BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts Evolu<on
1. Evolving
Threat
Landscapes
Web-‐Based
Botnet
Through
Exploit
Kits
and
Scripts
Evolu<on
鄭毓芹
博士生
成功大學電腦與通訊工程研究所
julia.yc.cheng@gmail.com
2. Outline
Part
I:
Evolving
Botnet
Threats
v Tradi&onal
Botnet
Threat
Landscapes
v Evolu&on
Considera&ons
v Botnet
Today
Part
II:
Web
Exploit
Kits
v What
is
Web
Exploit
Kits
?
v How
Exploit
Kits
Works
v Case
Study
v How
Exploit
Kits
Bring
Money
In
v Exploit
Kits
Analysis
2
4. Tradi<onal
Botnet
Threat
Landscapes
4
Bot
Bot
Bot
Bot
Bot
C&C
Server
Botmaster
• Botnet
Characteris<cs:
(1) Central
C&C
Infrastructure
(2) C&C
based
on
IRC,
HTTP,
IM
server
(3) Single
point
of
failure
(4) Predefined
execu<ng
commands
on
bot
(5) Easy
to
detect,
easy
to
take
down
(6) Hard
to
sell,
sharing,
transfer
and
upgrade
•
Botnet
Threats:
(1) Spamming
(2) Phishing
site
installing
(3) Stealing
Confiden<al
Data
(4) Distributed
Denial-‐of-‐Service
(DDOS)
(5) Compromising
and
Installing
Malware
• Bots:
a
group
of
compromised
computers
• Botmaster:
human
controller
• C&C
Server
(
Command
&
Control):
a
channel
which
botmaster
user
to
send
command
to
bots
5. Tradi<onal
IRC
Botnet
C&C
Logs
5
.
.capture
.ddos.syn
.ddos.ack
.ddos.random
.download
.findfile
.getcdkeys
Command
Lists
.keylog
.login
.logout
.open
.procs
Easy
to
inflate
into
C&C
Server
and
collect
all
messages
in
channel
6. Evolu<on
Considera<ons
…
6
Bots
Crea<on
Botnet
Spreading
Botnet
Controlling
Botnet
Defending
Botnet
Commerce
Evolving
Upgrade
Customize
bot
func<ons
and
avoid
an<virus
to
detect:
• Bot-‐herders
assemble(compile)
their
own
func<ons
through
malware
kits
• Different
malware
kits,
divide
into
different
bot
families.
Different
func&ons
to
be
enabled,
create
malware
variants.
• Techniques
used
to
bypass
An&virus:
• Code
Metamorphism
• Packer/
Cryptor
/
Binder
• An<-‐Technology
(Protectors)
12. Evolu<on
Considera<ons
…
(Cont.)
12
Bots
Crea<on
Botnet
Spreading
Botnet
Controlling
Botnet
Defending
Botnet
Commerce
Evolving
Upgrade
Setup
“Exploit
Kit
Outposts”
to
infect
computers
and
distribute
malwares
efficiently
• How
to
spread
out
new
vic&ms:
• Bots
automa<cally
exploit
vulnerabili&es,
ex:
Conflicker
bots
(Using
dionaea
honeypot
/
IM
Honeypots/
ssh
honeypots…
to
collect)
• Use
social
engineering
tac&cs
to
trick
users
into
install
malwares
• Spam
Mail:
Send
spam
messages
that
contain
malware
links
to
malware
• Drive-‐by
Downloading:
Web
pages
including
exploits
to
use
specific
browser
vulnerabili&es
to
secretly
install
malware
by
exploit
kits
14. Evolu<on
Considera<ons
…
(Cont.)
14
Bots
Crea<on
Botnet
Spreading
Botnet
Controlling
Botnet
Defending
Botnet
Commerce
Evolving
Upgrade
Bot
Creators
use
many
techniques
to
prevent
from
detected
•
Enable
secure
communica&on
in
IRC
channel
•
Rootkit
Component
•
Scrip&ng
Language
•
Malware
Polymorphism
•
Strong
Cryptography
•
Distributed
Network
Architecture
(P2P
Botnet:
Storm,
Waledac)
15. Evolu<on
Considera<ons
…
(Cont.)
