Tracking Exploit Kits - Virus Bulletin 2016
Download as PPTX, PDF1 like880 views
John Bambenek discusses tracking exploit kits by monitoring their infrastructure and operations. He explains that by disrupting entire exploit kit ecosystems, more can be done than taking down individual malware operators. Bambenek describes how exploit kits work and outlines strategies for gathering intelligence on exploit kits, such as decoding landing pages, using PCREs to find new sites, and leveraging resources like Bing's malicious URL feed to collect potential targets for dynamic analysis. The goal is to develop intelligence that can be used to disrupt the operations of exploit kit operators and affiliates.
![© Fidelis Cybersecurity
Exploit Kit URLs often have patterns
• Some older Nuclear EK URL patterns in PCRE:
• .(su|ru)/mod_articles-auth.*d/(ajax|jquery)//b/shoe/[0-9]{4,10}
• ^[^/n]{1,99}?/url?([w]+=([w.]+)?&){5,10}url=https://[w]+.[a-
z]{2,3}&([w]+=([w.]+)?&){2,6}[w]+=[w.]+$
• ^[^/n]{1,99}?/search?(?=.*[a-z]+=utf-
8&)(?=.*ei=.*(p{Ll}p{Lu}|p{Lu}p{Ll}))(?=.*ei=.{20,})(?!=/)([a-
z_]{1,8}=[w+-.x20]+&?){2,5}$
• ^[^/n]{1,99}?/(?-i)([a-z0-9]+/){0,3}d{2,3}(_|-)[a-z]+(_|-)d+.[a-z]{3,6}$
• ^[^/n]{1,99}?/(?-i)([a-z0-9]+/){0,3}[a-z-]+?(([a-z_-]|[0-9]){3,}=([a-z_-
]|[0-9]){3,}&){1,5}[a-z0-9_-]{2,}=[a-z0-9]{8,}$
16](https://image.slidesharecdn.com/vb2016-ektracking-161006204203/85/Tracking-Exploit-Kits-Virus-Bulletin-2016-16-320.jpg){kind=tracking}
![© Fidelis Cybersecurity
Example$ python neutrino.py -d out -e -i strong-special-green-tread-motive-happiness-warm-stre-slap-happy.swf
[+] embeded swf (SHA256: d977a418fa1cf5a0a78c768fade3223ead531ee25d766fa64a2e27ade0616a82) extracted,and saved to
out/d977a418fa1cf5a0a78c768fade3223ead531ee25d766fa64a2e27ade0616a82.swf
[+] cfg key: uturwhahhdm820991, exploit key: czynukeclllu385015
{u'debug': {u'flash': False},
u'exploit': {u'nw22': {u'enabled': True},
u'nw23': {u'enabled': True},
u'nw24': {u'enabled': True},
u'nw25': {u'enabled': True},
u'nw8': {u'enabled': True}},
u'key': {u'payload': u'yykrnnfwet'},
u'link': {u'backUrl': u'',
u'bot': u'http://muusikkopruflin.earclearclinic.co.uk/1994/05/16/jump/loom/have-september-meal-borrow-normal.html',
u'flPing': u'http://muusikkopruflin.earclearclinic.co.uk/wobbler/1440055/carrot-every-hasten',
u'jsPing': u'http://muusikkopruflin.earclearclinic.co.uk/1978/12/12/alley/knock-trial-guilty-knee-younger-sigh-suffer-fault-lamp.html',
u'pnw22': u'http://muusikkopruflin.earclearclinic.co.uk/dull/aXF4Y21nYw',
u'pnw23': u'http://muusikkopruflin.earclearclinic.co.uk/consciousness/clever-13253660',
u'pnw24': u'http://muusikkopruflin.earclearclinic.co.uk/hospital/d2dxY3dkZw',
u'pnw25': u'http://muusikkopruflin.earclearclinic.co.uk/disappointment/battle-31593215',
u'pnw8': u'http://muusikkopruflin.earclearclinic.co.uk/another/hideous-33550406',
u'soft': u'http://muusikkopruflin.earclearclinic.co.uk/belong/animal-none-western-14473008'},
u'marker': u'rtConfig'}
[+] Exploit saved to ….
