
Hunting Exploit Kit


Ramadhan Amizudin

May 13, 2017
Transcript

  1. MYSELF
     ❏ Ahmad Ramadhan Amizudin
     ❏ Analyst at MyCERT, CyberSecurity Malaysia
     ❏ LebahNET (Honeynet) & Exploit Kit Researcher
     ❏ Twitter: @RempahRz
  2. Agenda
     ❏ Exploit Kit 101
     ❏ High Level Design
     ❏ Signature / Log Sample
     ❏ Challenge / Issue
     ❏ Summary
  3. Introduction
     ❏ Exploit kit: a toolkit that automates the exploitation of client-side vulnerabilities
     ❏ Client-side exploitation: the browser and its plugins
     ❏ Low-to-zero user interaction
     ❏ Usually exploits already-patched vulnerabilities, occasionally a zero-day
     ❏ Victims arrive through a Traffic Distribution Service (TDS) / redirect campaign, e.g. EITest, AfraidGate, pseudoDarkLeech
     ❏ Payload: ransomware, banking trojan, botnet client, etc.
  4. Problem: Getting hands on Exploit Kits
     ❏ Large enterprise: web transaction logs, full packet capture, etc. at the gateway level
     ❏ AV / security company: telemetry
     ❏ Researcher: ???
  5. EK Hunting with an Open Proxy Server
     ❏ Full HTTP traffic information is logged, e.g. referer, headers, body content
     ❏ Scan the URL
     ❏ Scan the content
  6. Architecture - Proxy
     Proxy Server
     ➢ Using Squid Proxy (http://www.squid-cache.org)
     ➢ Well documented
     ➢ Huge community
     ➢ Supports the Internet Content Adaptation Protocol (ICAP)
  7. Architecture - ICAP
     ICAP Server
     ➢ Server written in Python
     ➢ Built-in YARA scanner
     ➢ HTTP request information stored in JSON format
  8-9. Configuration - Squid
     icap_enable on                       # Enable ICAP
     icap_preview_enable off
     icap_send_client_ip on               # Forward the client IP to the ICAP service
     icap_service_failure_limit -1        # Fault tolerance: -1 = unlimited failures tolerated
     icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/yara
                                          # respmod_precache = vectoring point
                                          # bypass=0 = service is treated as essential
                                          # icap://127.0.0.1:1344/yara = service URI
     adaptation_access service_resp allow all   # Send all clients' traffic to the ICAP service

     Note: with bypass=0 a failing ICAP service is fatal to the transaction, so if the
     scanner dies Squid returns errors to clients instead of silently passing traffic through.
  10. Configuration - ICAP
     [config]
     content_rules = ./rules/content.yar
     url_rules = ./rules/url.yar
     content_dir = ./save/
     scan_url = True

     ➢ content_rules / url_rules: rules location (YARA rules for response content and for URLs)
     ➢ content_dir: HTTP logs location (where the stored request/response records go)
     ➢ scan_url: scan the URL as well as the content
  11. Putting It All Together
     ❏ Set up your infrastructure: Squid proxy and ICAP server
     ❏ Write signatures: analyze samples; focus on the content, e.g. the iframe generated by JavaScript
     ❏ Follow @kafeine, @malware_traffic, @nao_sec and @BroadAnalysis
  12. Fake Chrome Popup (HoeflerText Font)
     rule EITest_FakeChromePopup
     {
         meta:
             description = "EITest Fake Chrome Popup"
             ref = "http://blog.rz.my/2017/02/yara-rule-for-eitest-fake-chrome-popup.html"
             author = "[email protected]"
             version = "1"
         strings:
             $a = "(!!window.chrome && !!window.chrome.webstore)" nocase
             $c = "search=unescape('%2F%5B%5E%3C%3E%5C%5C%6E%5C%5C%73%5D%2F%69%67%6D')" nocase
             $d = "result[i].replace(eval(search),'�')" nocase
         condition:
             all of them
     }
  13. Result Log Sample
     [2017-04-06 17:20:20,583][YaraICAP][INFO] [Content][ec55a79984b7ceb1d21ae62d7c936e2c][EITest_FakeChromePopup] 128.199.xx.xx - http://amaz0ns.com/
     [2017-04-06 17:30:23,786][YaraICAP][INFO] [URL][be630919f86b944acf7734975358f26a][EK_RigV_URL] 28.199.xx.xx - http://help.bearingsofaugusta.com/?oq=h9_YuJbpVP1G0jBGBewI1noxVWgkTpqqmihTczEfOicGE_BLeNwl1z6LRVvQ42w&ct=kulture&qtuif=5576&q=wHrQMvXcJwDPFYbGMvrESaNbNknQA0KPxpH2_drZdZqxKGni1Ob5UUSk6FiCEh3
  14. Result Log Sample (fields)
     [2017-04-06 17:20:20,583]             Timestamp
     [YaraICAP] [INFO]                     Logger and log level
     [Content]                             Where the rule matched: URL or Content
     [ec55a79984b7ceb1d21ae62d7c936e2c]    Content MD5 hash
     [EITest_FakeChromePopup]              Name of the matching rule
     128.199.xx.xx - http://amaz0ns.com/   Client IP and requested URL
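The log layout above is what a hunter greps through at the end of the day, so here is a small triage script for it. This is an added example, not code from the deck or from the YaraICAP server: it parses lines in the slide-13/14 format, pivots hits by rule and landing host, counts distinct content variants per rule (identical injected script on many pages hashes to one MD5), and lists clients that produced both a Content hit and a URL hit, which is the redirect chain actually working on a client. The sample log, host names (`compromised-site.example`, `gate.example`), client addresses and hashes are constructed placeholders.

```python
"""Triage the YaraICAP hunting log: parse hits, pivot by rule and host (added example)."""
import hashlib
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Layout from slides 13-14: [timestamp][logger][level] [URL|Content][md5][rule] client - url
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[YaraICAP\]\[(?P<level>\w+)\] "
    r"\[(?P<where>URL|Content)\]\[(?P<md5>[0-9a-f]{32})\]\[(?P<rule>[^\]]+)\] "
    r"(?P<client>\S+) - (?P<url>\S+)$"
)

# Constructed sample log: placeholder hosts, RFC 5737 client addresses, hashes computed here.
_H1 = hashlib.md5(b"injected-script-variant-1").hexdigest()
_H2 = hashlib.md5(b"rig-landing-url").hexdigest()
SAMPLE_LOG = f"""\
[2017-04-06 17:20:20,583][YaraICAP][INFO] [Content][{_H1}][EITest_FakeChromePopup] 192.0.2.10 - http://compromised-site.example/
[2017-04-06 17:20:21,101][YaraICAP][INFO] [Content][{_H1}][EITest_FakeChromePopup] 192.0.2.11 - http://compromised-site.example/news/
[2017-04-06 17:30:23,786][YaraICAP][INFO] [URL][{_H2}][EK_RigV_URL] 192.0.2.10 - http://gate.example/?oq=abc&ct=kulture&q=def
[2017-04-06 17:31:00,000][YaraICAP][DEBUG] scanning http://benign.example/
"""


def parse_line(line: str):
    """Return the fields of one hit line, or None for lines that are not hits."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text: str) -> list:
    """All hit records in a log text, in file order; non-hit lines are dropped."""
    return [hit for hit in map(parse_line, text.splitlines()) if hit]


def summarize(hits: list) -> dict:
    """Pivot the hits the way a hunter would before pulling the stored JSON records."""
    by_rule_host = Counter((h["rule"], urlparse(h["url"]).hostname) for h in hits)
    # The same injected content on many pages hashes to one md5: count distinct variants per rule.
    variants = defaultdict(set)
    for h in hits:
        if h["where"] == "Content":
            variants[h["rule"]].add(h["md5"])
    # Clients with both an injected-page hit and a URL-rule hit: the redirect chain reached them.
    content_clients = {h["client"] for h in hits if h["where"] == "Content"}
    url_clients = {h["client"] for h in hits if h["where"] == "URL"}
    return {
        "hits": dict(by_rule_host),
        "content_variants": {rule: len(s) for rule, s in variants.items()},
        "chained_clients": sorted(content_clients & url_clients),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```

The regex is anchored on the literal `[YaraICAP]` and on a 32-hex-digit MD5, so lines from other loggers or levels without a hit payload (like the DEBUG line in the sample) are ignored rather than mis-parsed.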
  15. Stored HTTP Request Information
     {
       "content": "[hex encoded server response body]",
       "request_header": {
         "host": [ "help.[redacted].com" ],
         "referer": [ "http://[redacted].com/" ],
         -- snip --
       },
       "response_header": {
         "server": [ "nginx/1.6.2" ],
         -- snip --
       },
       "rules": [ "EK_RigV_URL" ]
     }
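To make the ICAP side of slides 7, 10, 12 and 15 concrete, here is a minimal passive RESPMOD handler. This is an added example, not the deck's YaraICAP code: it splits a RESPMOD request into the ICAP headers and the encapsulated HTTP request/response using the `Encapsulated` offsets (RFC 3507), de-chunks the body, scans it, and produces both the JSON-style record of slide 15 and the log line of slide 13. It assumes Squid's `X-Client-IP` header (what `icap_send_client_ip on` adds) and a placeholder host `fake-popup.example`; the slide-12 YARA rule is re-expressed as three case-insensitive substrings that must all occur, a stand-in for yara-python so the example runs without it. URL rules are left out because the deck does not reproduce `url.yar`.

```python
"""Passive ICAP RESPMOD scanner in the style of the deck's YaraICAP service (added example)."""
import hashlib
from datetime import datetime

# Stand-in for ./rules/content.yar: the slide-12 rule as substrings that must ALL occur,
# matched case-insensitively ("nocase" / "all of them"). Swap in yara-python for real rules.
CONTENT_RULES = {
    "EITest_FakeChromePopup": [
        "(!!window.chrome && !!window.chrome.webstore)",
        "search=unescape('%2F%5B%5E%3C%3E%5C%5C%6E%5C%5C%73%5D%2F%69%67%6D')",
        "result[i].replace(eval(search),'\ufffd')",  # U+FFFD, the rule's $d
    ]
}

def parse_headers(block: bytes) -> dict:
    """HTTP/ICAP header block -> {lower-cased name: [values]}; the start line is skipped."""
    headers = {}
    for line in block.decode("latin-1").split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def dechunk(data: bytes) -> bytes:
    """Decode a chunked body (ICAP always chunk-encodes the encapsulated body)."""
    out, pos = [], 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return b"".join(out)
        out.append(data[eol + 2:eol + 2 + size])
        pos = eol + 2 + size + 2  # skip chunk data plus its trailing CRLF

def scan_content(body: bytes) -> list:
    """Names of all content rules whose strings all occur (ASCII case-folded, like nocase)."""
    hay = body.lower()
    return [name for name, strings in CONTENT_RULES.items()
            if all(s.encode("utf-8").lower() in hay for s in strings)]

def log_line(where: str, body: bytes, rule: str, client_ip: str, url: str, ts: str) -> str:
    """One line in the deck's [ts][YaraICAP][INFO] [Where][md5][rule] client - url layout."""
    return (f"[{ts}][YaraICAP][INFO] [{where}][{hashlib.md5(body).hexdigest()}]"
            f"[{rule}] {client_ip} - {url}")

def handle_respmod(msg: bytes, ts: str = None) -> tuple:
    """Parse one RESPMOD request -> (ICAP status, record to store as JSON, log lines).

    Like the deck's scanner this is passive: it always answers 204 (pass the response
    through unmodified) and only records what matched.
    """
    icap_hdr, _, payload = msg.partition(b"\r\n\r\n")
    icap = parse_headers(icap_hdr)
    # Encapsulated: req-hdr=0, res-hdr=N, res-body=M  (byte offsets into the payload)
    offsets = {k.strip(): int(v) for k, v in
               (part.split("=") for part in icap["encapsulated"][0].split(","))}
    req_hdr = payload[offsets["req-hdr"]:offsets["res-hdr"]]
    res_hdr = payload[offsets["res-hdr"]:offsets["res-body"]]
    body = dechunk(payload[offsets["res-body"]:])

    req_headers, res_headers = parse_headers(req_hdr), parse_headers(res_hdr)
    target = req_hdr.split(b"\r\n", 1)[0].decode("latin-1").split(" ")[1]
    url = target if target.startswith("http") else "http://" + req_headers["host"][0] + target
    client_ip = icap.get("x-client-ip", ["?"])[0]  # set by Squid's icap_send_client_ip on

    rules = scan_content(body)
    record = {"content": body.hex(), "request_header": req_headers,
              "response_header": res_headers, "rules": rules}
    ts = ts or datetime.now().strftime("%Y-%m-%d %H:%M:%S,%f")[:-3]
    return 204, record, [log_line("Content", body, r, client_ip, url, ts) for r in rules]

def build_respmod(client_ip: str, req_hdr: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """Assemble a RESPMOD request shaped like Squid's (test helper, not Squid code)."""
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    enc = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    icap = (f"RESPMOD icap://127.0.0.1:1344/yara ICAP/1.0\r\nHost: 127.0.0.1\r\n"
            f"X-Client-IP: {client_ip}\r\nEncapsulated: {enc}\r\n\r\n").encode("latin-1")
    return icap + req_hdr + res_hdr + chunked

# Constructed sample traffic: placeholder hosts; the body carries the three rule strings.
SAMPLE_REQ = (b"GET http://fake-popup.example/ HTTP/1.1\r\nHost: fake-popup.example\r\n"
              b"Referer: http://search.example/\r\n\r\n")
SAMPLE_RES = b"HTTP/1.1 200 OK\r\nServer: nginx/1.6.2\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_BODY = (
    "<html><script>\n"
    "if (!!window.chrome && !!window.chrome.webstore) {\n"
    "  search=unescape('%2F%5B%5E%3C%3E%5C%5C%6E%5C%5C%73%5D%2F%69%67%6D');\n"
    "  for (i = 0; i < result.length; i++) result[i].replace(eval(search),'\ufffd');\n"
    "}\n</script></html>"
).encode("utf-8")

if __name__ == "__main__":
    status, record, lines = handle_respmod(
        build_respmod("192.0.2.10", SAMPLE_REQ, SAMPLE_RES, SAMPLE_BODY))
    print(status, record["rules"], *lines, sep="\n")
```

The record keeps the raw body as hex and the headers as lists of values, which is the shape shown on slide 15 and lets you replay the exact page later. Storing every response, not just matches, is what makes the proxy expensive (slide 16); this version only builds the record in memory and leaves the "store everything or store hits only" policy to the caller.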
  16. Challenge / Issue
     ❏ Expensive (bandwidth, computation, resources)
     ❏ Legal issues: an open proxy gets abused (fraud cases, brute-force attacks, etc.)
     ❏ Exploit kits / TDS block the proxy's IP
  17. References
     1. https://blog.brillantit.com/exposing-eitest-campaign/
     2. https://www.endgame.com/blog/hunting-exploit-kits
     3. https://www.trendmicro.com/vinfo/us/security/definition/exploit-kit
     4. http://malware-traffic-analysis.net/
     5. http://malware.dontneedcoffee.com/
     6. http://www.broadanalysis.com/
     7. http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-angler-exploit-kit-part-1-exploit-kit-fundamentals/