15
Bots
Crea<on
Botnet
Spreading
Botnet
Controlling
Botnet
Defending
Botnet
Commerce
Evolving
Upgrade
Black
market
associated
with
online
communi<es
of
bot-‐herders
and
malware
authors
•
Sell/rent
bots
controlling
network
to
spammers
and
aeackers
•
Sell
collec&ons
of
bots
•
Offer
lists
of
vulnerable
IP
addresses
hos&ng
web
services
•
Sell
“bulletproof”
hosts
for
C&C
server
installa&on
•
Sell
undetectable
u&li&es
such
as
packer,
encryptor,
rootkits,
…
etc.
16. Evolu<on
Considera<ons
…
(Cont.)
16
Bots
Crea<on
Botnet
Spreading
Botnet
Controlling
Botnet
Defending
Botnet
Commerce
Evolving
Upgrade
Adver<sing
in
black
market
featuring
legi<mate
e-‐commerce.
•
Offer
poten&al
buyer
a
free
trial
•
Verified
seller
and
seller
reputa&on
evalua&on
•
Provide
round-‐the-‐clock
technical
support
for
purchasers
•
Scammer
informing
•
Up-‐to-‐date
malware
crea&on
kits
on
sales
•
Wri&ng
tutorials
and
answering
ques&ons
by
newcomers
17. Hack
Forums
for
different
purposes
17
XBOX, PSP, PS3 Hacking Forum
18. Hack
Forums
for
different
purposes
(Cont.)
18
Gaming Hacking and Sharing
In this forum
19. Hack
Forum
for
different
purposes
(Cont.)
19
Cracking and Hacking Forums
22. Botnet
Infrastructure
observa<on
in
2009
2.
Setup
Botnet
C&C
Server
and
fast-‐flux
xxxx.asia
xxxx.asia
xxxx.asia
xxxx.asia
xxxx.asia
1.Register
Domain
xxxx.asia
Botnet
Developer
3.
Bot
Controlling
4.
Sell
botnets
5.Control
botnets
6.
Criminal
Ac<vi<es
inside
Botnets
YouTube
ddos
exploits
downlaod
Phishing
Sites
Click
Informa&on
Stealer
DDOS
Exploits
/
New
malware
SSH
Brute
Flooding
(new
target)
Web
Panel
used
to
show
bots
and
selling
service
Most
IRC-‐Based
Botnet
23. Botnet
Today
23
Botmaster
/
Opera&on
Team
Online
Black
Market
adver<sing
Aeacker/
Spammer
Phisher
buying
Proxy
Domain
Encrypted
Commands
Control
Panel
Exploits
Pool
Control
Infrastructure
=
Fast-‐Flux
+
C&C
Servers
+Exploit
Kits
+
Protect
Mechanisms
Different
C&C,
different
purposes
Venerable
web
applica&ons
Inject
IFrame
into
web
pages
Bots
DDOS
Exploits
/
New
malware
Account
Stealer
Phishing
Sites
Click
Informa&on
Stealer
Malicious
Ac&vi&es
Launch
New
Vic&ms
drive-‐by-‐download
aeack
drive-‐by-‐download
aeack
Automa&cally
vulnerability
Spreading
New
Vic&ms
24. Botnet
Today
(Cont.)
• Most
botnets
assembling
with
exploit
kits
to
fast
spread,
control
and
upgrade
• Evasion
technologies
make
botnet
detec&on
difficult
• Mul&-‐source
logs
on
botnet
scenario
detec&on
• Exploit
kits
analysis
is
essen&al
to
detect
malicious
ac&vi&es
24
30. What
is
exploit
kits
?
• An
exploit
kit
is
a
web
applica&on
that
serves
mul&ple
exploits
through
browsers
or
applica&ons
to
carry
out
automated
drive-‐by-‐
downloading
aeacks
for
malware
distribu&ng.
