 9%, Firefox 7%, Quicktime 3%, Windows 3%, Browser complement 3%, Other 1%




How effective are the attacks? Attacking perspective




                           36.16%
Do they need 0-days?


What is the all-time most common exploit among all kits?

CVE-2006-0003: IE 6 MDAC Remote Code Execution

Phoenix 2.5, brand new release in 2011

What makes an exploit kit successful?




What makes an exploit kit successful?


•  First: Price
•  Then: Exploits
•  Today: Additional services:
      VirTest
      Domain reputation
      Special offers: get a bulletproof domain

Also: piracy/easy customization!
New trends (1)
Phoenix 2.5 (2011)


  15 exploits

Target distribution (pie chart):
Adobe Reader 40%, Adobe Flash 20%, Java 20%, IE 6%, Windows 7%, Quicktime 7%




New trends (2)
Phoenix 2.5 (2011)


  15 exploits
Vulnerabilities age (pie chart):
Y2010 53%, Y2009 20%, Y2008 7%, Y2007 13%, Y2006 7%




New trends (3)
Phoenix 2.5 (2011)




IN:
•  JAVA (Skyline) 2010
•  Java (MIDI) 2010
•  Java (javagetval) 2010

OUT:
•  Java (JRE Calendar) 2008
•  Java JRE 2009
•  PDF newPlayer 2009

Fresh Java exploits replace old ones


Java as new attacking vector
There is a good reason for that




87.91%
The business behind




Evolution of business

Marketing
•  Underground forums
•  Dedicated websites
•  Social networks: Facebook / Twitter
•  Pastebin

Protection and antipiracy
•  Malware as a service model
•  Zend / IonCube
•  Randomization
•  Packing/polymorphism




Copycats




Find the 7 differences




The future? Let me see




Some conclusions

•  Exploiting is the business, and the business is good


•  However, something is changing: increased demand for security


•  New services make the difference, added value


•  Exploits for new platforms will be common


•  Resurrection of old kits, rearmed with new stuff




Thank You
Vicente Díaz (@trompi), vicente.diaz@kaspersky.com
Jorge Mieres (@jorgemieres), jorge.mieres@kaspersky.com

  • 16. Let´s see some numbers PAGE 16 | Source Conference Boston 2011 | April 21, 2011
  • 17. Exploit Kits by numbers 7 out of 10 botnets use Exploit Packs PAGE 17 | Source Conference Boston 2011 | April 21, 2011
  • 18. Exploit Kits by numbers Play time How many Exploit Kits do you think there are around? PAGE 18 | Source Conference Boston 2011 | April 21, 2011
  • 19. Exploit Kits by numbers Play time How many servers serving these kits during 2010? 35000 + PAGE 19 | Source Conference Boston 2011 | April 21, 2011
  • 20. Exploit Kits by numbers Play time How many Exploits are necessary for this? However … just in case PAGE 20 | Source Conference Boston 2011 | April 21, 2011
  • 21. Exploit Kits by numbers Play time How many 0 day exploits used in exploit kits? They are just incorporated later PAGE 21 | Source Conference Boston 2011 | April 21, 2011
  • 22. Let´s check if there are vulnerabilities around PAGE 22 | Source Conference Boston 2011 | April 21, 2011
  • 23. How many vulnerable systems? In a given period of time, it could be 100% (0-day vulns) During 2010, exposition window was 21 days in average for Adobe Vulnerabilities. PAGE 23 | Source Conference Boston 2011 | April 21, 2011
  • 24. Most common targets (1) Different targeted vulnerabilities among kits 3% 3% 1% 5% IE 6% 30% Adobe Reader 8% Java Firefox 16% Browser complement 28% Adobe Flash Quicktime Windows Other PAGE 24 | Source Conference Boston 2011 | April 21, 2011
  • 25. Most common targets (2) New unique exploits added during 2010 8% 8% 39% Java 15% Adobe Reader Windows IE 15% 15% Adobe Flash Quicktime PAGE 25 | Source Conference Boston 2011 | April 21, 2011
  • 26. Typical attacking vector Attacking vector 2010 3% 3% 3% 1% 7% Adobe Reader 28% IE 9% Java Adobe Flash 19% Firefox 27% Quicktime Windows Browser complement Other PAGE 26 | Source Conference Boston 2011 | April 21, 2011
  • 27. How effective are the attacks? Attacking perspective 36.16% PAGE 27 | Source Conference Boston 2011 | April 21, 2011
  • 28. How effective are the attacks? Attacking perspective PAGE 28 | Source Conference Boston 2011 | April 21, 2011
  • 29. Do they need 0-days? What is the all-time most common exploit among all kits? CVE 2006-003 IE 6 MDAC Remote Code Execution Phoenix 2.5, 2011 brand new release PAGE 29 | Source Conference Boston 2011 | April 21, 2011
  • 30. What makes an exploit kit successful? PAGE 30 | Source Conference Boston 2011 | April 21, 2011
  • 31. What makes an exploit kit successful? •  First Price •  Then Exploits •  Today Additional services: VirTest Domain reputation Special offers: Get a bullet proof domain Also: Piracy/easy customization! PAGE 31 | Kaspersky Lab PowerPoint Template | April 21, 2011
  • 32. New trends (1) Phoenix 2.5 (2011) 15 exploits Target distribution 7% 6% 7% 40% Adobe Reader Adobe Flash 20% Java IE 20% Windows Quicktime PAGE 32 | Source Conference Boston 2011 | April 21, 2011
  • 33. New trends (2) Phoenix 2.5 (2011) 15 exploits Vulnerabilities age 7% 13% 7% Y2010 53% Y2009 Y2008 20% Y2007 Y2006 PAGE 33 | Source Conference Boston 2011 | April 21, 2011
  • 34. New trends (3) Phoenix 2.5 (2011) IN OUT JAVA (Skyline) 2010 Java (JRE Calendar) 2008 Java (MIDI) 2010 Java JRE 2009 Java (javagetval) 2010 PDF newPlayer 2009 New fresh Java exploits replace old ones PAGE 34 | Source Conference Boston 2011 | April 21, 2011
  • 35. Java as new attacking vector There is a good reason for that 87.91 % PAGE 35 | Source Conference Boston 2011 | April 21, 2011
  • 36. The business behind PAGE 36 | Source Conference Boston 2011 | April 21, 2011
  • 37. The business behind PAGE 37 | Source Conference Boston 2011 | April 21, 2011
  • 38. Evolution of business Marketing " Underground forums " Dedicated websites " Social networks: Facebook / Twitter " Pastebin Protection and antipiracy " Malware as a service model " Zend / IonCube " Randomization " Packing/polymorphism PAGE 38 | Source Conference Boston 2011 | April 21, 2011
  • 39. Evolution of business PAGE 39 | Source Conference Boston 2011 | April 21, 2011
  • 40. Copycats PAGE 40 | Source Conference Boston 2011 | April 21, 2011
  • 41. Copycats Find the 7 differences PAGE 41 | Source Conference Boston 2011 | April 21, 2011
  • 42. The future? Let me see PAGE 42 | Source Conference Boston 2011 | April 21, 2011
  • 43. Some conclusions •  Exploiting is the business, and the business is good •  However something is changing: increased demand on security •  New services make the difference, added value •  Exploits for new platforms will be common •  Resurrection of old kits, rearmed with new stuff PAGE 43 | Source Conference Boston 2011 | April 21, 2011
  • 44. Thank You Vicente Díaz Jorge Mieres vicente.diaz@kaspersky.com jorge.mieres@kaspersky.com @trompi @jorgemieres
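Slides 5 to 7 describe the delivery path: a victim browsing a compromised site is redirected, typically through an injected iFrame, to the kit's index.php on a malicious server. The following scanner is an added example written for this page, not code from the talk or from any kit it names; it takes a defender's view of that first hop and flags iFrames that are invisible to the user (zero size, display:none, visibility:hidden or pushed off-screen) and point to a host other than the page's own. The HTML sample, the hostnames (badness.example.net and friends) and the size and offset thresholds are constructed for illustration.

```python
"""Flag hidden, off-site iframes of the kind used as exploit-kit redirectors.

Added example, not from the slide deck. Uses only the Python standard library
so it runs offline on a saved HTML document.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS patterns that make an element invisible or push it off-screen.
# The -100px threshold for left/top is an assumed heuristic, not a standard.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


def _tiny(value):
    """True when a width/height attribute is at most 1 (px or %)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_suspicious_iframes(html, page_url):
    """Return findings for iframes that are both hidden and cross-host.

    Each finding is {"src", "host", "reasons"}; same-host and relative
    iframes are ignored because they do not leave the site.
    """
    page_host = urlparse(page_url).hostname or ""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host is None or host == page_host:
            continue
        reasons = []
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden-by-style")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample: one legitimate embed, two injected redirectors,
# one relative 1x1 frame that stays on the site and is therefore ignored.
SAMPLE_HTML = """
<html><body>
<h1>Compromised site</h1>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe src="http://badness.example.net/index.php" width="0" height="0"></iframe>
<iframe src="http://badness.example.org/in.php" style="position:absolute;left:-9999px"></iframe>
<iframe src="/local/widget" width="1" height="1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, "http://www.example.com/"):
        print(f["host"], ",".join(f["reasons"]), f["src"])
```

Run against a saved copy of a page rather than live HTML when triaging, and treat a hit as a lead, not a verdict: advertising and analytics embeds also use tiny cross-host frames, so the host on each finding should be checked against known-good lists before the page is declared compromised.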