Anatomy of Exploit Kits
TRANSCRIPT
Sameer Patil
(sameerpatilms@gmail.com)
SecurityXploded
Exploit Kit Introduction
Phases
Exploits used
Access Filters
Detection
Analysis of exploits
Content
Fiesta
FlashPack
Magnitude
Rig
Nuclear
Angler
Sweet Orange
Neutrino
Exploit Kits
Exploit Kit Naming
Compromised site
Redirector
Landing page
Post-infection traffic
Phases
LFI in the RevSlider plugin of WordPress
http://[compromised.com]/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
XSS in the Simple Security WordPress plugin, CVE-2014-9570
http://[compromised.com]/wp-admin/users.php?page=access_log&datefilter=%27%22%3E%3Cscript%3Ealert%28HACKED%29%3C/script%3E
Drupal SQL Injection
CDN reference compromise (e.g. Operation Poisoned Helmand)
Iframe Injectors
Compromised sites
www.soyentrepreneur.com/assets/js/funciones/Carga.js
Compromised sites
www.mediaorpi.com/js/scripts.js
Redirector (Obfuscated)
It checks whether the Silverlight plugin is installed by creating the
following ActiveXObject:
ActiveXObject("AgControl.AgControl")
The presence of the Flash plugin is checked by creating the following object:
swfobject.embedSWF()
Antivirus detection:
if( chavs("kl1.sys") || chavs("tmciesc.sys") || chavs("tmtdi.sys") || chavs("tmactmon.sys") || chavs("TMEBC32.sys") || chavs("tmeext.sys") || chavs("tmconn.sys") || chavs("tmevtmgr.sys") ) exit();
Redirector (after deobfuscating)
Malicious files are downloaded from http://jxlpaianlar.in
Landing Page
Banking Frauds
Spying
Information Stealing
Click Fraud activities
Post-Infection
IE- CVE-2014-0322(zero day) CVE-2014-0324(zero day) CVE-2014-6332 CVE-2013-2551 CVE-2013-3918 CVE-2013-7331
Java- CVE-2013-2460 CVE-2013-2465 CVE-2012-1723 CVE-2012-0507 CVE-2013-0422(zero day)
Flash- CVE-2014-8440 CVE-2014-0556 CVE-2014-0569 CVE-2014-0515 CVE-2014-8439 CVE-2014-0502(zero day) CVE-2015-(zero day)
Silverlight- CVE-2013-0074 CVE-2013-3896
PDF- CVE-2010-0188
Exploits used
Request with no referrer
Block IP addresses
Non-Windows traffic
User Agent access
Plugin-Detect scripts
URL blacklist checks
Access Filters
Obfuscation in JS
Signatures for specific CVEs
User Agent strings
URL patterns
<domain>/index.php?req=mp3&num=37&PHPSSESID=
<domain>/index.php?req=swf&num=8413&PHPSSESID=
<domain>/index.php?req=xap&PHPSSESID=
<domain>/1.php?r
Detection
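The Detection slide's URL patterns and the redirector's plugin and AV-driver probes, turned into defender-side checks over a proxy log and a deobfuscated script. This is an added example, not code from the talk; the log format, the `.test` domains and the JavaScript snippet are constructed for it.

```python
"""Exploit-kit URL-pattern and redirector-fingerprint checks (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# 'req' values seen on the Detection slide; xap is a Silverlight package, swf is Flash.
REQ_TYPES = {"mp3", "swf", "xap"}
INDEX_PHP_RE = re.compile(r"/index\.php$")
ONE_PHP_RE = re.compile(r"/1\.php$")

# Driver files the redirector's chavs() check tests for (Kaspersky kl1.sys, Trend Micro tm*.sys).
AV_DRIVERS = ("kl1.sys", "tmciesc.sys", "tmtdi.sys", "tmactmon.sys",
              "TMEBC32.sys", "tmeext.sys", "tmconn.sys", "tmevtmgr.sys")
SILVERLIGHT_PROBE_RE = re.compile(
    r"""ActiveXObject\s*\(\s*["']AgControl\.AgControl["']\s*\)""")
FLASH_PROBE_RE = re.compile(r"swfobject\.embedSWF\s*\(")


def match_ek_url(url: str):
    """Return the name of the matching URL rule, or None if the URL is clean."""
    parts = urlsplit(url)
    # keep_blank_values so 'PHPSSESID=' and the bare 'r' of '1.php?r' survive
    qs = parse_qs(parts.query, keep_blank_values=True)
    if INDEX_PHP_RE.search(parts.path) and "PHPSSESID" in qs:
        req = qs.get("req", [""])[0]
        return f"ek-index-php-req-{req}" if req in REQ_TYPES else "ek-index-php-other"
    if ONE_PHP_RE.search(parts.path) and "r" in qs:
        return "ek-1-php-r"
    return None


def scan_log(log_text: str):
    """Return one dict per request that hits a rule.

    Constructed log format: client<TAB>url<TAB>referer<TAB>user-agent, '-' for
    an empty Referer. A hit with no Referer and a Windows/IE user agent is
    exactly the traffic the kit's access filters let through.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, url, referer, ua = line.split("\t", 3)
        rule = match_ek_url(url)
        if rule is None:
            continue
        hits.append({
            "client": client,
            "rule": rule,
            "no_referrer": referer in ("", "-"),
            "windows_ie": "Windows" in ua and "Trident" in ua,
        })
    return hits


def scan_redirector_js(js: str):
    """Return the set of redirector indicators present in (deobfuscated) JS."""
    found = set()
    lowered = js.lower()
    # Two or more driver names together is the fingerprint; one alone may be benign.
    if sum(d.lower() in lowered for d in AV_DRIVERS) >= 2:
        found.add("av-driver-probe")
    if SILVERLIGHT_PROBE_RE.search(js):
        found.add("silverlight-activex-probe")
    if FLASH_PROBE_RE.search(js):
        found.add("swfobject-flash-probe")
    return found


# Constructed sample data (not real traffic).
SAMPLE_LOG = """\
10.0.0.5\thttp://ek.example.test/index.php?req=swf&num=8413&PHPSSESID=ab12\t-\tMozilla/5.0 (Windows NT 6.1; Trident/7.0)
10.0.0.5\thttp://ek.example.test/index.php?req=xap&PHPSSESID=ab12\t-\tMozilla/5.0 (Windows NT 6.1; Trident/7.0)
10.0.0.7\thttp://news.example.test/index.php?page=home\thttp://news.example.test/\tMozilla/5.0 (X11; Linux x86_64)
10.0.0.9\thttp://ek.example.test/1.php?r\t-\tMozilla/5.0 (Windows NT 6.1; Trident/7.0)
"""

SAMPLE_JS = """
try { new ActiveXObject("AgControl.AgControl"); sl = 1; } catch (e) { sl = 0; }
swfobject.embedSWF("m.swf", "c", "1", "1", "9.0.0");
if (chavs("kl1.sys") || chavs("tmtdi.sys") || chavs("tmactmon.sys")) exit();
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(sorted(scan_redirector_js(SAMPLE_JS)))
```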
Java Exploit- CVE-2013-2465
Javascript deobfuscation
Demo
Vector<int> array of size 0x90 bytes
Vector size resized to 0 resulting in holes between vector objects
Vulnerability exploited
Memory Corruption
Spraying FileReference objects
Modify FileReference object function pointer table
cancel() is called -> call to VirtualProtect()
Flash Exploit CVE-2014-0515
Vector<Int> Object Memory Layout
Source: HP Security Blog
DPBG tool
CVE-2013-2465 Java Exploit
Java obfuscators
PixelBender Exploit
Malware don't need Coffee
Malware Traffic Analysis
References
Thank You