(Exploit
Driven)
• Web
browser
as
aeack
vector
30
31. Exploit
kits
by
numbers
31
Data
from
MalwareDomainList
Reference:
Exploit
Kits
–
A
Different
View
hep://www.securelist.com/en/analysis/204792160/Exploit_Kits_A_Different_View
1. Phoenix
2. Eleonore
3. Neosploit
32. What
is
exploit
kits
?
(Cont.)
• Exploit
Kits
Components:
v Exploits
Pack
v Install
file
v Configura<on
file
v Database
Schema
v Administra<on
Panel:
• Launch
and
manage
exploits
using
the
central
management
console
• Connect
to
database
for
logging
and
repor&ng
• Upload
malwares
to
vic&ms
• Upload
spam
mail
content
and
recipients
lists
32
33. What
is
Web
Exploit
Kits:
(Cont.)
• Exploit
kits
installed
onto
a
web
server
as
a
web
applica&on
such
as
Apache
+
PHP
+
MySQL
• Special
features
developed
to
present
exploit
kits
author’s
mo&va&on,
most
likely
bypass
AVs
scanning
and
IPS
v Code
obfuscated
v URL
Random
Link
Structure
v Code
Cryptor
v Exploit
rota&on
• The
first
exploit
kit
tool
is
MPack
33
Exploit
Kits
Name
Authors
From
Price
Vulnerability
MPack
(2006.
12)
Russian
Cracker
$500~
$1000
$50~$150
(new!)
MS06-‐014,
MS06-‐006,
MS06-‐044,
ANI
overflow,
XML
Overflow,
WebViewFolderIcon
overflow,
WinZip
Ac&veX
overflow,
QuickTime
overflow
34. 34
CVE-‐2003-‐O111
M503-‐O11
-‐
ByteCode
Verifier
component
flaw
in
Microsov
VM
CVE-‐2004-‐1043
MSOS-‐OO1
HTML
vulnerabili&es
CVE-‐2004-‐0549
MSHTML
IE6
CVE-‐2005-‐2127
COM
Object
Instantaa&on
Memory
Corrup&on
(Msdssdll)
CVE-‐2005-‐2265
FF
CompareTo
MFSA2005-‐50
-‐
Firefox
Install
VersioncompareTo
CVE-‐2005-‐0055
IE
5.01,
5.5,
and
6
DHTML
Method
Heap
Memory
Corrup&on
Vulnerability
CVE-‐2006-‐0003
MDAC
MS06-‐014
for
lE6/Microsov
Data
Access
Components
(MDAC)
Remote
Code
Execu&on
CVE-‐2006-‐0005
FF
EMBED
/
MS06-‐006
MS06-‐006
-‐
Windows
Media
Player
plug-‐in
vulverabiIity
for
Firefox
&
Opera
CVE-‐2006-‐1359
MS06-‐013
-‐
CreateTextRange
CVE-‐2006-‐3643
Microsov
Management
Console
(MMC)
Redirect
Cross-‐Site
Scrip&ng
(XSS)
vulnerability
(IE)
CVE-‐2006-‐3677
Firefox
Jno
/
JNO
Firefox
-‐js
navigator
Object
Code
CVE-‐2006-‐3730
WebViewFolderlcon
(IE)
CVE-‐2006-‐4777
DirectAnima&on
Ac&veX
Controls
Memory
Corrup&on
Vulnerability
CVE-‐2006-‐4868
MSO6-‐055
-‐
Windows
Vector
Markup
Language
Vulnerability
CVE-‐2006-‐5559
IE6
MDAC
MS07-‐009-‐
lE6/Microsov
Data
Access
Components
(MDAC)
Remote
Code
Execu&on
CVE-‐2006-‐5745
Microsov
XML
Core
Services
Vulnerability
CVE-‐2006-‐5820
AOL
SuperBuddy
Ac&veX
Control
LinkSBlcons()
Vulnerability
CVE-‐2006-‐6884
Winzip
FileView
Ac&veX
(IE)
CVE-‐2007-‐0015
Apple
QuickTime
RTSP
URI
(lE)
CVE-‐2007-‐0018
NCTsov
NCTAudioFile2
Ac&veX
Control
Remote
Buffer
Overflow
Vulnerability
CVE-‐2007-‐0024
Vector
Markup
Language
Vulnerability
(IE)
CVE-‐2007-‐0071
FLASH
9
Integer
overflow
in
Adobe
Flash
Player
9
CVE-‐2007-‐0243
JAVA
GIF
PARSE
:
Java
GIF
file
parsing
vulnerability
CVE-‐2007-‐3147/3148
Yahoo!
