SlideShare una empresa de Scribd logo

Manufacturing Compromise The Emergence of Exploit-as-a-Service

JITENDRA KUMAR PATEL
JITENDRA KUMAR PATEL

An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic. In order to understand the impact of the exploit-as-a-service paradigm on the malware ecosystem, Author performed a detailed analysis of the prevalence of exploit kits, the families of malware installed upon a successful exploit, and the volume of traffic that malicious web sites receive. To carry out this study, they analyze 77,000 malicious URLs received from Google Safe Browsing, along with a crowd-sourced feed of blacklisted URLs known to direct to exploit kits. These URLs led to over 10,000 distinct binaries, which they ran in a contained environment.

Educación
1 de 28
Manufacturing Compromise The Emergence of Exploit-as-a-Service Jitendra Kumar Patel Wednesday, July 22 , 2015
An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic.
INTRODUCTION.... Exploit-as-a-service economy World of for-profit malware Host compromise is now decoupled from host monetization Pay-per-install model of malware distribution Driveby downloads
Analysis.... 77,000 malicious URLs received from Google Safe Browsing Crowd-sourced feed of blacklisted URLs 10,000 variants from the course of March 1, 2012 until April 20, 2012
Contributions of Authors.... For each driveby site, they identify the most popular exploit kit used and the malware family served by the site, including its monetization scheme. Using passive DNS data they estimate the relative popularity of malware families distributed via driveby exploits. They report on operational aspects of driveby compromises; specifically, the lifetime of domains used to distribute malware (hours on average), and the effectiveness of interventions like Google Safe Browsing
Infection Chain.... The process begins with a victim visiting a compromised website or otherwise malicious page The victim’s browser receives a series of redirections through a chain of intermediate pages That obscures the final landing page, which hosts an exploit kit This final page attempts to exploit a victim’s browser, targeting either vulnerabilities in the browser, or browser plugins such as Adobe Flash and Java. If an unpatched version of the vulnerable software exists, the victim’s machine is compromised and any variety of malware can be installed.
Infection Chain....
Business Models.... Exploit kit model - miscreants either purchase exploit kits (software only) or rent access to pre-configured exploit servers (hardware and exploit software). This business model fulfills all the requirements of step 3 and 5 in the driveby chain.Clients are responsible for luring their own victims and determining which malware to distribute. Traffic-PPI - service take the exploit pack model one step further and can be considered an evolution of the pay-per-install service model. In this model, clients simply purchase installs and provide their binaries (4), while the Traffic- PPI service takes care of the entire process of generating traffic, redirecting, and exploiting a victim’s browsers (1,2,3) until finally installing the client’s software (5).
Exploit Kits and Servers.... Exploit kits (or packs) to refer to software packages that bundle multiple exploits targeted at vulnerabilities in web browsers and their plugins (e.g., Flash, PDF and Java). Popular exploit kits include Blackhole, Eleonore, and Phoenix Attackers install exploit kits on web servers, and we term the combination of server plus exploit kit as an exploit server. Upon a visit to a domain hosted in an exploit server, the exploit kit automatically profiles the browser and delivers an exploit based on the operating system, browser, and plugin configuration. If the exploit succeeds, it downloads a binary that then executes on the user’s computer.
Traffic-PPI Services.... Natural evolution of the classic pay-perinstall (PPI) service adapted to the drive-by-download ecosystem Key difference between the models is that in the classic PPI model, the PPI service outsources the task of exploiting the target hosts to affiliates. In contrast, the service that runs a Traffic-PPI marketplace is in charge of exploitation exclusively through drivebys
