John Bambenek-Tracking Exploit Kits中國(guó)第八屆云計(jì)算大會(huì)

TrackingExploitKitsJohnBambenekManagerofThreatSystemsFidelisCybersecurity?ManagerofThreatSystemswithFidelisCybersecurity?Part-TimeFacultyatUniversityofIllinoisinCS?Providerofopen-sourceintelligencefeeds?Runseveraltakedownorientedgroupsandsurveilthreats?Email:john.bambenek@Whytrackexploitkits?newmalwarealwaysshowsuptotakeitsplace.Whytrackexploitkits??Lawenforcementoperationsforcybercrimetakemonthsoryearsandonlypursuealimitedamountofthreats.?However,almostallcriminalmalwarecomesviatwomethods,spambotnetsorexploitkits.?Whatifyoucouldsmashtheentiremalwaredeliveryecosysteminstead?Whytrackexploitkits??Earlierthisyear,RussianauthoritiesarrestedLurkgroupwhohaddirectconnectionstoAnglerExploitKit(EK)operations.?AnglerEKwentawayovernight.?Priority1:EnsurecurrentproductsdetectnewmalwareandchangesinEKstoprotectcustomers.?Priority2:group.DevelopintelligencetotrackEKoperatorsandcustomerstodisruptanentireecosysteminsteadofonesmallcrimeWhatisanExploitKit??Setoftools(prominentlyweb-based)thatexploitvulnerabilitiesinsoftware(browser,Adobe,Java,etc)tospreadmalware.?Relativelystaticlistofexploitseachkitusesandtheyvary.?Rarely(butsometimes)use0-days.?Theyoperateasacriminalserviceand“sellinfections”ofwhateverprovidedmalware.?Primarydefense:patchyourOSandapplications.?RIGCampaignIDs?Many,butnotall,malwareoperatorsusemultiplemeansofdeliveryandtheycompartmentalizeusingCampaignIDs.?SometimesthecampaignIDreferstoanaffiliate.?Sometimesit’sjustforaspecificrunoftheirmalware.?Correlatingaffiliatesacrossmalwaredeliverymechanismscanprovideinterestinginsightsintothemarketplacebehindthemalwaredelivery.re?Takingdataderivedfrommalware,youcanripconfigsandgetinformation.?Spokeaboutthisherelastyear.?Cross-correlatebasedondeliverymethodandnowyouhaveinsightinwhoisbuyingservicefromwhom.?NowyouhaverawbuildingblocksforanoperationsimilartowhatRussiadidtotheLurkgroupthatendedAngler.?Victimclickson(usuallycompromised)webpage.?Thereisvalidationofsuitability.?Geo-blacklisting?Likelyvulnerablebrowser?Blacklistingofsuspectedsandboxes,securityresearchers?Victimisdirectedtoactualexploit.?Victimdownloadsandinstallsmalware.MagnitudetoCerberexampleFrom–hasgreatblogsonEKtrafficExploitKitURLsoftenhavepatterns?SomeolderNuclearEKURLpatternsinPCRE:?\.(su|ru)\/mod\_articles-auth.*\d\/(ajax|jquery)\/\/b\/shoe\/[0-9]{4,10}?^[^\/\n]{1,99}?\/url\?([\w]+=([\w\.]+)?&){5,10}url=https:\/\/[\w]+\.[a-z]{2,3}&([\w]+=([\w\.]+)?&){2,6}[\w]+=[\w\.]+$?^[^\/\n]{1,99}?\/search\?(?=.*[a-z]+=utf-8&)(?=.*ei=.*(\p{Ll}\p{Lu}|\p{Lu}\p{Ll}))(?=.*ei=.{20,})(?!=\/)([a-z_]{1,8}=[\w\+-\.\x20]+&?){2,5}$?^[^\/\n]{1,99}?\/(?-i)([a-z0-9]+\/){0,3}\d{2,3}(_|-)[a-z]+(_|-)\d+\.[a-z]{3,6}$?^[^\/\n]{1,99}?\/(?-i)([a-z0-9]+\/){0,3}[a-z-]+\?