Manufacturing Compromise
The Emergence of Exploit-as-a-Service
Jitendra Kumar Patel, Wednesday, July 22, 2015
An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic.
INTRODUCTION....
Exploit-as-a-service economy
World of for-profit malware
Host compromise is now decoupled from host monetization
Pay-per-install model of malware distribution
Driveby downloads
Analysis....
77,000 malicious URLs received from Google Safe Browsing
Crowd-sourced feed of blacklisted URLs
10,000 malware variants collected between March 1, 2012 and April 20, 2012
Contributions of Authors....
For each driveby site, they identify the most popular exploit kit used and the
malware family served by the site, including its monetization scheme.
Using passive DNS data they estimate the relative popularity of malware
families distributed via driveby exploits.
They report on operational aspects of driveby compromises; specifically, the
lifetime of domains used to distribute malware (hours on average), and the
effectiveness of interventions like Google Safe Browsing.
Infection Chain....
The process begins with a victim visiting a compromised website or otherwise malicious page.
The victim's browser receives a series of redirections through a chain of intermediate pages.
This chain obscures the final landing page, which hosts an exploit kit.
This final page attempts to exploit the victim's browser, targeting either vulnerabilities in the browser or browser plugins such as Adobe Flash and Java. If an unpatched version of the vulnerable software is present, the victim's machine is compromised and any variety of malware can be installed.
Infection Chain....
Business Models....
Exploit kit model - miscreants either purchase exploit kits (software only) or rent access to pre-configured exploit servers (hardware and exploit software). This business model fulfills all the requirements of steps 3 and 5 in the driveby chain. Clients are responsible for luring their own victims and determining which malware to distribute.
Traffic-PPI - these services take the exploit pack model one step further and can be considered an evolution of the pay-per-install service model. In this model, clients simply purchase installs and provide their binaries (4), while the Traffic-PPI service takes care of the entire process of generating traffic, redirecting, and exploiting victims' browsers (1, 2, 3) until finally installing the client's software (5).
Exploit Kits and Servers....
Exploit kits (or packs) refer to software packages that bundle multiple exploits targeting vulnerabilities in web browsers and their plugins (e.g., Flash, PDF and Java). Popular exploit kits include Blackhole, Eleonore, and Phoenix.
Attackers install exploit kits on web servers; the combination of server plus exploit kit is termed an exploit server. Upon a visit to a domain hosted on an exploit server, the exploit kit automatically profiles the browser and delivers an exploit based on the operating system, browser, and plugin configuration. If the exploit succeeds, it downloads a binary that then executes on the user's computer.
Traffic-PPI Services....
Natural evolution of the classic pay-per-install (PPI) service adapted to the drive-by-download ecosystem.
The key difference between the models is that in the classic PPI model, the PPI service outsources the task of exploiting the target hosts to affiliates.
In contrast, the service that runs a Traffic-PPI marketplace is in charge of exploitation, exclusively through drivebys.
Examples of Traffic-PPI services....
SellMeYourTraffic :
The Traffic-PPI program SellMeYourTraffic states that they buy any type of traffic from affiliates, regardless of quality, paying affiliates between $0.80–$3.00 USD per thousand visits.
Traffbiz :
Traffbiz is a Russian Traffic-PPI service. They also run an affiliate service and pay affiliate webmasters $1.6 USD per thousand visits from users in Russia. The JavaScript snippet that affiliates embed contains a link to a banner picture. In reality, the banner is the start of a redirect sequence that eventually leads the user's browser to an exploit server running the Blackhole exploit kit. Users outside of Russia are simply presented with a normal banner.
Monetization Approaches....
Spamming
Fake Software
Proxies & Hosting
Droppers
Browser Hijacking
Clickfraud
Information Theft
Feeds....
Email Attachments
Live Network Traffic
Torrents
Feed Overlap
Driveby Downloads
Droppers
Contained Execution....
They executed each binary in a virtualized environment provided by the GQ honeyfarm, which supports monitoring malware execution while providing a flexible network policy.
Windows XP Service Pack 3 was used for all executions.
The system can process thousands of binaries per day.
Contained Execution....
Automated Clustering ....
Domains
HTTP Arguments
System Modifications
Screen-shots
Manual Classification....
Manual analysis of cluster reports.
Analysts (e.g., conscripted security researchers) review large clusters of binaries with similar behaviour and compare them against public reports.
They also examine a sample's screenshot, file modifications, and network behavior to determine how a sample monetizes an infected host.
In the event they could not locate a corresponding public family name, they apply a generic cluster label.
Comparison of Infection Vectors....
Components of a Driveby Download....
The Role of Exploit Packs....
Identifying Exploit Packs
Exploit Kit Popularity
Malware Families by Exploit Pack
Estimating DNS Traffic....
Dataset of passive DNS lookups recorded by the Security Information Exchange (SIE)
Imprecision :
Caching errors
Revisit errors
Unrelated query errors
Domain Duration....
The uptime duration of a domain is the time between the first lookup that returns a valid A record and the time of the last valid lookup.
Final domains are short lived, with a median duration of 2.5 hours.
Safe Browsing Performance & Impact....
A second result derived from DNS lookups concerns the impact of Google Safe Browsing on the lifetime of final domains hosting exploits.
Only 22% of final domains appear in the list, and these exhibit a bias toward longer-living domains, with a median duration of 2 days compared to 2.5 hours.
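The two measurements above (domain uptime from passive DNS, and the lifetime of blacklisted versus unlisted domains) carried out on constructed records, as an added example that is not code from the paper or the slides; the log-line format, domain names and timestamps are all made up here, and the SIE feed format is not assumed.

```python
"""Domain uptime from passive DNS, as defined on the Domain Duration slide:
lifetime = last lookup returning a valid A record - first such lookup.
Added example; records below are constructed, not data from the paper."""
from datetime import datetime
from statistics import median

# Constructed passive-DNS log lines (hypothetical format, not SIE's):
# "<ISO timestamp> <qname> <rcode> <A record or '-'>".
SAMPLE_PDNS = """\
2012-03-05T10:00:00 a.example NOERROR 203.0.113.5
2012-03-05T11:30:00 a.example NOERROR 203.0.113.5
2012-03-05T12:30:00 a.example NOERROR 203.0.113.5
2012-03-07T09:00:00 a.example NXDOMAIN -
2012-03-06T08:00:00 b.example NOERROR 198.51.100.9
2012-03-08T08:00:00 b.example NOERROR 198.51.100.9
2012-03-06T09:00:00 c.example NXDOMAIN -
2012-03-09T00:00:00 d.example NOERROR 192.0.2.7
2012-03-09T01:00:00 d.example NOERROR 192.0.2.7
2012-03-09T04:00:00 d.example NOERROR 192.0.2.7
"""


def parse_pdns(text):
    """Yield (timestamp, qname, rdata) per line; rdata is None when the
    lookup returned no A record (NXDOMAIN or an empty answer)."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, qname, rcode, rdata = line.split()
        valid = rcode == "NOERROR" and rdata != "-"
        yield datetime.fromisoformat(ts), qname.lower().rstrip("."), (rdata if valid else None)


def domain_durations(records):
    """Uptime per domain in hours: last valid A lookup minus first valid A lookup.
    Domains that never returned a valid A record are excluded, and failed
    lookups (e.g. after a takedown) do not extend the window. Caching and
    revisit errors mentioned on the slides are not corrected here; timestamps
    are taken at face value."""
    first, last = {}, {}
    for ts, qname, rdata in records:
        if rdata is None:
            continue
        if qname not in first or ts < first[qname]:
            first[qname] = ts
        if qname not in last or ts > last[qname]:
            last[qname] = ts
    return {d: (last[d] - first[d]).total_seconds() / 3600 for d in first}


def overall_median_hours(durations):
    """Median lifetime across all domains, or None if there are none."""
    return median(durations.values()) if durations else None


def safe_browsing_split(durations, listed):
    """Compare lifetimes of domains that appeared in a blacklist (Safe Browsing
    in the paper) with those that did not. Returns (fraction_listed,
    median_listed_hours, median_unlisted_hours); a median is None for an
    empty group."""
    in_list = [h for d, h in durations.items() if d in listed]
    out_list = [h for d, h in durations.items() if d not in listed]
    frac = len(in_list) / len(durations) if durations else 0.0

    def med(xs):
        return median(xs) if xs else None

    return frac, med(in_list), med(out_list)


if __name__ == "__main__":
    durs = domain_durations(parse_pdns(SAMPLE_PDNS))
    for d, h in sorted(durs.items()):
        print(f"{d:12s} {h:6.2f} h")
    print("overall median: %.2f h" % overall_median_hours(durs))
    # Constructed blacklist: only b.example was ever listed.
    print(safe_browsing_split(durs, {"b.example"}))
```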
Lessons learned....
Malware diversity
Crawler-based detection
Pay-per-install vs. exploit-as-a-service
RELATED WORK....
Related Whitepapers :
– A Criminal Perspective on Exploit Packs – Team Cymru
– Exploring the Blackhole exploit kit – Sophos
Moshchuk et al. crawled 18 million URLs in an attempt to identify malicious content. They found that 5.9% of the URLs crawled were driveby downloads, while 13.4% led to spyware.
Curtsinger et al. trained a classifier to detect heap spray exploits in JavaScript, and used the classifier to detect and blacklist malicious pages.
Cova et al. used a modified browser to analyze web pages and extract features that can aid in identifying exploits that lead to driveby downloads.
REFERENCES....
"Manufacturing Compromise: The Emergence of Exploit-as-a-Service"
Chris Grier, Lucas Ballard, Juan Caballero, Neha Chachra, Christian J. Dietrich, Kirill
Levchenko, Panayiotis Mavrommatis, Damon McCoy, Antonio Nappa, Andreas
Pitsillidis, Niels Provos, M. Zubair Rafique, Moheeb Abu Rajab, Christian Rossow, Kurt
Thomas, Vern Paxson, Stefan Savage, Geoffrey M. Voelker
ACM CCS, 2012
Link : http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
Jitendra Kumar Patel
www.jitendrapatel.in
jitendra.patel@iiitb.org
Wednesday, July 22, 2015
Manufacturing Compromise The Emergence of Exploit-as-a-Service

Más contenido relacionado

La actualidad más candente

Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiProfessor Lili Saghafi
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionAPNIC
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack  PPT by Nitin BishtDDoS Attack  PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtNitin Bisht
 
DDoS Attack and Mitigation
DDoS Attack and MitigationDDoS Attack and Mitigation
DDoS Attack and MitigationDevang Badrakiya
 
Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...
Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...
Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...journalBEEI
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy codeG Prachi
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cnsmmubashirkhan
 
Assingement on dos ddos
Assingement on dos  ddosAssingement on dos  ddos
Assingement on dos ddoskalyan kumar
 
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...RSIS International
 
AktaionvWhitePaperBlackHat2016
AktaionvWhitePaperBlackHat2016AktaionvWhitePaperBlackHat2016
AktaionvWhitePaperBlackHat2016Rod Soto
 

La actualidad más candente (18)

Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack  PPT by Nitin BishtDDoS Attack  PPT by Nitin Bisht
DDoS Attack PPT by Nitin Bisht
 
DDoS Attack and Mitigation
DDoS Attack and MitigationDDoS Attack and Mitigation
DDoS Attack and Mitigation
 
Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...
Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...
Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Ne...
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
 
Unveiling-Patchwork
Unveiling-PatchworkUnveiling-Patchwork
Unveiling-Patchwork
 
Analysing Ransomware
Analysing RansomwareAnalysing Ransomware
Analysing Ransomware
 
5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cns
 
Assingement on dos ddos
Assingement on dos  ddosAssingement on dos  ddos
Assingement on dos ddos
 
Dos n d dos
Dos n d dosDos n d dos
Dos n d dos
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
 
Destributed denial of service attack ppt
Destributed denial of service attack pptDestributed denial of service attack ppt
Destributed denial of service attack ppt
 
AktaionvWhitePaperBlackHat2016
AktaionvWhitePaperBlackHat2016AktaionvWhitePaperBlackHat2016
AktaionvWhitePaperBlackHat2016
 
What is DDoS ?
What is DDoS ?What is DDoS ?
What is DDoS ?
 
DDoS Attack
DDoS AttackDDoS Attack
DDoS Attack
 

Destacado

Improving-The-Round-Complexity-of-VSS-in-Point-To-Point-Networks
Improving-The-Round-Complexity-of-VSS-in-Point-To-Point-NetworksImproving-The-Round-Complexity-of-VSS-in-Point-To-Point-Networks
Improving-The-Round-Complexity-of-VSS-in-Point-To-Point-NetworksJITENDRA KUMAR PATEL
 
Introduction-To-SMPC-Philips-Innovation-Campus-SecurityExploded
Introduction-To-SMPC-Philips-Innovation-Campus-SecurityExplodedIntroduction-To-SMPC-Philips-Innovation-Campus-SecurityExploded
Introduction-To-SMPC-Philips-Innovation-Campus-SecurityExplodedJITENDRA KUMAR PATEL
 
Introduction to node.js aka NodeJS
Introduction to node.js aka NodeJSIntroduction to node.js aka NodeJS
Introduction to node.js aka NodeJSJITENDRA KUMAR PATEL
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server SecurityJITENDRA KUMAR PATEL
 

Destacado (7)

Improving-The-Round-Complexity-of-VSS-in-Point-To-Point-Networks
Improving-The-Round-Complexity-of-VSS-in-Point-To-Point-NetworksImproving-The-Round-Complexity-of-VSS-in-Point-To-Point-Networks
Improving-The-Round-Complexity-of-VSS-in-Point-To-Point-Networks
 
Docker meetup-jan-2015
Docker meetup-jan-2015Docker meetup-jan-2015
Docker meetup-jan-2015
 
Secure 2 Party AES
Secure 2 Party AESSecure 2 Party AES
Secure 2 Party AES
 
Introduction-To-SMPC-Philips-Innovation-Campus-SecurityExploded
Introduction-To-SMPC-Philips-Innovation-Campus-SecurityExplodedIntroduction-To-SMPC-Philips-Innovation-Campus-SecurityExploded
Introduction-To-SMPC-Philips-Innovation-Campus-SecurityExploded
 
Glyph-Placement-Strategy
Glyph-Placement-StrategyGlyph-Placement-Strategy
Glyph-Placement-Strategy
 
Introduction to node.js aka NodeJS
Introduction to node.js aka NodeJSIntroduction to node.js aka NodeJS
Introduction to node.js aka NodeJS
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server Security
 

Similar a Manufacturing Compromise The Emergence of Exploit-as-a-Service

Ransomeware : A High Profile Attack
Ransomeware : A High Profile AttackRansomeware : A High Profile Attack
Ransomeware : A High Profile AttackIRJET Journal
 
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICESRansomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICESKatherine Duffy
 
Symantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit AnalysisSymantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit AnalysisSymantec
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...AshishDPatel1
 
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...RSIS International
 
Spyware presentation by mangesh wadibhasme
Spyware presentation by mangesh wadibhasmeSpyware presentation by mangesh wadibhasme
Spyware presentation by mangesh wadibhasmeMangesh wadibhasme
 
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...Editor IJMTER
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesAmit Kumbhar
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2securityxploded
 
Guarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkGuarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkEditor IJCATR
 
Gand crab ransomware analysis
Gand crab ransomware analysisGand crab ransomware analysis
Gand crab ransomware analysisPoduralla Tarun
 
Formative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksFormative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksDamaineFranklinMScBE
 
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORINLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORNeha Rana
 

Similar a Manufacturing Compromise The Emergence of Exploit-as-a-Service (20)

Ransomeware : A High Profile Attack
Ransomeware : A High Profile AttackRansomeware : A High Profile Attack
Ransomeware : A High Profile Attack
 
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICESRansomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
 
ITPG Secure on WannaCry
ITPG Secure on WannaCryITPG Secure on WannaCry
ITPG Secure on WannaCry
 
Modern Malware and Threats
Modern Malware and ThreatsModern Malware and Threats
Modern Malware and Threats
 
Secure client
Secure clientSecure client
Secure client
 
Symantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit AnalysisSymantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit Analysis
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
 
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
 
Spyware presentation by mangesh wadibhasme
Spyware presentation by mangesh wadibhasmeSpyware presentation by mangesh wadibhasme
Spyware presentation by mangesh wadibhasme
 
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
 
Guarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkGuarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social Network
 
Gand crab ransomware analysis
Gand crab ransomware analysisGand crab ransomware analysis
Gand crab ransomware analysis
 
Formative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksFormative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering Attacks
 
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORINLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its Defence
 
Defining Cyber Crime
Defining Cyber CrimeDefining Cyber Crime
Defining Cyber Crime
 

Último

SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentationcamerronhm
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...Nguyen Thanh Tu Collection
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Association for Project Management
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxCeline George
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Pooja Bhuva
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jisc
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds  in the ClassroomFostering Friendships - Enhancing Social Bonds  in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomPooky Knightsmith
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Pooja Bhuva
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structuredhanjurrannsibayan2
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfSherif Taha
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.MaryamAhmad92
 

Último (20)

SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds  in the ClassroomFostering Friendships - Enhancing Social Bonds  in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 

Manufacturing Compromise The Emergence of Exploit-as-a-Service

  • 1. Manufacturing Compromise The Emergence of Exploit-as-a-Service Jitendra Kumar Patel Wednesday, July 22 , 2015
  • 2. An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic.
  • 3. INTRODUCTION.... Exploit-as-a-service economy World of for-profit malware Host compromise is now decoupled from host monetization Pay-per-install model of malware distribution Driveby downloads
  • 4. Analysis.... 77,000 malicious URLs received from Google Safe Browsing Crowd-sourced feed of blacklisted URLs 10,000 variants from the course of March 1, 2012 until April 20, 2012
  • 5. Contributions of Authors.... For each driveby site, they identify the most popular exploit kit used and the malware family served by the site, including its monetization scheme. Using passive DNS data they estimate the relative popularity of malware families distributed via driveby exploits. They report on operational aspects of driveby compromises; specifically, the lifetime of domains used to distribute malware (hours on average), and the effectiveness of interventions like Google Safe Browsing
  • 6. Infection Chain.... The process begins with a victim visiting a compromised website or otherwise malicious page. The victim’s browser receives a series of redirections through a chain of intermediate pages that obscures the final landing page, which hosts an exploit kit. This final page attempts to exploit the victim’s browser, targeting either vulnerabilities in the browser or in browser plugins such as Adobe Flash and Java. If an unpatched version of the vulnerable software exists, the victim’s machine is compromised and any variety of malware can be installed.
  • 8. Business Models.... Exploit kit model: miscreants either purchase exploit kits (software only) or rent access to pre-configured exploit servers (hardware and exploit software). This business model fulfills all the requirements of steps 3 and 5 in the driveby chain. Clients are responsible for luring their own victims and determining which malware to distribute. Traffic-PPI: these services take the exploit pack model one step further and can be considered an evolution of the pay-per-install service model. In this model, clients simply purchase installs and provide their binaries (4), while the Traffic-PPI service takes care of the entire process of generating traffic, redirecting, and exploiting a victim’s browser (1, 2, 3) until finally installing the client’s software (5).
  • 9. Exploit Kits and Servers.... Exploit kits (or packs) refer to software packages that bundle multiple exploits targeted at vulnerabilities in web browsers and their plugins (e.g., Flash, PDF and Java). Popular exploit kits include Blackhole, Eleonore, and Phoenix. Attackers install exploit kits on web servers, and the authors term the combination of server plus exploit kit an exploit server. Upon a visit to a domain hosted on an exploit server, the exploit kit automatically profiles the browser and delivers an exploit based on the operating system, browser, and plugin configuration. If the exploit succeeds, it downloads a binary that then executes on the user’s computer.
  • 10. Traffic-PPI Services.... A natural evolution of the classic pay-per-install (PPI) service adapted to the drive-by-download ecosystem. The key difference between the models is that in the classic PPI model, the PPI service outsources the task of exploiting the target hosts to affiliates. In contrast, the service that runs a Traffic-PPI marketplace is in charge of exploitation, exclusively through drivebys.
  • 11. Examples of Traffic-PPI services.... SellMeYourTraffic: the Traffic-PPI program SellMeYourTraffic states that they buy any type of traffic from affiliates, regardless of quality, paying affiliates between $0.80 and $3.00 USD per thousand visits. Traffbiz: Traffbiz is a Russian Traffic-PPI service. They also run an affiliate service and pay affiliate webmasters $1.6 USD per thousand visits from users in Russia. The affiliate JavaScript snippet contains a link to a banner picture. In reality, the banner is the start of a redirect sequence that eventually leads the user’s browser to an exploit server running the Blackhole exploit kit. Users outside of Russia are simply presented with a normal banner.
  • 12. Monetization Approaches.... Spamming; fake software; proxies and hosting; droppers; browser hijacking; clickfraud; information theft.
  • 13. Feeds.... Email attachments; live network traffic; torrents; feed overlap; driveby downloads; droppers.
  • 14. Contained Execution.... They executed each binary in a virtualized environment provided by the GQ honeyfarm, which supports monitoring malware execution while providing a flexible network policy. Windows XP Service Pack 3 was used for all executions. The system can process thousands of binaries per day.
  • 16. Automated Clustering.... Domains; HTTP arguments; system modifications; screenshots.
  • 17. Manual Classification.... Manual analysis of cluster reports. Analysts (e.g., conscripted security researchers) review large clusters of binaries with similar behaviour and compare them against public reports. They also examine a sample’s screenshot, file modifications, and network behavior to determine how a sample monetizes an infected host. In the event no corresponding public family name could be located, the authors apply a generic cluster label.
  • 18. Comparison of Infection Vectors....
  • 19. Components of a Driveby Download....
  • 20. The Role of Exploit Packs.... Identifying exploit packs; exploit kit popularity; malware families by exploit pack.
  • 21. Estimating DNS Traffic.... Dataset of passive DNS lookups recorded by the Security Information Exchange (SIE). Sources of imprecision: caching errors; revisit errors; unrelated query errors.
  • 22. Domain Duration.... The uptime duration of a domain is defined as the time between the first lookup that returns a valid A record and the time of the last valid lookup. Final domains are short lived, with a median duration of 2.5 hours.
  • 23. Safe Browsing Performance & Impact.... A second measure derived from DNS lookups concerns the impact of Google Safe Browsing on the lifetime of final domains hosting exploits. Only 22% of final domains appear in the list, and these exhibit a bias toward longer-living domains, with a median duration of 2 days compared to 2.5 hours.
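As an added illustration, not code from the slides or the paper, here is how the domain-duration metric of slide 22 and the blocklist comparison of slide 23 can be computed from passive DNS records; the records, IP addresses and blocklist below are constructed and hypothetical.

```python
from datetime import datetime
from statistics import median

# Constructed passive-DNS records: (UTC timestamp, queried domain, answer).
# An answer of None models a lookup that returned no valid A record (e.g.
# NXDOMAIN or SERVFAIL). Values are invented to mirror the paper's metric.
PDNS_RECORDS = [
    ("2012-03-01T00:10:00", "final-a.example", "198.51.100.10"),
    ("2012-03-01T01:40:00", "final-a.example", "198.51.100.10"),
    ("2012-03-01T02:40:00", "final-a.example", "198.51.100.10"),
    ("2012-03-01T05:00:00", "final-a.example", None),            # taken down
    ("2012-03-02T09:00:00", "final-b.example", "203.0.113.7"),
    ("2012-03-02T12:00:00", "final-b.example", "203.0.113.7"),
    ("2012-03-03T12:00:00", "final-c.example", "203.0.113.9"),
    ("2012-03-05T12:00:00", "final-c.example", "203.0.113.9"),   # long-lived
    ("2012-03-04T08:00:00", "final-d.example", None),            # never resolved
    ("2012-03-06T07:00:00", "final-e.example", "198.51.100.22"), # single lookup
]

# Constructed blocklist standing in for Safe Browsing (hypothetical).
BLOCKLISTED = {"final-c.example"}


def domain_durations(records):
    """Uptime per domain: first lookup returning a valid A record to the last
    valid lookup, per the slide's definition. Domains that never resolved are
    omitted; a domain seen only once has zero duration."""
    first, last = {}, {}
    for ts, domain, answer in records:
        if answer is None:
            continue  # no valid A record: not evidence the domain was up
        t = datetime.fromisoformat(ts)
        first[domain] = min(first.get(domain, t), t)
        last[domain] = max(last.get(domain, t), t)
    return {d: last[d] - first[d] for d in first}


def median_hours(durations):
    """Median uptime in hours over a {domain: timedelta} map (None if empty)."""
    if not durations:
        return None
    return median(d.total_seconds() for d in durations.values()) / 3600


def blocklist_impact(durations, blocklisted):
    """Fraction of final domains ever seen on the blocklist, plus the median
    uptime of listed vs. unlisted domains (the comparison on slide 23)."""
    listed = {d: v for d, v in durations.items() if d in blocklisted}
    unlisted = {d: v for d, v in durations.items() if d not in blocklisted}
    coverage = len(listed) / len(durations) if durations else 0.0
    return coverage, median_hours(listed), median_hours(unlisted)
```

With the constructed records the listed domain lives two days while the unlisted ones have a median of 2.5 hours, reproducing the shape of the bias the slide describes.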
  • 24. Lessons learned.... Malware diversity; crawler-based detection; pay-per-install vs. exploit-as-a-service.
  • 25. RELATED WORK.... Related whitepapers: A Criminal Perspective on Exploit Packs (Team Cymru); Exploring the Blackhole exploit kit (Sophos). Moshchuk et al. crawled 18 million URLs in an attempt to identify malicious content. They found that 5.9% of the URLs crawled were driveby downloads, while 13.4% led to spyware. Curtsinger et al. trained a classifier to detect heap spray exploits in JavaScript, and used the classifier to detect and blacklist malicious pages. Cova et al. used a modified browser to analyze web pages and extract features that can aid in identifying exploits that lead to driveby downloads.
  • 26. REFERENCES.... "Manufacturing Compromise: The Emergence of Exploit-as-a-Service", Chris Grier, Lucas Ballard, Juan Caballero, Neha Chachra, Christian J. Dietrich, Kirill Levchenko, Panayiotis Mavrommatis, Damon McCoy, Antonio Nappa, Andreas Pitsillidis, Niels Provos, M. Zubair Rafique, Moheeb Abu Rajab, Christian Rossow, Kurt Thomas, Vern Paxson, Stefan Savage, Geoffrey M. Voelker. ACM CCS, 2012. Link: http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf