EKFiddle: a framework to study Exploit Kits
Jérôme Segura, @jeromesegura, Lead Malware Intelligence Analyst
BSides Vancouver, March 13-14 2017
Agenda
•Quick primer on Exploit Kits and drive-by downloads
•Tools to view and capture malicious traffic
•Introducing EKFiddle for the Fiddler web debugger
•Researching and cataloging EKs with EKFiddle
Exploit Kits: a quick definition
An exploit kit is a set of tools designed to facilitate the exploitation of client-side vulnerabilities most commonly found in browsers and their plugins in order to execute malicious code on end users’ machines.
Exploit Kits: basic flow
Landing page -> Exploits -> Payload
Exploit Kits: some names
•Angler EK (defunct)
•Nuclear Pack (defunct)
•Astrum EK
•RIG EK
•Neutrino EK
•Sundown EK
•Magnitude EK
Drive-by campaigns: traffic to exploit kits
•Compromised websites
•EITest, Pseudo-Darkleech
•Malvertising
•[ insert various ad networks here ]
Compromised sites and Exploit Kits
Legitimate site -> Gate (optional) -> Exploit Kit -> Malware
Malvertising and Exploit Kits
Malicious ad -> Gate (optional) -> Exploit Kit -> Malware
Tools for traffic analysis
•Full packet capture (tcpdump, Wireshark, etc.)
•Security Suites (Security Onion)
•IDS/IPS (Suricata)
•HTTP/S (Fiddler, Charles, etc.)
What about EK traffic only?
•Full packet captures are nice but not required
•A web debugger makes it easier to inspect and replay web traffic
•Personal preference?
EKFiddle
•Based on Telerik’s Fiddler Web Debugger
•Multi-OS compatibility via C# CustomRules
•Extends Fiddler’s ContextAction
•Adds support for custom EK regexes
The standard Fiddler UI
Extend Fiddler’s UI with EKFiddle
Set up EKFiddle: Install Fiddler
•Download and install the latest version of Fiddler from
http://www.telerik.com/fiddler
•For Mac and Linux, you will need to set up the Mono framework first
http://www.telerik.com/blogs/introducing-fiddler-for-os-x-beta-1
http://www.telerik.com/blogs/fiddler-for-linux-beta-is-here
Download EKFiddle (CustomRules.cs)
•Download/clone CustomRules.cs from the GitHub page
https://github.com/malwareinfosec/EKFiddle
• Windows (7/10): C:\Users\[username]\Documents\Fiddler2\Scripts
• Ubuntu: /home/[username]/Fiddler2/Scripts/
• Mac: /Users/[username]/Fiddler2/Scripts/
Change the default Text Editor (optional)
(Tools -> Telerik Fiddler options -> Tools)
Change the default scripting language to C#
(Windows only: Tools -> Telerik Fiddler options -> Scripting)
Finalize EKFiddle’s installation
Get traffic captures
• Malware Traffic Analysis (PCAPs) http://www.malware-traffic-analysis.net/
• Broad Analysis (PCAPs) http://www.broadanalysis.com/
• PacketTotal (PCAPs) https://www.packettotal.com/
• Malware Don’t Need Coffee (SAZ) http://malware.dontneedcoffee.com/
• VirusTotal (need API) https://www.virustotal.com/
Import traffic captures
Main features: ContextAction items
•A list of useful ‘shortcuts’
•Designed to collect IOCs and artifacts
•Inspect each session and create signatures
Check Host (pDNS, Whois) on VT
Check IP (Geo, pDNS) on VT
Extract IOCs
Extract artifacts
Main features: Regular expressions
•Regex matching in 3 different ways:
•URL patterns (URLRegexes.txt)
•Source code patterns (SourceCodeRegexes.txt)
•Server Headers patterns (HeadersRegexes.txt)
Build URL Regex (paste from clipboard)
Build source code Regex (paste from clipboard)
View/edit Regexes
Save Regexes
•One signature per line: [Name of sig] TAB [regex]
Run Regexes against traffic
Visualize results
•Each matched session is colour coded and commented
•Malware type (Landing Page, Flash Exploit, Malware Payload) is ‘guessed’ automatically
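The matching loop described in the two feature sections above (the ContextAction items that extract IOCs, and the three regex files run against traffic), as an added stand-alone example that is not EKFiddle's own C# FiddlerScript: a Python script that loads signatures in the same "[Name of sig] TAB [regex]" format, runs URL, source-code and header patterns over a few constructed HTTP sessions, comments and colour-codes each hit with a guessed type, and pulls host, URL and payload hash IOCs from the matched sessions. The signature names and patterns, the sample sessions, the colour mapping and the type-guessing heuristic are all assumptions made for this example, not EKFiddle's shipped rules.

```python
# Added example: a stand-alone re-implementation of EKFiddle's matching loop.
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Signature files in EKFiddle's format, one "[Name of sig] TAB [regex]" per
# line. Names and patterns are constructed for this example, not real rules.
URL_REGEXES = (
    "Example_Gate_URL\t^https?://[^/]+/\\?[a-z]{5}=\\d{5}$\n"
    "Example_Landing_URL\t/[a-z0-9]{8}\\.php\\?(?:id|q)=\\d+\n"
)
SOURCE_CODE_REGEXES = "Example_Landing_JS\tString\\.fromCharCode\\(\n"
HEADERS_REGEXES = "Example_Payload_Server\t(?im)^Server:\\s*nginx/0\\.7\\.\\d+\\s*$\n"

COLORS = {"Redirect": "blue", "Landing Page": "yellow", "Flash Exploit": "orange",
          "Malware Payload": "red", "Unknown": "gray"}  # my palette, not EKFiddle's

@dataclass
class Session:          # minimal stand-in for a Fiddler session
    url: str
    headers: str        # raw response headers
    body: bytes         # raw response body
    comment: str = ""   # EKFiddle writes the signature name here
    color: str = ""     # and colour-codes the row

def load_regexes(text):
    """Parse '[name] TAB [regex]' lines; reject malformed lines loudly."""
    sigs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if "\t" not in line:
            raise ValueError(f"line {lineno}: expected '[name] TAB [regex]'")
        name, pattern = line.split("\t", 1)
        sigs.append((name.strip(), re.compile(pattern)))
    return sigs

def guess_type(s):
    """Heuristic stand-in for EKFiddle's automatic labelling (assumption)."""
    if s.body[:2] == b"MZ":
        return "Malware Payload"
    if s.body[:3] in (b"CWS", b"FWS", b"ZWS"):   # Flash magic bytes
        return "Flash Exploit"
    if re.match(r"HTTP/\d\.\d 3\d\d", s.headers):
        return "Redirect"
    if re.search(r"(?im)^Content-Type:\s*text/html", s.headers):
        return "Landing Page"
    return "Unknown"

def run_regexes(sessions, url_sigs, src_sigs, hdr_sigs):
    """URL, then source-code, then header signatures; first match wins."""
    hits = []
    for s in sessions:
        text = s.body.decode("latin-1")   # lenient decode for binaries
        for sigs, haystack in ((url_sigs, s.url), (src_sigs, text),
                               (hdr_sigs, s.headers)):
            name = next((n for n, rx in sigs if rx.search(haystack)), None)
            if name:
                kind = guess_type(s)
                s.comment, s.color = f"{name} ({kind})", COLORS[kind]
                hits.append((s.url, name, kind))
                break
    return hits

def extract_iocs(sessions):
    """Host, URL and (for PE payloads) SHA-256 of every matched session."""
    iocs = []
    for s in sessions:
        if not s.comment:
            continue
        ioc = {"host": urlsplit(s.url).hostname or "", "url": s.url,
               "signature": s.comment}
        if s.body[:2] == b"MZ":
            ioc["sha256"] = hashlib.sha256(s.body).hexdigest()
        iocs.append(ioc)
    return iocs

def sample_sessions():
    """Four constructed sessions: clean page, gate, landing page, payload."""
    html = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    return [
        Session("http://legit-blog.example/index.html", html,
                b"<html><body>Hello</body></html>"),
        Session("http://gate.example/?abcde=12345",
                "HTTP/1.1 302 Found\r\nLocation: http://ek.example/x.php\r\n", b""),
        Session("http://ek.example/a1b2c3d4.php?id=7", html,
                b"<script>eval(String.fromCharCode(118,97,114))</script>"),
        Session("http://ek.example/payload.bin",
                "HTTP/1.1 200 OK\r\nServer: nginx/0.7.65\r\n"
                "Content-Type: application/octet-stream\r\n",
                b"MZ\x90\x00" + b"\x00" * 60),
    ]

def analyze(sessions):
    sigs = [load_regexes(t) for t in
            (URL_REGEXES, SOURCE_CODE_REGEXES, HEADERS_REGEXES)]
    return run_regexes(sessions, *sigs), extract_iocs(sessions)
```

Calling `analyze(sample_sessions())` tags the gate, landing page and payload sessions and leaves the clean page untouched; the first signature to match a session wins, so a session that hits both a URL and a source-code pattern is only reported under the URL one, which is worth keeping in mind when ordering rules in the files.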
Demo
Recap
•EKFiddle extends the Fiddler web debugger for EK analysis
•Get it here: https://github.com/malwareinfosec/EKFiddle
•Questions? @jeromesegura
Thank You!