The State of Web Exploit Toolkits 4: Phoenix and Newer Kits

The presentation ends with the analysis of the Phoenix exploit kit’s features, details on newer kits from all over the world, and a summary of the research.

Phoenix Exploit Kit

Phoenix kit - key facts

The next kit I’m going to talk about is Phoenix. It’s been around since 2007, it’s pretty old, it’s up to version 3. They do mini and full versions. The difference between mini and full isn’t that they offer you more exploits, it’s more just that you can do multiple affiliates; they do things that I’ve seen other kits do: they track if you visited the page once, and if you visited the page one time – then they don’t actually launch the exploit again. When I was first playing around with these kits I ran into a problem where I visited a page for an exploit and then I tried to hit it again and wasn’t able to get the exploit, so I was like: what happened? It’s because: “Oh, we might have exploited you once already, so we don’t want to try to exploit you again; or we don’t want to serve the page up to you more than once to keep you from getting more information.” Also, because Phoenix is so old, it actually has quite a few exploits, but they are fairly old exploits.

Phoenix’ statistics

So, here you’ll see some of the statistics that Phoenix uses (see left-hand image). This is their advanced statistics page where they give you a lot of information about browsers and operating systems. On other pages you can see some exploit statistics and some more browser statistics. So, it’s not nearly as interesting or as nice to look at as BlackHole is.

JavaScript obfuscation peculiarities

But the way Phoenix does JavaScript obfuscation is they tend to use multiple ‘script’ tags followed by a ‘textarea’ tag, followed by another ‘script’ tag. And in their ‘textarea’ tag they actually have a couple of variable initializations that they pull out and execute in one of the other ‘script’ tags. Even after you deobfuscate this code, it’s not that obvious what exactly it’s doing; with BlackHole I saw a lot of references to things like ‘getShellcode’ or ‘heap spray’ – if you can actually figure out a way to deobfuscate it, you can say: “Oh yeah, that’s definitely malicious.” But Phoenix doesn’t quite follow the same patterns.

Obfuscated JavaScript code

So, this is what some of their obfuscated JavaScript looks like (see left-hand image). At the top you’ll see the two ‘script’ tags together; it actually ends up being much longer and not terribly interesting, but it’s like one of those things where you look at this and you’re like: “That’s probably not going to do anything legitimate,” but with a lot of the minifying of JavaScript it ends up being much more difficult to not detect false positives related to this.

PEK’s PDF obfuscation features

The PDF obfuscations that Phoenix uses (see right-hand image) resemble a lot of BlackHole’s JavaScript obfuscations; and, you know, Phoenix was first, so it’s likely that BlackHole definitely saw what they were doing at the time and decided to take it and improve upon it. So, they do the large array of integers, they run it through a deobfuscation routine to then launch an exploit. But the way they do deobfuscation is a little bit simpler than BlackHole, they’re not doing any kind of math. You can actually see that they index into an array that’s used to index into another array, and then they just loop over a hard-coded number of bytes. Then they do an ‘eval’ reassignment at the end. So it’s not terribly sophisticated, it’s kind of one of those things like “I can look at this, I can see it’s bad, but how do I block this without blocking other legitimate things?”

Other Exploit Toolkits

Newer kits that emerged

Now I’ll move on to some of the other exploit kits that have been coming out. In late 2011 – early 2012, it seems like a lot of people have witnessed how popular these kits are becoming, how successful they’ve been, and there’re lots and lots of new kits coming out. There have actually been quite a few coming out from China, I’m going to talk about one of them and talk about some of the characteristics that it exhibits and other kits from China exhibit. An interesting thing with that is a lot of the kits have been coming out from Eastern Europe and Russia. So, kits coming out from China are just kind of a new wrinkle on the game. They came out with a small number of exploits but they are actually targeting more recent vulnerabilities than the other established kits. We’re also seeing kits pop up and disappear, but overall it’s just there being a very large number of these things to keep up with. It’s kind of like a start-up where everyone has a great idea, a lot of people try to follow it, but then a lot of people fail, so they just go away and you never see them again.

Yang Pack details

So, Yang Pack (see left-hand image) was actually from China. It appeared in late 2011 – early 2012. It only had three exploits in it, but they’re actually targeting fairly recent vulnerabilities. It also had very low detection rates on VirusTotal. The other interesting thing about that is they’re not using JavaScript obfuscation, they’re not using PHP and MySQL or anything at the backend, it’s just a static HTML file with everything hard-coded. And they still weren’t getting detected – the detection rates were less than 10% right after it came out. The author of Kahu Security actually has quite a few more blogs about other kits from China, and I reference those in the whitepaper as well.

Things known about Sweet Orange

The next kit I want to talk about is Sweet Orange (see right-hand image), and this was a kit that I have not yet witnessed in the wild, and I haven’t seen anyone else except for Dancho Danchev talk about it, and one post on Webroot. But I want to talk about it here because they’ve actually managed to keep their kit out of researchers’ hands and very hidden, so it’s kind of a very hard question of whether they are being successful with this kit or it’s just some sort of marketing fluff: “We’re not going to even show a demo of this kit to you at all, if you’re not an established member of the underground we don’t feel like we trust you at all.” They set a high price for buying the exploit kit – $2500, and renting it for $1400. And none of the researchers I’ve talked to have seen this in the wild, but then, again, we may easily have samples of it, we just haven’t been able to tie them to this kit.

Sweet Orange - control panel

So, this is one of the screenshots of the Sweet Orange (see left-hand image), and you see it’s very similar to Phoenix: they just throw out their numbers, they’re not trying to make it look nearly as nice as BlackHole. You see country statistics, browser statistics – you’ll actually see some browser version statistics as well.

Facts on the Nuclear Pack kit

The last kit I’m going to talk about is Nuclear Pack (see right-hand image), which is actually one that popped up and disappeared, and it didn’t reappear until this year. It only has 4 exploits with it, but the interesting thing about this one was they added an anti-honeyclient/webcrawling feature into it just to try to prevent people from collecting any information about their page, collecting their exploits. They actually use mouse moving as a sign of a human using the web browser. So, this feature is really to detect you kind of need more interactive things to do it.

Anti-crawling routine implementation

This (see left-hand image) is actually their anti-crawling routine here, where they have a ‘document.onmousemove’ function assigned. They use the ‘xyzflag’ for various purposes, and you can also see some ASCII character replacement type stuff. Then, at the very end, once you get a mousemove it will end up creating a JavaScript tag that will append to a ‘head’ HTML element, so their JavaScript gets loaded, the exploit gets launched, and they hope that they compromise you.
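Added example, not from the talk or any kit: static heuristics for the two delivery patterns described on this page, the Phoenix-style script / textarea / script layout and the Nuclear Pack-style mousemove-gated loader, run over constructed samples. The function names, regexes and sample strings are assumptions an analyst would tune against real captures.

```javascript
// Added example (constructed samples, assumed heuristics): flag the two page
// layouts the talk describes so captured pages can be triaged statically.

// Pull inline <script> bodies out of a page.
function scriptBodies(html) {
  return [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)].map((m) => m[1]);
}

// Phoenix-style layout: a script, a <textarea> holding initialisations, then
// a second script that reads the textarea's contents and hands them to eval.
function textareaStageFlags(html) {
  const scripts = scriptBodies(html);
  const textareas = (html.match(/<textarea\b/gi) || []).length;
  const readsAndEvals = scripts.some(
    (s) => /['"]textarea['"]/i.test(s) && /\b(eval|Function)\s*\(/.test(s)
  );
  return {
    scripts: scripts.length,
    textareas,
    suspicious: scripts.length >= 2 && textareas >= 1 && readsAndEvals,
  };
}

// Nuclear Pack-style gating: a document.onmousemove handler that, once it
// fires, creates a <script> element and appends it to <head>.
function mouseGatedLoaderFlags(js) {
  const gated = /document\.onmousemove\s*=|['"]mousemove['"]/i.test(js);
  const buildsScript = /createElement\s*\(\s*['"]script['"]\s*\)/i.test(js);
  const intoHead = /['"]head['"]\s*\)\s*\[\s*0\s*\]\s*\.appendChild|\bhead\.appendChild/i.test(js);
  return { gated, loader: buildsScript && intoHead, suspicious: gated && buildsScript && intoHead };
}

// Constructed samples: harmless stand-ins shaped like the described patterns.
const PHOENIX_LIKE = `
<script>var k = "x";</script>
<textarea id="t">var a=1;var b=2;</textarea>
<script>eval(document.getElementsByTagName("textarea")[0].value);</script>`;

const NUCLEAR_LIKE = `
var xyzflag = 0;
document.onmousemove = function() {
  if (xyzflag) return; xyzflag = 1;
  var s = document.createElement("script");
  s.src = "stage2.js";
  document.getElementsByTagName("head")[0].appendChild(s);
};`;

const BENIGN = `<script>console.log("hello");</script><textarea>notes</textarea>`;
```

On real captures the textarea rule will also fire on some legitimate templating code, so it is a triage signal to pair with the talk's other observations (multiple script tags, deobfuscated code that still says nothing useful), not a verdict on its own.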

Summing it up

In conclusion, the exploit kits are getting more sophisticated in terms of adding newer exploits and more recent exploits and trying to do more evasions and obfuscations. One of the reasons they’re doing this is because it’s their business, and the guys who write these kits are trying to make money and they’re trying to protect their business model. They definitely want to figure out ways to keep making more money.

But they are not sophisticated in the sense of the – unfortunately I have to use this term – APT attacks that are trying to stay under the radar and silently exfiltrate data. These are the guys that are just trying to get past the first level of detection to infect a computer and add it to a botnet and then figure out ways to make money. So, detecting the ways that they are adding techniques and the ways that they are doing stuff takes a lot of work and takes constant work. And there are a lot of recent mitigations that web browsers are trying to add, like blacklisting plugins; and you also see things like Flash adding in silent update features – Firefox has been looking at adding that in, Chrome does it. So they’re definitely combating these guys and trying to combat them in many ways. And it will be interesting, from my perspective, to see how the exploit authors react to these things, because they’re definitely going to react. But I don’t expect them to react with 0-days – they don’t need to use 0-days because what they are doing works, and it’s going to keep working as long as people won’t patch, or as long as we can’t make people patch.

Researchers involved

I just want to give thanks to a lot of people, a couple of people I work with – Marc Eisenbarth, Joanna Burkey and the rest of the DVLabs people, they’ve definitely been great for support and ideas; and some ex-coworkers – Alen Puzic, who actually turned me onto this stuff originally; and a lot of the researcher communities – you see them all up there.

So, thank you!
 
