![► TDS (Traffic Direction Script)
TDS
1st REQUEST
2nd REQUEST
INFECTED SITE
[ ----.com ]
REDIRECTOR 1
[ molo.tw ]
REDIRECTOR 2
[ rmi.tw ] [ mias.tw ]
[ ask.com ]
EXPLOIT SITE](https://image.slidesharecdn.com/ht-w23-150420135435-conversion-gate01/85/Ht-w23-36-320.jpg)
Ht w23
- 1. Session ID: Session Classification: Chris Astacio Websense, Inc. HT-W23 Intermediate SHINING SOME LIGHT INTOTHE EVOLUTION OFTHE BLACKHOLE
- 3. ► What is an exploit kit? ► Collection of exploits targeting vulnerabilities in client vulnerabilities, targeting browsers and programs triggered by browser activity. ► Hacking for Dummies ► Past exploit kits ► Phoenix (PEK) dates back to 2007,Siberia, Mpack, IcePack, Neosploit, Hierarchy ► Typically fluctuating in usage and volume ► Exploits and admin relatively static ► Effectiveness declines with patching ► Attack duration limited WHAT IS AN EXPLOIT KIT?
- 4. ► Top exploit families detected by Microsoft anti-malware products in the second half of 2011 and first half of 2012, by number of unique computers with detections, shaded according to relative prevalence WHAT IS AN EXPLOIT KIT?
- 5. ► Blackhole ► Creators of the kit are suspected to be "HodLuM" and " ► Most prevalent on the web? ► Websense 65% of all exploit detections ► AVG - 91% ► Sophos - 28 % ► Microsoft Leads other exploit families in prevalence by factor of 2 WHAT IS BLACKHOLE? ► Typically fluctuating in usage and volume ► Exploits and admin relatively static ► Effectiveness declines with patching ► Attack duration limited ► Usage accelerating – “King of the Kits” ► Exploits continually added and admin interface updated ► Addition of exploits extends window of effectiveness ► Attack duration extended ► Typical Kit ► Blackhole
- 6. ► The customer licenses the Blackhole exploit kit from the authors and specifies various options to customize the kit. ► A potential victim loads a compromised web page or opens a malicious link in a spammed email. ► The compromised web page or malicious link in the spammed email sends the user to a Blackhole exploit kit server's landing page. ► This landing page contains obfuscated JavaScript that determines what is on the victim's computers and loads all exploits to which this computer is vulnerable and sometimes a Java applet tag that loads a Java Trojan horse. ► If there is an exploit that is usable, the exploit loads and executes a payload on the victim's computer and informs the Blackhole exploit kit server which exploit was used to load the payload. BLACKHOLE
- 7. WHERE NO LIGHT ESCAPES
- 8. ► Prevalence and adoption ► How do they maintain dominance? ► Rental model ► Attack vectors (exploits) ► Attack success rates WHERE NO LIGHT ESCAPES
- 9. ► Obfuscation ► PHP protection ► AVChecker ► IP blocking ► Traffic Direction Script (TDS) ► Revision history ► Blackhole 2.X ► New features ► What is next? WHERE NO LIGHT ESCAPES
- 10. WHERE DO BLACKHOLES EXIST? ► Blackhole GEOIP ► 54% US ► 13.78% Russian Federation ► 6.22% Germany ► 6.4% Virgin Islands ► 2.51% Turkey ► 2.49% Poland
- 11. ► While past kits were sold relatively indiscriminately, Blackhole is primarily dispersed through a rental business model. ► If you want the kit, for the most part, you will have to pay for the use of the hosted kit for a specific duration. ► Rentals can be for a 24 hour, month or annual timeframe. ► Other licenses are also available. ECONOMIC MODEL
- 12. ► The pricing model for the first release of Blackhole ECONOMIC MODEL
- 14. ► Script injections ► Mostly using injection campaign I call iFramer ATTACKTYPES
- 15. ► Strong similarities between iFramer code and Blackhole code ► Similar code structures and sometimes the same algorithm used in the obfuscation!! ATTACKTYPES
- 16. ► Email campaigns ► DHL, UPS, and CNN OH MY! ATTACKTYPES
