EXPLOIT KITS. Tech Talk - Fall 2016. Josh Stroschein - Dakota State University

Transcription:

EXPLOIT KITS Tech Talk - Fall 2016 Josh Stroschein - Dakota State University

Delivery Methods: Spam / Spear-phishing

Office Documents
Generally refers to the MS Office suite: Excel, PowerPoint, Word. The focus here is on the macros.
OLE (Object Linking and Embedding) allows for compound documents: information can be embedded from a number of different sources. Embed a spreadsheet in a Word doc and the spreadsheet keeps all of its original properties; when the user edits the embedded data, Windows activates the originating application. https://support.microsoft.com/en-us/kb/86008

MS Protections
Protections associated with macros are now standard with the Office suite, e.g. blocking the execution of macros.

But let's not forget about SE (social engineering)! Source: https://blogs.sophos.com/2015/09/28/why-word-malware-is-basic/

VBA Malware
VBA malware usually isn't self-contained; it acts as a downloader. Its purpose is to download and execute another malicious program (an EXE), and it does this silently, so the user doesn't know it's happening.
Some common techniques: URLDownloadToFile(), the XMLHTTP object.
What if the payload is embedded in the document? Finally, time to discuss obfuscation.
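The following is an added example, not code from the talk or its author: a small static triage script of the kind an analyst runs over extracted macro source (in the spirit of olevba) to flag the downloader techniques named above. The indicator lists, the category names and the sample macro (which points at a non-routable `example.invalid` host and has its fetch-and-write body elided) are my own constructions; the `Chr()` collapsing step shows why plain string matching on raw macro text misses obfuscated indicators.

```python
"""Static triage of VBA macro source for downloader / auto-execute indicators.

Added example (not from the talk). Collapses the common Chr()-concatenation
obfuscation and then reports which suspicious names and URLs are present.
"""
import re
from typing import Dict, List

# Indicator lists: my own selection built around the two techniques the talk
# names (URLDownloadToFile and the XMLHTTP object), plus auto-execute entry
# points and execution primitives. Matching is case-insensitive, like VBA.
INDICATORS: Dict[str, List[str]] = {
    "auto_exec": ["AutoOpen", "Document_Open", "Workbook_Open", "Auto_Open"],
    "downloaders": ["URLDownloadToFile", "MSXML2.XMLHTTP", "XMLHTTP",
                    "WinHttp.WinHttpRequest", "ADODB.Stream"],
    "execution": ["Shell", "WScript.Shell", "CreateObject", "ShellExecute"],
}
CHR_CALL = re.compile(r"Chr\$?\(\s*(\d+)\s*\)")
LITERAL_CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
URL = re.compile(r"https?://[^\s\"']+")


def collapse_chr(src: str) -> str:
    """Rewrite Chr(n) calls as string literals and merge '&'-joined literals.

    This undoes the most basic VBA string obfuscation so that indicators
    split across Chr() calls become visible to plain substring matching.
    (Chr(34) would produce a bare double quote and is not handled here.)
    """
    src = CHR_CALL.sub(lambda m: '"%s"' % chr(int(m.group(1))), src)
    while True:
        merged = LITERAL_CONCAT.sub(
            lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
        if merged == src:
            return src
        src = merged


def triage(src: str) -> dict:
    """Return indicator hits, URLs and a coarse verdict for one macro module."""
    plain = collapse_chr(src)
    lowered = plain.lower()
    hits = {cat: [n for n in names if n.lower() in lowered]
            for cat, names in INDICATORS.items()}
    report = {
        **hits,
        "urls": URL.findall(plain),
        "chr_obfuscation": bool(CHR_CALL.search(src)),
    }
    # Entry point + fetch capability + execution primitive is the classic
    # downloader shape the talk describes; anything else gets a human look.
    downloader = hits["auto_exec"] and hits["downloaders"] and hits["execution"]
    report["verdict"] = "likely downloader" if downloader else "review manually"
    return report


# Constructed sample macro (not real malware): the URL host is .invalid and
# the download/write body is deliberately omitted.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & "://example.invalid/" & "p.exe"
    Set o = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & Chr(50) & ".XMLHTTP")
    ' ... fetch and write-to-disk omitted ...
    Shell Environ("TEMP") & "\p.exe", vbHide
End Sub
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MACRO).items():
        print(f"{key:16} {value}")
```

Note that `MSXML2.XMLHTTP` and the full URL only appear after `collapse_chr`; matching the raw source would report a weaker picture, which is exactly the point of the obfuscation the next slide introduces.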


Obfuscation
Per Wikipedia: "Obfuscation is the obscuring of intended meaning in communication, making the message confusing, willfully ambiguous, or harder to understand."
What does that mean for us? Work!

Malicious Attachments - JavaScript
Not just Office documents and URLs; attachments may also include JavaScript.

Scan001.js

JavaScript Attachments
JS in the browser is mitigated by features such as the Same Origin Policy: JS can only download files from where it came. Browser JS can only run in the browser; it can't do things like read data from your hard drive.
However, once saved to disk, Windows will run it outside your browser using WSH (Windows Script Host): Wscript.exe (or Cscript.exe). It is treated as a normal executable.

JavaScript Attachments
Similar to the methods used in Office macros. Image source: https://nakedsecurity.sophos.com/2016/04/26/ransomware-in-your-inbox-the-rise-of-malicious-javascript-attachments

What is an Exploit Kit (EK)?
A malicious infrastructure, constantly evolving to avoid detection.
EK = a toolkit that automates the exploitation of client-side vulnerabilities. Typically targets the browser and programs that a website can invoke via the browser: Flash, Java and Adobe Reader.
An off-the-shelf software package; does not require technical proficiency.
Generally targets out-of-date software; may contain zero-day as well as known vulnerabilities.

General Flow of an EK
1. User visits a malicious site (compromised, or set up on purpose).
2. User is redirected to a malicious server.
   1. This may be via an iframe.
3. Victim lands at the EK and is served a landing page.
   1. The EK gathers info on the user and determines which exploit to deliver.
4. Exploit!
   1. If successful, malware is downloaded.
5. This last step is considered a drive-by download.

Angler EK: Concept of Operations (EK, Gate)

Angler EK
Research by Palo Alto posted in January 2016 found:
- more than 90,000 compromised websites, 30 of them in the Alexa top 100,000;
- 11 million visits per month;
- the ability of the network to update code on compromised sites (all sites?);
- the ability to target certain IPs and configurations: you may visit an infected site and not receive the malicious JS;
- very difficult to track; most URLs not identified as malicious on VT.
http://researchcenter.paloaltonetworks.com/2016/01/angler-exploit-kit-continues-to-evade-detection-over-90000-websites-compromised/

Angler EK (Palo Alto)

EK - Compromised Site: injected script in the compromised site

Which Decodes To:

If Everything Is Good - Landing Page

Landing Page

EK - Dropping Flash: what is the future of EKs with the move away from Flash?

Flash It Is...

Exploitation

And Finally Ransomware :(

Deobfuscating JavaScript
A difficult problem. JSDetox is a tool to support the manual analysis of malicious JavaScript code: it uses a browser-based interface, analyzes the JS in the backend, and provides DOM emulation.

JSDetox
Malicious JS typically makes use of the document object; this is emulated by JSDetox. You can install it on REMnux, or find the code at: http://relentless-coding.org/projects/jsdetox/

Once Installed.

Problems Though: Hmm, manually pull out the tags (I could probably script that though...)

Analysis

Analysis: you can also use your browser's built-in debugger.

Analysis: let the code de-obfuscate itself. I'll run it in a browser and then extract the <script> tags.
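As an added example (not the speaker's script), here is the "pull out the tags" step from the "Problems Though" slide and this one automated for a saved landing page: it collects every `<script>` element (external `src` and inline body), ranks inline bodies by a few obfuscation markers so the analyst knows where to start, and decodes the plain `unescape("%..")` literals that often wrap the first stage. The marker list, the helper names and the sample HTML are my own constructions; the sample script does nothing beyond building the string `alert(s)`.

```python
"""Pull <script> tags out of a saved landing page for offline analysis.

Added example (not from the talk). Uses only the standard library so it runs
on a REMnux-style analysis box without a browser.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import unquote

# Strings that commonly appear in obfuscated landing-page JavaScript; my own
# list, used only to decide which script bodies to look at first.
OBFUSCATION_MARKERS = ["eval(", "unescape(", "String.fromCharCode",
                       "charCodeAt", "atob(", "document.write("]


class ScriptExtractor(HTMLParser):
    """Collect every <script> element: its src attribute and inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, Optional[str]]] = []
        self._attrs: Dict[str, Optional[str]] = {}
        self._buf: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script, self._attrs, self._buf = True, dict(attrs), []

    def handle_data(self, data):
        # HTMLParser treats <script> content as CDATA and may deliver it in
        # several chunks, so buffer and join at the end tag.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.scripts.append({"src": self._attrs.get("src"),
                                 "body": "".join(self._buf).strip()})


def extract_scripts(html: str) -> List[Dict[str, Optional[str]]]:
    """Return [{'src': ..., 'body': ...}, ...] in document order."""
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    return parser.scripts


def markers(body: str) -> List[str]:
    """Which obfuscation markers occur in one inline script body."""
    return [m for m in OBFUSCATION_MARKERS if m in body]


_UNESCAPE_LITERAL = re.compile(
    r'unescape\(\s*"((?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2})+)"\s*\)')


def js_unescape(s: str) -> str:
    """Decode like JavaScript's unescape(): %uXXXX code units, then %XX bytes
    interpreted as Latin-1 (JS does not treat them as UTF-8)."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")


def decode_unescape_literals(body: str) -> List[str]:
    """Decode every fully-escaped string literal passed to unescape()."""
    return [js_unescape(lit) for lit in _UNESCAPE_LITERAL.findall(body)]


# Constructed sample landing page (harmless): an external script reference,
# one lightly obfuscated inline script, and one plain inline script.
SAMPLE_HTML = """<html><head><title>page</title>
<script src="https://cdn.example.invalid/lib.js"></script>
<script>
var s = String.fromCharCode(104,105);
eval(unescape("%61%6c%65%72%74%28%73%29"));
</script>
</head><body><p>hello</p>
<script type="text/javascript">document.write("ok");</script>
</body></html>"""

if __name__ == "__main__":
    for i, sc in enumerate(extract_scripts(SAMPLE_HTML)):
        print(f"[{i}] src={sc['src']} markers={markers(sc['body'])}")
        for decoded in decode_unescape_literals(sc["body"]):
            print(f"    unescape() literal decodes to: {decoded!r}")
```

The decoded literals are the starting point for the next manual round; anything built dynamically (concatenation, `fromCharCode` arithmetic) is left for the browser-debugger approach the slides describe, since emulating that statically is what makes JS deobfuscation the "difficult problem" named earlier.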

Landing Page Decode Methods

De-obfuscation