Malware Most Wanted: Evil Bunny
Seu SlideShare está sendo baixado.
×
Confira estes a seguir
Recomendadas
Mais Conteúdo rRelacionado
Diapositivos para si (7)
Quem viu também gostou (10)
Semelhante a MMW June 2016: The Rise and Fall of Angler (20)
Mais recentes (20)
MMW June 2016: The Rise and Fall of Angler
- 1. Rise and Fall of Angler Exploit Kit NICK BILOGORSKIY @belogor
- 2. Your speakers today Nick Bilogorskiy @belogor Sr. Director of Threat Operations Marci Kusanovich Marketing Communications Manager
- 3. Agenda o What is an Exploit Kit o Map Exploit Kits to payloads o Case Studies: Nuclear, Rig o Angler story o Wrap-up and Q&A CyphortLabsT-shirt
- 4. Housekeeping • You are on mute • Enter questions • Can order t-shirt
- 5. Threat Monitoring & Research team ________ 24X7 monitoring for malware events ________ Assist customers with their Forensics and Incident Response We enhance malware detection accuracy ________ False positives/negatives ________ Deep-dive research We work with the security ecosystem ________ Contribute to and learn from malware KB ________ Best of 3rd Party threat data
- 6. What is an Exploit Kit Exploit Kit is an easy-to-use toolkit for infecting computers over the web. It contains many exploits targeting apps like Adobe Reader, Java or Flash Player. Exploit Kit can be fitted with any malware payload.
- 7. Exploit Kit Business Model o Exploits-as-a-service platform o All browsers vulnerable o Plug in your own malware o Can defeat IDS and Antivirus o Obfuscation constantly changing o Try to drive up conversion rate to increase prices
- 8. o Exploit Kits infect you without a “click” o Angler, Sweet Orange, Nuclear, RIG Fox-it.com Exploit Kits Workflow McAfee Labs
- 9. How do Users get to Exploit Kits? Osterman research Exploit Kits Malvertising
- 10. Malvertising
- 11. Malvertising Distributes Exploit Kits df User Visits a popular website, gets infected via exploit kit Website Serves a banner Ad, sometimes malicious Attacker Creates and injects malware ads into Advertising Network Advertising Network Selects an ad based on auction, sends to the website
- 12. Redirection 1. www.articlefield.com 2. w1ns.com 3. thfire.com 5. adsppperv.com 6. www.blog-hits.com 7. tracking1112.com 8. townsearchguides.com 9. tracki112.com 10. c.feed-xml.com 11. 109.206.188.72 12. 216.172.54.28 13. scriptforclick.com 15. spreadsheets.wiaawy.eu 14. dealsadvlist.com 4. www.thfire.com
- 13. Archie Angler Astrum Blackhole Bleeding life CkVip Cool Crime Boss CritX Dotkachef Fiesta/Neosploit List of Exploit Kits Flashpack Flimkit Glazunov GongDa Grandsoft Hanjuan HiMan Infinity KaiXin LightsOut Magnitude Neutrino Nuclear NullHole Rawin Redkit RIG Sakura Sednit Styx Sweet Orange White Lotus 2013* 2014* 2015*2016* 2016* 2013*
- 14. Nuclear Russia Locky, Cryptowall Magnitude Russia Cerber, CryptXXX RIG Russia CryptoWall, TeslaCrypt Neutrino Russia CryptXXX, Necurs, Vawtrak Angler Russia CryptXXX, Locky, Teslacrypt Exploit Kit to Payload Mapping
- 15. Nuclear Exploit Kit o 10% conversion rate o 2 million victims o Installed Locky, Teslacrypt other ransomware o Disappeared in May ‘16
- 16. df 1. Compromised site 2. Landing Page o Multi-stage Javascript obfuscation o Exploit Containers o Browser Exploit (CVE-2014-6332 - IE VBScript OLE Vulnerability) o Flash exploit is not embedded in the landing page, it is downloaded and executed in a modular fashion: CVE-2016-1910, CVE-2015-7645, CVE- 2015-5122 3. Payload: ( Locky, CryptoWall ) Nuclear Flow
