ekfiddle: a framework to study exploit kits
TRANSCRIPT
EKFiddle: a framework to study Exploit Kits
Jérôme Segura, @jeromesegura, Lead Malware Intelligence Analyst
BSides Vancouver March 13-14 2017 2017
Agenda
•Quick primer on Exploit Kits and drive-by downloads•Tools to view and capture malicious traffic•Introducing EKFiddle for the Fiddler web debugger•Researching and cataloging EKs with EKFiddle
Exploit Kits: a quick definition
An exploit kit is a set of tools designed to facilitate the
exploitation of client-side vulnerabilities most commonly
found in browsers and their plugins in order to execute
malicious code on end users’ machines.
Exploit Kits: basic flow
Landing page
Exploits Payload
Exploit Kits: some names
•Angler EK (defunct)
•Nuclear Pack (defunct)
•Astrum EK
•RIG EK
•Neutrino EK
•Sundown EK
•Magnitude EK
Drive-by campaigns: traffic to exploit kits
•Compromised websites
•EITest, Pseudo-Darkleech
•Malvertising
• [ insert various ad networks here ]
Compromised sites and Exploit Kits
Legitimate siteGate
(optional) Exploit Kit Malware
Malvertising and Exploit Kits
Malicious ad Exploit Kit MalwareGate
(optional)
Tools for traffic analysis
•Full packet capture (tcpdump, WireShark, etc.)•Security Suites (Security Onion)•IDS/IPS (Suricata)•HTTP/S (Fiddler, Charles, etc.)
What about EK traffic only?
•Full packet captures are nice but not required•Web debugger easier to inspect/replay web traffic•Personal preference?
EKFiddle
•Based on Telerik’s Fiddler Web Debugger•Multi OS compatibility via C# CustomRules•Extends Fiddler’s ContextAction•Adds support for custom EK regexes
The standard Fiddler UI
Extend Fiddler’s UI with EKFiddle
Set up EKFiddle: Install Fiddler
•Download and install the latest version of Fiddler from http://www.telerik.com/fiddler
•For Mac and Linux, you will need to set up the Mono framework firsthttp://www.telerik.com/blogs/introducing-fiddler-for-os-x-beta-1http://www.telerik.com/blogs/fiddler-for-linux-beta-is-here
Download EKFiddle (CustomRules.cs)
•Download/clone CustomRules.cs from the GitHub pagehttps://github.com/malwareinfosec/EKFiddle
• Windows (7/10)C:\Users\[username]\Documents\Fiddler2\Scripts\
• Ubuntu/home/[username]/Fiddler2/Scripts/
• Mac/Users/[username]/Fiddler2/Scripts/
Change the default Text Editor (optional) (Tools -> Telerik Fiddler options -> Tools)
Change the default scripting language to C# (Windows only: Tools -> Telerik Fiddler options -> Scripting)
Finalize EKFiddle’s installation
Get traffic captures
•Malware Traffic Analysis (PCAPs) http://www.malware-traffic-analysis.net/
• Broad Analysis (PCAPs) http://www.broadanalysis.com/
• PacketTotal (PCAPs) https://www.packettotal.com/
•Malware Don’t Need Coffee (SAZ) http://malware.dontneedcoffee.com/
• VirusTotal (need API) https://www.virustotal.com/
Import traffic captures
Main features: ContextAction items
•A list of useful ‘shortcuts’•Designed to collect IOCs and artifacts•Inspect each session and create signatures
Check Host (pDNS, Whois) on VT
Check IP (Geo, pDNS) on VT
Extract IOCs
Extract artifacts
Main features: Regular expressions
•Regex matching in 3 different ways:
•URL patterns (URLRegexes.txt)
•Source code patterns (SourceCodeRegexes.txt)
•Server Headers patterns (HeadersRegexes.txt)
Build URL Regex (paste from clipboard)
Build source code Regex (paste from clipboard)
View/edit Regexes
Save Regexes
•One signature per line: [Name of sig] TAB [regex]
Run Regexes against traffic
Visualize results
•Each matched session is colour coded and commented•Malware type (Landing Page, Flash Exploit, Malware Payload) is ‘guessed’ automatically
Demo
Recap
•EKFiddle extends the Fiddler web debugger for EK analysis•Get it here: https://github.com/malwareinfosec/EKFiddle•Questions? @jeromesegura
Thank You!