24](https://image.slidesharecdn.com/vb2016-ektracking-161006204203/85/Tracking-Exploit-Kits-Virus-Bulletin-2016-24-320.jpg){kind=tracking}
![© Fidelis Cybersecurity
Example
$ xxd 7ccc54cd4e819ee0a8b291917cf321acc058ccc6e4d35ad6f21db09491e05332.ek.bin
0000000: 5a57 5312 c741 0000 6820 0000 5d00 0020 ZWS..A..h ..]..
0000010: 0000 3bff fc8e 19fa dfe7 6608 a03d 3e85 ..;.......f..=>.
0000020: f575 6fd0 7e61 351b 1a8b 164d df05 32fe .uo.~a5....M..2.
0000030: a44c 4649 b77b 6b75 f92b 5c37 290b 9137 .LFI.{ku.+7)..7
0000040: 0137 0ee9 f2e1 fc9e 64da 6c11 2133 eda0 .7......d.l.!3..
0000050: 0e76 70a0 cd98 2e76 80f0 e059 5606 08e9 .vp....v...YV...
0000060: caeb a2c6 db5a 867b 47de 995d 6876 3816 .....Z.{G..]hv8.
0000070: bd93 3cd3 d09e d355 635a dab0 db27 e67c ..<....UcZ...'.|
0000080: 213d accc 90a1 7658 7308 c858 95d6 680b !=....vXs..X..h.
0000090: f2b8 c7c7 1255 4087 e759 c04e df21 aee8 .....U@..Y.N.!..
00000a0: a06a 8ec4 ecd8 3838 a5f4 55b9 284e 31d5 .j....88..U.(N1.
00000b0: 1256 5f00 c2ea 9c36 e8be b710 5aa6 2909 .V_....6....Z.).
00000c0: 3d49 3471 1ec5 14ee 224f 7b31 40e3 fb00 =I4q...."O{1@...
00000d0: d5f1 bfe2 2fbe 4458 10a8 01f4 3108 fa24 ..../.DX....1..$
00000e0: 0d9a aefd c5cf cfa2 350b aeed dc41 39c8 ........5....A9.
00000f0: 4f5f 1f63 6f38 20e8 69e4 4785 e82e ba36 O_.co8 .i.G....6
25](https://image.slidesharecdn.com/vb2016-ektracking-161006204203/85/Tracking-Exploit-Kits-Virus-Bulletin-2016-25-320.jpg){kind=tracking}
Tracking Exploit Kits - Virus Bulletin 2016
- 1. Tracking Exploit Kits John Bambenek, Manager of Threat Systems Fidelis Cybersecurity Virus Bulletin 2016 – Denver, Colorado
- 2. © Fidelis Cybersecurity Introduction • Manager of Threat Systems with Fidelis Cybersecurity • Part-Time Faculty at University of Illinois in CS • Provider of open-source intelligence feeds • Run several takedown oriented groups and surveil threats 2
- 3. © Fidelis Cybersecurity Why track exploit kits? • After investigating and occasionally getting malware operators prosecuted, new malware always shows up to take its place. • Operation Tovar ended Gameover Zeus and Cryptolocker, now have Vawtrak and Locky. 3
- 4. © Fidelis Cybersecurity Why track exploit kits? • Law enforcement operations for cybercrime take months or years and only pursue a limited amount of threats. • However, almost all criminal malware comes via two methods, spam botnets or exploit kits. • What if you could smash the entire malware delivery ecosystem instead? 4
- 5. © Fidelis Cybersecurity Cybercrime ecosystem 5
- 6. © Fidelis Cybersecurity EK Ecosystem • Malware writers/operators • EK operators • Exploit writers • Traffic generators • Selling of compromised websites • “Marketplace” operators • The ecosystem behind malware (i.e. mules, carders, etc) • Bitcoin washing services 6
- 7. © Fidelis Cybersecurity Why track exploit kits? • Earlier this year, Russian authorities arrested the Lurk group who had direct connections to Angler Exploit Kit (EK) operations. • Angler EK went away overnight. 7
- 8. © Fidelis Cybersecurity Intelligence Priorities • Priority 1: Ensure current products detect new malware and changes in EKs to protect customers. • Priority 2: Develop intelligence to track EK operators and customers ultimately to disrupt an entire ecosystem instead of one small crime group. 8
