Vicente Diaz - Jorge Mieres - Fuel For Pwnage

Jorge Mieres, Senior Malware Analyst

Vicente Diaz, Senior Malware Analyst April 21, 2011, Source Conference

Fuel for pwnage: Exploit kits

Introduction Something about us

Source Conference Boston 2011 PAGE 2 |

Vicente Díaz Jorge Mieres

@jorgemieres @trompi

| April 21, 2011


Exploit Packs

| April 21, 2011

What we are talking about


Exploit Kits inside!

| April 21, 2011

What we are talking about


Redirections iFrames, Badness

Surfing

Victim

Malicious server

Exploiting Attack!

| April 21, 2011


A simple plan

| April 21, 2011


Index.php

What browser is it?

What OS is it?

CVE-XXXX-XXXX

Malicious Code

Statistics

Attack process of a conventional Exploit Kit Server side

| April 21, 2011

Detecting the browser Get the browser


FirePack

| April 21, 2011

Detecting the OS Get the OS

Source Conference Boston 2011 PAGE 9 | | April 21, 2011

Choose the exploit kit And launch it


| April 21, 2011


imagen

You might have not noticed but … They are everywhere

| April 21, 2011

Exploit Kits in the media


| April 21, 2011

Back to the old times

Mpack – mid 2006 Developed by DreamCoders (russian gang) Discovered in DreamDownloader campaign First version by 700 USD 5 exploits: MDAC (CVE-2006-0003) WinZip ActiveX (CVE-2006-6884) Microsoft WebViewFolderIcon ActiveX (CVE-2006-3730) Microsoft Management Console (CVE-2006-3643) Windows Media Player Plug-In Firefox & Opera (CVE-2006-0005) Source Conference Boston 2011 PAGE 14 | | April 21, 2011

Evolution

PAGE 15 |

2006

2007 2009 2011 2010 2008

MPack

Mpack

AdPack

IcePack

Armitage

FirePack

NeoSploit

Arabella (private)

Liberty

Eleonore

Napoleon

Unique

JustExploit

Fragus

BlackHole

NeoSploit (Reload)

Impact (Ex SEO)

Siberia (Ex Napoleon)

BleedinLife

iPack

Modern

Phoenix (2.5)

Eleonore (1.6)

ElFiesta

LuckySploit

CRiMEPACK

BOMBA (private)

Source Conference Boston 2011 | April 21, 2011

Let´s see some numbers


Exploit Kits by numbers


7 out of 10 botnets use Exploit Packs

| April 21, 2011

Exploit Kits by numbers Play time

How many Exploit Kits do you think there are around?


Play time

How many servers serving these kits during 2010?


35000 +


| April 21, 2011

Play time

How many Exploits are necessary for this?


However … just in case


| April 21, 2011

Play time

How many 0 day exploits used in exploit kits?


They are just incorporated later


| April 21, 2011


Let´s check if there are vulnerabilities around

| April 21, 2011

How many vulnerable systems?

In a given period of time, it could be 100% (0-day vulns)

During 2010, exposition window was 21 days in average for Adobe Vulnerabilities.


Most common targets (1)


30%

28% 16%

8%

6% 5% 3% 3% 1%

Different targeted vulnerabilities among kits

IE Adobe Reader Java Firefox Browser complement Adobe Flash Quicktime Windows Other

| April 21, 2011

Most common targets (2)


39%

15% 15%

15%

8% 8%

New unique exploits added during 2010

Java Adobe Reader Windows IE Adobe Flash Quicktime

| April 21, 2011

Typical attacking vector


28%

27% 19%

9%

7% 3% 3% 3% 1%

Attacking vector 2010

Adobe Reader IE Java Adobe Flash Firefox Quicktime Windows Browser complement Other

| April 21, 2011

How effective are the attacks? Attacking perspective


36.16%

| April 21, 2011

How effective are the attacks? Attacking perspective


Do they need 0-days?


What is the all-time most common exploit among all kits?

CVE 2006-003 IE 6 MDAC Remote Code Execution

Phoenix 2.5, 2011 brand new release

| April 21, 2011

What makes an exploit kit successful?


What makes an exploit kit successful?

•  First Price

•  Then Exploits

•  Today Additional services: VirTest Domain reputation Special offers: Get a bullet proof domain

Also: Piracy/easy customization! Kaspersky Lab PowerPoint Template PAGE 31 | | April 21, 2011

New trends (1) Phoenix 2.5 (2011)


15 exploits

40%

20%

20%

6% 7%

7%

Target distribution

Adobe Reader Adobe Flash Java IE Windows Quicktime

| April 21, 2011



15 exploits

53%

20%

7% 13%

7%

Vulnerabilities age

Y2010 Y2009 Y2008 Y2007 Y2006

| April 21, 2011



New fresh Java exploits replace old ones

IN OUT

JAVA (Skyline) 2010 Java (JRE Calendar) 2008

Java (MIDI) 2010 Java JRE 2009

Java (javagetval) 2010 PDF newPlayer 2009

| April 21, 2011

Java as new attacking vector There is a good reason for that

87.91 % Source Conference Boston 2011 PAGE 35 | | April 21, 2011

The business behind


Evolution of business

Marketing " Underground forums

" Dedicated websites

" Social networks: Facebook / Twitter

" Pastebin

Protection and antipiracy " Malware as a service model

" Zend / IonCube

" Randomization

" Packing/polymorphism


Evolution of business


Copycats


Copycats Find the 7 differences


The future? Let me see


•  Exploiting is the business, and the business is good

•  However something is changing: increased demand on security

•  New services make the difference, added value

•  Exploits for new platforms will be common

•  Resurrection of old kits, rearmed with new stuff

| April 21, 2011 Source Conference Boston 2011 PAGE 43 |

Some conclusions

Thank You Vicente Díaz Jorge Mieres

@jorgemieres @trompi

[email protected] [email protected]

Vicente Diaz - Jorge Mieres - Fuel For Pwnage

Technology

Transcript of Vicente Diaz - Jorge Mieres - Fuel For Pwnage