Messenger
Webcam
(IE)
CVE-‐2007-‐4034
Yahoo!
Widgets
YDP
(IE)
Usually
to
use
known
vulnerabili<es:
35. 35
CVE-‐2007-‐4336
DirectX
-‐
DirectTransform
FlashPix
Ac&veX
(IE)
CVE-‐2007-‐5327
CA
BrightStor
ARCserve
Backup
Mul&ple
VulnerabiIi&es
CVE-‐2007-‐5659/2008-‐0655
collab,
collectEmaillnfo
PDF
Exploit
-‐collab,
collectEmaillnfo
CVE-‐2007-‐5755
AOL
Radio
AmpX
Buffer
Overflow
CVE-‐2007-‐6250
AOL
Radio
AmpX
(AOLMediaPlaybackControl)
Ac&veX
control
vulnerability
CVE-‐2008-‐0015
IE6/IE7
DSHOW
MS09-‐032
DirectX
DirectShow
(IE)
CVE-‐2008-‐1309
RealPlayer
Ac&veX
Control
Console
Property
Memory
Corrup&on
CVE-‐2008-‐2463
M508-‐041
-‐
MS
Access
Snapshot
Viewer
CVE-‐2008-‐2992
PDF
Exploit•
u&l.prin{
CVE-‐2008-‐4844
Iexml
Internet
Explorer
7
XML
Exploit
CVE-‐2008-‐5353
JAVA
JRE
/
Javad0
/
Javado
/
Java
Calendar
/
javaold/JavaSr0
Javad0—JRECalendar
Java
Deserialize
CVE-‐2009-‐0075/0076
IE7
MEMCOR
in
IE7
MS09-‐002
MS09-‐002
-‐
lE7
Memory
Corrup&on
CVE-‐2009-‐0355
Firefoxdiffer
Firefox
-‐
Components/sessionstore/src/nsSessionStore.js
CVE-‐2009-‐0836
PDFOPEN
Adobe
Reader
-‐
Foxit
Reader
PDF
OPEN
CVE-‐2009-‐0927
PDF
collab.getIcon
/
pdf-‐gi
PDF
Exploit-‐
collab.getlcon
CVE-‐2009-‐1136
Spreadsheet
MSO9-‐043
-‐
lE
OWC
Spreadsheet
Ac&veX
control
Memory
Corrup&on
CVE-‐2009-‐1538
MS09-‐028
Microsov
DirectShow
Remote
Code
Execu&on.
CVE-‐2009-‐1671
Java
buffer
overflows
in
the
Deployment
Toolkit
Ac&veX
control
in
deploytk.dll
CVE-‐2009-‐1862
Memory
corrup&on
via
a
craved
Flash
applica&on
in
a
.pdf
file
or
a
craved
.swf
fil
(authplay.dll)
CVE-‐2009-‐1869
Flash
10
Integer
overflow
in
the
AVM2
abcFile
parser
in
Adobe
Flash
Player
CVE-‐2009-‐2477
Firefox
3.5
contains
a
vulnerability
in
TraceMonkey
components
of
Firefox's
JavaScript
engine
CVE-‐2009-‐2477
Mozilla
FF
3.5
Exploit
/
font
tags
Firefox
-‐
Font
tags
CVE-‐2009-‐3269
TELNET
-‐
for
OPERA
9.0
-‐
9.25
or
OPERA
Telnet
for
Opera
Th3270
CVE-‐2009-‐3867
JAVA
GSB
Java
Run&me
Env.