- 9. © Fidelis Cybersecurity What is an Exploit Kit? • Set of tools (prominently web-based) that exploit vulnerabilities in software (browser, Adobe, Java, etc) to spread malware. • Relatively static list of exploits each kit uses and they vary. • Rarely (but sometimes) use 0-days. • They operate as a criminal service and “sell infections” of whatever provided malware. • Primary defense: patch your OS and applications. 9
- 10. © Fidelis Cybersecurity Exploit Kits • RIG • Nuclear • Neutrino • Magnitude • Angler • Many more… 10
- 11. © Fidelis Cybersecurity Campaign IDs • Many, but not all, malware operators use multiple means of delivery and they compartmentalize using Campaign IDs. • Sometimes the campaign ID refers to an affiliate. • Sometimes it’s just for a specific run of their malware. • Correlating affiliates across malware delivery mechanisms can provide interesting insights into the marketplace behind the malware delivery. 11
- 12. © Fidelis Cybersecurity Locky Example 12
- 13. © Fidelis Cybersecurity Data-mining malware • Taking data downloaded from malware, you can rip configs and get information. • Cross-correlate based on delivery method and now you have insight in who is buying service from whom. • Now you have raw building blocks for an operation similar to what Russia did to the Lurk group that ended Angler. 13
- 14. © Fidelis Cybersecurity Basic EK Process • Victim clicks on (usually compromised) webpage. • There is validation of suitability. • Geo-blacklisting • Likely vulnerable browser • Blacklisting of suspected sandboxes, security researchers • Victim is directed to actual exploit. • Victim downloads and installs malware. 14
- 15. © Fidelis Cybersecurity Magnitude to Cerber example 15 From malware-traffic-analysis.net – has great blogs on EK traffic
- 16. © Fidelis Cybersecurity Exploit Kit URLs often have patterns • Some older Nuclear EK URL patterns in PCRE: • .(su|ru)/mod_articles-auth.*d/(ajax|jquery)//b/shoe/[0-9]{4,10} • ^[^/n]{1,99}?/url?([w]+=([w.]+)?&){5,10}url=https://[w]+.[a- z]{2,3}&([w]+=([w.]+)?&){2,6}[w]+=[w.]+$ • ^[^/n]{1,99}?/search?(?=.*[a-z]+=utf- 8&)(?=.*ei=.*(p{Ll}p{Lu}|p{Lu}p{Ll}))(?=.*ei=.{20,})(?!=/)([a- z_]{1,8}=[w+-.x20]+&?){2,5}$ • ^[^/n]{1,99}?/(?-i)([a-z0-9]+/){0,3}d{2,3}(_|-)[a-z]+(_|-)d+.[a-z]{3,6}$ • ^[^/n]{1,99}?/(?-i)([a-z0-9]+/){0,3}[a-z-]+?(([a-z_-]|[0-9]){3,}=([a-z_- ]|[0-9]){3,}&){1,5}[a-z0-9_-]{2,}=[a-z0-9]{8,}$ 16
- 17. © Fidelis Cybersecurity Non-Attributable Networks • EKs do have a tendency to block obvious security researchers and security company netblocks. • They don’t do a good job blocking commodity VPN services. • You can pick what country you want to appear from. • Still limits to what you can retrieve using a VPN. • VPN inside or outside cuckoo VM? 17
- 18. © Fidelis Cybersecurity Non-Attributable Networks 18
- 19. © Fidelis Cybersecurity Non-Attributable Network • At present, there is no easy central way to manage multiple cuckoo instances that reach out to multiple geographies from the same instance. • Solution is to run multiple physical cuckoo instances with VPN outside the VM and rotate IPs inside a geo each batch run. 19