Examples of Traffic-PPI services .... SellMeYourTraffic : The Traffic-PPI program SellMeYourTraffic states that they buy any type of traffic from affiliates, regardless of quality, paying affiliates between $0.80–$3.00 USD per thousand visits Traffbiz : Traffbiz is a Russian Traffic-PPI service. They also run an affiliate service and pay affiliate webmasters $1.6 USD per thousand visits from users in Russia.The JavaScript snippet contains a link to a banner picture. In reality, the banner is the start of a redirect sequence that eventually leads the user’s browser to an exploit server running the Blackhole exploit kit. Users outside of Russia are simply presented with a normal banner
Monetization Approaches.... Spamming Fake Software Proxies & Hosting Droppers Browser Hijacking Clickfraud Information Theft
Feeds.... Email Attachments Live Network Traffic Torrents Feed Overlap Driveby Downloads Droppers
Contained Execution.... They executed each binary in a virtualized environment provided by the GQ honeyfarm, which supports monitoring malware execution while providing a flexible network policy Used Windows XP Service Pack 3 for all executions The system can process thousands of binaries per day.
Contained Execution....
Automated Clustering .... Domains HTTP Arguments System Modifications Screen-shots
Manual Classification.... Manual analysis of cluster reports Analysts (e.g., conscripted security researchers) review large clusters of binaries with similar behaviour and compare them against public reports. Also examine a sample’s screenshot, file modifications, and network behavior to determine how a sample monetizes an infected host In the event we could not locate a corresponding public family name, we apply a generic cluster label
Comparison of Infection Vectors....
Components of a Driveby Download....
The Role of Exploit Packs.... Identifying Exploit Packs Exploit Kit Popularity Malware Families by Exploit Pack
Estimating DNS Traffic.... dataset of passive DNS lookups recorded by the Security Information Exchange (SIE) Imprecision : Caching errors Revisit errors Unrelated query errors
Domain Duration.... The uptime duration of a domain as the time between the first lookup that returns a valid A record until the time of the last valid lookup. Final domains are short lived, with a median duration of 2.5 hours.
Safe Browsing Performance & Impact.... Derive from DNS lookups concerns the impact of Google Safe Browsing on the lifetime of final domains hosting exploits Only 22% of final domains appear in the list, and these exhibit a bias toward longer living domains, with a median duration of 2 days compared to 2.5 hours.
Lessons learned.... Malware diversity Crawler-based detection Pay-per-install vs. exploit-as-a-service
RELATED WORK.... Related Whitepapers : – A Criminal Perspective on Exploit Packs – Team Cymru – Exploring the Blackhole exploit kit – Sophos Moshchuk et al. crawled 18 million URLs in an attempt to identify malicious content. They found that of 5.9% of the URLs crawled were driveby downloads, while 13.4% lead to spyware. Curtsinger et al. trained a classifier to detect heap spray exploits in JavaScript, and use the classifier to detect and blacklist malicious pages. Cova et al. Use a modified browser to analyze web pages and extract features that can aid in identifying exploits that lead to driveby downloads.
REFERENCES.... "Manufacturing Compromise: The Emergence of Exploit-as-a-Service" Chris Grier, Lucas Ballard, Juan Caballero, Neha Chachra, Christian J. Dietrich, Kirill Levchenko, Panayiotis Mavrommatis, Damon McCoy, Antonio Nappa, Andreas Pitsillidis, Niels Provos, M. Zubair Rafique, Moheeb Abu Rajab, Christian Rossow, Kurt Thomas, Vern Paxson, Stefan Savage, Geoffrey M. Voelke ACM CCS, 2012 Link : http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
Jitendra Kumar Patel www.jitendrapatel.in jitendra.patel@iiitb.org Wednesday, July 22 , 2015
Manufacturing Compromise The Emergence of Exploit-as-a-Service