(([a-z_-]|[0-9]){3,}=([a-z_-]|[0-9]){3,}&){1,5}[a-z0-9_-]{2,}=[a-z0-9]{8,}$Non-AttributableNetworks?EKsdohaveatendencytoblockobvioussecurityresearchersandsecuritycompanynetblocks.?Theydon’tdoagoodjobblockingcommodityVPNservices.?Youcanpickwhatcountryyouwanttoappearfrom.?StilllimitstowhatyoucanretrieveusingaVPN.?VPNinsideoroutsidecuckooVM?Non-AttributableNetworksNon-AttributableNetwork?Atpresent,thereisnoeasycentralwaytomanagemultiplecuckooinstancesthatreachouttomultiplegeographiesfromthesameinstance.?SolutionistorunmultiplephysicalcuckooinstanceswithVPNoutsidetheVMandrotateIPsinsideageoeachbatchrun.?Eachexploitkithasapartiallyoverlappingbutuniquesetofexploitstheyuse.?Togetcuckootoexecutetheexploit,somecareneedstobespentinchoosingtheimagesandvulnerablesoftwarebasedonexploitkit.?Anoldertrackingspreadsheetisavailableat:/spreadsheet/ccc?key=0AjvsQV3iSLa1dE9EVGhjeUhvQTNReko3c2xhTmphLUE#gid=10butanewversionshouldbeatContagioDsoon.?EasiestwayistohaveasetofVMimagesforspecificexploitkits.?Stillneedtomonitorforadditionofnewexploits.?0-dayshappenmaybeonceayear.DecodingEKlandingpages?Opensourcetoolsavailablehere:/mak/ekdecoforNeutrino,NuclearandAngler.?Canexportconfigandencryptionkeys,intermediateflashfiles,andtheexploitoutputsthatareusedandsavethosetofiles.?RequireslandingpagesorfirstSWFfile(availableinPCAPorviaCuckoo).?$pythonneutrino.py-dout-e-istrong-special-green-tread-motive-happiness-warm-stre-slap-happy.swf?[+]embededswf(SHA256:d977a418fa1cf5a0a78c768fade3223ead531ee25d766fa64a2e27ade0616a82)extracted,andsavedtoout/d977a418fa1cf5a0a78c768fade3223ead531ee25d766fa64a2e27ade0616a82.swf?[+]cfgkey:uturwhahhdm820991,exploitkey:czynukeclllu385015?{u'debug':{u'flash':False},?u'exploit':{u'nw22':{u'enabled':True},?u'nw23':{u'enabled':True},?u'nw24':{u'enabled':True},?u'nw25':{u'enabled':True},?u'nw8':{u'enabled':True}},?u'key':{u'payload':u'yykrnnfwet'},?u'link':{u'backUrl':u'',?u'bot':u'http://muusikkopruflin.earclearclinic.co.uk/1994/05/16/jump/loom/have-september-meal-borrow-normal.html',?u'flPing':u'http://muusikkopruflin.earclearclinic.co.uk/wobbler/1440055/carrot-every-hasten',?u'jsPing':u'http://muusikkopruflin.earclearclinic.co.uk/1978/12/12/alley/knock-trial-guilty-knee-younger-sigh-suffer-fault-lamp.html',?u'pnw22':u'http://muusikkopruflin.earclearclinic.co.uk/dull/aXF4Y21nYw',?u'pnw23':u'http://muusikkopruflin.earclearclinic.co.uk/consciousness/clever-13253660',?u'pnw24':u'http://muusikkopruflin.earclearclinic.co.uk/hospital/d2dxY3dkZw',?u'pnw25':u'http://muusikkopruflin.earclearclinic.co.uk/disappointment/battle-31593215',?u'pnw8':u'http://muusikkopruflin.earclearclinic.co.uk/another/hideous-33550406',?u'soft':u'http://muusikkopruflin.earclearclinic.co.uk/belong/animal-none-western-14473008'},?u'marker':u'rtConfig'}?[+]Exploitsavedto….?$xxd7ccc54cd4e819ee0a8b291917cf321acc058ccc6e4d35ad6f21db09491e05332.ek.bin?0000000:5a575312c7410000682000005d000020ZWS..A..h..]..?0000010:00003bfffc8e19fadfe76608a03d3e85..;f..=>.?0000020:f5756fd07e61351b1a8b164ddf0532fe.uo.~a5M..2.?0000030:a44c4649b77b6b75f92b5c37290b9137.LFI.{ku.+\7)..7?0000040:01370ee9f2e1fc9e64da6c112133eda0.7d.l.!3..?0000050:0e7670a0cd982e7680f0e059560608e9.vpv...YV...?0000060:caeba2c6db5a867b47de995d68763816Z.{G..]hv8.?0000070:bd933cd3d09ed355635adab0db27e67c..<UcZ...'.|?0000080:213daccc90a176587308c85895d6680b!