EXPLOIT KITS. Tech Talk - Fall Josh Stroschein - Dakota State University

Size: px

Start display at page:

Download "EXPLOIT KITS. Tech Talk - Fall Josh Stroschein - Dakota State University"

Bartholomew Tyler
6 years ago
Views:

1 EXPLOIT KITS Tech Talk - Fall 2016 Josh Stroschein - Dakota State University

2 Delivery Methods Spam/Spear-phishing

3 Delivery Methods Spam/Spear-phishing

4 Office Documents Generally refer to MS office suite Excel, PowerPoint, Word Focus is on the macros OLE Object Linking and Embedding Allows for compound documents Embed information from a number of different sources Embed a spreadsheet in a Word doc, spreadsheet keeps all original properties User edits the embedded data, Windows activates the originating application

5 MS Protections Protections associated with macros now standard with office suite Block execution of macros

6 But let s not forget about SE! Source:

7 VBA Malware VBA malware usually isn t self-contained, acts as a downloader Purpose is to download and execute another malicious program (EXE) Does this silently user doesn t know it s happening Some common techniques: URLDownloadToFile() XMLHTTP object What if it s embedded in the document? Finally time to discuss obfuscation

8 Office Documents 8

9 Obfuscation Per Wikipedia: Obfuscation is the obscuring of intended meaning in communication, making the message confusing, willfully ambiguous, or harder to understand. What does that mean for us? Work!

10 10 Malicious Attachments - JavaScript Not just office documents and URLs, may also include JavaScript

11 Scan001.js 11

12 12 JavaScript Attachments JS in the browser is mitigated by features such as the Same Origin Policy JS can only download files from where it came Browser JS can only run in the browser, can t do things like read data from your hard drive However, once saved to disk, Windows will run it outside your browser using WSH - Windows Script Host Wscript.exe (Cscript.exe) Treated as normal executable

13 13 JavaScript Attachments Similar to methods used in Office macros Image Source:

14 What is an Exploit Kit (EK)? A malicious infrastructure Constantly evolving to avoid detection EK = Toolkit that automates the exploitation of client-side vulnerabilities Typically targets the browser and programs that a website can invoke via the browser Flash, Java and Adobe Reader Off-the shelf software package Does not require technical proficiency Generally target out-of-date software May contain zero-day and known vulnerabilities

15 General Flow of an EK 1. User visits malicious site compromised or purposeful 2. User is redirected to malicious server 1. This may be via an iframe 3. Victim lands at EK is served a landing page 1. EK gathers info on user, determines exploit to deliver 4. Exploit! 1. If successful, malware is downloaded 5. Last step is considered a drive-by download

16 Angler EK Concept of Operations EK Gate

17 Angler EK Research by Palo Alto posted in January 2016 found: > 90,000 compromised websites 30 in Alexa top 100, million visits per month Ability of network to update code on compromised sites All sites? Ability to target certain IPs and configurations You may visit an infected site and not receive the malicious JS Very difficult to track, most URLs not identified as malicious on VT

18 Angler EK Palo Alto

19 19 EK - Compromised Site Injected Script in compromised site

20 Which Decodes To:

21 Which Decodes To:

22 If Everything Is Good- Landing Page

23 Landing Page

24 24 EK - Dropping Flash What is the future of EKs with the move away from Flash?

25 Flash It Is...

26 Exploitation

27 And Finally Ransomware :(

28 Deobfuscating JavaScript A difficult problem JSDetox tool to support the manual analysis of malicious JavaScript code Uses a browser-based interface Analyzes JS in the backend Provides DOM Emulation

29 JSDetox Malicious JS typically makes use of the document object This is emulated by JSDetox You can install on REMnux Or find the code at:

30 Once Installed.

31 Problems Though Hmm, manually pull-out the tags (I could probably script that though )

32 Analysis

33 Analysis

34 Analysis You can also use your browsers built-in debugger

35 Analysis

36 Analysis Let the code de-obfuscate itself I ll run in a browser and then extract the <script> tags

37 Landing Page Decode Methods

38 De-obfuscation

39 De-Obfuscation

Cisco Advanced Malware Protection (AMP) for Endpoints

Cisco Advanced Malware Protection (AMP) for Endpoints Endpoints continue to be the primary point of entry for attacks! 70% of breaches start on endpoint devices WHY? Gaps in protection Gaps in visibility