BSides talk (slide transcript)
Evolution of the Angler Exploit Kit
About Myself
• Earl Carter
• Threat Researcher, Talos Group
• Over 20 years in network security
• 3rd degree black belt, Taekwondo
Cloud to Core Visibility
16 BILLION web requests a day
500 BILLION email messages a day
18.5 BILLION endpoint malware queries a day
Basic Terminology
• Drive-by Download Attacks
• Malvertising
• Exploit Kits
• Landing Page
• Exploit
• Payload
Drive-by Download Attacks
• The act of downloading something unintentionally, usually malicious
• No need to click to download
• Malvertising is a common vector
Malvertising
• Content varies by system
• Content varies by user
• Content varies by visit
Lots of Noise
Loading CNN: 26 domains, 39 hosts, 171 objects, 557 connections
What is an exploit kit?
• A software package designed to exploit vulnerable browsers and plugins
• Blackhole was the first major exploit kit
Angler Exposed
Attacker Innovation
• Angler is the most successful exploit kit
• Demonstrates continued innovation
• New functionality quickly spreads
– Exploit kits competing for business
• Exploit kits get overlooked as a sophisticated threat
Monetization of Hacking
There are three main payload types:
• Ransomware
– Cryptowall, Teslacrypt
• Click-fraud agents
– Bedep
• Miscellaneous
– trojans, keyloggers, spyware
Domain Shadowing
• Static IP address
• Registered domains
• Fast flux DNS
• Dynamic DNS
• Domain shadowing
Jan-Feb 2015
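The slide lists domain shadowing as the last step in the evolution of Angler's hosting: subdomains are created under legitimate registered domains (using stolen registrar credentials) and pointed at attacker hosts for a short time. The following is an added example, not code from the talk or from Talos, showing how an analyst might surface that pattern in passive-DNS style data. The records, IP ranges, apex-extraction rule and thresholds are all constructed assumptions: a subdomain is suspect when it resolves outside the /24 of the apex and www records and is observed for only a day or two, and an apex is flagged when several such subdomains appear.

```python
"""Flag possible domain shadowing in passive-DNS style observations.

Added example (not from the talk). All records, addresses and thresholds
below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed observations: (fqdn, resolved_ip, first_seen_day, last_seen_day)
RECORDS = [
    ("example-shop.com",       "203.0.113.10", 1, 30),
    ("www.example-shop.com",   "203.0.113.10", 1, 30),
    ("blog.example-shop.com",  "203.0.113.10", 1, 30),
    ("kf8a.example-shop.com",  "198.51.100.7", 12, 12),   # shadowed
    ("x3bq.example-shop.com",  "198.51.100.7", 12, 13),   # shadowed
    ("q7lm.example-shop.com",  "198.51.100.9", 13, 13),   # shadowed
    ("zz01.example-shop.com",  "198.51.100.9", 14, 14),   # shadowed
    ("example-paper.org",      "192.0.2.50",   1, 30),
    ("news.example-paper.org", "192.0.2.50",   1, 30),
]

MAX_LIFETIME_DAYS = 2        # shadowed names are used briefly, then dropped
MIN_SUSPECT_SUBDOMAINS = 3   # one odd subdomain is noise; a cluster is not


def apex_of(fqdn: str) -> str:
    """Naive apex: last two labels. Production code must consult the
    Public Suffix List so that names like foo.co.uk are handled."""
    return ".".join(fqdn.split(".")[-2:])


def same_slash24(a: str, b: str) -> bool:
    """Assumed 'same hosting' test: both addresses fall in one /24."""
    return ip_network(f"{a}/24", strict=False) == ip_network(f"{b}/24", strict=False)


def find_shadowed(records):
    """Return {apex: [suspect subdomains]} for apexes that look shadowed."""
    by_apex = defaultdict(list)
    for fqdn, ip, first, last in records:
        by_apex[apex_of(fqdn)].append((fqdn, ip, first, last))

    flagged = {}
    for apex, rows in by_apex.items():
        baseline = {apex, "www." + apex}
        legit_ips = {ip for fqdn, ip, _, _ in rows if fqdn in baseline}
        if not legit_ips:
            continue  # no apex/www record to compare against
        suspects = []
        for fqdn, ip, first, last in rows:
            if fqdn in baseline:
                continue
            off_net = not any(same_slash24(ip, l) for l in legit_ips)
            short_lived = (last - first) <= MAX_LIFETIME_DAYS
            if off_net and short_lived:
                suspects.append(fqdn)
        if len(suspects) >= MIN_SUSPECT_SUBDOMAINS:
            flagged[apex] = sorted(suspects)
    return flagged


if __name__ == "__main__":
    for apex, names in find_shadowed(RECORDS).items():
        print(apex, "->", ", ".join(names))
```

The blog subdomain survives because it shares the apex's network; the four throwaway names do not. A label-randomness test (the shadowed labels here are four random characters) and a check that the new addresses sit in a different ASN are natural additions, and the /24 comparison should be replaced with ASN or netblock ownership data where available.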
URL Structure Landing Page
Jan-Jul 2015
/lists/18026519312117497906
/polymorphism-relate-disambiguation-probation/807433931184758078
/search?q=pmOmaU2uh_me&e2=Cp4-iyeALf7zBKFL35SjcU&4VHps=LLnyCmlfcZ5gKB&98=pUuxRyaYW-xQPyh&
/fizziest.php?q=G0PP8NWqU2pJgBkEkkb4nR&h=SHY&c=el7AqmPg-LYqbGJkbLhw&s=AeIDQZMgbummm1RYkwJB&az=zpv3C6laNuDACeto8OYvUTQu&ea=p&i=a1twO7co5&g=F
/viewtopic.php?f=1&t=015806680
URL Structure Exploit Page
Jan-Jul 2015
/L8Vz9fnAJQ-NIIEeBal7h7QTEL5YpvcKfrOMuBGcE7sOA4Xt
/0V2e2PeF9XDbT_uCRPA43XEZexvaFojkBGfja5kEHDT28-u-Vkko5AB04Ht6w4AV
/AVmBMYOz8hkFOC9zv9APM-UAx35zDy31CHZNI5aVT388hbag.pycharm?two=PgIqiVNOqsq&seven=yKj0ku
/change.xfdl?model=4cAwSLa0TZ&sound=iCIuP7&street=&sort=Ew3TGK&American=3__xZmrR&right=&animal=rfWXuq2Gf&two=UufQU4W-e
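The two slides above give the observable shape of Angler's landing and exploit page URLs in the first half of 2015: forum-software file names (viewtopic.php, search) carrying generated parameter values, a dictionary word followed by a long numeric id, and, for the exploit page, a single long random path segment, sometimes with an odd extension such as .pycharm or .xfdl. The block below is an added example, not code from the talk, that turns those shapes into a classifier and runs it over the sample URLs from the slides. The regular expressions, length thresholds and the "looks random" test are assumptions fitted to those samples; the file-name set combines the 2015 names with view.php and viewthread.php, which the Jan 2016 slides later in the deck say were added.

```python
"""Heuristic classifier for the Angler URL shapes shown on the slides.

Added example (not from the talk). Regexes and thresholds are assumptions
derived from the sample URLs; tune them against real traffic before use.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Forum-style landing page file names from the slides (2015 set plus the
# view.php / viewthread.php additions the Jan 2016 slides report).
PHPBB_NAMES = {"index.php", "viewtopic.php", "search.php", "viewforum.php",
               "view.php", "viewthread.php"}
# Extensions a normal site serves; anything else with generated params is odd.
KNOWN_EXTS = {"php", "html", "htm", "asp", "aspx", "jsp", "cgi", "js", "css",
              "png", "jpg", "gif", "ico", "svg", "woff", "json", "xml", "txt"}

RANDOM_SEGMENT = re.compile(r"[A-Za-z0-9_-]{40,80}")  # exploit page path
NUMERIC_ID = re.compile(r"\d{15,25}")                  # landing page trailing id
WORDISH = re.compile(r"[a-z]+(?:-[a-z]+)*")            # 'lists', 'a-b-c-d'


def looks_random(token: str) -> bool:
    """Crude test for generated values: long, mixed case, contains a digit."""
    return (len(token) >= 8
            and re.fullmatch(r"[A-Za-z0-9_-]+", token) is not None
            and any(c.isupper() for c in token)
            and any(c.islower() for c in token)
            and any(c.isdigit() for c in token))


def classify(url: str) -> str:
    """Return 'landing', 'exploit' or 'unknown' for a path+query string."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]

    if len(segs) == 1:
        seg = segs[0]
        base, ext = seg.rsplit(".", 1) if "." in seg else (seg, "")
        # Exploit page: one long random segment, with or without an extension.
        if RANDOM_SEGMENT.fullmatch(base):
            return "exploit"
        # Exploit page: short word, non-web extension, generated parameters.
        if ext and ext.lower() not in KNOWN_EXTS and any(looks_random(v) for v in values):
            return "exploit"
        # Landing page: forum/search-style name carrying generated parameters.
        if (seg in PHPBB_NAMES or seg == "search" or ext == "php") and values:
            if any(looks_random(v) for v in values):
                return "landing"
            if seg in PHPBB_NAMES and any(re.fullmatch(r"\d{8,}", v) for v in values):
                return "landing"
    elif len(segs) == 2:
        # Landing page: dictionary-word directory followed by a long numeric id.
        if WORDISH.fullmatch(segs[0]) and NUMERIC_ID.fullmatch(segs[1]):
            return "landing"
    return "unknown"


# Sample URLs copied from the slides, plus constructed benign controls.
LANDING_SAMPLES = [
    "/lists/18026519312117497906",
    "/polymorphism-relate-disambiguation-probation/807433931184758078",
    "/search?q=pmOmaU2uh_me&e2=Cp4-iyeALf7zBKFL35SjcU&4VHps=LLnyCmlfcZ5gKB&98=pUuxRyaYW-xQPyh&",
    "/fizziest.php?q=G0PP8NWqU2pJgBkEkkb4nR&h=SHY&c=el7AqmPg-LYqbGJkbLhw&s=AeIDQZMgbummm1RYkwJB&az=zpv3C6laNuDACeto8OYvUTQu&ea=p&i=a1twO7co5&g=F",
    "/viewtopic.php?f=1&t=015806680",
]
EXPLOIT_SAMPLES = [
    "/L8Vz9fnAJQ-NIIEeBal7h7QTEL5YpvcKfrOMuBGcE7sOA4Xt",
    "/0V2e2PeF9XDbT_uCRPA43XEZexvaFojkBGfja5kEHDT28-u-Vkko5AB04Ht6w4AV",
    "/AVmBMYOz8hkFOC9zv9APM-UAx35zDy31CHZNI5aVT388hbag.pycharm?two=PgIqiVNOqsq&seven=yKj0ku",
    "/change.xfdl?model=4cAwSLa0TZ&sound=iCIuP7&street=&sort=Ew3TGK&American=3__xZmrR&right=&animal=rfWXuq2Gf&two=UufQU4W-e",
]
BENIGN_SAMPLES = ["/index.html", "/search?q=angler", "/favicon.ico", "/index.php?id=5",
                  "/blog/2015/07/angler"]


def classify_all(urls):
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for u, label in classify_all(LANDING_SAMPLES + EXPLOIT_SAMPLES + BENIGN_SAMPLES).items():
        print(f"{label:8} {u}")
```

Two cautions apply. A real phpBB board with a large topic id, or any site that signs its query strings, will trip the "generated parameters" rule, so these labels are a triage signal to pair with the referrer chain and the hosting checks, not a verdict. And the shapes themselves are dated: the deck goes on to show the file names changing in January 2016, so the regexes need to follow the kit.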
302 Cushioning
• iFrame vs malvertising
• 302 redirection
• Return to Dynamic DNS (DDNS)
May 2015
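"302 cushioning" is the slide's name for the redirect layer: the ad impression does not embed the landing page directly, but bounces the browser through a series of HTTP 302 responses that end on a dynamic-DNS host. Picking that chain out of the hundreds of connections a page load produces (the "Lots of Noise" slide) is mostly a matter of joining Location headers back to later requests. The block below is an added example, not code from the talk, that does that join over a constructed capture: the hostnames, the DDNS suffix list and the two-hop threshold are assumptions.

```python
"""Reconstruct 302-cushioning chains from captured HTTP transactions.

Added example (not from the talk). Transactions, hostnames and the
dynamic-DNS suffix list are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    host: str
    path: str
    status: int
    location: str = ""   # Location header, present on 3xx responses

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.path}"


# Assumed dynamic-DNS suffixes; a real list names the actual providers.
DDNS_SUFFIXES = (".dyn.example", ".ddns.example")

# Constructed capture of one page load: the page, its assets, a harmless
# 301, and the cushioned ad chain buried among them.
TRANSACTIONS = [
    Txn("news.example", "/article/123", 200),
    Txn("static.news.example", "/main.css", 200),
    Txn("cdn.example", "/jquery.min.js", 200),
    Txn("ads.example", "/serve?slot=top", 302, "http://track.example/click?c=a1"),
    Txn("track.example", "/click?c=a1", 302, "http://gate.example/r?x=9"),
    Txn("gate.example", "/r?x=9", 302,
        "http://kf8a.dyn.example/viewtopic.php?f=1&t=015806680"),
    Txn("kf8a.dyn.example", "/viewtopic.php?f=1&t=015806680", 200),
    Txn("shop.example", "/old", 301, "http://shop.example/new"),
    Txn("shop.example", "/new", 200),
]


def follow(txns, start):
    """Walk Location headers from `start` until a non-redirect or a dead end."""
    by_url = {t.url: t for t in txns}
    chain, cur = [start], start
    while 300 <= cur.status < 400 and cur.location in by_url:
        nxt = by_url[cur.location]
        if nxt in chain:          # guard against redirect loops
            break
        chain.append(nxt)
        cur = nxt
    return chain


def is_cushioned(chain, min_302s=2):
    """Cushioning: several 302 hops that terminate on a DDNS-hosted name."""
    hops = sum(1 for t in chain[:-1] if t.status == 302)
    return hops >= min_302s and chain[-1].host.endswith(DDNS_SUFFIXES)


def find_cushioned_chains(txns, min_302s=2):
    """Return every chain that begins at a 302 nothing else redirects to."""
    targets = {t.location for t in txns if t.location}
    chains = []
    for t in txns:
        if t.status == 302 and t.url not in targets:
            chain = follow(txns, t)
            if is_cushioned(chain, min_302s):
                chains.append([x.url for x in chain])
    return chains


if __name__ == "__main__":
    for chain in find_cushioned_chains(TRANSACTIONS):
        print(" -> ".join(chain))
```

On real proxy logs the join key should include the Referer header as well as the URL, since several tabs may share a destination, and the DDNS test generalises to whatever hosting the kit moves to next (the deck later shows it shifting to registered domains under free TLDs).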
Digging Deeper
Jul 2015
Taking a Close Look
• Deep data analytics, July 2015
– Telemetry from compromised users
– ~1000 sandbox runs
• July 2015: Angler underwent several URL changes
– Multiple “Hacking Team” 0-days added
• Ended with tons of data
Detection Challenges
• Hashes
– Found 3,000+ unique hashes
– 6% in VT (VirusTotal); most with <10 detections
• Encrypted payloads
– Diffie-Hellman key exchange used to encrypt the IE exploit
– Unique to each user
• Domain behavior
– DDNS
– Domain shadowing
– Adversary-owned domains
– Hard-coded IP
Exploit Details
• “Hacking Team” Adobe Flash 0-days: CVE-2015-5119, CVE-2015-5122
• IE 10 and 11 JScript9 memory corruption vulnerability: CVE-2015-2419
• IE OLE vulnerability: CVE-2014-6332
Chart: exploit usage by type (Adobe Flash, CVE-2014-6332, Silverlight)
Chart: Unique referers by day, July 2015
Chart: Unique IP addresses per day
Chart: IP address / ASN relationship
Chart: Angler HTTP requests by provider, July 2015
Shutting Down the Source
• Partnered with Limestone Networks
– Angler infrastructure
• Level 3
– Magnitude and scale
• Collaborated with OpenDNS
– Visibility into DNS infrastructure
New Insight The Bigger Picture
The Backend Infrastructure
Angler Victims
Potential Revenue
To play with the numbers, please visit: http://talosintel.com/angler-exposed/
Angler Exploit Kit Evolves Again
• Parameter changes
• New gate
• Registered domains
Jan 2016
URL Changes
Previous: index.php, viewtopic.php, search.php, viewforum.php
Jan 2016
Added: view.php, viewthread.php
URL Changes
Jan 2016
Old Format
New Format
New Gate
Utilizing Free Domains
New Actor
Summary
• Angler changed
– Rules updated
– Customers protected
– No coverage lapse
• New gate
– Method to direct users to EK
– Leveraging .tk TLD
• Free domains
• New actor
– 95+% .top TLD
– 700+ domains in ~14 days
Protecting Yourself
Install security patches as soon as possible
Use anti-malware software
Make periodic backups of your system that are kept offline
Conclusion
• Angler continues to evolve
• Other exploit kits quickly follow suit
• Detection must evolve to keep pace
• Collaboration provides greater visibility
• Exploit kits industrialized – big money