getSoundBank
Stack
BOF
CVE-‐2009-‐3958
download
mgr
buffer
overflows
in
the
NOS
Microsystems
getPlus
Helper
Ac&veX
control
before
1.6.2.49
in
gp.ocx
in
the
Download
Manager
in
Adobe
Reader
and
Acrobat
CVE-‐2009-‐4324
PDF
mediaNewPlayer
/
pdf-‐mp
PDF
Exploit
-‐
docmedianewPlayer
36. 36
CVE-‐2010-‐0188
PDF
Lib&ff
/
Lib
PDF
Exploit
-‐
LibTiff
Integer
Overflow
CVE-‐2010-‐0249
Aurora
se-‐aver-‐free
vulnerability
in
Microsov
Internet
Explorer
6,
6
SP1,
7,
and
8
cve-‐2010-‐0094
Javarmi
Java
Run&me
Environment
component
in
Oracle
Java
SE
CVE-‐2010-‐0806
IEPeers
msiemc
IEPeers
Remote
Code
Execu&on
IE7
Uni&alized
Memory
Corrup&on
CVE-‐2010-‐0840
JAVA
TC
(?)
javagetval
OBE
Trusted
Method
Chaining
-‐
Java
getValue
Remote
Code
Execu&on
CVE-‐2010-‐0842
JAVA
MIDI
Java
OBE
Unspecified
vulnerability
in
the
Sound
component
in
Oracle
Java
SE
and
Java
for
Business
6
Update
18,
5.0
Update
23,
1.4.2_25,
and
1.3.1_27
allows
remote
aeackers
to
affect
confiden&ality,
integrity,
and
availability
via
unknown
vectors.
NOTE:
the
previous
informa&on
was
obtained
from
the
March
2010
CPU.
Oracle
has
not
commented
on
claims
from
a
reliable
researcher
that
this
is
an
uncontrolled
array
index
that
allows
remote
aeackers
to
execute
arbitrary
code
via
a
MIDI
file
with
a
craved
MixerSequencer
object,
related
to
the
GM_Song
structure.
CVE-‐2010-‐0886
JAVA
SMB
/
JAVA
JDT
Java
SMB
/
Java
JDT
in
Oracle
Java
SE
and
Java
for
Business
JDK
and
JRE
6
Upd
10-‐19
*
Requires
xtra
components
CVE-‐2010-‐1240
PDFOPEN
Open/Launch
embedded
exe
via
built
in
func&onality,
ability
to
change
user
prompt
text.
Reported
by
Didier
Stevens.
CVE-‐2010-‐1297
Adobe
PDF
SWF
CVE-‐2010-‐1423
javanew
JWS
Java
Deployment
Toolkit
Remote
Argument
Injec&on
Vulnerability
(Taviso)
CVE-‐2010-‐1818
QuickTime
6.x,
7.x
Read
func&on
in
QTPlugin.ocx
allows
remote
aeackers
to
execute
arbitrary
code
via
the
_Marshaled_pUnk
aeribute
CVE-‐2010-‐1885
HCP
Help
Center
URL
Valida&on
Vulnerability
CVE-‐2010-‐2883
PDF
FONT
/
Cooltype
PDF
Exploit
Adobe
Reader
Stack-‐based
buffer
overflow
in
CoolType.dll
CVE-‐2010-‐2884
Adobe
authplay.dll
Ac&onScript
AVM2
memory
corrup&on
Vulnerability
–
Adobe
Reader
<
9.4.0
–
ALL
Windows
CVE-‐2010-‐3552
JAVA
SKYLINE
Unspecified
vulnerability
in
the
New
Java
Plug-‐in
–
Java
6
<
Update
22
–
IE
Only
–
ALL
Windows
CVE-‐2010-‐3653
The
Director
module
(dirapi.dll)
in
Adobe
Shockwave
Player
CVE-‐2010-‐3962
CSS
Clip
Use-‐aver-‐free
vulnerability
in
Microsov
Internet
Explorer
6,
7,
and
8
CVE-‐2010-‐3971
IE-‐8
css
parser
Use-‐aver-‐free
vulnerability
in
the
CSharedStyleSheet::No&fy
func&on
in
the
Cascading
Style
Sheets
(CSS)
parser
in
mshtml.dll
CVE-‐2010-‐4452
Sun
Java
Applet2ClassLoader
Remote
Code
Execu&on
Exploit
"Java
JSM”
maybe
means
JMS
CVE-‐2010-‐4438
?