Recomendados

The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupWHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupSymantec
 
Entropy and denial of service attacks
Entropy and denial of service attacksEntropy and denial of service attacks
Entropy and denial of service attackschris zlatis
 
Ransomware - Rameez Shahzada
Ransomware - Rameez ShahzadaRansomware - Rameez Shahzada
Ransomware - Rameez ShahzadaRAMEEZ SHAHZADA
 
Defense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learningDefense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learningeSAT Publishing House
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS AttacksJignesh Patel
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack Ahmed Salama
 
Ddos- distributed denial of service
Ddos- distributed denial of service Ddos- distributed denial of service
Ddos- distributed denial of service laxmi chandolia
 

Recomendados

The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupWHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupSymantec
 
Entropy and denial of service attacks
Entropy and denial of service attacksEntropy and denial of service attacks
Entropy and denial of service attackschris zlatis
 
Ransomware - Rameez Shahzada
Ransomware - Rameez ShahzadaRansomware - Rameez Shahzada
Ransomware - Rameez ShahzadaRAMEEZ SHAHZADA
 
Defense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learningDefense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learningeSAT Publishing House
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS AttacksJignesh Patel
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack Ahmed Salama
 
Ddos- distributed denial of service
Ddos- distributed denial of service Ddos- distributed denial of service
Ddos- distributed denial of service laxmi chandolia
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiProfessor Lili Saghafi
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionAPNIC
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtNitin Bisht
 
DDoS Attack and Mitigation
DDoS Attack and MitigationDDoS Attack and Mitigation
DDoS Attack and MitigationDevang Badrakiya
 
Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...
Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...
Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...journalBEEI
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy codeG Prachi
 
Unveiling-Patchwork
Unveiling-PatchworkUnveiling-Patchwork
Unveiling-PatchworkBrandon Levene
 
Analysing Ransomware
Analysing RansomwareAnalysing Ransomware
Analysing RansomwareNapier University
 
5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS AttackRedZone Technologies
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cnsmmubashirkhan
 
Assingement on dos ddos
Assingement on dos ddosAssingement on dos ddos
Assingement on dos ddoskalyan kumar
 
Dos n d dos
Dos n d dosDos n d dos
Dos n d dossadhana21297
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS AttacksVitor Jesus
 
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...RSIS International
 
Destributed denial of service attack ppt
Destributed denial of service attack pptDestributed denial of service attack ppt
Destributed denial of service attack pptOECLIB Odisha Electronics Control Library
 
AktaionvWhitePaperBlackHat2016
AktaionvWhitePaperBlackHat2016AktaionvWhitePaperBlackHat2016
AktaionvWhitePaperBlackHat2016Rod Soto
 
What is DDoS ?
What is DDoS ?What is DDoS ?
What is DDoS ?Vikas Phonsa
 
DDoS Attack
DDoS AttackDDoS Attack
DDoS AttackGopi Krishnan S
 
Improving-The-Round-Complexity-of-VSS-in-Point-To-Point-Networks
Improving-The-Round-Complexity-of-VSS-in-Point-To-Point-NetworksImproving-The-Round-Complexity-of-VSS-in-Point-To-Point-Networks
Improving-The-Round-Complexity-of-VSS-in-Point-To-Point-NetworksJITENDRA KUMAR PATEL
 
Docker meetup-jan-2015
Docker meetup-jan-2015Docker meetup-jan-2015
Docker meetup-jan-2015JITENDRA KUMAR PATEL
 
Secure 2 Party AES
Secure 2 Party AESSecure 2 Party AES
Secure 2 Party AESJITENDRA KUMAR PATEL
 
Introduction-To-SMPC-Philips-Innovation-Campus-SecurityExploded
Introduction-To-SMPC-Philips-Innovation-Campus-SecurityExplodedIntroduction-To-SMPC-Philips-Innovation-Campus-SecurityExploded
Introduction-To-SMPC-Philips-Innovation-Campus-SecurityExplodedJITENDRA KUMAR PATEL
 

Más contenido relacionado

La actualidad más candente

Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiProfessor Lili Saghafi
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionAPNIC
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtNitin Bisht
 
DDoS Attack and Mitigation
DDoS Attack and MitigationDDoS Attack and Mitigation
DDoS Attack and MitigationDevang Badrakiya
 
Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...
Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...
Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...journalBEEI
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy codeG Prachi
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cnsmmubashirkhan
 
Assingement on dos ddos
Assingement on dos ddosAssingement on dos ddos
Assingement on dos ddoskalyan kumar
 
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...RSIS International
 
AktaionvWhitePaperBlackHat2016
AktaionvWhitePaperBlackHat2016AktaionvWhitePaperBlackHat2016
AktaionvWhitePaperBlackHat2016Rod Soto
 

La actualidad más candente (18)

Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin Bisht
 
DDoS Attack and Mitigation
DDoS Attack and MitigationDDoS Attack and Mitigation
DDoS Attack and Mitigation
 
Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...
Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...
Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
 
