EKFiddle: a framework to study Exploit Kits
1. EKFiddle: a framework to study Exploit Kits
Jérôme Segura, @jeromesegura, Lead Malware Intelligence Analyst
BSides Vancouver March 13-14 2017
2. Agenda
•Quick primer on Exploit Kits and drive-by downloads
•Tools to view and capture malicious traffic
•Introducing EKFiddle for the Fiddler web debugger
•Researching and cataloging EKs with EKFiddle
3. Exploit Kits: a quick definition
An exploit kit is a set of tools designed to facilitate the exploitation of client-side vulnerabilities, most commonly found in browsers and their plugins, in order to execute malicious code on end users' machines.
10. What about EK traffic only?
•Full packet captures are nice but not required
•Web debugger easier to inspect/replay web traffic
•Personal preference?
11. EKFiddle
•Based on Telerik’s Fiddler Web Debugger
•Multi OS compatibility via C# CustomRules
•Extends Fiddler’s ContextAction
•Adds support for custom EK regexes
14. Set up EKFiddle: Install Fiddler
•Download and install the latest version of Fiddler from http://www.telerik.com/fiddler
•For Mac and Linux, you will need to set up the Mono framework first
http://www.telerik.com/blogs/introducing-fiddler-for-os-x-beta-1
http://www.telerik.com/blogs/fiddler-for-linux-beta-is-here
15. Download EKFiddle (CustomRules.cs)
•Download/clone CustomRules.cs from the GitHub page
https://github.com/malwareinfosec/EKFiddle
•Windows (7/10)
C:\Users\[username]\Documents\Fiddler2\Scripts\
•Ubuntu
/home/[username]/Fiddler2/Scripts/
•Mac
/Users/[username]/Fiddler2/Scripts/
16. Change the default Text Editor (optional)
(Tools -> Telerik Fiddler options -> Tools)
17. Change the default scripting language to C#
(Windows only: Tools -> Telerik Fiddler options -> Scripting)
21. Main features: ContextAction items
•A list of useful ‘shortcuts’
•Designed to collect IOCs and artifacts
•Inspect each session and create signatures
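The two mechanisms slides 11 and 21 rely on, a custom regex list applied to each session and a ContextAction that collects the flagged sessions, look like this in a FiddlerScript rules file. This is an added example written for these notes, not the EKFiddle project's CustomRules.cs. The Fiddler API names used (the `ContextAction` attribute, `OnBeforeResponse`, `utilDecodeResponse`, the `ui-backcolor`/`ui-color`/`ui-comments` session flags, `FiddlerObject.alert`) are the documented FiddlerScript ones; the two signatures are constructed placeholders, not real exploit-kit patterns, and the `Signature` class and `MatchSession`/`DoSummarizeHits` methods are hypothetical names chosen here.

```csharp
// Added example (not EKFiddle's own CustomRules.cs): a minimal C# FiddlerScript
// rules file that flags sessions matching custom regexes and exposes a
// right-click ContextAction to summarize the hits. Signatures are constructed.
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;
using Fiddler;

namespace Fiddler
{
    public static class Handlers
    {
        // Hypothetical signature record: a regex applied either to the full
        // URL ("url") or to the decoded response body ("body").
        private class Signature
        {
            public string Name;
            public string Scope;
            public Regex Pattern;
        }

        // Constructed placeholder patterns; replace with real signatures.
        private static readonly List<Signature> Signatures = new List<Signature>
        {
            new Signature {
                Name = "Example-EK landing (constructed)", Scope = "url",
                Pattern = new Regex(@"/[a-z]{8}\.php\?[a-z]{3}=\d{5}$", RegexOptions.Compiled) },
            new Signature {
                Name = "Example-EK gate (constructed)", Scope = "body",
                Pattern = new Regex(@"<iframe[^>]+width=[""']?1[""']?[^>]+height=[""']?1[""']?",
                                    RegexOptions.IgnoreCase | RegexOptions.Compiled) },
        };

        // Fiddler calls this once per response. A match colours the row in the
        // session list and records the signature name in the Comments column.
        public static void OnBeforeResponse(Session oSession)
        {
            string hit = MatchSession(oSession);
            if (hit == null) return;
            oSession["ui-backcolor"] = "MistyRose";
            oSession["ui-color"] = "black";
            oSession["ui-comments"] = hit;
            FiddlerApplication.Log.LogString("EK match: " + hit + " " + oSession.fullUrl);
        }

        // Returns the name of the first matching signature, or null.
        // Body regexes are only run on HTML/JavaScript responses, after
        // decoding, so gzip/chunked bodies are matched as text.
        public static string MatchSession(Session oSession)
        {
            foreach (Signature sig in Signatures)
            {
                if (sig.Scope == "url")
                {
                    if (sig.Pattern.IsMatch(oSession.fullUrl)) return sig.Name;
                    continue;
                }
                if (!oSession.bHasResponse) continue;
                string mime = oSession.oResponse.MIMEType ?? "";
                if (mime.IndexOf("html", StringComparison.OrdinalIgnoreCase) < 0 &&
                    mime.IndexOf("javascript", StringComparison.OrdinalIgnoreCase) < 0) continue;
                oSession.utilDecodeResponse();
                if (sig.Pattern.IsMatch(oSession.GetResponseBodyAsString())) return sig.Name;
            }
            return null;
        }

        // Right-click menu item: list signature, host and URL for every
        // selected session that was flagged, as a quick IOC export.
        [ContextAction("Summarize EK hits")]
        public static void DoSummarizeHits(Session[] arrSessions)
        {
            StringBuilder sb = new StringBuilder();
            foreach (Session s in arrSessions)
            {
                string tag = s["ui-comments"];
                if (String.IsNullOrEmpty(tag)) continue;
                sb.AppendLine(tag + "\t" + s.hostname + "\t" + s.fullUrl);
            }
            FiddlerObject.alert(sb.Length == 0 ? "No flagged sessions selected." : sb.ToString());
        }
    }
}
```

The file belongs in the Scripts folder named on slide 15, with Fiddler's scripting language set to C# (slide 17). Body regexes are the expensive part, so the MIME filter above keeps them off images and binaries; URL-only signatures stay cheap enough to run on every session.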
34. Recap
•EKFiddle extends the Fiddler web debugger for EK analysis
•Get it here: https://github.com/malwareinfosec/EKFiddle
•Questions? @jeromesegura