OSVDB-‐61964
AOL
9.5
Phobos.Playlist
(Phobos.dll)
Ac&veX
Control
Import
EDB-‐11175
Windows
Media
Player
11
Ac&veX
launchURL()
files
download
37. Case
Study:
Ice-‐Pack
Exploit
• Released
on
2007.06
by
IDT
Group
in
Russian
• A
tool
kit
for
installing
malware
through
exploits
• Allow
automa&c
injec&on
of
malicious
iframes
into
websites
• Price:
v Lite
Edi&on
($30):
only
MS06-‐014
and
MS06-‐006
exploits
v Pla&num
Edi&on
($400)
• Exploits:
v MSIE
6:
MDAC(RDS),
Zenturi,
XML
Core
Services,
VML,
WebViewFolderIcon
v MSIE
7:
x16
v Firefox:
WMF
Firefox
v Opera
9-‐9.20
v Opera
7:
.ANI(animated
cursor)
v QuickTime
overflow
buffer
flow
37
38. Ice-‐Pack
administra&on
panel
38
GENERAL
STATISTICS
FTP
WORK
TOOLS
LOGOUT
OS
Browsers
Loads
Countries
Referers
Clean
Import
Check
Inject
Clean
Iframe
Traffic
Sekng
Scripts
with
FTP
tools
will
automate
iframe
injec<on
into
websites
44. Case
Study:
Phoenix
Exploit
(Cont.)
44
Installa&on
Complete
Phoenix
Exploit
Panel
Samba
Pool
Exploits
Update
45. Case
Study:
Phoenix
Exploit
(Cont.)
45
Bypass
AVs
Scanning
Only
Kit
Owner
can
reach
correct
links
and
filename
Data
to
access
sta<s<cs:
hep://xxx.xxx.xxx.xxx/phoenix/bnyojnxzfsariuatk7.php
Link
for
traffics:
hmp://xxx.xxx.xxx.xxx/phoenix/hscrasg6.php
Name
of
config's
file:
awfpkqynhpgmdqxw.php
Name
of
.exe
file:
epczgvksingvesam.exe
Server-‐Side
Polymorphism
46. Case
Study:
Phoenix
Exploit
(Cont.)
46
Exploits
Sta&s&cs
Opera&on
systems
sta&s&cs
Advanced
browsers
sta&s&cs
Countries
Sta&s&cs
Panel
to
upload
malwares
47. Case
Study:
Phoenix
Exploit
(Cont.)
• Features:
v Password
to
access
administrtor
panel
encoded
in
SHA1
v Detect
OS
and
browsers
to
exploit
• XPIE7:
IE7+WinXP,
IE7+WinXP
SP2,
IE7+Win2003
• VISTAIE7:
IE7+WinVista
• XPIE8:
IE8+WinXP,
IE8+WinXP
SP2,
IE8+Win2003
• VISTAIE8:
IE8+WinVista
• IE:
not
IE7
or
IE8
• WIN7IE:
IE7+Win7
• XPOTHER:
Browser+
WinXP/WinXP
SP2/Win2003
• VISTAOTHER:
Browsers
+
WinVista
•
WIN7OTHER:
Browsers
+
Win7
47
48. Case
Study:
Phoenix
Exploit
(Cont.)