- 20. © Fidelis Cybersecurity Exploit hunting • Each exploit kit has a partially overlapping but unique set of exploits they use. • To get cuckoo to execute the exploit, some care needs to be spent in choosing the images and vulnerable software based on exploit kit. • An older tracking spreadsheet is available at: https://docs.google.com/spreadsheet/ccc?key=0AjvsQV3iSLa 1dE9EVGhjeUhvQTNReko3c2xhTmphLUE#gid=10 but a new version should be at ContagioDump.blogspot.com soon. 20
- 21. © Fidelis Cybersecurity Exploit Hunting 21
- 22. © Fidelis Cybersecurity Exploit Hunting • Easiest way is to have a set of VM images for specific exploit kits. • Still need to monitor for addition of new exploits. • 0-days happen maybe once a year. 22
- 23. © Fidelis Cybersecurity Decoding EK landing pages • Open source tools available here: https://github.com/mak/ekdeco for Neutrino, Nuclear and Angler. • Can export config and encryption keys, intermediate flash files, and the exploit outputs that are used and save those to files. • Requires landing pages or first SWF file (available in PCAP or via Cuckoo). 23
- 24. © Fidelis Cybersecurity Example$ python neutrino.py -d out -e -i strong-special-green-tread-motive-happiness-warm-stre-slap-happy.swf [+] embeded swf (SHA256: d977a418fa1cf5a0a78c768fade3223ead531ee25d766fa64a2e27ade0616a82) extracted,and saved to out/d977a418fa1cf5a0a78c768fade3223ead531ee25d766fa64a2e27ade0616a82.swf [+] cfg key: uturwhahhdm820991, exploit key: czynukeclllu385015 {u'debug': {u'flash': False}, u'exploit': {u'nw22': {u'enabled': True}, u'nw23': {u'enabled': True}, u'nw24': {u'enabled': True}, u'nw25': {u'enabled': True}, u'nw8': {u'enabled': True}}, u'key': {u'payload': u'yykrnnfwet'}, u'link': {u'backUrl': u'', u'bot': u'http://muusikkopruflin.earclearclinic.co.uk/1994/05/16/jump/loom/have-september-meal-borrow-normal.html', u'flPing': u'http://muusikkopruflin.earclearclinic.co.uk/wobbler/1440055/carrot-every-hasten', u'jsPing': u'http://muusikkopruflin.earclearclinic.co.uk/1978/12/12/alley/knock-trial-guilty-knee-younger-sigh-suffer-fault-lamp.html', u'pnw22': u'http://muusikkopruflin.earclearclinic.co.uk/dull/aXF4Y21nYw', u'pnw23': u'http://muusikkopruflin.earclearclinic.co.uk/consciousness/clever-13253660', u'pnw24': u'http://muusikkopruflin.earclearclinic.co.uk/hospital/d2dxY3dkZw', u'pnw25': u'http://muusikkopruflin.earclearclinic.co.uk/disappointment/battle-31593215', u'pnw8': u'http://muusikkopruflin.earclearclinic.co.uk/another/hideous-33550406', u'soft': u'http://muusikkopruflin.earclearclinic.co.uk/belong/animal-none-western-14473008'}, u'marker': u'rtConfig'} [+] Exploit saved to …. 24
- 25. © Fidelis Cybersecurity Example $ xxd 7ccc54cd4e819ee0a8b291917cf321acc058ccc6e4d35ad6f21db09491e05332.ek.bin 0000000: 5a57 5312 c741 0000 6820 0000 5d00 0020 ZWS..A..h ..].. 0000010: 0000 3bff fc8e 19fa dfe7 6608 a03d 3e85 ..;.......f..=>. 0000020: f575 6fd0 7e61 351b 1a8b 164d df05 32fe .uo.~a5....M..2. 0000030: a44c 4649 b77b 6b75 f92b 5c37 290b 9137 .LFI.{ku.+7)..7 0000040: 0137 0ee9 f2e1 fc9e 64da 6c11 2133 eda0 .7......d.l.!3.. 0000050: 0e76 70a0 cd98 2e76 80f0 e059 5606 08e9 .vp....v...YV... 0000060: caeb a2c6 db5a 867b 47de 995d 6876 3816 .....Z.{G..]hv8. 0000070: bd93 3cd3 d09e d355 635a dab0 db27 e67c ..<....UcZ...'.| 0000080: 213d accc 90a1 7658 7308 c858 95d6 680b !=....vXs..X..h. 0000090: f2b8 c7c7 1255 4087 e759 c04e df21 aee8 .....U@..Y.N.!.. 00000a0: a06a 8ec4 ecd8 3838 a5f4 55b9 284e 31d5 .j....88..U.(N1. 00000b0: 1256 5f00 c2ea 9c36 e8be b710 5aa6 2909 .V_....6....Z.). 00000c0: 3d49 3471 1ec5 14ee 224f 7b31 40e3 fb00 =I4q...."O{1@... 00000d0: d5f1 bfe2 2fbe 4458 10a8 01f4 3108 fa24 ..../.DX....1..$ 00000e0: 0d9a aefd c5cf cfa2 350b aeed dc41 39c8 ........5....A9. 00000f0: 4f5f 1f63 6f38 20e8 69e4 4785 e82e ba36 O_.co8 .i.G....6 25
