Date posted: 09-Jan-2017
Category: Technology
Uploaded by: cysinfo-cyber-security-community
Anatomy of Exploit Kits
Sameer Patil (sameerpatilms@gmail.com)
SecurityXploded
Content
- Exploit Kit Introduction
- Phases
- Exploits used
- Access Filters
- Detection
- Analysis of exploits

Exploit Kits
- Fiesta, FlashPack, Magnitude, Rig, Nuclear, Angler, Sweet Orange, Neutrino

Exploit Kit Naming

Phases
- Compromised site -> Redirector -> Landing page -> Post-infection traffic
Compromised sites
- LFI in the RevSlider plugin of WordPress:
  http://[compromised.com]/wp-admin/admin-ajax.php?action=revslider_show_image&img=wp-config.php
- XSS in the Simple Security WordPress plugin (CVE-2014-9570):
  http://[compromised.com]/wp-admin/users.php?page=access_log&datefilter=%27%22%3E%3Cscript%3Ealert%28HACKED%29%3C/script%3E
- Drupal SQL Injection
- CDN reference compromise (e.g. Operation Poisoned Helmand)
- Iframe Injectors

Compromised sites (examples)
- www.soyentrepreneur.com/assets/js/funcionesCarga.js
- www.mediaorpi.com/js/scripts.js
Redirector (Obfuscated)

Redirector (after deobfuscating)
- It checks whether the Silverlight plugin is installed by creating the ActiveX object
  ActiveXObject("AgControl.AgControl")
- The presence of the Flash plugin is checked by creating the object
  swfobject.embedSWF()
- Antivirus detection: the script exits if any of these driver files is present
  if( chavs("kl1.sys") || chavs("tmciesc.sys") || chavs("tmtdi.sys") || chavs("tmactmon.sys") || chavs("TMEBC32.sys") || chavs("tmeext.sys") || chavs("tmconn.sys") || chavs("tmevtmgr.sys") ) exit()
Landing Page
- Malicious files are downloaded from http://jxlpaianlarin

Post-Infection
- Banking frauds, spying, information stealing, click-fraud activities
Exploits used
- IE: CVE-2014-0322 (zero day), CVE-2014-0324 (zero day), CVE-2014-6332, CVE-2013-2551, CVE-2013-3918, CVE-2013-7331
- Java: CVE-2013-2460, CVE-2013-2465, CVE-2012-1723, CVE-2012-0507, CVE-2013-0422 (zero day)
- Flash: CVE-2014-8440, CVE-2014-0556, CVE-2014-0569, CVE-2014-0515, CVE-2014-8439, CVE-2014-0502 (zero day), CVE-2015- (zero day)
- Silverlight: CVE-2013-0074, CVE-2013-3896
- PDF: CVE-2010-0188

Access Filters
- Request with no referrer
- Block IP addresses
- Non-Windows traffic
- User Agent access
- Plugin-Detect scripts
- URL blacklist checks
Detection
- Obfuscation in JS
- Signatures for specific CVEs
- User Agent strings
- URL patterns:
  <domain>/index.php?req=mp3&num=37&PHPSSESID=
  <domain>/index.php?req=swf&num=8413&PHPSSESID=
  <domain>/index.php?req=xap&PHPSSESID=
  <domain>/1.php?r
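An added example, not part of the slides, of turning the URL patterns above into a proxy-log check: it matches the index.php?req=...&PHPSSESID= shape and groups hits per client and landing host, so a client fetching several payload types from one host stands out. The log format, host names and log lines are constructed for the example.

```python
"""Proxy-log check for the exploit-kit landing-page URL pattern shown on the
Detection slide.  Added example, not from the original deck; log format,
host names and log lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Values of "req" seen in the slide's URL patterns.  swf and xap are the
# file types of Flash and Silverlight content; mp3 is listed on the slide.
REQ_TYPES = {"mp3", "swf", "xap"}

# Note the parameter name: PHPSSESID, not PHP's genuine PHPSESSID.  The
# misspelling is what makes the name worth a signature on its own.
SESSION_PARAM = "PHPSSESID"


def classify_url(url):
    """Return a dict describing the request if it matches the landing-page
    pattern <domain>/index.php?req=<type>[&num=N]&PHPSSESID=..., else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if SESSION_PARAM not in query or "req" not in query:
        return None
    req = query["req"][0]
    if req not in REQ_TYPES:
        return None
    return {
        "host": parts.hostname,
        "req": req,
        "num": query.get("num", [None])[0],
        "session": query[SESSION_PARAM][0],
    }


# Constructed log format: "<client> <method> <url> <referer>" ('-' = none)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_proxy_log(lines):
    """Return one hit per log line whose URL matches the landing-page pattern."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, _method, url, referer = m.groups()
        info = classify_url(url)
        if info is None:
            continue
        info["client"] = client
        # Kits drop referrer-less requests (see Access Filters), so a real
        # victim normally arrives with the compromised site or redirector
        # as referer; keep it for the chain reconstruction.
        info["referer"] = None if referer == "-" else referer
        hits.append(info)
    return hits


def summarize(hits):
    """Group hits by client and landing host.  Several different req types
    from one client against one host is the plugin-by-plugin delivery the
    slides describe and is a stronger indicator than a single request."""
    chains = defaultdict(set)
    for h in hits:
        chains[(h["client"], h["host"])].add(h["req"])
    return {
        client: {"host": host, "req_types": sorted(types)}
        for (client, host), types in chains.items()
    }


# Constructed sample: one client walks a compromised page, then a landing
# host with two payload types; another client uses the real PHPSESSID name.
SAMPLE_LOG = """\
10.0.0.5 GET http://compromised-site.test/assets/js/funcionesCarga.js http://compromised-site.test/
10.0.0.5 GET http://ek-landing.test/index.php?req=swf&num=8413&PHPSSESID=abc123 http://compromised-site.test/
10.0.0.5 GET http://ek-landing.test/index.php?req=xap&PHPSSESID=abc123 http://compromised-site.test/
10.0.0.7 GET http://shop.test/index.php?req=mp3&num=37&PHPSESSID=def456 -
10.0.0.9 GET http://cdn.test/static/player.swf http://site.test/
"""

if __name__ == "__main__":
    for client, chain in summarize(scan_proxy_log(SAMPLE_LOG.splitlines())).items():
        print(client, chain)
```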
Demo
- Java Exploit: CVE-2013-2465
- JavaScript deobfuscation

Flash Exploit CVE-2014-0515
- Vector<int> array of size 0x90 bytes
- Vector size resized to 0, resulting in holes between vector objects
- Vulnerability exploited: memory corruption
- Spraying FileReference objects
- Modify the FileReference object's function pointer table
- cancel() is called -> call to VirtualProtect()

Vector<Int> Object Memory Layout
(Source: HP Security Blog)

DPBG tool

References
- CVE-2013-2465 Java Exploit
- Java obfuscators
- PixelBender Exploit
- Malware don't need Coffee
- Malware Traffic Analysis

Thank You