Unveiling-Patchwork
Unveiling-PatchworkUnveiling-Patchwork
Unveiling-Patchwork
 
Analysing Ransomware
Analysing RansomwareAnalysing Ransomware
Analysing Ransomware
 
5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cns
 
Assingement on dos ddos
Assingement on dos ddosAssingement on dos ddos
Assingement on dos ddos
 
Dos n d dos
Dos n d dosDos n d dos
Dos n d dos
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
 
Destributed denial of service attack ppt
Destributed denial of service attack pptDestributed denial of service attack ppt
Destributed denial of service attack ppt
 
AktaionvWhitePaperBlackHat2016
AktaionvWhitePaperBlackHat2016AktaionvWhitePaperBlackHat2016
AktaionvWhitePaperBlackHat2016
 
What is DDoS ?
What is DDoS ?What is DDoS ?
What is DDoS ?
 
DDoS Attack
DDoS AttackDDoS Attack
DDoS Attack
 

Destacado

Improving-The-Round-Complexity-of-VSS-in-Point-To-Point-Networks
Improving-The-Round-Complexity-of-VSS-in-Point-To-Point-NetworksImproving-The-Round-Complexity-of-VSS-in-Point-To-Point-Networks
Improving-The-Round-Complexity-of-VSS-in-Point-To-Point-NetworksJITENDRA KUMAR PATEL
 
Introduction-To-SMPC-Philips-Innovation-Campus-SecurityExploded
Introduction-To-SMPC-Philips-Innovation-Campus-SecurityExplodedIntroduction-To-SMPC-Philips-Innovation-Campus-SecurityExploded
Introduction-To-SMPC-Philips-Innovation-Campus-SecurityExplodedJITENDRA KUMAR PATEL
 
Introduction to node.js aka NodeJS
Introduction to node.js aka NodeJSIntroduction to node.js aka NodeJS
Introduction to node.js aka NodeJSJITENDRA KUMAR PATEL
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server SecurityJITENDRA KUMAR PATEL
 

Destacado (7)

Improving-The-Round-Complexity-of-VSS-in-Point-To-Point-Networks
Improving-The-Round-Complexity-of-VSS-in-Point-To-Point-NetworksImproving-The-Round-Complexity-of-VSS-in-Point-To-Point-Networks
Improving-The-Round-Complexity-of-VSS-in-Point-To-Point-Networks
 
Docker meetup-jan-2015
Docker meetup-jan-2015Docker meetup-jan-2015
Docker meetup-jan-2015
 
Secure 2 Party AES
Secure 2 Party AESSecure 2 Party AES
Secure 2 Party AES
 
Introduction-To-SMPC-Philips-Innovation-Campus-SecurityExploded
Introduction-To-SMPC-Philips-Innovation-Campus-SecurityExplodedIntroduction-To-SMPC-Philips-Innovation-Campus-SecurityExploded
Introduction-To-SMPC-Philips-Innovation-Campus-SecurityExploded
 
Glyph-Placement-Strategy
Glyph-Placement-StrategyGlyph-Placement-Strategy
Glyph-Placement-Strategy
 
Introduction to node.js aka NodeJS
Introduction to node.js aka NodeJSIntroduction to node.js aka NodeJS
Introduction to node.js aka NodeJS
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server Security
 

Similar a Manufacturing Compromise The Emergence of Exploit-as-a-Service

Ransomeware : A High Profile Attack
Ransomeware : A High Profile AttackRansomeware : A High Profile Attack
Ransomeware : A High Profile AttackIRJET Journal
 
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICESRansomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICESKatherine Duffy
 
Symantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit AnalysisSymantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit AnalysisSymantec
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...AshishDPatel1
 
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...RSIS International
 
Spyware presentation by mangesh wadibhasme
Spyware presentation by mangesh wadibhasmeSpyware presentation by mangesh wadibhasme
Spyware presentation by mangesh wadibhasmeMangesh wadibhasme
 
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...Editor IJMTER
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesAmit Kumbhar
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2securityxploded
 
Guarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkGuarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkEditor IJCATR
 
Gand crab ransomware analysis
Gand crab ransomware analysisGand crab ransomware analysis
Gand crab ransomware analysisPoduralla Tarun
 