- 18. ► ATTACKTYPES
- 20. ► Online pharmacy/affiliates scams ATTACKTYPES
- 21. ► CVE-2006-0003 - Unspecified vulnerability in the RDS.Dataspace ActiveX control in Microsoft Data Access Components (MDAC) ► CVE-2007-5659 - Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier ► CVE-2008-2992 - Adobe Reader "util.printf" Vulnerability ► CVE-2009-0927 - Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 (multiple versions) allows remote attackers to execute arbitrary code ► CVE-2009-1671 - Java buffer overflows in the Deployment Toolkit ActiveX control in "deploytk.dll" ► CVE-2009-4324 - Adobe Reader and Adobe Acrobat "util.printd" Vulnerability ► CVE-2010-0188 - Adobe Acrobat Bundled Libtiff Integer Overflow Vulnerability ► CVE-2010-0840 - Sun Java JRE Trusted Methods Chaining Remote Code Execution Vulnerability ► CVE-2010-0842 - Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability ATTACKVECTORS
- 23. ► A ranking of the most successful exploits used in the kit ATTACK SUCCESS RATES
- 24. ► Specific vulnerabilities targeted by Blackhole exploit kit by number of unique computers reporting detections. ATTACK SUCCESS RATES
- 25. ► Zeus ► Cridex ► Parfeit ► GameOver ► Flashback ► KillAV Trojan ► TDL ► ZeroAccess ► Anti-Spyware 2011 ► Morto ► Poison Ivy ► GhostRAT ► NGRBot ► DNSChanger ► Monkif ► SpyEye ► Darkshell ► Nitol ► AV Live Platinum Security MALWARE DELIVERY ► Types of payloads:
- 27. MAIN STATS PAGE
- 29. ► Blackhole authors have attempted to protect themselves from the theft of their code through a number of means. One of which is the rental only model, that allows them to maintain hosting. RENT (AS IS)
- 30. ► PHP script protection with the ionCube encoder ► Prevents code stealing ► Hinders analysis OBFUSCATION - PHP
- 31. ► Configuration options for all the following parameters: ► Querystring parameters ► File paths (for payloads, exploit components) ► Redirect URLs ► Usernames, passwords ► MySQL backend ► Blacklisting/blocking ► Only hit any IP once ► Maintain IP blacklist ► Blacklist by referrer URL ► Import blacklisted ranges ► Auto update BACK-END FUNCTIONALITY
- 32. ► Management console provides statistical summary, breaking down successful infections by: ► Exploit ► OS ► Country ► Affiliate/partner (responsible for directing user traffic to the exploit kit) ► Browser ► Targets a variety of client vulnerabilities ► AV scanning add-ons (through the use of two scanning services, available as optional extras of course, this is business!) ► Advertisements for additional underground services MANAGEMENT CONSOLE
- 33. ► AntiVirus Check ► VirTest and Scan4you AVOIDING AV
- 34. ► IP Blacklisting IP BLOCKING
- 35. ► TDS (Traffic Direction Script) ► By browser ► By OS ► By geolocation ► By time ► By referrer TDS
- 36. ► TDS (Traffic Direction Script) TDS 1st REQUEST 2nd REQUEST INFECTED SITE [ ----.com ] REDIRECTOR 1 [ molo.tw ] REDIRECTOR 2 [ rmi.tw ] [ mias.tw ] [ ask.com ] EXPLOIT SITE
- 37. ► Historically, kits change their obfuscation techniques only on version releases ► Blackhole seems to change its obfuscation, on average, every two months! OBFUSCATION -TIMELINE December 2010 February 2011 March 2011 Changed 3 times! April 2011 July 2011 September 2011 December 2011 February 2012 May 2012 June 2012 October 2012
- 40. A NEW EVENT HORIZON
- 41. HISTORY OF REVISION RELEASES Version Release 1.0 August 2010 1.0.2 November 2010 1.1.0 June 2011 1.2.0 November 2011 1.2.1 December 2011 1.2.2 February 2012 1.2.3 March 2012 1.2.4 July 2012 2.0 September 2012
- 42. ► Released September 12, 2012 Version 2.X
- 43. ► There is reused code from 1.x version to 2.x version but 2.x is meant to be more efficient. CLEAR CODE 1.XVS 2.X
- 44. ► New rates: BUY 2 GET ONE FREE! ► How is your Russian?
