Vicente Diaz - Jorge Mieres - Fuel For Pwnage

  1. Fuel for pwnage: Exploit kits. Jorge Mieres, Senior Malware Analyst; Vicente Diaz, Senior Malware Analyst. April 21, 2011, Source Conference
  2. Introduction: Something about us. Vicente Díaz (@trompi), Jorge Mieres (@jorgemieres). PAGE 2 | Source Conference Boston 2011 | April 21, 2011
  3. Exploit Packs
  4. What we are talking about: Exploit Kits inside!
  5. What we are talking about (diagram labels): Redirections (iFrames, badness), Surfing, Exploiting, Attack!, Victim, Malicious server
  6. A simple plan
  7. Attack process of a conventional Exploit Kit, server side (diagram labels): What browser is it? What OS is it? Index.php, CVE-XXXX-XXXX, Statistics, Malicious Code
  8. Detecting the browser: get the browser (FirePack)
  9. Detecting the OS: get the OS
  10. Choose the exploit kit, and launch it
  11. You might have not noticed but … they are everywhere
  12. Exploit Kits in the media
  13. Exploit Kits in the media
  14. Back to the old times: MPack, mid 2006. Developed by DreamCoders (Russian gang). Discovered in the DreamDownloader campaign. First version sold for 700 USD. 5 exploits:
      • MDAC (CVE-2006-0003)
      • WinZip ActiveX (CVE-2006-6884)
      • Microsoft WebViewFolderIcon ActiveX (CVE-2006-3730)
      • Microsoft Management Console (CVE-2006-3643)
      • Windows Media Player Plug-In for Firefox & Opera (CVE-2006-0005)
  15. Evolution (timeline, 2006 to 2011; kit names in the order extracted from the slide): Arabella (private), Liberty, MPack, Eleonore, Modern, Napoleon, Phoenix (2.5), Unique, Eleonore (1.6), JustExploit, Fragus, Mpack, ElFiesta, BlackHole, AdPack, LuckySploit, NeoSploit (Reload), IcePack, CRiMEPACK, Impact (Ex SEO), Armitage, BOMBA (private), Siberia (Ex Napoleon), FirePack, BleedinLife, NeoSploit, iPack
  16. Let's see some numbers
  17. Exploit Kits by numbers: 7 out of 10 botnets use Exploit Packs
  18. Exploit Kits by numbers, play time: How many Exploit Kits do you think there are around?
  19. Exploit Kits by numbers, play time: How many servers serving these kits during 2010? 35000+
  20. Exploit Kits by numbers, play time: How many exploits are necessary for this? However … just in case
  21. Exploit Kits by numbers, play time: How many 0-day exploits are used in exploit kits? They are just incorporated later
  22. Let's check if there are vulnerabilities around
  23. How many vulnerable systems? In a given period of time, it could be 100% (0-day vulns). During 2010, the exposure window was 21 days on average for Adobe vulnerabilities.
  24. Most common targets (1): Different targeted vulnerabilities among kits (pie chart). Legend: IE, Adobe Reader, Java, Firefox, Browser complement, Adobe Flash, Quicktime, Windows, Other. Slice values: 30%, 28%, 16%, 8%, 6%, 5%, 3%, 3%, 1%.
  25. Most common targets (2): New unique exploits added during 2010 (pie chart). Legend: Java, Adobe Reader, Windows, IE, Adobe Flash, Quicktime. Slice values: 39%, 15%, 15%, 15%, 8%, 8%.
  26. Typical attacking vector: Attacking vector 2010 (pie chart). Legend: Adobe Reader, IE, Java, Adobe Flash, Firefox, Quicktime, Windows, Browser complement, Other. Slice values: 28%, 27%, 19%, 9%, 7%, 3%, 3%, 3%, 1%.
  27. How effective are the attacks? Attacking perspective: 36.16%
  28. How effective are the attacks? Attacking perspective
  29. Do they need 0-days? What is the all-time most common exploit among all kits? CVE-2006-0003 (IE 6 MDAC Remote Code Execution), found in Phoenix 2.5, a brand new 2011 release
  30. What makes an exploit kit successful?
  31. What makes an exploit kit successful?
      • First: price
      • Then: exploits
      • Today: additional services (VirTest, domain reputation); special offers (get a bulletproof domain); also piracy / easy customization!
  32. New trends (1): Phoenix 2.5 (2011), 15 exploits. Target distribution (pie chart). Legend: Adobe Reader, Adobe Flash, Java, IE, Windows, Quicktime. Slice values: 40%, 20%, 20%, 7%, 7%, 6%.
  33. New trends (2): Phoenix 2.5 (2011), 15 exploits. Vulnerabilities age (pie chart). Legend: Y2010, Y2009, Y2008, Y2007, Y2006. Slice values: 53%, 20%, 13%, 7%, 7%.
  34. New trends (3): Phoenix 2.5 (2011).
      IN: Java (Skyline) 2010; Java (MIDI) 2010; Java (javagetval) 2010
      OUT: Java (JRE Calendar) 2008; Java JRE 2009; PDF newPlayer 2009
      New fresh Java exploits replace old ones.
  35. Java as new attacking vector: there is a good reason for that. 87.91%
  36. The business behind
  37. The business behind
  38. Evolution of business
      • Marketing: underground forums; dedicated websites; social networks (Facebook / Twitter); Pastebin
      • Protection and antipiracy: malware as a service model; Zend / IonCube; randomization; packing/polymorphism
  39. Evolution of business
  40. Copycats
  41. Copycats: find the 7 differences
  42. The future? Let me see
  43. Some conclusions
      • Exploiting is the business, and the business is good
      • However something is changing: increased demand on security
      • New services make the difference: added value
      • Exploits for new platforms will be common
      • Resurrection of old kits, rearmed with new stuff
  44. Thank You. Vicente Díaz, vicente.diaz@kaspersky.com, @trompi. Jorge Mieres, jorge.mieres@kaspersky.com, @jorgemieres