=vXs..X..h.?0000090:f2b8c7c712554087e759c04edf21aee8U@..Y.N.!..?00000a0:a06a8ec4ecd83838a5f455b9284e31d5.j88..U.(N1.?00000b0:12565f00c2ea9c36e8beb7105aa62909.V_6Z.).?00000c0:3d4934711ec514ee224f7b3140e3fb00=I4q"O{1@...?00000d0:d5f1bfe22fbe445810a801f43108fa24/.DX1..$e:0d9aaefdc5cfcfa2350baeeddc4139c8 5A9. OtherCuckooconsiderations?Cuckoostorestonsofinformation,butforEKsweareonlyinterestedingettingthedroppedbinary.?Turnoffalltheloggingexceptthatdirectlyrelatedtodroppedfiles.?RunningYaraandusingvolatilitycanhelpquicklyidentifydroppedfiles.?Remember,useanon-attributablenetwork.:)FindingEKlandingpages?Allthisautomationstillhastobefedwithtargetstosandbox.?Workbackwardsfromaninfectionevent.?Usewebproxylogs/telemetryandPCREs.?Useacrawler.?TrickEKtogiveyoutheinitialgates.Workingbackwardsfromaninfection?Leastefficientwayofdoingitbutinsomecases(newEK,significantchangestoanexistingEK)it’sallwecando.?Initialgatesaretransientresources,somanuallyidentifyingthemhaslimitedutility.?Alsolimitedonlybywhatisattackingyouoryourcustomer.ngPCREstohunt?Stillrequiresuserstovisitbutcanbeprogrammaticallypipelinedintoasandboxsystemforrelativelyrealtimeanalysis.?Everyonehasauser-baseandtelemetrythathasgeographicordemographicbiasesthatcreateholesinvisibility.?Inefficientbecauseitwillrequestmorethanwhatyouarelookingfor.?Crawlersarealsoresourceintensivethebroaderyouarelookingforbehavior.?Itcan,however,haveaglobalfootprintandbethorough.?Luckily,wedon’thavetomakeourowncrawlerwhenMicrosoftwillgiveBingcrawlermaliciousURLstoMAPP/VIAmembers.?On4August2016,over26MmaliciouswebpageswereseenwhichMicrosoftgivesa99%confidenceintervaltoo.?MuchmorethanEKs.UsingBingMaliciousURLs8/4/20164:58:27PMhttp://0000-.ar/2011/03/my-defragmenter-ydefragmenteresklinkswidgetIdBlogwidgetTypeBlogresponseTypejspostID.58.216.193us15169MalwareNetwork8/4/20164:51:46PMhttp://0000-.ar/2011/03/pocopique-tv-rogramaparavertvhtmlactionbacklinkswidgetIdBlog1&widgetType=Blog&responseType=js&postID=78418329us15169ES8/4/20166:06:13PMhttp://0000-.ar/2011/07/reparacion-de-8/4/20166:26:04PMhttp://0000-.ar/2011_02_24_archive.html8/4/20164:34:23PMhttp://0000-.es/2011/02/descarga-chat-para-facebook.html?action=backlinks&widgetId=Blog1&widgetType=Blog&responseType=js&postID=ousURLs?On4August,524,713ofthoseURLspointedtoIPsinsideChina.?NumberismisleadingbecauseitincludesmultipleURLsundersamedomain.?Alsoflags“interesting”advertiserbehavior.?NeedtofilterbasedonthePCREswehaveseenbeforeorotheralertingtechnology.?WearerunningalltheseURLsthroughcURLwithaspoofeduseragentjusttoseerequestandfirstresponse.URLs?Dealingwithcompromisedwebsitesandbulkmaliciousbehaviorishardtodo.?Withproperfilteringoftheabove,italsobecomespossibletoprogrammaticallystartdersofsuchcontentsotheycanstartcleaningthesewebsitesowserversNetblockReportingServicetogetalertsonmaliciousactivityseenonyournetwork.ousURLsingmUrlstsvhttp://melnoosh.narod.ru/p3aa1.html/indexEN.htmlhttp://peterbronkhorst.rusa.nl/pag013l.htm/vk3en62w.htmhttp://portvein777.narod.ru/MirChiselChast10.htmhttp://portvein777.narod.ru/MirChiselChast26.htm/fadi7a.htmlhttp://re