Anatomy of Exploit Kits
- 2.
Exploit Kit Introduction
Phases
Exploits used
Access Filters
Detection
Analysis of exploits
Content
- 6. LFI in RevSlider plugin of Wordpress
http://[compromised.com]/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
XSS in Simple Security Wordpress plugin: CVE-2014-9570
http://[compromised.com]/wp-admin/users.php?page=access_log&datefilter=%27%22%3E%3Cscript%3Ealert%28/HACKED/%29;%3C/script%3E
Drupal Sql Injection
CDN reference compromise (Eg. Operation Poisoned Helmand)
Iframe Injectors
Compromised sites
- 10. The kit checks whether the Silverlight plugin is installed by creating the following ActiveXObject:
ActiveXObject("AgControl.AgControl")
The presence of the Flash plugin is confirmed by creating the following object:
swfobject.embedSWF()
Antivirus detection (the kit exits when a known Kaspersky or Trend Micro driver is present):
if (chavs("kl1.sys") || chavs("tmciesc.sys") || chavs("tmtdi.sys") ||
    chavs("tmactmon.sys") || chavs("TMEBC32.sys") || chavs("tmeext.sys") ||
    chavs("tmconn.sys") || chavs("tmevtmgr.sys")) { exit(); }
Redirector (after deobfuscating)
- 15.
IE: CVE-2014-0322 (zero day), CVE-2014-0324 (zero day), CVE-2014-6332, CVE-2013-2551, CVE-2013-3918, CVE-2013-7331
Java: CVE-2013-2460, CVE-2013-2465, CVE-2012-1723, CVE-2012-0507, CVE-2013-0422 (zero day)
Flash: CVE-2014-8440, CVE-2014-0556, CVE-2014-0569, CVE-2014-0515, CVE-2014-8439, CVE-2014-0502 (zero day), CVE-2015-???? (zero day)
Silverlight: CVE-2013-0074, CVE-2013-3896
PDF: CVE-2010-0188
Exploits used
- 16.
Request with no referrer
Block IP addresses
Non-Windows traffic
User Agent access
Plugin-Detect scripts
URL blacklist checks
Access Filters
- 17.
Obfuscation in JS
Signatures for specific CVEs
User Agent strings
URL patterns:
<domain>/index.php?req=mp3&num=37&PHPSSESID=
<domain>/index.php?req=swf&num=8413&PHPSSESID=
<domain>/index.php?req=xap&PHPSSESID=
<domain>/1.php?r
Detection
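As an added example (not from the original slides), the URL patterns above can be turned into a simple proxy-log check. It assumes a constructed space-separated log format of "timestamp client-ip method url status"; the sample lines and hostnames are made up for the demonstration.

```python
from urllib.parse import urlsplit, parse_qs

# Mapping of the req= values seen on the slide to the plugin each one targets.
REQ_TYPES = {"mp3": "Java", "swf": "Flash", "xap": "Silverlight"}

def classify_url(url):
    """Return (label, detail) if the URL matches a kit pattern from the slide, else None."""
    parts = urlsplit(url)
    # keep_blank_values keeps the empty PHPSSESID= parameter, which is the tell.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.endswith("/index.php") and "PHPSSESID" in qs and "req" in qs:
        req = qs["req"][0]
        if req in REQ_TYPES:
            return ("ek-exploit-request", REQ_TYPES[req])
    if parts.path.endswith("/1.php") and "r" in qs:
        return ("ek-redirect", "1.php?r")
    return None

def scan_log(lines):
    """Return a list of (client_ip, label, detail, url) for each matching log line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines (assumed log format is 5 fields)
        client_ip, url = fields[1], fields[3]
        result = classify_url(url)
        if result:
            hits.append((client_ip, result[0], result[1], url))
    return hits

# Constructed sample proxy log lines (not real traffic); line 4 lacks the
# misspelled PHPSSESID parameter and must not be flagged.
SAMPLE_LOG = """\
2015-02-01T10:00:01 10.0.0.5 GET http://shop.example.invalid/wp-admin/users.php 200
2015-02-01T10:00:02 10.0.0.5 GET http://ek.example.invalid/index.php?req=swf&num=8413&PHPSSESID=abc 200
2015-02-01T10:00:03 10.0.0.7 GET http://ek.example.invalid/index.php?req=xap&PHPSSESID= 200
2015-02-01T10:00:04 10.0.0.7 GET http://ek.example.invalid/index.php?req=mp3&num=37 200
2015-02-01T10:00:05 10.0.0.9 GET http://ek.example.invalid/1.php?r=1 302
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Pairing the hits with the preceding referrer (the compromised site) and the client's User-Agent gives the analyst the full redirect chain.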
- 19.
Vector<int> array of size 0x90 bytes
Vector size resized to 0, resulting in holes between vector objects
Vulnerability exploited
Memory Corruption
Spraying FileReference objects
Modify FileReference object function pointer table
cancel() is called -> call to VirtualProtect()
Flash Exploit CVE-2014-0515
- 23.
CVE-2013-2465 Java Exploit
Java obfuscators
PixelBender Exploit
Malware don’t need Coffee
Malware Traffic Analysis
References