Anatomy of Exploit Kits

Sameer Patil, SecurityXploded

Date post: 09-Jan-2017

Content

• Exploit Kit Introduction
• Phases
• Exploits used
• Access Filters
• Detection
• Analysis of exploits

Exploit Kits

• Fiesta
• FlashPack
• Magnitude
• Rig
• Nuclear
• Angler
• Sweet Orange
• Neutrino

Exploit Kit Naming

Phases

• Compromised site
• Redirector
• Landing page
• Post-infection traffic

Compromised sites

• LFI in RevSlider plugin of WordPress:
  http://[compromised.com]/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
• XSS in Simple Security WordPress plugin (CVE-2014-9570):
  http://[compromised.com]/wp-admin/users.php?page=access_log&datefilter=%27%22%3E%3Cscript%3Ealert%28HACKED%29%3C/script%3E
• Drupal SQL Injection
• CDN reference compromise (e.g. Operation Poisoned Helmand)
• Iframe Injectors

Compromised sites (2)

• www.soyentrepreneur.com/assets/js/funcionesCarga.js
• www.mediaorpi.com/js/scripts.js

Redirector (Obfuscated)

Redirector (after deobfuscating)

• It checks whether the Silverlight plugin is installed by creating the following ActiveXObject: new ActiveXObject("AgControl.AgControl")
• The presence of the Flash plugin is ensured by calling swfobject.embedSWF()
• Antivirus detection: the script exits if any of the following driver files is present:

  if( chavs("kl1.sys") || chavs("tmciesc.sys") || chavs("tmtdi.sys") || chavs("tmactmon.sys") || chavs("TMEBC32.sys") || chavs("tmeext.sys") || chavs("tmconn.sys") || chavs("tmevtmgr.sys") ) exit();
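As an added example (not code from the talk), a small Python scanner that flags JavaScript resembling the deobfuscated redirector above: it looks for the Silverlight and Flash probes and for the security-driver name check that precedes exit(). The two sample scripts are constructed, the indicator weights are an assumption, and chavs is only matched by name, never implemented.

```python
"""Flag JavaScript that behaves like the deobfuscated exploit-kit redirector in
the talk: it probes for Silverlight/Flash and bails out when security-product
drivers are present.  Added example, not code from the talk."""
import re
from dataclasses import dataclass, field

# Driver file names the redirector tests for (taken from the slide).
AV_DRIVERS = ("kl1.sys", "tmciesc.sys", "tmtdi.sys", "tmactmon.sys",
              "TMEBC32.sys", "tmeext.sys", "tmconn.sys", "tmevtmgr.sys")

# (indicator name, regex, weight).  Weights are an assumption for this example.
INDICATORS = [
    ("silverlight_probe",
     re.compile(r'ActiveXObject\s*\(\s*["\']AgControl\.AgControl["\']\s*\)'), 2),
    ("flash_probe", re.compile(r'swfobject\s*\.\s*embedSWF\s*\('), 1),
    ("av_driver_check",
     re.compile("|".join(re.escape(d) for d in AV_DRIVERS), re.IGNORECASE), 3),
    # "... ) exit()" right after the driver checks: abort when AV is present.
    ("exit_on_av", re.compile(r'\)\s*exit\s*\(\s*\)'), 1),
]


@dataclass
class Verdict:
    score: int = 0
    hits: dict = field(default_factory=dict)      # indicator -> match count
    drivers: list = field(default_factory=list)   # driver names seen in the script


def scan_script(js):
    """Score one script body against the redirector indicators."""
    v = Verdict()
    for name, rx, weight in INDICATORS:
        count = len(rx.findall(js))
        if count:
            v.hits[name] = count
            v.score += weight
    lowered = js.lower()
    v.drivers = [d for d in AV_DRIVERS if d.lower() in lowered]
    return v


def is_suspicious(js, threshold=4):
    """A lone Flash embed is normal; plugin probes plus AV checks are not."""
    return scan_script(js).score >= threshold


# Constructed sample modelled on the deobfuscated redirector shown in the talk.
SAMPLE_REDIRECTOR = '''
var sl = false;
try { new ActiveXObject("AgControl.AgControl"); sl = true; } catch (e) {}
swfobject.embedSWF("movie.swf", "c", "1", "1", "9.0.0");
if( chavs("kl1.sys") || chavs("tmciesc.sys") || chavs("tmtdi.sys") ||
    chavs("tmactmon.sys") || chavs("TMEBC32.sys") || chavs("tmeext.sys") ||
    chavs("tmconn.sys") || chavs("tmevtmgr.sys") ) exit();
'''

# Constructed benign page: a normal Flash embed must stay below the threshold.
SAMPLE_BENIGN = '''
swfobject.embedSWF("player.swf", "video", "640", "360", "10.0.0");
'''

if __name__ == "__main__":
    for label, js in (("redirector", SAMPLE_REDIRECTOR), ("benign", SAMPLE_BENIGN)):
        v = scan_script(js)
        print(label, v.score, v.hits, v.drivers, is_suspicious(js))
```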

Landing Page

• Downloads malicious files from httpjxlpaianlarin

Post-Infection

• Banking Frauds
• Spying
• Information Stealing
• Click Fraud activities

Exploits used

• IE: CVE-2014-0322 (zero day), CVE-2014-0324 (zero day), CVE-2014-6332, CVE-2013-2551, CVE-2013-3918, CVE-2013-7331
• Java: CVE-2013-2460, CVE-2013-2465, CVE-2012-1723, CVE-2012-0507, CVE-2013-0422 (zero day)
• Flash: CVE-2014-8440, CVE-2014-0556, CVE-2014-0569, CVE-2014-0515, CVE-2014-8439, CVE-2014-0502 (zero day), CVE-2015- (zero day)
• Silverlight: CVE-2013-0074, CVE-2013-3896
• PDF: CVE-2010-0188

Access Filters

• Request with no referrer
• Block IP addresses
• Non-Windows traffic
• User Agent access
• Plugin-Detect scripts
• URL blacklist checks

Detection

• Obfuscation in JS
• Signatures for specific CVEs
• User Agent strings
• URL patterns:
  <domain>/index.php?req=mp3&num=37&PHPSSESID=
  <domain>/index.php?req=swf&num=8413&PHPSSESID=
  <domain>/index.php?req=xap&PHPSSESID=
  <domain>/1.php?r
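As an added example (not part of the talk), a Python matcher that runs the URL patterns from the Detection slide over web-proxy log lines. The log lines and their format are constructed; the rule for the truncated <domain>/1.php?r pattern assumes that r is a query-parameter name.

```python
"""Match web-proxy log lines against the exploit-kit URL patterns listed on the
Detection slide.  Added example; the log lines below are constructed."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Values the slide shows after req= on the landing-page URLs.
REQ_TYPES = {"mp3", "swf", "xap"}
# Session parameter exactly as spelled on the slide.  PHP's own session
# parameter is PHPSESSID, so this misspelling is itself a strong signature.
SESSION_PARAM = "PHPSSESID"

# Constructed line format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_url(url):
    """Return a short reason when the URL matches a slide pattern, else None."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.endswith("/index.php") and SESSION_PARAM in qs:
        req = qs.get("req", [""])[0]
        if req in REQ_TYPES:
            return "index.php req=%s with %s" % (req, SESSION_PARAM)
    # The slide's last pattern is truncated to "1.php?r"; assumption: "r" is a
    # query parameter name.
    if parts.path.endswith("/1.php") and "r" in qs:
        return "1.php?r=..."
    return None


def scan_log(lines):
    """Return a list of (client, host, reason) for every line whose URL matches."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        reason = classify_url(m["url"])
        if reason:
            alerts.append((m["client"], urlsplit(m["url"]).hostname, reason))
    return alerts


def clients_hit(alerts):
    """Count matching requests per client, i.e. which hosts reached the kit."""
    return dict(Counter(client for client, _host, _reason in alerts))


# Constructed proxy log.  Line 5 uses PHP's correctly spelled PHPSESSID on an
# ordinary shop and must not alert; line 4 still matches even though it is a 404.
SAMPLE_LOG = """\
2015-03-01T10:00:01Z 10.0.0.5 GET http://www.example-news.test/ 200
2015-03-01T10:00:02Z 10.0.0.5 GET http://lp.example-ek.test/index.php?req=mp3&num=37&PHPSSESID=abcdef 200
2015-03-01T10:00:03Z 10.0.0.5 GET http://lp.example-ek.test/index.php?req=swf&num=8413&PHPSSESID=abcdef 200
2015-03-01T10:00:04Z 10.0.0.5 GET http://lp.example-ek.test/index.php?req=xap&PHPSSESID=abcdef 404
2015-03-01T10:00:05Z 10.0.0.7 GET http://shop.example.test/index.php?req=swf&PHPSESSID=abc123 200
2015-03-01T10:00:06Z 10.0.0.5 GET http://lp.example-ek.test/1.php?r=1 200
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for client, host, reason in found:
        print(client, host, reason)
    print(clients_hit(found))
```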

Demo

• Java Exploit: CVE-2013-2465
• JavaScript deobfuscation

Flash Exploit CVE-2014-0515

• Vector.<int> array of size 0x90 bytes
• Vector size resized to 0, resulting in holes between vector objects
• Vulnerability exploited: memory corruption
• Spraying FileReference objects
• Modify FileReference object function pointer table
• cancel() is called -> call to VirtualProtect()

Vector.<int> Object Memory Layout

Source: HP Security Blog

DPBG tool

References

• CVE-2013-2465 Java Exploit
• Java obfuscators
• PixelBender Exploit
• Malware don't need Coffee
• Malware Traffic Analysis

Thank You


Detection

Java Exploit- CVE-2013-2465 Javascript deobfuscation

Demo

Vectorltintgt array of size 0x90 bytes Vector size resized to 0 resulting in holes

between vector objects Vulnerability exploited Memory Corruption Spraying FileReference objects Modify FileReference object function pointer

table cancel() is called -gt call to VirtualProtect()

Flash Exploit CVE-2014-0515

VectorltIntgt Object Memory

Layout

Source HP security Blog

DPBG tool

CVE-2013-2465 Java Exploit Java obfuscators PixelBender Exploit Malware donrsquot need Coffee Malware Traffic Analysis

References

Thank You

  • Anatomy of Exploit Kits
  • Content
  • Exploit Kits
  • Exploit Kit Naming
  • Phases
  • Compromised sites
  • Compromised sites (2)
  • Slide 8
  • Redirector (Obfuscated)
  • Redirector (after deobfuscating)
  • Landing Page
  • Post-Infection
  • Slide 13
  • Slide 14
  • Exploits used
  • Access Filters
  • Detection
  • Demo
  • Flash Exploit CVE-2014-0515
  • VectorltIntgt Object Memory Layout
  • Slide 21
  • Slide 22
  • References
  • Thank You
Page 14: Anatomy of exploit kits

Request with no referrer Block IP addresses Non-Windows traffic User Agent access Plugin-Detect scripts URL blacklist checks

Access Filters

Obfuscation in JS Signatures for specific CVEs User Agent strings URL patterns

ltdomaingtindexphpreq=mp3ampnum=37ampPHPSSESID=

ltdomaingtindexphpreq=swfampnum=8413ampPHPSSESID=

ltdomaingtindexphpreq=xapampPHPSSESID= ltdomaingt1phpr

Detection

Java Exploit- CVE-2013-2465 Javascript deobfuscation

Demo

Vectorltintgt array of size 0x90 bytes Vector size resized to 0 resulting in holes

between vector objects Vulnerability exploited Memory Corruption Spraying FileReference objects Modify FileReference object function pointer

table cancel() is called -gt call to VirtualProtect()

Flash Exploit CVE-2014-0515

VectorltIntgt Object Memory

Layout

Source HP security Blog

DPBG tool

CVE-2013-2465 Java Exploit Java obfuscators PixelBender Exploit Malware donrsquot need Coffee Malware Traffic Analysis

References

Thank You

  • Anatomy of Exploit Kits
  • Content
  • Exploit Kits
  • Exploit Kit Naming
  • Phases
  • Compromised sites
  • Compromised sites (2)
  • Slide 8
  • Redirector (Obfuscated)
  • Redirector (after deobfuscating)
  • Landing Page
  • Post-Infection
  • Slide 13
  • Slide 14
  • Exploits used
  • Access Filters
  • Detection
  • Demo
  • Flash Exploit CVE-2014-0515
  • VectorltIntgt Object Memory Layout
  • Slide 21
  • Slide 22
  • References
  • Thank You
Page 15: Anatomy of exploit kits

Obfuscation in JS Signatures for specific CVEs User Agent strings URL patterns

ltdomaingtindexphpreq=mp3ampnum=37ampPHPSSESID=

ltdomaingtindexphpreq=swfampnum=8413ampPHPSSESID=

ltdomaingtindexphpreq=xapampPHPSSESID= ltdomaingt1phpr

Detection

Java Exploit- CVE-2013-2465 Javascript deobfuscation

Demo

Vectorltintgt array of size 0x90 bytes Vector size resized to 0 resulting in holes

between vector objects Vulnerability exploited Memory Corruption Spraying FileReference objects Modify FileReference object function pointer

table cancel() is called -gt call to VirtualProtect()

Flash Exploit CVE-2014-0515

VectorltIntgt Object Memory

Layout

Source HP security Blog

DPBG tool

CVE-2013-2465 Java Exploit Java obfuscators PixelBender Exploit Malware donrsquot need Coffee Malware Traffic Analysis

References

Thank You

  • Anatomy of Exploit Kits
  • Content
  • Exploit Kits
  • Exploit Kit Naming
  • Phases
  • Compromised sites
  • Compromised sites (2)
  • Slide 8
  • Redirector (Obfuscated)
  • Redirector (after deobfuscating)
  • Landing Page
  • Post-Infection
  • Slide 13
  • Slide 14
  • Exploits used
  • Access Filters
  • Detection
  • Demo
  • Flash Exploit CVE-2014-0515
  • VectorltIntgt Object Memory Layout
  • Slide 21
  • Slide 22
  • References
  • Thank You
Page 16: Anatomy of exploit kits

Java Exploit- CVE-2013-2465 Javascript deobfuscation

Demo

Vectorltintgt array of size 0x90 bytes Vector size resized to 0 resulting in holes

between vector objects Vulnerability exploited Memory Corruption Spraying FileReference objects Modify FileReference object function pointer

table cancel() is called -gt call to VirtualProtect()

Flash Exploit CVE-2014-0515

VectorltIntgt Object Memory

Layout

Source HP security Blog

DPBG tool

CVE-2013-2465 Java Exploit Java obfuscators PixelBender Exploit Malware donrsquot need Coffee Malware Traffic Analysis

References

Thank You

  • Anatomy of Exploit Kits
  • Content
  • Exploit Kits
  • Exploit Kit Naming
  • Phases
  • Compromised sites
  • Compromised sites (2)
  • Slide 8
  • Redirector (Obfuscated)
  • Redirector (after deobfuscating)
  • Landing Page
  • Post-Infection
  • Slide 13
  • Slide 14
  • Exploits used
  • Access Filters
  • Detection
  • Demo
  • Flash Exploit CVE-2014-0515
  • VectorltIntgt Object Memory Layout
  • Slide 21
  • Slide 22
  • References
  • Thank You
Page 17: Anatomy of exploit kits

Vectorltintgt array of size 0x90 bytes Vector size resized to 0 resulting in holes

between vector objects Vulnerability exploited Memory Corruption Spraying FileReference objects Modify FileReference object function pointer

table cancel() is called -gt call to VirtualProtect()

Flash Exploit CVE-2014-0515

VectorltIntgt Object Memory

Layout

Source HP security Blog

DPBG tool

CVE-2013-2465 Java Exploit Java obfuscators PixelBender Exploit Malware donrsquot need Coffee Malware Traffic Analysis

References

Thank You

  • Anatomy of Exploit Kits
  • Content
  • Exploit Kits
  • Exploit Kit Naming
  • Phases
  • Compromised sites
  • Compromised sites (2)
  • Slide 8
  • Redirector (Obfuscated)
  • Redirector (after deobfuscating)
  • Landing Page
  • Post-Infection
  • Slide 13
  • Slide 14
  • Exploits used
  • Access Filters
  • Detection
  • Demo
  • Flash Exploit CVE-2014-0515
  • VectorltIntgt Object Memory Layout
  • Slide 21
  • Slide 22
  • References
  • Thank You
Page 18: Anatomy of exploit kits

VectorltIntgt Object Memory

Layout

Source HP security Blog

DPBG tool

CVE-2013-2465 Java Exploit Java obfuscators PixelBender Exploit Malware donrsquot need Coffee Malware Traffic Analysis

References

Thank You

  • Anatomy of Exploit Kits
  • Content
  • Exploit Kits
  • Exploit Kit Naming
  • Phases
  • Compromised sites
  • Compromised sites (2)
  • Slide 8
  • Redirector (Obfuscated)
  • Redirector (after deobfuscating)
  • Landing Page
  • Post-Infection
  • Slide 13
  • Slide 14
  • Exploits used
  • Access Filters
  • Detection
  • Demo
  • Flash Exploit CVE-2014-0515
  • VectorltIntgt Object Memory Layout
  • Slide 21
  • Slide 22
  • References
  • Thank You
Page 19: Anatomy of exploit kits

DPBG tool

CVE-2013-2465 Java Exploit Java obfuscators PixelBender Exploit Malware donrsquot need Coffee Malware Traffic Analysis

References

Thank You

  • Anatomy of Exploit Kits
  • Content
  • Exploit Kits
  • Exploit Kit Naming
  • Phases
  • Compromised sites
  • Compromised sites (2)
  • Slide 8
  • Redirector (Obfuscated)
  • Redirector (after deobfuscating)
  • Landing Page
  • Post-Infection
  • Slide 13
  • Slide 14
  • Exploits used
  • Access Filters
  • Detection
  • Demo
  • Flash Exploit CVE-2014-0515
  • VectorltIntgt Object Memory Layout
  • Slide 21
  • Slide 22
  • References
  • Thank You
Page 20: Anatomy of exploit kits

CVE-2013-2465 Java Exploit Java obfuscators PixelBender Exploit Malware donrsquot need Coffee Malware Traffic Analysis

References

Thank You

  • Anatomy of Exploit Kits
  • Content
  • Exploit Kits
  • Exploit Kit Naming
  • Phases
  • Compromised sites
  • Compromised sites (2)
  • Slide 8
  • Redirector (Obfuscated)
  • Redirector (after deobfuscating)
  • Landing Page
  • Post-Infection
  • Slide 13
  • Slide 14
  • Exploits used
  • Access Filters
  • Detection
  • Demo
  • Flash Exploit CVE-2014-0515
  • VectorltIntgt Object Memory Layout
  • Slide 21
  • Slide 22
  • References
  • Thank You
Page 21: Anatomy of exploit kits

Thank You

  • Anatomy of Exploit Kits
  • Content
  • Exploit Kits
  • Exploit Kit Naming
  • Phases
  • Compromised sites
  • Compromised sites (2)
  • Slide 8
  • Redirector (Obfuscated)
  • Redirector (after deobfuscating)
  • Landing Page
  • Post-Infection
  • Slide 13
  • Slide 14
  • Exploits used
  • Access Filters
  • Detection
  • Demo
  • Flash Exploit CVE-2014-0515
  • VectorltIntgt Object Memory Layout
  • Slide 21
  • Slide 22
  • References
  • Thank You

Recommended