- 26. © Fidelis Cybersecurity Other Cuckoo considerations • Cuckoo stores tons of information, but for EKs we are only interested in getting the dropped binary. • Turn off all the logging except that directly related to dropped files. • Running Yara and using volatility can help quickly identify dropped files. • Remember, use a non-attributable network. :) 26
- 27. © Fidelis Cybersecurity Finding EK landing pages • All this automation still has to be fed with targets to sandbox. • Work backwards from an infection event. • Use web proxy logs / telemetry and PCREs. • Use a crawler. • Trick EK to give you the initial gates. 27
- 28. © Fidelis Cybersecurity Working backwards from an infection • Least efficient way of doing it but in some cases (new EK, significant changes to an existing EK) it’s all we can do. • Initial gates are transient resources, so manually identifying them has limited utility. • Also limited only by what is attacking you or your customer. 28
- 29. © Fidelis Cybersecurity Using PCREs to hunt • Still requires users to visit but can be programmatically pipelined into a sandbox system for relatively real time analysis. • Everyone has a user-base and telemetry that has geographic or demographic biases that create holes in visibility. 29
- 30. © Fidelis Cybersecurity Using a crawler • Inefficient because it will request more than what you are looking for. • Crawlers are also resource intensive the broader you are looking for behavior. • It can, however, have a global footprint and be thorough. 30
- 31. © Fidelis Cybersecurity Using a crawler • Luckily, we don’t have to make our own crawler when Microsoft will give Bing crawler malicious URLs to MAPP/VIA members. • On 4 August 2016, over 26M malicious webpages were seen which Microsoft gives a 99% confidence interval too. • Much more than EKs. 31
- 32. © Fidelis Cybersecurity Using Bing Malicious URLs 8/4/2016 4:58:27 PM http://0000-programasnet.blogspot.com.ar/2011/03/my-defragmenter-my- defragmenter-es- un.html?action=backlinks&widgetId=Blog1&widgetType=Blog&responseType=js&postID=699478954130775 3585 216.58.216.193 us 15169 MalwareNetwork 8/4/2016 4:51:46 PM http://0000-programasnet.blogspot.com.ar/2011/03/pocopique-tv-programa-para- ver- tv.html?action=backlinks&widgetId=Blog1&widgetType=Blog&responseType=js&postID=7841830628282890 204 216.58.192.129 us 15169 ES 8/4/2016 6:06:13 PM http://0000-programasnet.blogspot.com.ar/2011/07/reparacion-de- impresoras.html 216.58.192.129 us 15169 ES 8/4/2016 6:26:04 PM http://0000-programasnet.blogspot.com.ar/2011_02_24_archive.html 216.58.192.129 us 15169 MalwareNetwork 8/4/2016 4:34:23 PM http://0000-programasnet.blogspot.com.es/2011/02/descarga-chat-para- facebook.html?action=backlinks&widgetId=Blog1&widgetType=Blog&responseType=js&postID=2134381520 774268527 216.58.192.225 us 15169 MalwareNetwork 32
