4. What we are talking about
Exploit Kits
inside!
PAGE 4 | Source Conference Boston 2011 | April 21, 2011
5. What we are talking about
[Diagram: a surfing victim is sent through redirections and iFrames to a malicious server, which launches the exploiting attack]
7. Attack process of a conventional Exploit Kit
[Diagram, server side: index.php asks "What browser is it?" and "What OS is it?", serves the matching malicious code (CVE-XXXX-XXXX), and records statistics]
8. Detecting the browser
[Screenshot: browser-detection code ("Get the browser") from FirePack]
9. Detecting the OS
[Screenshot: OS-detection code ("Get the OS")]
10. Choose the exploit kit
And launch it
11. You might have not noticed but … They are everywhere
12. Exploit Kits in the media
13. Exploit Kits in the media
14. Back to the old times
Mpack – mid 2006
Developed by DreamCoders (Russian gang)
Discovered in DreamDownloader campaign
First version sold for 700 USD
5 exploits:
MDAC (CVE-2006-0003)
WinZip ActiveX (CVE-2006-6884)
Microsoft WebViewFolderIcon ActiveX (CVE-2006-3730)
Microsoft Management Console (CVE-2006-3643)
Windows Media Player Plug-In Firefox & Opera (CVE-2006-0005)
15. Evolution
[Timeline 2006-2011 of exploit kits: Mpack, AdPack, IcePack, Armitage, FirePack, NeoSploit, ElFiesta, LuckySploit, CRiMEPACK, BOMBA (private), BleedinLife, iPack, BlackHole, NeoSploit (Reload), Impact (Ex SEO), Siberia (Ex Napoleon), Arabella (private), Liberty, Eleonore, Modern, Napoleon, Phoenix (2.5), Unique, Eleonore (1.6), JustExploit, Fragus]
16. Let's see some numbers
17. Exploit Kits by numbers
7 out of 10 botnets
use Exploit Packs
18. Exploit Kits by numbers
Play time
How many Exploit Kits do you think there are around?
19. Exploit Kits by numbers
Play time
How many servers serving these kits during 2010?
35000 +
20. Exploit Kits by numbers
Play time
How many Exploits are necessary for this?
However … just in case
21. Exploit Kits by numbers
Play time
How many 0 day exploits used in exploit kits?
They are just incorporated later
22. Let's check if there are vulnerabilities around
23. How many vulnerable systems?
In a given period of time, it could be 100% (0-day vulns)
During 2010, the exposure window for Adobe vulnerabilities was 21 days on average.
24. Most common targets (1)
Different targeted vulnerabilities among kits
[Pie chart; legend: Adobe Reader, Adobe Flash, Browser complement, Java, Firefox, IE, Quicktime, Windows, Other; slice values shown: 30%, 28%, 16%, 8%, 6%, 5%, 3%, 3%, 1%]
25. Most common targets (2)
New unique exploits added during 2010
[Pie chart; legend: Java, Adobe Reader, Adobe Flash, Windows, IE, Quicktime; slice values shown: 39%, 15%, 15%, 15%, 8%, 8%]
26. Typical attacking vector
Attacking vector 2010
[Pie chart; legend: IE, Quicktime, Firefox, Java, Adobe Reader, Adobe Flash, Windows, Browser complement, Other; slice values shown: 28%, 27%, 19%, 9%, 7%, 3%, 3%, 3%, 1%]
27. How effective are the attacks? Attacking perspective
36.16%
28. How effective are the attacks? Attacking perspective
29. Do they need 0-days?
What is the all-time most common exploit among all kits?
CVE-2006-0003
IE 6 MDAC Remote Code Execution
Still present in Phoenix 2.5, the brand new 2011 release
30. What makes an exploit kit successful?
31. What makes an exploit kit successful?
• First: price
• Then: exploits
• Today: additional services:
VirTest
Domain reputation
Special offers: Get a bullet proof domain
Also: Piracy/easy customization!
PAGE 31 | Kaspersky Lab PowerPoint Template | April 21, 2011
32. New trends (1)
Phoenix 2.5 (2011)
15 exploits
Target distribution
[Pie chart; legend: Adobe Reader, Java, Windows, Adobe Flash, IE, Quicktime; slice values shown: 40%, 20%, 20%, 7%, 7%, 6%]
33. New trends (2)
Phoenix 2.5 (2011)
15 exploits
Vulnerabilities age
[Pie chart of vulnerability years; legend: Y2010, Y2009, Y2008, Y2007, Y2006; slice values shown: 53%, 20%, 13%, 7%, 7%]
34. New trends (3)
Phoenix 2.5 (2011)
IN                      | OUT
JAVA (Skyline) 2010     | Java (JRE Calendar) 2008
Java (MIDI) 2010        | Java JRE 2009
Java (javagetval) 2010  | PDF newPlayer 2009
New fresh Java exploits replace old ones
35. Java as new attacking vector
There is a good reason for that
87.91 %
38. Evolution of business
Marketing
• Underground forums
• Dedicated websites
• Social networks: Facebook / Twitter
• Pastebin
Protection and antipiracy
• Malware as a service model
• Zend / IonCube
• Randomization
• Packing/polymorphism
41. Copycats
Find the 7 differences
42. The future? Let me see
43. Some conclusions
• Exploiting is the business, and the business is good
• However, something is changing: increased demand for security
• New services make the difference, added value
• Exploits for new platforms will be common
• Resurrection of old kits, rearmed with new stuff