EKFiddle: a framework to study Exploit Kits

Post on 21-Mar-2017


Jérôme Segura, @jeromesegura, Lead Malware Intelligence Analyst

BSides Vancouver, March 13-14, 2017

Agenda

•Quick primer on Exploit Kits and drive-by downloads

•Tools to view and capture malicious traffic

•Introducing EKFiddle for the Fiddler web debugger

•Researching and cataloging EKs with EKFiddle

Exploit Kits: a quick definition

An exploit kit is a set of tools designed to facilitate the exploitation of client-side vulnerabilities, most commonly found in browsers and their plugins, in order to execute malicious code on end users’ machines.

Exploit Kits: basic flow

Landing page -> Exploits -> Payload

Exploit Kits: some names

•Angler EK (defunct)

•Nuclear Pack (defunct)

•Astrum EK

•RIG EK

•Neutrino EK

•Sundown EK

•Magnitude EK

Drive-by campaigns: traffic to exploit kits

•Compromised websites

•EITest, Pseudo-Darkleech

•Malvertising

• [ insert various ad networks here ]

Compromised sites and Exploit Kits

Legitimate site -> Gate (optional) -> Exploit Kit -> Malware

Malvertising and Exploit Kits

Malicious ad -> Gate (optional) -> Exploit Kit -> Malware

Tools for traffic analysis

•Full packet capture (tcpdump, WireShark, etc.)

•Security Suites (Security Onion)

•IDS/IPS (Suricata)

•HTTP/S (Fiddler, Charles, etc.)

What about EK traffic only?

•Full packet captures are nice but not required

•A web debugger makes it easier to inspect/replay web traffic

•Personal preference?

EKFiddle

•Based on Telerik’s Fiddler Web Debugger

•Multi-OS compatibility via C# CustomRules

•Extends Fiddler’s ContextAction

•Adds support for custom EK regexes

The standard Fiddler UI

Extend Fiddler’s UI with EKFiddle

Set up EKFiddle: Install Fiddler

•Download and install the latest version of Fiddler from http://www.telerik.com/fiddler

•For Mac and Linux, you will need to set up the Mono framework first:

http://www.telerik.com/blogs/introducing-fiddler-for-os-x-beta-1

http://www.telerik.com/blogs/fiddler-for-linux-beta-is-here

Download EKFiddle (CustomRules.cs)

•Download/clone CustomRules.cs from the GitHub page: https://github.com/malwareinfosec/EKFiddle

• Windows (7/10): C:\Users\[username]\Documents\Fiddler2\Scripts\

• Ubuntu: /home/[username]/Fiddler2/Scripts/

• Mac: /Users/[username]/Fiddler2/Scripts/

Change the default Text Editor (optional) (Tools -> Telerik Fiddler options -> Tools)

Change the default scripting language to C# (Windows only: Tools -> Telerik Fiddler options -> Scripting)

Finalize EKFiddle’s installation

Get traffic captures

•Malware Traffic Analysis (PCAPs) http://www.malware-traffic-analysis.net/

• Broad Analysis (PCAPs) http://www.broadanalysis.com/

• PacketTotal (PCAPs) https://www.packettotal.com/

•Malware Don’t Need Coffee (SAZ) http://malware.dontneedcoffee.com/

• VirusTotal (API access required) https://www.virustotal.com/

Import traffic captures

Main features: ContextAction items

•A list of useful ‘shortcuts’

•Designed to collect IOCs and artifacts

•Inspect each session and create signatures

Check Host (pDNS, Whois) on VT

Check IP (Geo, pDNS) on VT

Extract IOCs

Extract artifacts

Main features: Regular expressions

•Regex matching in 3 different ways:

•URL patterns (URLRegexes.txt)

•Source code patterns (SourceCodeRegexes.txt)

•Server Headers patterns (HeadersRegexes.txt)

Build URL Regex (paste from clipboard)

Build source code Regex (paste from clipboard)

View/edit Regexes

Save Regexes

•One signature per line: [Name of sig] TAB [regex]

Run Regexes against traffic

Visualize results

•Each matched session is colour coded and commented

•Malware type (Landing Page, Flash Exploit, Malware Payload) is ‘guessed’ automatically
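To make the signature format and the three matching modes concrete, here is an added Python example (not EKFiddle's own C# code) that parses the one-signature-per-line "[Name of sig] TAB [regex]" files, runs URL, source-code and header regexes over a few constructed sessions, and derives a rough session type from the signature name. The signature names, patterns and sessions are invented placeholders, and the type guess is this example's own heuristic.

```python
import re
from dataclasses import dataclass

# Constructed signature files in the format the slides describe: one signature
# per line, [Name of sig] TAB [regex]. Names and patterns are placeholders.
URL_REGEXES = "Example_EK_Landing\t^https?://[^/]+/\\?[a-z]{3}=\\d{5}$\nExample_EK_Flash\t\\.swf(\\?|$)"
SOURCECODE_REGEXES = "Example_EK_Landing_JS\tdocument\\.write\\(unescape\\("
HEADERS_REGEXES = "Example_EK_Payload_Server\t^Server: ExampleServer/1\\.0$"

@dataclass
class Session:
    """Minimal stand-in for a Fiddler session: request URL, raw response headers, body."""
    url: str
    headers: str = ""
    body: str = ""

def parse_regexes(text):
    """Parse a signature file into [(name, compiled regex)]; blank and '#' lines are skipped."""
    sigs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        if "\t" not in line:
            raise ValueError(f"line {lineno}: expected [name] TAB [regex]")
        name, pattern = line.split("\t", 1)
        sigs.append((name, re.compile(pattern, re.MULTILINE)))  # MULTILINE so ^/$ work per header line
    return sigs

def guess_type(sig_name):
    """Heuristic of this example only: infer the session role from keywords in the signature name."""
    for key, label in (("Landing", "Landing Page"), ("Flash", "Flash Exploit"), ("Payload", "Malware Payload")):
        if key in sig_name:
            return label
    return "Unknown"

def run_regexes(sessions, url_sigs, src_sigs, hdr_sigs):
    """Apply each signature class to its own field; returns {session index: [(name, kind, type)]}."""
    hits = {}
    for i, s in enumerate(sessions):
        for sigs, kind, field in ((url_sigs, "URL", s.url), (src_sigs, "SourceCode", s.body), (hdr_sigs, "Headers", s.headers)):
            for name, rx in sigs:
                if rx.search(field):
                    hits.setdefault(i, []).append((name, kind, guess_type(name)))
    return hits

SESSIONS = [  # constructed traffic, not a real capture
    Session("http://example.net/?abc=12345", "HTTP/1.1 200 OK\nContent-Type: text/html", "<script>document.write(unescape('%3C'))</script>"),
    Session("http://example.net/static/app.js", "HTTP/1.1 200 OK\nContent-Type: application/javascript", "var x=1;"),
    Session("http://example.net/movie.swf?id=7", "HTTP/1.1 200 OK", ""),
    Session("http://example.net/dl.bin", "HTTP/1.1 200 OK\nServer: ExampleServer/1.0", "MZ..."),
]

def scan():
    """Run all three signature classes over the constructed sessions."""
    return run_regexes(SESSIONS, parse_regexes(URL_REGEXES), parse_regexes(SOURCECODE_REGEXES), parse_regexes(HEADERS_REGEXES))
```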

Demo

Recap

•EKFiddle extends the Fiddler web debugger for EK analysis

•Get it here: https://github.com/malwareinfosec/EKFiddle

•Questions? @jeromesegura

Thank You!