- 45. ► New rates: ► Rent on our server: ► Day rental - $50 (limit traffic 50k hits) ► Week rental - $200 (limit traffic 70k hits a day) ► Month rental - $500 (limit traffic 70k hits a day) if needed, traffic limit can be raised for the additional fee ► The license for your server: ► License for 3 months $700 ► The license for six months $1,000 ► License for 1 year $1500 ► Multidomain bundle version ► $200 one-time fee for the duration of the license (not binding to the domain and the ip) ► Change of the domain on the standard bundle version - $20 BUY 2 GET ONE FREE!
- 47. ► New features: ► Updated admin tools ► Short-term URLs - random-domain generation feature ► a dynamic URL, which is valid for a few seconds, you need only to one victim at a time ► Software Version - determines which versions of Java or Acrobat Reader are running on client ► is very useful for evaluating the quality of traffic and to monitor the the right version of the plugin ► Prevent direct download of executable payloads ► Only load exploit contents when client is considered vulnerable ► the plug is not vulnerable, exploits not issued, and not get in detection loop ALL NEW FEATURES
- 48. ► Drop use of PluginDetect library ► ► Remove some old exploits (leaving Java atomic & byte, PDF LibTIFF, MDAC) ► Update machine stats to include Windows 8 and mobile devices ► order to see how much of your traffic is mobile, and mobile traffic, you can redirect to the appropriate affiliate MORE!
- 49. ► Improvements include several things designed to make it harder for researchers to harvest content from the exploit sites: ► Change from predictable url structure (filenames and querystring parameter names) ► Improved checking of referrer ► Ban unnecessary referrers ► Block bots ► Block TOR traffic IMPROVED EVASION
- 51. ► Bot Blocking OBFUSCATION IP &ToR BLOCKING ► ToR Blocking
- 52. OBFUSCATION IP RECORDING ► Making a better Blackhole ► Defalt IP block list containing ToR nodes and research IP ► Continues to collect after the campaign assuming traffic is exclusively researchers ► put the record mode, and all reversers and bots that run on
- 53. ► Java Run-Time Environment 0-day vulnerability (CVE-2012-4681) was actually first discovered in a kit. (Gondad). ► Incorporated into Blackhole within a week. COMESWITH A 0-DAY BONUS!
- 54. ► The Blackhole kit owners quickly incorporated the Java Run-Time Environment vulnerability (CVE- 2013-0422). COMESWITH A 0-DAY BONUS! ► It took them one day to do it.
- 55. ► Remember the rental costs? ► Compare to (estimated) price of zero day: COMESWITH A 0-DAY BONUS!
- 57. ► The future of Blackhole ► Ongoing updates to obfuscation ► Zero Day integration ► Two in three months time ► From POC ► Purchased from market ► Evolution of premium kits GRAVITATIONAL COLLAPSE We are setting aside a $100K budget to purchase browser and browser plug-in vulnerabilities, which are going to be used exclusively by us, without being released to public (not counting the situations, when a vulnerability is made public not because of us). Not only do we purchase weaponized (ready) exploits, but also their descriptions and proof of concepts (with subsequent joint work with our specialists).
- 58. ► Is Cool the next Blackhole? ► Same developer? ABSOLUTE ZERO F CVE-2011-3402 CVE-2012-5076 CVE-2011-3402 CVE-2012-5076 Paunch acknowledged being responsible for the Cool kit, and said his new exploit framework costs a whopping $10,000 a month. – Krebs on Security, Brian Krebs
- 59. CIRCLETHEN MERGE ► From Redkit to CritXpack, success in the underground markets seems to be spawning the opportunity for others to create their own kits.
- 61. ► Most prevalent threats to desktop environments are mass attacks, typically over the web ► Attacks such as exploit kits occur all the time and typically use old exploits with success! ► Windows is most targeted platform due to popularity ► The growth of mobile devices will make mass mobile attacks a natural progression ► Multiple versions of Android in the market is a larger attack surface for old vulnerabilities! ► Rooted devices may not need privilege escalation MASS MOBILE COMPROMISES
- 63. THANKYOU!