- 17. Nuclear Exploit Kit
- 18. Nuclear Exploit Kit
- 19. df 1. Compromised site 2. Landing Page o Browser Exploit (CVE-2014-6332 - IE VBScript OLE Vulnerability) o Flash exploit CVE-2015-5122 (Hacking Team exploit) first stage flash exploit is very obfuscated to evade static AV engine detection and confuse malware analyst. This first stage runs and loads second stage flash exploit in memory and exploit the browser’s flash plugin and infect the machine. o Decrypt the Payload: Shellcode is XOR encrypted with key: 19. 3. Payload: ( Cerber , Tofsee ) Rig Flow
- 20. Angler Exploit Kit o Discovered in 2013, quickly rose to dominate all exploit kits o 40% conversion rate (!) o Installed Locky, Teslacrypt, Kovter o $34 million annually o Went dead in June ’16 Sophos
- 21. Malware-Traffic-Analysis Angler stats Overall Angler Stats 0 2 4 6 8 10 12 14 16 18 Aug-15 Sep-15 Oct-15 Nov-15 Dec-15 Jan-16 Feb-16 Mar-16 Apr-16 May-16 Jun-16 Aug-15 Sep-15 Oct-15 Nov-15 Dec-15 Jan-16 Feb-16 Mar-16 Apr-16 May-16 Jun-16 Angler 6 5 6 7 8 8 14 17 13 11 2 Angler Stats
- 22. df 1. Compromised site 2. 3 Gates (Afraid Gate | EI Test |Pseudo Darkleech) 3. Landing Page o Browser Check o AV and VM detection o Exploit Containers o Browser Exploit (CVE-2014-6332 - IE VBScript OLE Vulnerability) o Flash Exploit (CVE-2015-3090, CVE-2015-5122, CVE-2015-5119) 4. Payload: (Teslacrypt | Locky | CryptXXX) Angler Flow
- 23. Angler Landing Page
- 24. Angler Payloads
- 25. TeslaCrypt
- 26. Timeline o Apr 12, 2016 - Blackhole's author Paunch Sentenced to 7 Years in Russian Penal Colony o June 1, 2016 – Kaspersky helps FSB arrest 50 hackers in Russia - Lurk gang, which stole 3 Billion rubles from Russian banks. Lurk was distributed by Angler! o June 7, 2016 – Angler last seen in the wild Paunch
- 27. June 2016 Arrests in Russia
- 28. The Fall of Angler in June F-Secure Labs
- 29. Fall of Angler in June TrendMicro
- 30. Cyphort Labs data: Domains which were serving Angler now serving Neutrino: o Jkanime.net o Visajourney.com o Novini.bg
- 31. Angler‘s Keys to Success Versatility. Evasion. Update speed.
- 32. Tips to Defend from Exploit Kits o Strong antispam and antiphishing procedures. o Automatic Windows updates, keep operating systems patched o Upgrade to latest version of Windows o Install patches from other software manufacturers as soon as they are distributed. o A fully patched computer behind a firewall is the best defense against Exploit Kits
- 33. Tips to Defend from Exploit Kits o Never open unsolicited emails, or unexpected attachments—even from known people. o Beware of spam-based phishing schemes. Don’t click on links in emails or instant messages. o Use a browser plug-in to block the execution of scripts and iframes
- 34. Summary 1. Exploit Kits are the most effective way today to infect user’s computers automatically at large scale. 2. Angler dominated all exploit kits throughout 2015 and 2016 until suddenly disappearing in June. 3. Arrests in Russia may have contributed to the recent decline in Angler and other russian Exploit Kits. 4. Use defense-in-depth powered by machine learning to defend from Exploit Kit attacks.
- 35. Q&A Thank You! Twitter: @belogor Previous MMW slides on cyphort.com/labs/malwares-wanted/
