Fuel for pwnage: Exploit kits

Jorge Mieres, Senior Malware Analyst
Vicente Diaz, Senior Malware Analyst

April 21, 2011, Source Conference
Introduction
Something about us

Vicente Díaz (@trompi) and Jorge Mieres (@jorgemieres)

PAGE 2 |   Source Conference Boston 2011   | April 21, 2011
Exploit Packs




What we are talking about

Exploit Kits inside!




What we are talking about



Victim (surfing) → redirections / iFrames / badness → malicious server → exploiting attack!
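
The delivery step in the diagram (a compromised page pushing the victim to the malicious server through a redirection or an injected iframe) is the first thing a responder looks for in a suspect page. The following is an added example written for this page, not code from the authors or from any kit: it scans a page's HTML for iframes that point off-site and are hidden by size or style, and for meta-refresh redirects that leave the site. The sample page, its host name and the hosts inside it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FrameCollector(HTMLParser):
    """Collect <iframe> attributes and <meta http-equiv="refresh"> contents."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.meta_refresh = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh.append(a.get("content", ""))


def _is_tiny(value: str) -> bool:
    """True for a width/height of 0 or 1 ("1", "1px"): the classic invisible frame."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def _is_hidden(attrs: dict) -> bool:
    """Hidden by dimensions or by an inline style that removes it from view."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (_is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def _refresh_target(content: str) -> str:
    """'0;url=http://x' -> 'http://x'; '' when there is no url= part."""
    for part in content.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep and key.strip().lower() == "url":
            return val.strip()
    return ""


def analyse_page(html: str, page_host: str) -> dict:
    """Flag hidden off-site iframes and meta refreshes that leave the site.

    page_host is the host the page was fetched from; frames and refreshes
    that stay on that host are not reported, which keeps local widgets and
    tracking pixels out of the result.
    """
    col = _FrameCollector()
    col.feed(html)
    hidden_offsite = []
    for a in col.iframes:
        src = a.get("src", "")
        host = urlparse(src).hostname
        if host and host != page_host and _is_hidden(a):
            hidden_offsite.append(src)
    redirects = []
    for content in col.meta_refresh:
        target = _refresh_target(content)
        host = urlparse(target).hostname
        if host and host != page_host:
            redirects.append(target)
    return {"hidden_offsite_iframes": hidden_offsite,
            "offsite_meta_refresh": redirects}


# Constructed sample (not a captured page): a blog with one legitimate embed,
# one injected 1x1 frame, one local hidden widget and an injected meta refresh.
SAMPLE_PAGE = """<html><body>
<h1>Compromised blog</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://bad.example.net/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="/widgets/weather.html" width="0" height="0"></iframe>
<meta http-equiv="refresh" content="0;url=http://bad.example.net/in.php">
</body></html>"""


if __name__ == "__main__":
    print(analyse_page(SAMPLE_PAGE, "blog.example.org"))
```

Two caveats for use on real pages: the parser only sees markup that is in the HTML as delivered, so an iframe built at runtime by obfuscated JavaScript (the common case by 2011) needs the script executed or deobfuscated first; and the rule deliberately ignores same-site hidden frames, so an injected file hosted on the compromised site itself has to be caught by comparing the page against a known-good copy instead.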




A simple plan




Attack process of a conventional Exploit Kit
Server side

index.php: What browser is it? What OS is it? → CVE-XXXX-XXXX → Malicious code
Statistics


Detecting the browser
Get the browser (FirePack)




Detecting the OS
Get the OS




Choose the exploit
And launch it
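
The three steps above (get the browser, get the OS, choose the exploit and launch it) are one decision routine, which the following added example models. It is written for this page and is not code from the authors or from any kit. It assumes the User-Agent header is the only fingerprint input (kits also used script-side checks) and uses the five MPack exploits listed under "Back to the old times" below as the exploit table; which browser and OS each entry applies to is inferred from the exploit name, not taken from the slides. It models the routing decision and the statistics counter only and serves nothing.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Exploit:
    cve: str
    name: str
    browsers: frozenset   # browsers that expose the targeted component
    os_family: str        # OS family the exploit needs


# Exploit table: MPack's five exploits as listed on the "Back to the old times"
# slide. Target browser and OS per entry are inferred from the name (assumption).
MPACK_EXPLOITS = (
    Exploit("CVE-2006-0003", "MDAC", frozenset({"IE"}), "Windows"),
    Exploit("CVE-2006-6884", "WinZip ActiveX", frozenset({"IE"}), "Windows"),
    Exploit("CVE-2006-3730", "WebViewFolderIcon ActiveX", frozenset({"IE"}), "Windows"),
    Exploit("CVE-2006-3643", "Microsoft Management Console", frozenset({"IE"}), "Windows"),
    Exploit("CVE-2006-0005", "Windows Media Player plug-in",
            frozenset({"Firefox", "Opera"}), "Windows"),
)

# (marker substring, OS family); first match wins
_OS_MARKERS = (("Windows", "Windows"), ("Macintosh", "Mac"), ("Linux", "Linux"))


def fingerprint(user_agent: str) -> tuple:
    """Reduce a User-Agent header to (browser, os_family).

    Test order matters: Opera of that era could identify itself as MSIE, so it
    is checked before IE, and Chrome carries 'Safari' in its string.
    """
    if "Opera" in user_agent:
        browser = "Opera"
    elif "MSIE" in user_agent:
        browser = "IE"
    elif "Firefox/" in user_agent:
        browser = "Firefox"
    elif "Chrome/" in user_agent:
        browser = "Chrome"
    elif "Safari/" in user_agent:
        browser = "Safari"
    else:
        browser = "Unknown"
    os_family = next((fam for marker, fam in _OS_MARKERS if marker in user_agent), "Unknown")
    return browser, os_family


def select_exploits(browser: str, os_family: str, table=MPACK_EXPLOITS) -> list:
    """CVEs the kit would serve to this browser/OS pair, in table order."""
    return [e.cve for e in table if browser in e.browsers and e.os_family == os_family]


def handle_request(user_agent: str, stats: Counter) -> dict:
    """What index.php does per visitor: fingerprint, choose, count, serve.

    A visitor nothing in the table fits gets a harmless decoy page, but the
    visit is still counted so the operator's statistics show which platforms
    the traffic brings in.
    """
    browser, os_family = fingerprint(user_agent)
    cves = select_exploits(browser, os_family)
    stats[(browser, os_family)] += 1
    if cves:
        stats["served_exploit"] += 1
    return {"action": "exploit" if cves else "decoy",
            "browser": browser, "os": os_family, "cves": cves}


# Constructed sample traffic (not captured data): the mixed population a
# compromised site sends to the landing page.
SAMPLE_TRAFFIC = (
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.22.7 "
    "(KHTML, like Gecko) Version/4.0.5 Safari/531.22.7",
)


def run_sample() -> Counter:
    """Push the sample traffic through the dispatcher and return the statistics."""
    stats = Counter()
    for ua in SAMPLE_TRAFFIC:
        handle_request(ua, stats)
    return stats


if __name__ == "__main__":
    for ua in SAMPLE_TRAFFIC:
        print(handle_request(ua, Counter()))
    print(run_sample())
```

The practical consequence for an analyst is the decoy branch: a landing page fetched with a User-Agent the table does not cover returns benign content, so samples have to be pulled with the User-Agent of a browser the kit targets, and one fetch per browser/OS pair, before concluding that a URL is clean.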




You might not have noticed, but … they are everywhere




Exploit Kits in the media




Exploit Kits in the media




Back to the old times

MPack – mid 2006

• Developed by DreamCoders (Russian gang)
• Discovered in the DreamDownloader campaign
• First version sold for 700 USD

5 exploits:
• MDAC (CVE-2006-0003)
• WinZip ActiveX (CVE-2006-6884)
• Microsoft WebViewFolderIcon ActiveX (CVE-2006-3730)
• Microsoft Management Console (CVE-2006-3643)
• Windows Media Player plug-in for Firefox & Opera (CVE-2006-0005)

Evolution

Timeline, 2006 → 2011:
• 2006–2007: MPack, AdPack, IcePack, Armitage, FirePack, NeoSploit
• 2008–2009: ElFiesta, LuckySploit, CRiMEPACK, BOMBA (private)
• 2009–2010: Arabella (private), Liberty, Eleonore, Napoleon, Unique, JustExploit, Fragus
• 2010: BlackHole, NeoSploit (Reload), Impact (ex SEO), Siberia (ex Napoleon), BleedinLife, iPack
• 2011, "modern": Phoenix (2.5), Eleonore (1.6)
Let's see some numbers




Exploit Kits by numbers

7 out of 10 botnets use Exploit Packs



Exploit Kits by numbers
Play time



How many Exploit Kits do you think there are around?




Exploit Kits by numbers
Play time

How many servers served these kits during 2010?

35,000+
Exploit Kits by numbers
Play time



How many Exploits are necessary for this?




However … just in case

Exploit Kits by numbers
Play time

How many 0-day exploits are used in exploit kits?

They are just incorporated later

Let's check if there are vulnerabilities around




How many vulnerable systems?

In a given period of time, it could be 100% (0-day vulns)

During 2010, the exposure window for Adobe vulnerabilities averaged 21 days.

Most common targets (1)

Different targeted vulnerabilities among kits:
• IE: 30%
• Adobe Reader: 28%
• Java: 16%
• Firefox: 8%
• Browser plug-ins: 6%
• Adobe Flash: 5%
• QuickTime: 3%
• Windows: 3%
• Other: 1%




Most common targets (2)

New unique exploits added during 2010:
• Java: 39%
• Adobe Reader: 15%
• Windows: 15%
• IE: 15%
• Adobe Flash: 8%
• QuickTime: 8%




Typical attack vector

Attack vector 2010:
• Adobe Reader: 28%
• IE: 27%
• Java: 19%
• Adobe Flash: 9%
• Firefox: 7%
• QuickTime: 3%
• Windows: 3%
• Browser plug-ins: 3%
• Other: 1%




How effective are the attacks? Attacking perspective

36.16%
How effective are the attacks? Attacking perspective




Do they need 0-days?

What is the all-time most common exploit among all kits?

CVE-2006-0003
IE 6 MDAC Remote Code Execution

Still included in Phoenix 2.5, the brand new 2011 release

What makes an exploit kit successful?




What makes an exploit kit successful?

•  First: price
•  Then: exploits
•  Today: additional services
             VirTest
             Domain reputation
             Special offers: get a bulletproof domain

Also: piracy / easy customization!
New trends (1)
Phoenix 2.5 (2011)

15 exploits. Target distribution:
• Adobe Reader: 40%
• Adobe Flash: 20%
• Java: 20%
• IE: 7%
• Windows: 7%
• QuickTime: 6%




New trends (2)
Phoenix 2.5 (2011)

15 exploits. Age of the vulnerabilities, by year:
• 2010: 53%
• 2009: 20%
• 2008: 13%
• 2007: 7%
• 2006: 7%




New trends (3)
Phoenix 2.5 (2011)

IN:
• Java (Skyline) 2010
• Java (MIDI) 2010
• Java (javagetval) 2010

OUT:
• Java (JRE Calendar) 2008
• Java JRE 2009
• PDF newPlayer 2009

New Java exploits replace old ones


Java as the new attack vector
There is a good reason for that

87.91%
The business behind




The business behind




Evolution of business

Marketing
• Underground forums
• Dedicated websites
• Social networks: Facebook / Twitter
• Pastebin

Protection and antipiracy
• Malware-as-a-service model
• Zend / IonCube
• Randomization
• Packing/polymorphism




Evolution of business




Copycats




Copycats
Find the 7 differences




The future? Let me see




Some conclusions

•  Exploiting is the business, and the business is good
•  However, something is changing: increased demand for security
•  New services make the difference: added value
•  Exploits for new platforms will be common
•  Resurrection of old kits, rearmed with new stuff




Thank You

Vicente Díaz, vicente.diaz@kaspersky.com, @trompi
Jorge Mieres, jorge.mieres@kaspersky.com, @jorgemieres

More Related Content

Viewers also liked

Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsWill Schroeder
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSAnant Shrivastava
 
Automated API pentesting using fuzzapi
Automated API pentesting using fuzzapiAutomated API pentesting using fuzzapi
Automated API pentesting using fuzzapiAbhijeth D
 
Ceph Performance: Projects Leading Up to Jewel
Ceph Performance: Projects Leading Up to JewelCeph Performance: Projects Leading Up to Jewel
Ceph Performance: Projects Leading Up to JewelRed_Hat_Storage
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 

Viewers also liked (6)

Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOS
 
Automated API pentesting using fuzzapi
Automated API pentesting using fuzzapiAutomated API pentesting using fuzzapi
Automated API pentesting using fuzzapi
 
Ceph Performance: Projects Leading Up to Jewel
Ceph Performance: Projects Leading Up to JewelCeph Performance: Projects Leading Up to Jewel
Ceph Performance: Projects Leading Up to Jewel
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 

More from Source Conference

iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on AndroidSource Conference
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICSource Conference
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsSource Conference
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesSource Conference
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network SecuritySource Conference
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration TestersSource Conference
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSource Conference
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserSource Conference
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItSource Conference
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of AnonymousSource Conference
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary plantingSource Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudSource Conference
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?Source Conference
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendSource Conference
 

More from Source Conference (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary planting
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
JSF Security
JSF SecurityJSF Security
JSF Security
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 

Recently uploaded

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 

Recently uploaded (20)

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 

Vicente Diaz - Jorge Mieres - Fuel For Pwnage

  • 1. Fuel for pwnage: Exploit kits Jorge Mieres, Senior Malware Analyst Vicente Diaz, Senior Malware Analyst April 21, 2011, Source Conference
  • 2. Introduction Something about us Vicente Díaz Jorge Mieres @trompi @jorgemieres PAGE 2 | Source Conference Boston 2011 | April 21, 2011
  • 3. Exploit Packs
  • 4. What we are talking about: Exploit Kits inside!
  • 5. What we are talking about (diagram): the victim is surfing a legitimate site, is redirected (iframes, "badness") to the malicious server, and the exploiting attack fires.
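The redirection step in the diagram above is usually an iframe injected into a legitimate page, sized or styled so the visitor never sees it. The scanner below is an added example written for this page (it is not the authors' code, and the slides show no such tool): it walks an HTML document and reports iframes that are tiny, carry a hiding style, or sit inside a hidden ancestor, and notes whether the source is off-site. The hiding heuristics, the page host name, the placeholder hosts and the sample page are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments that make an element invisible: display/visibility, a box pushed
# far off-screen, or a zero/one-pixel width or height. This list is the example's
# own heuristic; the slides name the technique, not the CSS.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:left|top)\s*:\s*-\d{3,}"
    r"|(?:width|height)\s*:\s*[01](?:px)?\b",
    re.I,
)

# Elements that never have a closing tag, so they must not stay on the open-element stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


def _tiny(value):
    """True for a width/height attribute of 0 or 1 (with or without 'px')."""
    if value is None:
        return False
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value)
    return bool(m) and int(m.group(1)) <= 1


class IframeScanner(HTMLParser):
    """Collect iframes that are tiny, carry a hiding style, or sit inside a hidden ancestor."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.open_tags = []   # (tag, hidden) for every open element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = bool(HIDING_STYLE.search(a.get("style") or ""))
        if tag == "iframe":
            reasons = []
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("tiny")
            if hidden_here:
                reasons.append("hidden-style")
            if any(hidden for _, hidden in self.open_tags):
                reasons.append("hidden-ancestor")
            if reasons:
                src = a.get("src") or ""
                host = urlparse(src).netloc   # "" for same-document relative URLs
                self.findings.append({
                    "src": src,
                    "reasons": reasons,
                    "offsite": bool(host) and host != self.page_host,
                })
        if tag not in VOID_TAGS:
            self.open_tags.append((tag, hidden_here))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed inline elements.
        for i in range(len(self.open_tags) - 1, -1, -1):
            if self.open_tags[i][0] == tag:
                del self.open_tags[i:]
                break


def scan_iframes(html, page_host):
    """Return the suspicious iframes found in html served from page_host."""
    parser = IframeScanner(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: one legitimate embed, one pixel-sized hidden iframe, one iframe
# inside a div positioned off-screen (hosts are placeholders, not real infrastructure).
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://bad.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<div style="position:absolute;left:-5000px;top:0"><iframe src="//bad2.example/index.php"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    for f in scan_iframes(SAMPLE_PAGE, "www.example.com"):
        print(f["src"], ",".join(f["reasons"]), "offsite" if f["offsite"] else "same-site")
```

Run it over the HTML a web server actually returns (the injected code is often appended at the end of the file or wrapped in one long line), not over the CMS template, since the injection usually lives in the served copy. The off-site flag is reported separately from the hiding reasons because a visible, off-site iframe is normal on most sites; a hidden one pointing off-site is the pattern worth an alert.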
  • 6. A simple plan
  • 7. Attack process of a conventional Exploit Kit, server side (diagram): index.php answers "What browser is it? What OS is it?", picks the matching exploit (CVE-XXXX-XXXX), records statistics, and serves the malicious code.
  • 8. Detecting the browser: get the browser (FirePack source screenshot)
  • 9. Detecting the OS: get the OS
  • 10. Choose the exploit kit and launch it
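Slides 7 to 10 describe the kit's landing page as a server-side dispatcher: fingerprint the browser and OS, pick a matching exploit, record the hit, serve the code. The Python below models that dispatch as an added example; the kits themselves are PHP, and this is not code from FirePack, MPack or the authors. The exploit table is the MPack list from slide 14, keyed only on browser family and OS, which is all the slides say the kit checks; the table order (first match wins), the version parsing and the sample User-Agent strings are this example's assumptions.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional


class Client(NamedTuple):
    browser: str   # "ie", "firefox", "opera", "chrome", "safari" or "other"
    version: int   # major version, 0 when not found
    os: str        # "windows", "mac", "linux" or "other"


# Exploit table taken from MPack's first release (slide 14). Each entry lists the
# browser families and OS the exploit needs; the slides say the kit selects on
# browser and OS only, so nothing finer is encoded. Table order (first match wins)
# is an assumption of this example, not something the slides show.
EXPLOITS = [
    ("CVE-2006-0003", "MDAC", {"ie"}, {"windows"}),
    ("CVE-2006-6884", "WinZip ActiveX", {"ie"}, {"windows"}),
    ("CVE-2006-3730", "Microsoft WebViewFolderIcon ActiveX", {"ie"}, {"windows"}),
    ("CVE-2006-3643", "Microsoft Management Console", {"ie"}, {"windows"}),
    ("CVE-2006-0005", "Windows Media Player plug-in", {"firefox", "opera"}, {"windows"}),
]


def fingerprint(ua: str) -> Client:
    """Derive browser family, major version and OS from a User-Agent header."""
    if "Windows" in ua:
        os_ = "windows"
    elif "Mac OS X" in ua:
        os_ = "mac"
    elif "Linux" in ua:
        os_ = "linux"
    else:
        os_ = "other"

    def major(pattern: str) -> int:
        m = re.search(pattern, ua)
        return int(m.group(1)) if m else 0

    # Opera goes before MSIE on purpose: Opera up to 9.x could announce itself as
    # "Mozilla/4.0 (compatible; MSIE 6.0; ...) Opera 7.54", and keying on "MSIE"
    # first would aim an ActiveX exploit at a browser that has no ActiveX.
    if "Opera" in ua:
        return Client("opera", major(r"Version/(\d+)") or major(r"Opera[ /](\d+)"), os_)
    if "MSIE " in ua:
        return Client("ie", major(r"MSIE (\d+)"), os_)
    if "Firefox/" in ua:
        return Client("firefox", major(r"Firefox/(\d+)"), os_)
    if "Chrome/" in ua:
        return Client("chrome", major(r"Chrome/(\d+)"), os_)
    if "Safari/" in ua:
        return Client("safari", major(r"Version/(\d+)"), os_)
    return Client("other", 0, os_)


def choose_exploit(client: Client) -> Optional[str]:
    """The kit's decision: first exploit whose browser and OS match, else None."""
    for cve, _name, browsers, oses in EXPLOITS:
        if client.browser in browsers and client.os in oses:
            return cve
    return None


def serve(ua: str, stats: Counter) -> Optional[str]:
    """One landing-page hit: fingerprint, choose, count (the 'Statistics' box on slide 7)."""
    client = fingerprint(ua)
    cve = choose_exploit(client)
    stats[(client.browser, client.os, cve or "none")] += 1
    return cve


# Constructed User-Agent strings typical of 2011 traffic (not captured data).
SAMPLE_UAS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54 [en]",
    "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.7.62 Version/11.01",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24 "
    "(KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24",
    "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0",
]


def run_sample() -> Counter:
    """Replay the sample hits through the dispatcher and return the kit's statistics."""
    stats: Counter = Counter()
    for ua in SAMPLE_UAS:
        serve(ua, stats)
    return stats


if __name__ == "__main__":
    for (browser, os_, cve), hits in sorted(run_sample().items()):
        print(f"{browser:8} {os_:8} {cve:14} {hits}")
```

Feed it the User-Agent column of a proxy log instead of SAMPLE_UAS and the same counter tells you which part of your fleet this kit's logic would fire on, which is the defender's reading of the effectiveness figures on slides 23 and 27. The Opera-before-MSIE ordering matters for detectors as much as for kits: anything that keys on "MSIE" first will misclassify older Opera builds.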
  • 11. You might not have noticed, but … they are everywhere (image)
  • 12. Exploit Kits in the media
  • 13. Exploit Kits in the media
  • 14. Back to the old times: MPack, mid 2006. Developed by DreamCoders (a Russian gang); discovered in the DreamDownloader campaign; first version sold for 700 USD. Five exploits: MDAC (CVE-2006-0003); WinZip ActiveX (CVE-2006-6884); Microsoft WebViewFolderIcon ActiveX (CVE-2006-3730); Microsoft Management Console (CVE-2006-3643); Windows Media Player plug-in for Firefox & Opera (CVE-2006-0005).
  • 15. Evolution (timeline, 2006 to 2011; the year each kit sits under was lost in extraction): Arabella (private), Liberty, MPack, Eleonore, Modern, Napoleon, Phoenix (2.5), Unique, Eleonore (1.6), JustExploit, Fragus, ElFiesta, BlackHole, AdPack, LuckySploit, NeoSploit (Reload), IcePack, CRiMEPACK, Impact (ex SEO), Armitage, BOMBA (private), Siberia (ex Napoleon), FirePack, BleedinLife, NeoSploit, iPack.
  • 16. Let's see some numbers
  • 17. Exploit Kits by numbers: 7 out of 10 botnets use Exploit Packs
  • 18. Exploit Kits by numbers, play time: how many Exploit Kits do you think there are around?
  • 19. Exploit Kits by numbers, play time: how many servers were serving these kits during 2010? 35,000+
  • 20. Exploit Kits by numbers, play time: how many exploits are necessary for this? However … just in case
  • 21. Exploit Kits by numbers, play time: how many 0-day exploits are used in exploit kits? They are just incorporated later
  • 22. Let's check if there are vulnerabilities around
  • 23. How many vulnerable systems? In a given period of time it could be 100% (0-day vulns). During 2010 the exposure window for Adobe vulnerabilities averaged 21 days.
  • 24. Most common targets (1): different targeted vulnerabilities among kits (pie chart). Categories: IE, Adobe Reader, Java, Firefox, browser complement (add-ons), Adobe Flash, QuickTime, Windows, Other. Slice values: 30%, 28%, 16%, 8%, 6%, 5%, 3%, 3%, 1% (which label belongs to which slice was lost in extraction).
  • 25. Most common targets (2): new unique exploits added during 2010 (pie chart). Categories: Java, Adobe Reader, Windows, IE, Adobe Flash, QuickTime. Slice values: 39%, 15%, 15%, 15%, 8%, 8% (label-to-slice mapping lost in extraction).
  • 26. Typical attacking vector, 2010 (pie chart). Categories: Adobe Reader, IE, Java, Adobe Flash, Firefox, QuickTime, Windows, browser complement (add-ons), Other. Slice values: 28%, 27%, 19%, 9%, 7%, 3%, 3%, 3%, 1% (label-to-slice mapping lost in extraction).
  • 27. How effective are the attacks? Attacking perspective: 36.16%
  • 28. How effective are the attacks? Attacking perspective (chart)
  • 29. Do they need 0-days? What is the all-time most common exploit among all kits? CVE-2006-0003, IE 6 MDAC remote code execution, still shipped in Phoenix 2.5, the brand-new 2011 release.
  • 30. What makes an exploit kit successful?
  • 31. What makes an exploit kit successful? First: price. Then: exploits. Today: additional services (VirTest, domain reputation), special offers (get a bulletproof domain), and also piracy/easy customization!
  • 32. New trends (1): Phoenix 2.5 (2011), 15 exploits, target distribution (pie chart). Categories: Adobe Reader, Adobe Flash, Java, IE, Windows, QuickTime. Slice values: 40%, 20%, 20%, 7%, 7%, 6% (label-to-slice mapping lost in extraction).
  • 33. New trends (2): Phoenix 2.5 (2011), 15 exploits, vulnerability age (pie chart). Years: 2010, 2009, 2008, 2007, 2006. Slice values: 53%, 20%, 13%, 7%, 7% (label-to-slice mapping lost in extraction).
  • 34. New trends (3): Phoenix 2.5 (2011). IN: Java (Skyline) 2010; Java (MIDI) 2010; Java (javagetval) 2010. OUT: Java (JRE Calendar) 2008; Java JRE 2009; PDF newPlayer 2009. New fresh Java exploits replace old ones.
  • 35. Java as new attacking vector. There is a good reason for that: 87.91%
  • 36. The business behind
  • 37. The business behind
  • 38. Evolution of business. Marketing: underground forums; dedicated websites; social networks (Facebook / Twitter); Pastebin. Protection and antipiracy: malware-as-a-service model; Zend / IonCube; randomization; packing/polymorphism.
  • 39. Evolution of business
  • 40. Copycats
  • 41. Copycats: find the 7 differences
  • 42. The future? Let me see
  • 43. Some conclusions • Exploiting is the business, and the business is good • However something is changing: increased demand on security • New services make the difference, added value • Exploits for new platforms will be common • Resurrection of old kits, rearmed with new stuff
  • 44. Thank You Vicente Díaz Jorge Mieres vicente.diaz@kaspersky.com jorge.mieres@kaspersky.com @trompi @jorgemieres