Formative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksFormative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksDamaineFranklinMScBE
 
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORINLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORNeha Rana
 

Similar a Manufacturing Compromise The Emergence of Exploit-as-a-Service (20)

Ransomeware : A High Profile Attack
Ransomeware : A High Profile AttackRansomeware : A High Profile Attack
Ransomeware : A High Profile Attack
 
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICESRansomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
 
ITPG Secure on WannaCry
ITPG Secure on WannaCryITPG Secure on WannaCry
ITPG Secure on WannaCry
 
Modern Malware and Threats
Modern Malware and ThreatsModern Malware and Threats
Modern Malware and Threats
 
Secure client
Secure clientSecure client
Secure client
 
Symantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit AnalysisSymantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit Analysis
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
 
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
 
Spyware presentation by mangesh wadibhasme
Spyware presentation by mangesh wadibhasmeSpyware presentation by mangesh wadibhasme
Spyware presentation by mangesh wadibhasme
 
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
 
Guarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkGuarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social Network
 
Gand crab ransomware analysis
Gand crab ransomware analysisGand crab ransomware analysis
Gand crab ransomware analysis
 
Formative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksFormative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering Attacks
 
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORINLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its Defence
 
Defining Cyber Crime
Defining Cyber CrimeDefining Cyber Crime
Defining Cyber Crime
 

Último

Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024Janet Corral
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 

Último (20)

Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 

Manufacturing Compromise The Emergence of Exploit-as-a-Service

  • 1. Manufacturing Compromise The Emergence of Exploit-as-a-Service Jitendra Kumar Patel Wednesday, July 22 , 2015
  • 2. An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic.
  • 3. INTRODUCTION.... Exploit-as-a-service economy World of for-profit malware Host compromise is now decoupled from host monetization Pay-per-install model of malware distribution Driveby downloads
  • 4. Analysis.... 77,000 malicious URLs received from Google Safe Browsing Crowd-sourced feed of blacklisted URLs 10,000 variants from the course of March 1, 2012 until April 20, 2012
  • 5. Contributions of Authors.... For each driveby site, they identify the most popular exploit kit used and the malware family served by the site, including its monetization scheme. Using passive DNS data they estimate the relative popularity of malware families distributed via driveby exploits. They report on operational aspects of driveby compromises; specifically, the lifetime of domains used to distribute malware (hours on average), and the effectiveness of interventions like Google Safe Browsing
  • 6. Infection Chain.... The process begins with a victim visiting a compromised website or otherwise malicious page The victim’s browser receives a series of redirections through a chain of intermediate pages That obscures the final landing page, which hosts an exploit kit This final page attempts to exploit a victim’s browser, targeting either vulnerabilities in the browser, or browser plugins such as Adobe Flash and Java. If an unpatched version of the vulnerable software exists, the victim’s machine is compromised and any variety of malware can be installed.
  • 8. Business Models.... Exploit kit model - miscreants either purchase exploit kits (software only) or rent access to pre-configured exploit servers (hardware and exploit software). This business model fulfills all the requirements of step 3 and 5 in the driveby chain.Clients are responsible for luring their own victims and determining which malware to distribute. Traffic-PPI - service take the exploit pack model one step further and can be considered an evolution of the pay-per-install service model. In this model, clients simply purchase installs and provide their binaries (4), while the Traffic- PPI service takes care of the entire process of generating traffic, redirecting, and exploiting a victim’s browsers (1,2,3) until finally installing the client’s software (5).
  • 9. Exploit Kits and Servers.... Exploit kits (or packs) to refer to software packages that bundle multiple exploits targeted at vulnerabilities in web browsers and their plugins (e.g., Flash, PDF and Java). Popular exploit kits include Blackhole, Eleonore, and Phoenix Attackers install exploit kits on web servers, and we term the combination of server plus exploit kit as an exploit server. Upon a visit to a domain hosted in an exploit server, the exploit kit automatically profiles the browser and delivers an exploit based on the operating system, browser, and plugin configuration. If the exploit succeeds, it downloads a binary that then executes on the user’s computer.
  • 10. Traffic-PPI Services.... Natural evolution of the classic pay-perinstall (PPI) service adapted to the drive-by-download ecosystem Key difference between the models is that in the classic PPI model, the PPI service outsources the task of exploiting the target hosts to affiliates. In contrast, the service that runs a Traffic-PPI marketplace is in charge of exploitation exclusively through drivebys
  • 11. Examples of Traffic-PPI services .... SellMeYourTraffic : The Traffic-PPI program SellMeYourTraffic states that they buy any type of traffic from affiliates, regardless of quality, paying affiliates between $0.80–$3.00 USD per thousand visits Traffbiz : Traffbiz is a Russian Traffic-PPI service. They also run an affiliate service and pay affiliate webmasters $1.6 USD per thousand visits from users in Russia.The JavaScript snippet contains a link to a banner picture. In reality, the banner is the start of a redirect sequence that eventually leads the user’s browser to an exploit server running the Blackhole exploit kit. Users outside of Russia are simply presented with a normal banner
  • 12. Monetization Approaches.... Spamming Fake Software Proxies & Hosting Droppers Browser Hijacking Clickfraud Information Theft
  • 13. Feeds.... Email Attachments Live Network Traffic Torrents Feed Overlap Driveby Downloads Droppers
  • 14. Contained Execution.... They executed each binary in a virtualized environment provided by the GQ honeyfarm, which supports monitoring malware execution while providing a flexible network policy Used Windows XP Service Pack 3 for all executions The system can process thousands of binaries per day.
  • 16. Automated Clustering .... Domains HTTP Arguments System Modifications Screen-shots
  • 17. Manual Classification.... Manual analysis of cluster reports Analysts (e.g., conscripted security researchers) review large clusters of binaries with similar behaviour and compare them against public reports. Also examine a sample’s screenshot, file modifications, and network behavior to determine how a sample monetizes an infected host In the event we could not locate a corresponding public family name, we apply a generic cluster label
  • 18. Comparison of Infection Vectors....
  • 19. Components of a Driveby Download....
  • 20. The Role of Exploit Packs.... Identifying Exploit Packs Exploit Kit Popularity Malware Families by Exploit Pack
  • 21. Estimating DNS Traffic.... dataset of passive DNS lookups recorded by the Security Information Exchange (SIE) Imprecision : Caching errors Revisit errors Unrelated query errors
  • 22. Domain Duration.... The uptime duration of a domain as the time between the first lookup that returns a valid A record until the time of the last valid lookup. Final domains are short lived, with a median duration of 2.5 hours.
  • 23. Safe Browsing Performance & Impact.... Derive from DNS lookups concerns the impact of Google Safe Browsing on the lifetime of final domains hosting exploits Only 22% of final domains appear in the list, and these exhibit a bias toward longer living domains, with a median duration of 2 days compared to 2.5 hours.
  • 24. Lessons learned.... Malware diversity Crawler-based detection Pay-per-install vs. exploit-as-a-service
  • 25. RELATED WORK.... Related Whitepapers : – A Criminal Perspective on Exploit Packs – Team Cymru – Exploring the Blackhole exploit kit – Sophos Moshchuk et al. crawled 18 million URLs in an attempt to identify malicious content. They found that of 5.9% of the URLs crawled were driveby downloads, while 13.4% lead to spyware. Curtsinger et al. trained a classifier to detect heap spray exploits in JavaScript, and use the classifier to detect and blacklist malicious pages. Cova et al. Use a modified browser to analyze web pages and extract features that can aid in identifying exploits that lead to driveby downloads.
  • 26. REFERENCES.... "Manufacturing Compromise: The Emergence of Exploit-as-a-Service" Chris Grier, Lucas Ballard, Juan Caballero, Neha Chachra, Christian J. Dietrich, Kirill Levchenko, Panayiotis Mavrommatis, Damon McCoy, Antonio Nappa, Andreas Pitsillidis, Niels Provos, M. Zubair Rafique, Moheeb Abu Rajab, Christian Rossow, Kurt Thomas, Vern Paxson, Stefan Savage, Geoffrey M. Voelke ACM CCS, 2012 Link : http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf