During his Black Hat briefing, Jason Jones, the Team Lead for ASI at HP DVLabs, presents a professional extensive analysis of the present-day web exploit kits.
I’m going to be talking about the state of web exploit toolkits, which is a lot of what I’ve been doing on my job. I’m the Lead for Advanced Security Intelligence Team at HP DVLabs. A lot of what my job is – is to deal with malware, analyze it, try to figure out ways to determine reputation. We do a lot of malicious content harvesting. And web exploit toolkits are becoming more popular, more prevalent in the wild – it’s something that popped up on my radar and became a very interesting topic for me to continue researching.
If you’re not familiar with them, web exploit toolkits are pre-packaged software that generally consists of installer; a lot of them are PHP-based and they have database backend, it’s normally MySQL. They include a large number of exploits, and most of these exploits actually target known vulnerabilities that are already patched and are rarely 0-day. There is one instance of a 0-day vulnerability being in these things.
Another interesting and important thing is we can actually get some of these PHP files in raw form, but they are actually using the ionCube PHP Encoder which encrypts a PHP file so that it’s difficult to recover. There are services out there that claim to be able to decrypt this encoding but we never found any that actually really work.
A lot of these also have fancy control panels where you can go through and they’ll show statistics that will be about what countries your visitors are coming from, what browsers they are using, what exploits have been launched and successful. So, you can get quite a bit of information from that. And then also you can configure which exploits you want to use and which payloads you actually want to also launch. So, it ends up being very similar to a normal web application. Where they differ is their whole goal is to install a malicious payload, some piece of malware. They have been used a lot to build up botnets, Trojans, fake AV, ransomware type of stuff. At the end of the day, it’s just a way for any cyber criminal to easily build something up and make money.
A lot of these kits can cost thousands of dollars; some of them are free but some of them are very expensive. You can also do rentals: daily, weekly, monthly type of stuff. And they actually do a similar model of maybe a day costing $100, but for a week it costs $500; so they’ll offer you a discount to try to get you to go up. They also do bullet-proof hosting, which is hosting on their hosting servers where you are not going to get taken down because it’s hosted by cyber criminals, so they are not going to obey law enforcement’s request to remove it.
And a lot of times they’ll contain agreements like EULAs stating that you have permission to do this with their kit, you cannot resell it, you cannot disclose what’s in it – it’s like what you expect to see with normal software. And that’s where it becomes really interesting because the economy is built up like a legitimate software business, but in the underground. It gets really interesting because there’s also marketing and competitiveness between kits, where one kit will say: “We’re better than this kit because we have exploits A, B and C”, and the other kit will say: “Well, they stole those from us”. So it’s just like the whole back and forth between these guys.
The other way that they mimic normal software is they do a lot of bug fixes; they do reliability updates for exploits if people complain; and they also do aesthetic changes when a new version comes out, like “Oh, we added a new spinner into our control panel; we made the statistics look nicer”. So it ends up being very interesting just from that perspective of there being a feedback loop between them and customers.
This (see left-hand graphic) is an image that I borrowed from Kahu Security’s blog who talks a lot about these things and who’s definitely been someone who – if I’m kind of stuck on something and I’m trying to find something new, trying to verify a trend – he is one of the guys who has definitely been of big help. So, he’s talking about a lot of the active kits that are out there. I’m going to talk about BlackHole a lot, also Phoenix; and you also see some of the older kits like Eleonore or Bleedinglife; you also see RedKit which I don’t cover but actually I believe it has some bytecode obfuscation that’s Java exploits, so it’s just some other interesting features that are coming around in these kits.
The first kit I’m really going to delve into is BlackHole. It’s been around for a couple of years. It’s definitely become the most popular kit on the market, and I’m basing a lot of that on what I’ve seen on sites like Malwaredomainlist, urlQuery, also all the samples that we collect from other places. We’re actually seeing lots and lots of instances of this kit versus other kits. I believe the last version was 1.2.3, they may have just recently updated it because they added a few exploits; and a lot of the exploits that they’ve been using have been targeting Java vulnerabilities, and I’ll get into that a little bit more.
Also, there was Microsoft XML vulnerability discovered in June; at the time it was 0-day that was actively exploited. Researchers we able to find copies of this page that were in the wild and actively targeting people. People were posting about this and the kit authors also saw this, and they took these pages and they adapted them and got them into their kit. So they were actually able to get it into BlackHole while it was still unpatched. Thankfully, there is now protection out there for it.
These are news stories from 2011 (see left-hand image). BlackHole was in the news a lot. In mid-May of 2011 they made a version free while they still kept the newer versions paid, so it was like ?”Here’s a sample; if you like this come back to us and buy the full version”. They also were able to compromise the United States Postal Service and redirect a lot of visitors there to versions of their kit. And they also did the same thing with MySQL.com. They are also doing lots of spam campaigns these days, trying to install various versions of SpyEye, ZeuS, Carberp using fake Facebook friend request.
This (see right-hand image) is kind of a timeline of a lot of events that happened in 2011. Some of them I’ve just talked about; earlier in the year there was an ad server network compromised, and that was one of the first big stories we saw about BlackHole. They also did a lot of SEO poisoning. They ended up releasing three different versions of their kit in 2011. There was also the mass WordPress compromise in November, targeting the WordPress plugin called TimThumb. That was a vulnerability where you could actually upload any kind of file and get it executed. There was a patch released for this in August, and a large number of people running WordPress were not updating this plugin, so there was a mass compromise campaign launched by people running BlackHole and they got hundreds of thousands of WordPress blogs compromised and redirecting to BlackHole.
I saw a paper last month from Trend Micro where they delve into the spam campaigns that BlackHole has been using, and I have been collecting quite a bit of information myself. The reason they’re using spam over trying to compromise a site is because it’s a lot easier. It’s easier to get a list of a million people and send out an email to them trying to get them to click on the link than trying to find a popular enough website that has a vulnerability you can exploit – SQL injection, cross-site scripting – to get your stuff in there to redirect them. The amount of spam that they are generating is significantly rising. A lot of these that I’ve seen have been fake delivery notices for UPS and FedEx, and I saw a lot of them around the holidays, so they’re definitely using contextual stuff like that: fake IRS notices around tax time in April for people from the U.S.; also, fake orders from Amazon or other places. So you go there, you see a link saying “Hey, click here to go see more info”, and it’s going to a BlackHole site and you end up getting owned.
This is a screenshot of the control panel that BlackHole uses (see left-hand image). I actually borrowed it from Xylitol’s blog, he also does a lot of work on exploit kits and he’s really awesome. Here on the upper right you see different exploit percentages, you’ll see visitor browsers and the percent of exploit rates. You see countries visiting, you see operating systems and just some general statistics that they show. What you’ll see with this versus Phoenix and some other kits is they definitely have tried to create a much nicer-looking feel than a lot of other kits in their control panel.
In this kit you’ll actually see (right-hand image) that the top vulnerability was Java/CVE-2011-3544 (Java Rhino), and there was a patch released late last year. This was about a month after it was patched. It has 83% success rate in the wild, which is crazy. Also, another interesting thing is that the most exploited operating system at that time was Windows 7. You look through all the others, and there’s 10% for a PDF vulnerability, then 3% – you know, extremely low. And this actually seemed to start the trend where they added another Java exploit in early 2012, about a month after a patch was released. Then they just did the same thing again.
So, I was trying to figure out why people aren’t patching it. Why is it being so successful? You know, I love Reddit; I was browsing the /r/funny/ stuff on Reddit – and, basically, the perfect image popped up (see left-hand pic). “What do we say to the Java update? Not today”. So, it’s just people ignoring, saying “Oh, there’s a Java update in the system tray? No, go away!” And so I saw that, I laughed, and then I facepalmed. I was just something that perfectly exemplified the problem that we see in the wild.
Now I’ll actually get a little bit more into how it works. Running all these things through our sandbox, we’ve looked a lot at URLs that it uses, redirects to where it loads its payloads. We actually found it’s quite predictable, at the moment at least. A lot of times it’s a PHP file; it’s normally showthread.php, main.php. It normally has one URL parameter, and a lot of times it’s actually ‘page=’, and then it’s, like, a 16-character hex string. So it’s something that’s very detectable, but it’s like I can look at a URL and I can say: “I’m pretty sure that’s BlackHole”, but then it’s also close enough to some normal URL, and you kind of get into that spot of “I can’t just stop someone from visiting that because it could be a legitimate page, and I would end up getting yelled at if I did that”. So, once that’s loaded and it ends up redirecting to its malware payload, a lot of times it’s a 1-letter PHP file – w.php is what I’ve observed a lot; t.php is also another common one.
So, it’s very predictable but it can easily block a lot of legitimate traffic. It’s like – you have ‘f’ and ‘e’ as URL parameters, the values are all within very small ranges – I can tell what you’re doing, but it ends up becoming very hard to only block that.
Here (see right-hand image) is an example. The left side is deobfuscated and the right side is the obfuscated shellcode. In the right-hand part you can see it’s actually subtracting a negative number to get the number of bytes that it wants to patch, and that number of bytes ends up being positive. Right there it’s doing its XOR loop, and then that part on the right side is actually becoming what’s on the left, which ends up being the assembly code where it does a bunch of jumps before it starts executing.
And recently they implemented pseudo-random DNS generation algorithm (see left-hand image), and this makes it harder than something like recent examples of Flashback, but actually everything with Flashback uses the same DNS generation algorithm, connects to the same servers, whereas every instance of BlackHole has slightly different generation algorithms, it changes every twelve hours, and this makes it a lot more difficult to catch every kit. Before, it was like “Hey, I know. So, if you bulletproof-host this DNS name – I can block it”. Now it changes every twelve hours for thousands of installs. At the bottom you’ll actually see there’s a call to make frame, which then ends up generating a pseudo-random string. And this one is using DNSstuff.com which is free dynamic DNS service.
Then it does a random number generator based on the time, and if it’s less than 12 then it’s 0 otherwise it’s 1, so that’s actually where it’s using two cycles of the DNS name per day. Also, it gets a color out of the string, uses its pseudo-random number generator to grab tinker so that it ends up being a color-(10-number character).dnsstuff.com domain name at the end of it. They just recently added this, so they are definitely trying to add more things and keep their position as the most popular kit.
Phoenix Exploit Kit
The next kit I’m going to talk about is Phoenix. It’s been around since 2007, it’s pretty old, it’s up to version 3. They do mini and full versions. The difference between mini and full isn’t that they offer you more exploits, it’s more of just you can do multiple affiliates; they do things that I’ve seen other kits do: they track if you visited the page once, and if you visited the page one time – then they don’t actually launch the exploit again. When I was first playing around with these kits I ran into a problem where I visited a page for an exploit and then I tried to hit it again and wasn’t able to get the exploit, so I was like: what happened? It’s because: “Oh, we might have exploited you once already, so we don’t want to try to exploit you again; or we don’t want to serve the page up to you more than once to keep you from getting more information.” Also, because Phoenix is so old, it actually has quite a few exploits but they are fairly old exploits.
So, here you’ll see some of the statistics that Phoenix uses (see left-hand image). This is their advanced statistics page where they give you a lot of information about browsers and operating systems. On other pages you can see some exploits statistics and some more browser statistics. So, it’s not nearly as interesting or as nice to look at as BlackHole is.
Other Exploit Toolkits
Now I’ll move on to some of the other exploit kits that have been coming out. In late 2011 – early 2012, it seems like a lot of people have witnessed how popular these kits are becoming, how successful they’ve been, and there’re lots and lots of new kits coming out. There have actually been quite a few coming out from China, I’m going to talk about one of them and talk about some of the characteristics that it exhibits and other kits from China exhibit. An interesting thing with that is a lot of the kits have been coming out from Eastern Europe and Russia. So, kits coming out from China are just kind of a new wrinkle on the game. They came out with a small number of exploits but they are actually targeting more recent vulnerabilities than the other established kits. We’re also seeing kits pop up and disappear, but overall it’s just there being a very large number of these things to keep up with. It’s kind of like a start-up where everyone has a great idea, a lot of people try to follow it, but then a lot of people fail, so they just go away and you never see them again.
The next kit I want to talk about is Sweet Orange (see right-hand image), and this was a kit that I have not yet witnessed in the wild, and I haven’t seen anyone else except for Dancho Danchev talk about it, and one post on Webroot. But I want to talk about it here because they’ve actually managed to keep their kit out of researchers’ hands and very hidden, so it’s kind of a very hard question of whether they are being successful with this kit or it’s just some sort of marketing fluff: “We’re not going to even show a demo of this kit to you at all, if you’re not an established member of the underground we don’t feel like we trust you at all.” They set a high price for buying the exploit kit – $2500, and renting it for $1400. And none of the researchers I’ve talked to have seen this in the wild, but then, again, we may easily have samples of it, we just haven’t been able to tie them to this kit.
So, this is one of the screenshots of the Sweet Orange (see left-hand image), and you see it’s very similar to Phoenix: they just throw out their numbers, they’re not trying to make it look nearly as nice as BlackHole. You see country statistics, browser statistics – you’ll actually see some browser version statistics as well.
The last kit I’m going to talk about is Nuclear Pack (see right-hand image), which is actually one that popped up and disappeared, and it didn’t reappear until this year. It only has 4 exploits with it, but the interesting thing about this one was they added an anti-honeyclient/webcrawling feature into it just to try to prevent people from collecting any information about their page, collecting their exploits. They actually use mouse moving as a sign of a human using the web browser. So, this feature is really to detect you kind of need more interactive things to do it.
In conclusion, the exploit kits are getting more sophisticated in terms of adding newer exploits and more recent exploits and trying to do more evasions and obfuscations. One of the reasons they’re doing this is because it’s their business, and the guys who write these kits are trying to make money and they’re trying to protect their business model. They definitely want to figure out ways to keep making more money.
But they are not sophisticated in the sense of the – unfortunately I have to use this term – APT attacks that are trying to stay under the radar and silently exfiltrate data. These are the guys that are just trying to get past the first level of detection to infect a computer and add it to a botnet and then figure out ways to make money. So, detecting the ways that they are adding techniques and the ways that they are doing stuff takes a lot of work and takes constant work. And there are a lot of recent mitigations that web browsers are trying to add, like blacklisting plugins; and you also see things like Flash adding in, silent update features – Firefox has been looking to adding that in, Chrome does it. So they’re definitely combating these guys and trying to combat them in many ways. And it will be interesting, from my perspective, to see how the exploit authors react to these things, because they’re definitely going to react. But I don’t expect them to react with 0-days – they don’t need to use 0-days because what they are doing works, and it’s going to keep working as long as people won’t patch, or as long as we can’t make people patch.
I just want to give thanks to a lot of people, a couple of people work with – Marc Eisenbarth, Joanna Burkey and the rest of DVLabs people, they’ve definitely been great per support and ideas; and some ex-coworkers – Alen Puzic who actually turned me onto this stuff originally; and a lot of the researcher communities – you see them all up there.
So, thank you!