John Bambenek - Tracking Exploit Kits (8th China Cloud Computing Conference)
Tracking Exploit Kits
John Bambenek, Manager of Threat Systems, Fidelis Cybersecurity

• Manager of Threat Systems with Fidelis Cybersecurity
• Part-Time Faculty at University of Illinois in CS
• Provider of open-source intelligence feeds
• Run several takedown oriented groups and surveil threats
• Email: john.bambenek@

Why track exploit kits?
• … new malware always shows up to take its place.

Why track exploit kits?
• Law enforcement operations for cybercrime take months or years and only pursue a limited amount of threats.
• However, almost all criminal malware comes via two methods, spam botnets or exploit kits.
• What if you could smash the entire malware delivery ecosystem instead?

Why track exploit kits?
• Earlier this year, Russian authorities arrested Lurk group who had direct connections to Angler Exploit Kit (EK) operations.
• Angler EK went away overnight.
• Priority 1: Ensure current products detect new malware and changes in EKs to protect customers.
• Priority 2: Develop intelligence to track EK operators and customers to disrupt an entire ecosystem instead of one small crime group.

What is an Exploit Kit?
• Set of tools (prominently web-based) that exploit vulnerabilities in software (browser, Adobe, Java, etc) to spread malware.
• Relatively static list of exploits each kit uses and they vary.
• Rarely (but sometimes) use 0-days.
• They operate as a criminal service and "sell infections" of whatever provided malware.
• Primary defense: patch your OS and applications.

RIG Campaign IDs
• Many, but not all, malware operators use multiple means of delivery and they compartmentalize using Campaign IDs.
• Sometimes the campaign ID refers to an affiliate.
• Sometimes it's just for a specific run of their malware.
• Correlating affiliates across malware delivery mechanisms can provide interesting insights into the marketplace behind the malware delivery.

• Taking data derived from malware, you can rip configs and get information.
• Spoke about this here last year.
• Cross-correlate based on delivery method and now you have insight in who is buying service from whom.
• Now you have raw building blocks for an operation similar to what Russia did to the Lurk group that ended Angler.

• Victim clicks on (usually compromised) web page.
• There is validation of suitability.
  • Geo-blacklisting
  • Likely vulnerable browser
  • Blacklisting of suspected sandboxes, security researchers
• Victim is directed to actual exploit.
• Victim downloads and installs malware.

Magnitude to Cerber example
From – has great blogs on EK traffic

Exploit Kit URLs often have patterns
• Some older Nuclear EK URL patterns in PCRE:
• \.(su|ru)\/mod\_articles-auth.*\d\/(ajax|jquery)\/\/b\/shoe\/[0-9]{4,10}
• ^[^\/\n]{1,99}?\/url\?([\w]+=([\w\.]+)?&){5,10}url=https:\/\/[\w]+\.[a-z]{2,3}&([\w]+=([\w\.]+)?&){2,6}[\w]+=[\w\.]+$
• ^[^\/\n]{1,99}?\/search\?(?=.*[a-z]+=utf-8&)(?=.*ei=.*(\p{Ll}\p{Lu}|\p{Lu}\p{Ll}))(?=.*ei=.{20,})(?!=\/)([a-z_]{1,8}=[\w\+-\.\x20]+&?){2,5}$
• ^[^\/\n]{1,99}?\/(?-i)([a-z0-9]+\/){0,3}\d{2,3}(_|-)[a-z]+(_|-)\d+\.[a-z]{3,6}$
• ^[^\/\n]{1,99}?\/(?-i)([a-z0-9]+\/){0,3}[a-z-]+\?(([a-z_-]|[0-9]){3,}=([a-z_-]|[0-9]){3,}&){1,5}[a-z0-9_-]{2,}=[a-z0-9]{8,}$

Non-Attributable Networks
• EKs do have a tendency to block obvious security researchers and security company netblocks.
• They don't do a good job blocking commodity VPN services.
• You can pick what country you want to appear from.
• Still limits to what you can retrieve using a VPN.
• VPN inside or outside cuckoo VM?

Non-Attributable Network
• At present, there is no easy central way to manage multiple cuckoo instances that reach out to multiple geographies from the same instance.
• Solution is to run multiple physical cuckoo instances with VPN outside the VM and rotate IPs inside a geo each batch run.

• Each exploit kit has a partially overlapping but unique set of exploits they use.
• To get cuckoo to execute the exploit, some care needs to be spent in choosing the images and vulnerable software based on exploit kit.
• An older tracking spreadsheet is available at: /spreadsheet/ccc?key=0AjvsQV3iSLa1dE9EVGhjeUhvQTNReko3c2xhTmphLUE#gid=10 but a new version should be at ContagioD soon.
• Easiest way is to have a set of VM images for specific exploit kits.
• Still need to monitor for addition of new exploits.
• 0-days happen maybe once a year.

Decoding EK landing pages
• Open source tools available here: /mak/ekdeco for Neutrino, Nuclear and Angler.
• Can export config and encryption keys, intermediate flash files, and the exploit outputs that are used and save those to files.
• Requires landing pages or first SWF file (available in PCAP or via Cuckoo).

$ python neutrino.py -d out -e -i strong-special-green-tread-motive-happiness-warm-stre-slap-happy.swf
[+] embeded swf (SHA256: d977a418fa1cf5a0a78c768fade3223ead531ee25d766fa64a2e27ade0616a82) extracted, and saved to out/d977a418fa1cf5a0a78c768fade3223ead531ee25d766fa64a2e27ade0616a82.swf
[+] cfg key: uturwhahhdm820991, exploit key: czynukeclllu385015
{u'debug': {u'flash': False},
 u'exploit': {u'nw22': {u'enabled': True},
              u'nw23': {u'enabled': True},
              u'nw24': {u'enabled': True},
              u'nw25': {u'enabled': True},
              u'nw8': {u'enabled': True}},
 u'key': {u'payload': u'yykrnnfwet'},
 u'link': {u'backUrl': u'',
           u'bot': u'http://muusikkopruflin.earclearclinic.co.uk/1994/05/16/jump/loom/have-september-meal-borrow-normal.html',
           u'flPing': u'http://muusikkopruflin.earclearclinic.co.uk/wobbler/1440055/carrot-every-hasten',
           u'jsPing': u'http://muusikkopruflin.earclearclinic.co.uk/1978/12/12/alley/knock-trial-guilty-knee-younger-sigh-suffer-fault-lamp.html',
           u'pnw22': u'http://muusikkopruflin.earclearclinic.co.uk/dull/aXF4Y21nYw',
           u'pnw23': u'http://muusikkopruflin.earclearclinic.co.uk/consciousness/clever-13253660',
           u'pnw24': u'http://muusikkopruflin.earclearclinic.co.uk/hospital/d2dxY3dkZw',
           u'pnw25': u'http://muusikkopruflin.earclearclinic.co.uk/disappointment/battle-31593215',
           u'pnw8': u'http://muusikkopruflin.earclearclinic.co.uk/another/hideous-33550406',
           u'soft': u'http://muusikkopruflin.earclearclinic.co.uk/belong/animal-none-western-14473008'},
 u'marker': u'rtConfig'}
[+] Exploit saved to ….

$ xxd 7ccc54cd4e819ee0a8b291917cf321acc058ccc6e4d35ad6f21db09491e05332.ek.bin
0000000: 5a57 5312 c741 0000 6820 0000 5d00 0020  ZWS..A..h ..]..
(remaining lines of the hex dump omitted)

Other Cuckoo considerations
• Cuckoo stores tons of information, but for EKs we are only interested in getting the dropped binary.
• Turn off all the logging except that directly related to dropped files.
• Running Yara and using volatility can help quickly identify dropped files.
• Remember, use a non-attributable network. :)

Finding EK landing pages
• All this automation still has to be fed with targets to sandbox.
• Work backwards from an infection event.
• Use web proxy logs/telemetry and PCREs.
• Use a crawler.
• Trick EK to give you the initial gates.

Working backwards from an infection
• Least efficient way of doing it but in some cases (new EK, significant changes to an existing EK) it's all we can do.
• Initial gates are transient resources, so manually identifying them has limited utility.
• Also limited only by what is attacking you or your customer.

Using PCREs to hunt
• Still requires users to visit but can be programmatically pipelined into a sandbox system for relatively real time analysis.
• Everyone has a user-base and telemetry that has geographic or demographic biases that create holes in visibility.

• Inefficient because it will request more than what you are looking for.
• Crawlers are also resource intensive the broader you are looking for behavior.
• It can, however, have a global footprint and be thorough.
• Luckily, we don't have to make our own crawler when Microsoft will give Bing crawler malicious URLs to MAPP/VIA members.
• On 4 August 2016, over 26M malicious web pages were seen which Microsoft gives a 99% confidence interval to.
• Much more than EKs.

Using Bing Malicious URLs
(slide shows sample rows of the feed dated 8/4/2016: timestamp, URL, resolving IP, country code, ASN and classification such as MalwareNetwork)

Using Bing Malicious URLs
• On 4 August, 524,713 of those URLs pointed to IPs inside China.
• Number is misleading because it includes multiple URLs under same domain.
• Also flags "interesting" advertiser behavior.
• Need to filter based on the PCREs we have seen before or other alerting technology.
• We are running all these URLs through cURL with a spoofed user agent just to see request and first response.

URLs
• Dealing with compromised websites and bulk malicious behavior is hard to do.
• With proper filtering of the above, it also becomes possible to programmatically start […]ders of such content so they can start cleaning these websites […]ow servers […] Netblock Reporting Service to get alerts on malicious activity seen on your network.

Using Bing Malicious URLs
(slide shows a terminal listing of URLs pulled from the feed's TSV file)
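The Nuclear EK patterns above are written for a PCRE engine, so running them over proxy telemetry in Python's `re` needs two constructs translated. This is an added example, not code from the talk: `pcre_to_python`, `match_nuclear` and the sample URLs are my own names and constructed data; the `\p{Ll}`/`\p{Lu}` mapping to ASCII classes is an approximation that is adequate for these Latin-only URL shapes.

```python
import re

# The five Nuclear EK URL signatures quoted on the slide, copied verbatim (PCRE syntax).
NUCLEAR_PCRE = [
    r"\.(su|ru)\/mod\_articles-auth.*\d\/(ajax|jquery)\/\/b\/shoe\/[0-9]{4,10}",
    r"^[^\/\n]{1,99}?\/url\?([\w]+=([\w\.]+)?&){5,10}url=https:\/\/[\w]+\.[a-z]{2,3}&([\w]+=([\w\.]+)?&){2,6}[\w]+=[\w\.]+$",
    r"^[^\/\n]{1,99}?\/search\?(?=.*[a-z]+=utf-8&)(?=.*ei=.*(\p{Ll}\p{Lu}|\p{Lu}\p{Ll}))(?=.*ei=.{20,})(?!=\/)([a-z_]{1,8}=[\w\+-\.\x20]+&?){2,5}$",
    r"^[^\/\n]{1,99}?\/(?-i)([a-z0-9]+\/){0,3}\d{2,3}(_|-)[a-z]+(_|-)\d+\.[a-z]{3,6}$",
    r"^[^\/\n]{1,99}?\/(?-i)([a-z0-9]+\/){0,3}[a-z-]+\?(([a-z_-]|[0-9]){3,}=([a-z_-]|[0-9]){3,}&){1,5}[a-z0-9_-]{2,}=[a-z0-9]{8,}$",
]

def pcre_to_python(pattern: str) -> str:
    """Translate the PCRE-only constructs these signatures use into Python `re` syntax.
    (?-i) only switches case-insensitivity off, which is already off, so it is dropped;
    \\p{Ll}/\\p{Lu} become ASCII classes (an assumed approximation, fine for these URLs)."""
    pattern = pattern.replace("(?-i)", "")
    return pattern.replace(r"\p{Ll}", "[a-z]").replace(r"\p{Lu}", "[A-Z]")

COMPILED = [re.compile(pcre_to_python(p)) for p in NUCLEAR_PCRE]

def url_to_hostpath(url: str) -> str:
    """The signatures anchor on 'host/path?query', so strip the scheme first."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE)

def match_nuclear(url: str):
    """Return the 1-based index of the first signature that hits this URL, or None."""
    target = url_to_hostpath(url)
    for i, rx in enumerate(COMPILED, 1):
        if rx.search(target):
            return i
    return None

# Constructed proxy-log URLs (not from the slides): the first five are shaped to hit
# one signature each, the last two are benign and must not match anything.
SAMPLE_URLS = [
    "http://example-ek.su/mod_articles-auth9/ajax//b/shoe/48213",
    "http://host.example/url?a=1&b=2&c=3&d=4&e=5&url=https://site.com&f=6&g=7&h=8",
    "http://host.example/search?ie=utf-8&ei=AbCdEfGhIjKlMnOpQrStUvWx&q=test",
    "http://host.example/abc/12_foo-345.html",
    "http://host.example/ab/cd/watch?abc=def&ghi=jkl&mn=abcdefghij",
    "http://www.example.org/index.html",
    "http://host.example/search?q=nuclear+power+plant",
]

def scan(urls):
    """Map each URL to the signature number that fired (None = clean); the hits are
    the candidates to feed into the sandbox pipeline the slides describe."""
    return {u: match_nuclear(u) for u in urls}
```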
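The `ZWS` at the start of the extracted exploit's xxd dump marks an LZMA-compressed SWF, which matters when triaging Cuckoo drops: Yara over the raw file sees only compressed bytes. This added example (mine, not the talk's or ekdeco's) parses that header from the first 20 bytes shown in the dump; `parse_swf_header`, `EK_BIN_HEAD` and `must_inflate_before_scan` are assumed names.

```python
import struct

# First 20 bytes of the 7ccc54cd...ek.bin dump on the slide (hex copied from it).
EK_BIN_HEAD = bytes.fromhex("5a575312c7410000682000005d00002000003bff")

COMPRESSION = {b"FWS": None, b"CWS": "zlib", b"ZWS": "lzma"}

def parse_swf_header(data: bytes) -> dict:
    """Decode the SWF file header: magic, version, uncompressed length and, for
    ZWS files, the LZMA length/properties that follow (per the SWF file format)."""
    if len(data) < 8:
        raise ValueError("too short for an SWF header")
    magic = data[:3]
    if magic not in COMPRESSION:
        raise ValueError("not an SWF file: magic %r" % magic)
    version = data[3]
    uncompressed_len = struct.unpack_from("<I", data, 4)[0]  # little-endian u32
    info = {"compression": COMPRESSION[magic], "version": version,
            "uncompressed_len": uncompressed_len}
    if magic == b"ZWS":
        if len(data) < 17:
            raise ValueError("truncated ZWS header")
        compressed_len, props = struct.unpack_from("<IB", data, 8)
        dict_size = struct.unpack_from("<I", data, 13)[0]
        info.update(lzma_compressed_len=compressed_len, lzma_props=props,
                    lzma_dict_size=dict_size)
    return info

def must_inflate_before_scan(info: dict) -> bool:
    """CWS/ZWS bodies are compressed, so string-based Yara rules need the
    decompressed tag stream, not the file as dropped."""
    return info["compression"] is not None
```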