- 33. © Fidelis Cybersecurity Bing Malicious URLs • On 4 August, 524,713 of those URLs pointed to IPs inside China. • Number is misleading because it includes multiple URLs under same domain. • Also flags “interesting” advertiser behavior. • Need to filter based on the PCREs we have seen before or other alerting technology. • We are running all these URLs through cURL with a spoofed user agent just to see request and first response. 33
- 34. © Fidelis Cybersecurity Bing Malicious URLs • Dealing with compromised websites and bulk malicious behavior is hard to do. • With proper filtering of the above, it also becomes possible to programmatically start notifying hosting providers of such content so they can start cleaning these websites. • Subscribe to Shadowserver’s Netblock Reporting Service to get alerts on malicious activity seen on your network. • https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetRe portsOnYourNetwork 34
- 35. © Fidelis Cybersecurity Bing Malicious URLs # grep –P ‘$pcre’ Bing_mUrls_2016_08_04_8.tsv http://melnoosh.narod.ru/p3aa1.html http://mr-hijacker.blogspot.com/indexEN.html http://peterbronkhorst.rusa.nl/pag013l.htm http://peterscott.0catch.com/vk3en62w.htm http://portvein777.narod.ru/MirChiselChast10.htm http://portvein777.narod.ru/MirChiselChast26.htm http://redirectionn.weebly.com/fadi7a.html http://remeslo.okis.ru/15moda2.html http://remeslo.okis.ru/15moda3.html http://ruza-gimnazia.narod.ru/p13aa1.html http://ruza-gimnazia.narod.ru/p15aa1.html 35
- 36. © Fidelis Cybersecurity Trick EKs to give you landing pages • EKs have a hierarchical structure but the deeper levels also need to be aware of the landing pages to prevent people artificially getting malware directly from the source. 2|http://amabamque-cibohpor.brazcon.co.uk/band/observe-otherwise-17797287|amabamque- cibohpor.brazcon.co.uk|212.48.74.196|168.1.99.232 3|http://raperon.drauk.com/john/1981037/mark-gasp-frequent-loss-unknown- mingle|raperon.drauk.com|184.154.146.157|185.125.168.248 4|http://tajuason.agencyconveyancing.com/measure/1381170/bare-dare-themself-corp-jump-cave- feast-disappear-flower-bush|tajuason.agencyconveyancing.com|81.21.76.62| 5|http://zaczepneepeios.sadie-maymiles.com/dwell/1960713/fair-opposite-anxiety- worst|zaczepneepeios.sadie-maymiles.com|188.138.41.20|179.43.188.214 …. 36
- 37. © Fidelis Cybersecurity Putting it together • Now we have all the pieces. Use telemetry/web logs, Bing Malicious URLs and EK bugs to put URLs into your sandbox. • Use non-attributed network from multiple geographies to maximize visibility. • Retrieve first landing page / exploit file and dropped malware. 37
- 38. © Fidelis Cybersecurity Putting it together • Tie dropped malware to country and exploit kit (note, repeat visits from same IP will not give you malware). • EKs sell “by infection” so often the same landing page will drop other malware as the infection orders are fulfilled. • Further mine dropped malware for intelligence and correlate to other malware delivery networks. 38
- 39. Questions & Thank You! John Bambenek / john.bambenek@fidelissecurity.com If you are interested in Exploit Kit tracking and disruption, please get in touch.