2. ABOUT ME
§ Joe Desimone - @dez_
§ Malware Researcher at Endgame
§ BS/MS RIT; > 5 years info sec experience
§ Interested in: RE, malware, threat intelligence, endpoint hunting, and today's talk: exploit kits
3. OVERVIEW
§ Quick Primer on exploit kits
§ Maxwell high level design
§ Virtual machine configuration
§ Anti-researcher issues
§ Exploit detection
§ Post processing, signatures
§ Demo / Code
4. EXPLOIT KITS
§ Second only to malspam as an infection vector [1]
§ Lower user interaction
§ Business model – Malware as a Service.
§ Lurk example – good money when other sources dry up [2]
§ The big names: Angler, Nuclear, Neutrino, RIG, Magnitude, Sundown
§ Traffic distribution services or gates – Afraidgate, pseudo-Darkleech, EITest
6. PROBLEM: COLLECTION ON EXPLOIT KITS
§ Large enterprise – easy
• Snort/other at boundary
§ AV/endpoint company – easy
• telemetry
§ Thrifty researcher - ???
• Maxwell!
7. MAXWELL
§ Automated exploit kit collection and detection
§ Crawls the web autonomously and finds evil stuff
§ Automated analysis to determine metadata
• What kit is responsible?
• What domains and IPs are involved
15. VIRTUAL MACHINE CONFIG
§ Follow the market share
• Windows 7, Internet Explorer, Flash, Silverlight
§ Remove virtual machine tools or extensions
• Delete any drivers left behind
§ Patch levels
• What is the latest flash version commonly exploited? [5]
§ Disable WPAD, disable all updates (Windows, Flash, Silverlight), disable IE Protected Mode
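The settings on this slide, as an added example written for this page (not Maxwell's own code) that applies them to a Windows 7 guest. It assumes it runs as an administrator inside the guest, that the registry locations are the standard Windows Update policy, IE zone, Silverlight and Flash settings, and that the 32-bit Flash mms.cfg path is the relevant one (SysWOW64 on an x64 guest). Removing VM tools and their leftover drivers stays a manual step.

```python
"""Added example (not Maxwell's own code): apply the bait-VM settings from the
slide above on a Windows 7 guest.

Assumptions: run as an administrator inside the guest; the registry locations
are the standard Windows Update, IE zone, Silverlight and Flash settings; the
mms.cfg path is the 32-bit one (SysWOW64 on an x64 guest). Removing VM tools
and leftover drivers is still manual.
"""
import os
import subprocess
import sys
from typing import List

# (hive, subkey, value name, winreg type name, data)
REGISTRY_EDITS = [
    # Windows Update policy: never patch the bait
    ("HKLM", r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU",
     "NoAutoUpdate", "REG_DWORD", 1),
    # IE Protected Mode off for the Internet zone (zone 3): value 2500 = 3
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",
     "2500", "REG_DWORD", 3),
    # Silverlight: UpdateMode 2 = never check for updates
    ("HKLM", r"SOFTWARE\Microsoft\Silverlight", "UpdateMode", "REG_DWORD", 2),
]

# Services to stop and disable: Windows Update and the WinHTTP WPAD client
SERVICES_TO_DISABLE = ["wuauserv", "WinHttpAutoProxySvc"]

# Flash Player reads mms.cfg at startup; these lines switch off its updater
FLASH_MMS_CFG = r"C:\Windows\SysWOW64\Macromed\Flash\mms.cfg"
FLASH_MMS_CFG_LINES = ["AutoUpdateDisable=1", "SilentAutoUpdateEnable=0"]

# IE's "Automatically detect settings" (WPAD) is bit 0x08 of byte 8 in the
# DefaultConnectionSettings binary blob; bytes 4..7 are a change counter.
CONNECTIONS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
WPAD_AUTODETECT_FLAG = 0x08


def clear_wpad_autodetect(blob: bytes) -> bytes:
    """Return a copy of the blob with WPAD auto-detect cleared and the
    change counter bumped so IE notices the edit."""
    if len(blob) < 9:
        raise ValueError("DefaultConnectionSettings blob too short")
    b = bytearray(blob)
    b[8] &= 0xFF ^ WPAD_AUTODETECT_FLAG
    counter = (int.from_bytes(b[4:8], "little") + 1) & 0xFFFFFFFF
    b[4:8] = counter.to_bytes(4, "little")
    return bytes(b)


def planned_actions() -> List[str]:
    """Human-readable list of every change apply() would make."""
    actions = [f"{hive}\\{subkey} ! {name} = {data} ({kind})"
               for hive, subkey, name, kind, data in REGISTRY_EDITS]
    actions.append(f"HKCU\\{CONNECTIONS_KEY} ! DefaultConnectionSettings: "
                   f"clear flag 0x{WPAD_AUTODETECT_FLAG:02x}")
    actions += [f"sc config {svc} start= disabled" for svc in SERVICES_TO_DISABLE]
    actions.append(f"{FLASH_MMS_CFG}: " + "; ".join(FLASH_MMS_CFG_LINES))
    return actions


def apply(dry_run: bool = True) -> List[str]:
    """Apply the changes on a Windows guest; elsewhere, or with dry_run, only list them."""
    actions = planned_actions()
    if dry_run or sys.platform != "win32":
        return actions
    import winreg  # Windows only
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for hive, subkey, name, kind, data in REGISTRY_EDITS:
        with winreg.CreateKeyEx(hives[hive], subkey, 0, winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, name, 0, getattr(winreg, kind), data)
    access = winreg.KEY_READ | winreg.KEY_SET_VALUE
    with winreg.OpenKeyEx(hives["HKCU"], CONNECTIONS_KEY, 0, access) as key:
        blob, _ = winreg.QueryValueEx(key, "DefaultConnectionSettings")
        winreg.SetValueEx(key, "DefaultConnectionSettings", 0, winreg.REG_BINARY,
                          clear_wpad_autodetect(blob))
    for svc in SERVICES_TO_DISABLE:
        subprocess.run(["sc", "stop", svc], check=False)
        subprocess.run(["sc", "config", svc, "start=", "disabled"], check=True)
    os.makedirs(os.path.dirname(FLASH_MMS_CFG), exist_ok=True)
    with open(FLASH_MMS_CFG, "a", encoding="ascii") as f:
        f.write("\n".join(FLASH_MMS_CFG_LINES) + "\n")
    return actions


if __name__ == "__main__":
    # Dry run by default; pass --apply inside the guest to make the changes
    for line in apply(dry_run="--apply" not in sys.argv):
        print(line)
```

The WPAD flag is the one people usually miss: unticking "Automatically detect settings" in the IE dialog only works because IE rewrites that byte and bumps the counter, so a script that edits the blob has to do both. Snapshot the VM after running this and before the first crawl.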
17. EXPLOIT DETECTION
§ ROP Detection – used to be great, not so much anymore
• Call stack walking, stack pivot checks
§ EAF++
• Improves upon EMET EAF+ techniques to catch evasions [8]
• Guard pages on the MZ header, EAT and IAT
• Catch shellcode and memory disclosures (read primitives)
18. EXPLOIT DETECTION cont.
§ Behavioral
• File and registry writes
• New process creation
• Researcher evasion detection
§ Turn this into high confidence data
• Customizable whitelisting of benign activity
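The behavioral side of this slide, as an added example written for this page (not Maxwell's own code): raw sandbox events (file and registry writes, process creation, reads of VM artifacts) are reduced to a verdict by whitelisting the noise the bait browser produces on its own and flagging researcher-evasion probes. The event format, the whitelist entries and the VM-artifact names are constructed for a Windows 7 / IE image and would be tuned per image.

```python
"""Added example (not Maxwell's own code): reduce raw sandbox events to a
high-confidence verdict.

Assumptions: events arrive as dicts with type, process and target; the
whitelist and VM-artifact lists below are constructed for a Windows 7 / IE
bait image and would be tuned per image.
"""
import re
from typing import Dict, Iterable, List

# Activity the bait browser produces on its own. Regexes over
# "type|process|target"; anything not matched is reported.
WHITELIST = [
    r"^file_write\|iexplore\.exe\|.*\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\",
    r"^file_write\|iexplore\.exe\|.*\\AppData\\Roaming\\Macromedia\\Flash Player\\",
    r"^registry_write\|iexplore\.exe\|HKCU\\Software\\Microsoft\\Internet Explorer\\",
    r"^process_create\|explorer\.exe\|.*\\iexplore\.exe$",
    r"^process_create\|iexplore\.exe\|.*\\iexplore\.exe$",  # IE tab processes
]

# Names a kit or its payload looks for to decide it is being watched.
# Reads of these are the signal; the list is a constructed VMware/VirtualBox sample.
EVASION_PROBES = [
    r"\\vmware", r"\\vbox", r"VBoxGuest", r"vmmouse", r"vmhgfs", r"VBoxSF",
    r"HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__",
]

_WHITELIST_RE = [re.compile(p, re.IGNORECASE) for p in WHITELIST]
_PROBE_RE = re.compile("|".join(EVASION_PROBES), re.IGNORECASE)
_READS = ("file_read", "registry_read")
_EXEC_SUFFIXES = (".exe", ".dll", ".scr")


def classify(event: Dict[str, str]) -> str:
    """'benign', 'suspicious' or 'evasion_probe' for one event."""
    if event["type"] in _READS:
        # Reads are too noisy to whitelist; only the VM-artifact probes matter
        return "evasion_probe" if _PROBE_RE.search(event["target"]) else "benign"
    key = f"{event['type']}|{event['process']}|{event['target']}"
    if any(rx.search(key) for rx in _WHITELIST_RE):
        return "benign"
    return "suspicious"


def score(events: Iterable[Dict[str, str]]) -> Dict[str, object]:
    """Keep the non-benign events and derive a verdict:
    'exploited' needs both a dropped executable and an unexpected new process."""
    hits: List[Dict[str, str]] = []
    for e in events:
        label = classify(e)
        if label != "benign":
            hits.append({**e, "label": label})
    dropped_exe = any(h["type"] == "file_write"
                      and h["target"].lower().endswith(_EXEC_SUFFIXES) for h in hits)
    new_process = any(h["type"] == "process_create" for h in hits)
    if dropped_exe and new_process:
        verdict = "exploited"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "evasion_probe": any(h["label"] == "evasion_probe" for h in hits),
        "events": hits,
    }


# Constructed event stream: normal IE noise, a VM check, then a drop-and-run.
SAMPLE_EVENTS = [
    {"type": "process_create", "process": "explorer.exe",
     "target": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"type": "file_write", "process": "iexplore.exe",
     "target": r"C:\Users\bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A1B2C3D4\index[1].htm"},
    {"type": "file_write", "process": "iexplore.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\X9Y8Z7\settings.sol"},
    {"type": "registry_read", "process": "iexplore.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxSF"},
    {"type": "file_write", "process": "iexplore.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\rad3F2A1.tmp.exe"},
    {"type": "process_create", "process": "iexplore.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\rad3F2A1.tmp.exe"},
]

if __name__ == "__main__":
    result = score(SAMPLE_EVENTS)
    print(result["verdict"], "| evasion probe:", result["evasion_probe"])
    for h in result["events"]:
        print(" ", h["label"], h["type"], h["process"], "->", h["target"])
```

Whitelisting writes and process creation rather than reads is deliberate: a browser reads thousands of files and keys per page, but writes outside its cache and a new process that is not another IE tab are rare enough that the residue is a usable signal. The evasion-probe list is kept separate so a session that checked for VM artifacts and then went quiet is still reported, even though nothing was dropped.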
19. POST PROCESSING
§ PCAP – run tcpflow to reassemble each TCP stream into a file
§ Regex across GET/POST requests
§ All files scanned with yara
• From traffic, dropped in VM, and shellcode
§ Signature tips:
• Compare samples over time
• Focus on the exploits; use JPEXS Free Flash Decompiler (FFDec) for the Flash ones
• Follow @kafeine, @malware_traffic, and @BroadAnalysis
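The post-processing pipeline on this slide, as an added example written for this page (not Maxwell's own code): it walks tcpflow output, pulls every GET/POST request line with its Host header, runs URL regexes over the paths and, when yara-python is installed, scans a body with yara. The tcpflow file-naming convention is the real one; the flow contents and the URL regexes are constructed stand-ins, not real kit signatures.

```python
"""Added example (not Maxwell's own code): post-process tcpflow output.

Walks reassembled streams, pulls each GET/POST request line and its Host,
matches constructed URL regexes (stand-ins for real kit signatures) and,
when yara-python is installed, scans a body with yara. The flow contents
below are constructed; the tcpflow naming convention is the real one.
"""
import re
from typing import Dict, List, Optional, Tuple

# tcpflow names each reassembled stream src.port-dst.port with zero-padded
# octets and ports, e.g. 192.168.001.010.49152-093.184.216.034.00080
FLOW_NAME_RE = re.compile(
    r"^(?P<sip>\d{3}(?:\.\d{3}){3})\.(?P<sport>\d{5})-"
    r"(?P<dip>\d{3}(?:\.\d{3}){3})\.(?P<dport>\d{5})$"
)
REQUEST_LINE_RE = re.compile(rb"^(GET|POST) (\S+) HTTP/1\.[01]\r?$", re.M)
HOST_RE = re.compile(rb"^Host: (\S+)\r?$", re.M)

# Illustrative landing-page / gate URL shapes. Constructed for this example;
# real ones come from comparing samples over time.
URL_SIGNATURES = {
    "ek_landing_long_token": re.compile(r"^/[a-z0-9]{30,}$", re.I),
    "ek_gate_query": re.compile(r"^/[a-z]+\.php\?(?:id|q|s)=[a-z0-9]{16,}", re.I),
}


def parse_flow_name(name: str) -> Optional[Dict[str, object]]:
    """Recover endpoints from a tcpflow file name; None if it is not one."""
    m = FLOW_NAME_RE.match(name)
    if not m:
        return None
    unpad = lambda ip: ".".join(str(int(o)) for o in ip.split("."))
    return {"src": unpad(m["sip"]), "sport": int(m["sport"]),
            "dst": unpad(m["dip"]), "dport": int(m["dport"])}


def extract_requests(flow: bytes) -> List[Tuple[str, str, str]]:
    """(method, path, host) for every request line in a client->server stream."""
    out = []
    for m in REQUEST_LINE_RE.finditer(flow):
        h = HOST_RE.search(flow, m.end())  # first Host header after this line
        host = h.group(1).decode("latin-1") if h else ""
        out.append((m.group(1).decode("ascii"), m.group(2).decode("latin-1"), host))
    return out


def match_urls(requests: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    hits = []
    for method, path, host in requests:
        for sig, rx in URL_SIGNATURES.items():
            if rx.search(path):
                hits.append({"sig": sig, "method": method, "host": host, "path": path})
    return hits


def yara_scan(data: bytes, rules_source: str) -> Optional[List[str]]:
    """Matched rule names, or None when yara-python is not installed."""
    try:
        import yara
    except ImportError:
        return None
    return [m.rule for m in yara.compile(source=rules_source).match(data=data)]


def process(flows: Dict[str, bytes]) -> Dict[str, object]:
    """Aggregate contacted hosts, server IPs and URL-signature hits over flows."""
    report = {"hosts": set(), "ips": set(), "hits": []}
    for name, data in flows.items():
        meta = parse_flow_name(name)
        if meta is None:
            continue
        reqs = extract_requests(data)
        if not reqs:
            continue  # server->client half of the stream, or not HTTP
        report["ips"].add(meta["dst"])
        report["hosts"].update(h for _, _, h in reqs if h)
        for hit in match_urls(reqs):
            report["hits"].append({**hit, "ip": meta["dst"]})
    return report


# Constructed client->server streams: a compromised site, a gate, a landing page.
SAMPLE_FLOWS = {
    "192.168.001.010.49152-093.184.216.034.00080": (
        b"GET /index.php HTTP/1.1\r\nHost: news.example\r\n\r\n"
        b"GET /tds.php?id=a1b2c3d4e5f60718293a HTTP/1.1\r\nHost: gate.example\r\n\r\n"
    ),
    "192.168.001.010.49153-203.000.113.005.00080": (
        b"GET /k9m2x8q4w7e1r5t3y6u0i2o4p8a1s3d5f7g9 HTTP/1.1\r\nHost: landing.example\r\n\r\n"
        b"POST /upload HTTP/1.1\r\nHost: landing.example\r\nContent-Length: 0\r\n\r\n"
    ),
}

if __name__ == "__main__":
    rep = process(SAMPLE_FLOWS)
    print("ips:", sorted(rep["ips"]), "hosts:", sorted(rep["hosts"]))
    for hit in rep["hits"]:
        print(" ", hit["sig"], hit["ip"], hit["host"], hit["path"])
```

Run it over the directory tcpflow wrote (one `bytes` value per file) instead of `SAMPLE_FLOWS`; the file name alone gives the IP side of the slide's "what domains and IPs are involved" question, and the Host headers give the domain side. Dropped files and carved shellcode go through `yara_scan` with the same rule set used on the traffic.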
20. PUTTING IT ALL TOGETHER
§ Setup your infrastructure
• vSphere, RabbitMQ server, Elasticsearch server
§ Websites to browse
• Top websites
• Sites previously compromised
• User submitted
24. SUMMARY
§ Maxwell - Fully automated exploit kit discovery and analysis
§ For the red teamers in the audience
• Something to be said for the efficiency of exploit kits for gaining access
• There is value in learning from their techniques
• Adversary emulation
§ Code: https://github.com/endgameinc/Maxwell
• MIT license