EXPLOIT KITS
Tech Talk - Fall 2016
Josh Stroschein - Dakota State University
Delivery Methods
- Spam/Spear-phishing
Office Documents
- Generally refers to the MS Office suite: Excel, PowerPoint, Word
- Focus is on the macros
- OLE: Object Linking and Embedding
  - Allows for compound documents
  - Embed information from a number of different sources
  - Embed a spreadsheet in a Word doc; the spreadsheet keeps all of its original properties
  - When the user edits the embedded data, Windows activates the originating application
- https://support.microsoft.com/en-us/kb/86008
MS Protections
- Protections associated with macros are now standard with the Office suite
- Block execution of macros
But let's not forget about SE (social engineering)!
Source: https://blogs.sophos.com/2015/09/28/why-word-malware-is-basic/
VBA Malware
- VBA malware usually isn't self-contained; it acts as a downloader
- Its purpose is to download and execute another malicious program (EXE)
- Does this silently; the user doesn't know it's happening
- Some common techniques:
  - URLDownloadToFile()
  - XMLHTTP object
- What if the payload is embedded in the document?
- Finally, time to discuss obfuscation
Office Documents
Obfuscation
Per Wikipedia: Obfuscation is the obscuring of intended meaning in communication, making the message confusing, willfully ambiguous, or harder to understand.
What does that mean for us? Work!
Malicious Attachments - JavaScript
- Not just Office documents and URLs; attachments may also include JavaScript
Scan001.js
JavaScript Attachments
- JS in the browser is mitigated by features such as the Same-Origin Policy
  - JS can only download files from where it came
  - Browser JS can only run in the browser; it can't do things like read data from your hard drive
- However, once saved to disk, Windows will run it outside your browser using WSH (Windows Script Host)
  - Wscript.exe (or Cscript.exe)
  - Treated as a normal executable
JavaScript Attachments
- Similar to the methods used in Office macros
Image Source: https://nakedsecurity.sophos.com/2016/04/26/ransomware-in-your-inbox-the-rise-of-malicious-javascript-attachments
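The two attachment types above share the same downloader building blocks (URLDownloadToFile or an XMLHTTP object, then execution), so the first thing an analyst does with a suspicious attachment is a quick static pass for those names. The following is an added example, not code from the talk: a small Node.js triage script that scans the text of a macro or a .js attachment for the indicators the slides mention and weights them into a verdict. The indicator list, weights and thresholds are my own choices, and the four sample inputs are constructed fragments (they are not working programs).

```javascript
// Added example (not code from the talk): static triage of an attachment's text
// for the downloader indicators the slides name. Samples below are constructed.

// Each indicator: id, regex, where it is expected (vba/js/both), weight and a note.
// Weights are an assumption: execution and download primitives outweigh obfuscation hints.
const INDICATORS = [
  { id: 'vba-auto-exec',     re: /\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b/, kind: 'vba',  weight: 2, note: 'runs when the document opens' },
  { id: 'urldownloadtofile', re: /URLDownloadToFile/i,   kind: 'vba',  weight: 3, note: 'Win32 download primitive called from VBA' },
  { id: 'xmlhttp',           re: /XMLHTTP/i,             kind: 'both', weight: 3, note: 'HTTP client object used to fetch a payload' },
  { id: 'adodb-stream',      re: /ADODB\.Stream/i,       kind: 'both', weight: 2, note: 'writes fetched bytes to disk' },
  { id: 'activexobject',     re: /ActiveXObject\s*\(/,   kind: 'js',   weight: 2, note: 'COM object creation; works under WSH, never in a browser' },
  { id: 'shell-exec',        re: /\bShell\b/i,           kind: 'both', weight: 3, note: 'process execution (VBA Shell or WScript.Shell)' },
  { id: 'eval',              re: /\beval\s*\(|new\s+Function\s*\(/, kind: 'js', weight: 1, note: 'dynamic code execution, typical of obfuscation' },
  { id: 'fromcharcode',      re: /String\.fromCharCode/, kind: 'js',   weight: 1, note: 'builds strings from char codes, typical of obfuscation' },
];

// Guess the language so a reviewer sees VBA and JS hits in context.
function guessLanguage(text) {
  return /\bEnd Sub\b|\bEnd Function\b/i.test(text) ? 'vba' : 'js';
}

// Returns the matched indicator ids, their notes, a weighted score and a verdict.
function triage(text) {
  const language = guessLanguage(text);
  const matched = INDICATORS.filter((ind) => ind.re.test(text));
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  const verdict = score >= 5 ? 'suspicious' : score > 0 ? 'review' : 'clean';
  return {
    language,
    hits: matched.map((ind) => ind.id),
    notes: matched.map((ind) => `${ind.id}: ${ind.note}`),
    score,
    verdict,
  };
}

// Constructed samples: fragments carrying the indicators, not working programs.
const SAMPLE_VBA_BENIGN = [
  'Sub FormatReport()',
  '  ActiveSheet.Range("A1").Font.Bold = True',
  'End Sub',
].join('\n');

const SAMPLE_VBA_DOWNLOADER = [
  'Sub AutoOpen()',
  "  ' constructed fragment: download primitive followed by execution",
  '  Call URLDownloadToFile(0, u, f, 0, 0)',
  '  Shell f, vbHide',
  'End Sub',
].join('\n');

const SAMPLE_JS_BROWSER = 'document.getElementById("status").textContent = "ready";';

const SAMPLE_JS_WSH = [
  'var h = new ActiveXObject("MSXML2.XMLHTTP");',
  'var s = new ActiveXObject("ADODB.Stream");',
  'eval(String.fromCharCode(104, 105));',
].join('\n');

const samples = { SAMPLE_VBA_BENIGN, SAMPLE_VBA_DOWNLOADER, SAMPLE_JS_BROWSER, SAMPLE_JS_WSH };
for (const [name, text] of Object.entries(samples)) {
  const r = triage(text);
  console.log(`${name}: ${r.language} score=${r.score} verdict=${r.verdict} hits=[${r.hits.join(', ')}]`);
}
```

The benign macro and the browser snippet score 0; the macro with AutoOpen plus a download primitive and Shell scores 8, and the WSH script scores 9. A hit on `activexobject` in a file that arrived as an e-mail attachment is by itself worth a look, since that object model only exists when the script is run by Wscript.exe rather than a browser.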
What is an Exploit Kit (EK)?
- A malicious infrastructure
- Constantly evolving to avoid detection
- EK = toolkit that automates the exploitation of client-side vulnerabilities
- Typically targets the browser and programs that a website can invoke via the browser
  - Flash, Java and Adobe Reader
- Off-the-shelf software package
  - Does not require technical proficiency
- Generally targets out-of-date software
  - May contain zero-day and known vulnerabilities
General Flow of an EK
1. User visits a malicious site (compromised or purpose-built)
2. User is redirected to a malicious server
   1. This may be via an iframe
3. Victim lands at the EK and is served a landing page
   1. EK gathers info on the user and determines which exploit to deliver
4. Exploit!
   1. If successful, malware is downloaded
5. The last step is what is considered a drive-by download
Angler EK - Concept of Operations (diagram: EK, Gate)
Angler EK
Research by Palo Alto posted in January 2016 found:
- > 90,000 compromised websites
  - 30 in the Alexa top 100,000
  - 11 million visits per month
- Ability of the network to update code on compromised sites
  - All sites?
- Ability to target certain IPs and configurations
  - You may visit an infected site and not receive the malicious JS
- Very difficult to track; most URLs not identified as malicious on VT
http://researchcenter.paloaltonetworks.com/2016/01/angler-exploit-kit-continues-to-evade-detection-over-90000-websites-compromised/
Angler EK (source: Palo Alto)
EK - Compromised Site
- Injected script in the compromised site
Which Decodes To:
If Everything Is Good - Landing Page
Landing Page
EK - Dropping Flash
- What is the future of EKs with the move away from Flash?
Flash It Is...
Exploitation
And Finally Ransomware :(
Deobfuscating JavaScript
- A difficult problem
- JSDetox: a tool to support the manual analysis of malicious JavaScript code
  - Uses a browser-based interface
  - Analyzes JS in the backend
  - Provides DOM emulation
JSDetox
- Malicious JS typically makes use of the document object
  - This is emulated by JSDetox
- You can install it on REMnux
- Or find the code at: http://relentless-coding.org/projects/jsdetox/
Once Installed.
Problems Though
- Hmm, manually pull out the tags (I could probably script that though...)
Analysis
Analysis
- You can also use your browser's built-in debugger
Analysis
- Let the code de-obfuscate itself
- I'll run it in a browser and then extract the <script> tags
Landing Page Decode Methods
De-obfuscation