• Exploits
Lists:
v CVE-‐2006-‐0003:
IE
MDAC
v CVE-‐2007-‐0071:
Adobe
Flash
9
v CVE-‐2009-‐1869:
Adobe
Flash
10
v CVE-‐2007-‐5659:
Adobe
Reader
CollectEmailInfo
v CVE-‐2008-‐2992:
Adobe
Reader
u&l.prin{
v CVE-‐2009-‐0927:
Adobe
Reader
Collab
GetIcon
v CVE-‐2009-‐4324:
Adobe
Reader
newPlayer
v CVE-‐2010-‐0188:
Adobe
Reader
LibTiff
v CVE-‐2010-‐1297:
Adobe
PDF
SWF
v CVE-‐2009-‐0836:
Adobe
Reader/Foxit
Reader
PDF
OPEN
v CVE-‐2009-‐3867:
Java
HsbParser.getSoundBank
(GSB)
v CVE-‐2008-‐5353:
Java
Run&me
Environment
(JRE)
v CVE-‐2010-‐0746:
Java
SMB
v CVE-‐2010-‐0806:
IE
iepeers
v CVE-‐2010-‐1885:
Windows
Help
Center
(HCP)
v CVE-‐2008-‐2463
:
IE
SnapShot
Viewer
Ac&veX
• Java
has
become
the
leading
exploit
vector
including
three
Java
exploits
v JAVA
RMI
v JAVA
MIDI
v JAVA
SKYLINE
48
49. Case
Study:
Phoenix
Exploit
(Cont.)
• Exploit
Vulnerability:
CVE-‐2009-‐3867
v
Java
applica&on
using
import
javax.sound.midi.*
v an
error
in
the
implementa&on
of
the
HsbParser.getSoundBank
func&on
that
can
be
exploited
to
result
in
a
stack-‐based
buffer
overflow.
49
50. Exploit
Kits
Analysis
(The
First
Step
is
to
find
possible
landing
pages)
50
• Unknow
• Tor
• Target-‐Exploit
• Smart
pack
• RDS
• My
poly
sploit
• mul<sploit
• mypack-‐009
• mypack-‐091
• mypack-‐086
• mypack-‐081
• Mpack0.91
• Infector
• Ice-‐pack-‐1
• G-‐pack
• Firepack
-‐1
• Fiesta
• Cry
217
• Armitage
• Adpack
-‐1
• Blackhole
• Spyeye
• Phonix
• Open
Source
exploit
kit
• Neosploit
• Zues
• Crimepack
URL
Structure
Iden<ty
Exploits
Collec<on
The
Order
of
Exploits
Suppor<ng
Func<ons
Web
Page
Web
Page
Web
Page
Web
Page
Web
Page
Web
Page
Web
Page
Web
Page
Web
Page
Web
Page
Web
Page
Web
Page
Web
Page
Web
Page
Web
Page
Web
Page
Web
Page
Tes&ng
Mapping
55. Exploit
Kits
Analysis
(Cont.)
The
Order
of
Exploits
55
Order
of
explots
browser:
• hep://xxx.in/cgi-‐bin/azz
• hep://xxx.in/cgi-‐bin/etn
• hep://xxx.in/cgi-‐bin/gjj
• hep://xxx.in/cgi-‐bin/gyw
• hep://xxx.in/cgi-‐bin/io
• hep://xxx.in/cgi-‐bin/iok
• hep://xxx.in/cgi-‐bin/ion
• hep://xxx.in/cgi-‐bin/ip
• hep://xxx.in/cgi-‐bin/jjo
Exploit
Pack
IE
MS06-‐006
Winzip
MS06-‐014
MS06-‐057
JAVA
JRE
Firefox
MS06-‐006
Opera
Quick&me
MS06-‐006
56. Exploit
Kits
Analysis
(Cont.)
Suppor<ng
Func<ons
• Code
obfusca<on
are
composed:
v Encrypt
/
Decryptor
• Base
64
Encoding
• Dean
Edwards
packer
• String
splits
• Gzip
Encoding
• Custom
Encoders
•
ionCube
Loader:
a
PHP
extension
that
works
to
decode
PHP
scripts
previously
encoded
by
the
ionCube
PHP
Encoder
package
v Mul&-‐level
Loop
based
on
algorithm
• An<-‐Authen<ca<on
Bypass
• Self-‐Cryptor
Algorithm
• ….
56
57. How Exploit Kits Bring Money In
1. Kits
and
vic&ms
ren&ng
2.Steal
cri&cal
informa&on
3.Sending
spam
Control
Panel
Exploit
Kit
Creator
Exploit
Kit
Operator
Botnet
Herders,
Spammers
Underground
Criminals
Online
Black
Market
Kits
adver&sing
Vic<ms
adver<sing
Buy
malicious
ac&vity
ex:DDOS
Buy
cri&cal
informa&on
Pay
for
exploit
kits
(100USD~1000USD)
1.
Pay
for
traffic
providers
to
click
exploit
codes
2.
Pay
for
install
third
party
sovwares
• Spambots
• Informa&on
stealers
like
Zeus
• Password
stealers
• Fake
AVs
Service
Traffic
Providers
(Click
Fraud)
Pay-‐Per-‐Install
Operator
Pay
for
generic
malware
func&ons
ex:
cryptors
Pay
for
installa&on
of
malicious
applica&on,
such
Fake
AV
58. Pay-‐per-‐Install
• One
of
the
business
models
by
which
an
affiliate
system
provides
a
set
of
"clients”
• Paying
each
a
percentage
of
money
as
a
commission
for
each
installa&on
the
malicious
applica&on
successful.
58
60. The
Trend
of
Exploit
Kits:
• Easy
to
find
exploits
kits
adver&sements
in
black
markets
• Install
exploit
kits
on
free
or
cheap
hos&ng
services
• Kits
author
keeps
to
upgrade,
bug
fixed
and
support
on
exploit
kits
by
adding
new
exploits
• Java/Browser/PDF/Flash
are
major
vulnerabili&es
to
be
infected.
• Using
a
complicated
obfusca&on
to
handle
AVs
and
IPSs
• Combine
with
SEO
poisoning
• Increase
the
probability
of
successful
when
mul&ple
exploits
are
used
against
dissimilar
targets.
60
61. Conclusions:
• Botnet
and
exploit
kits
are
closely
related.
• Exploit
kits
detec&on
is
essen&al
to
eliminate
botnet
threats
• How
exploit
kits
work:
v
Inject
HTML
iframe/Scripts
into
web
pages
v
Embed
HTML
iframe
in
spam
mail
v
Exploi&ng
Un-‐patched
vulnerabli&es
v
Drive-‐by-‐download
install
malware
• Hope
to
rise
exploit
kits
threat
to
all
par&cipants.
61
62. References
• Web
Exploits:
There's
an
App
for
That
v hep://www.google.com.tw/url?sa=t&source=web&cd=1&ved=0CBgQFjAA&url=hep%3A%2F
%2Fwww.m86security.com%2Fdocuments%2Fpdfs%2Fsecurity_labs
%2Fm86_web_exploits_report.pdf&ei=2XEkTsiDNcromAWzpvGcAw&usg=AFQjCNGennJqF62s
uQXrvXgXmRMn9f4Dfw&sig2=WNzmg6BN6O5WuY43KALYg
• Modern
Botnets:
A
Survey
and
Future
DirecCons
v hep://docs.karamatli.com/paper/karamatli-‐modern_botnets.pdf
• Volume
9.
January
through
June
2010.
Microsos
|
Security
Intelligence
Report
v download.microsov.com/download/8/1/B/81B3A25C-‐95A1-‐4BCD-‐88A4-‐2D3D0406CDEF/
Microsov_Security_Intelligence_Report_volume_9_Jan-‐June2010_English.pdf
• Exploit
Kits:
A
different
View
v hep://www.securelist.com/en/analysis/204792160/Exploit_Kits_A_Different_View
• Phoenix
Exploit
Kit
(2.4)
-‐
Infec<on
Analysis
v hep://secniche.blogspot.com/2010/10/phoenix-‐exploit-‐kit-‐24-‐analysis.html
• Phoenix
Exploit’s
Kit
From
the
mythology
to
a
criminal
business
v hep://www.malwareint.com/docs/pek-‐analysis-‐en.pdf
62