What is Exploit Kit and How Does it Work?

Ade Kurniawan [1], Ahmad Fitriansyah [2]
[1][2] Department of Informatics Engineering, Universal University, Batam, Indonesia

International Journal of Pure and Applied Mathematics, Volume 118 No. 20, 2018, pp. 509-516. ISSN: 1314-3395 (on-line version). url: http://www.ijpam.eu (Special Issue). Source PDF: acadpubl.eu/hub/2018-118-21/articles/21b/59.pdf

Abstract— From 2016 to mid-2017, analysts declared those the years of malware, especially ransomware. The number, spread, infection rate and impact of malware have made many users, businesses, governments and organizations anxious, and one of the tools used to spread it is the exploit kit. The exploit kit is a popular method of mass distribution among cybercriminals, and it has become a more effective, cheaper and more sophisticated tool for delivering malware to victims. In this paper we therefore study exploit kits using the network forensics method. The results explain the chain of events: what an exploit kit is and how it works, including the actors, campaigns, payload and terminology involved in spreading malware.

Index Terms— Exploit Kit, Payload, Malware, Ransomware, Chain of events.

I. INTRODUCTION

In our digital era, everything is connected and everyone is vulnerable. The growth, dependability and complexity of computer software have immediate implications for global safety and security, especially for physical objects such as cars, airplanes, medical devices and others [1]. A study by Carnegie Mellon University's CyLab Sustainable Computing Consortium found 20-30 bugs in every 1,000 lines of code (LOC) [2]. Bugs in commercial software leave operating systems, web browsers, applications and other software components installed on computers open to exploitation by cybercriminals [3]. Cybercriminals exploit these vulnerabilities to spread malware using exploit kits (EKs), which has caused financial damage and disruption of services in government, private and community organizations [4][5][6]. In general, 60-70% of Internet infections and of the spread of malware such as ransomware, backdoors, Trojans and rootkits use network-based delivery through an exploit kit [7][8][9][10].

Exploit kits are popular among cybercriminals because they are easy to use, cheap, fast and effective every time the perpetrator launches an action [11][12][7]. An exploit kit (EK) automates the exploitation of vulnerabilities found on the victim's device while the user is browsing the web [11][12][13].

This paper therefore aims to give an overview of recent developments in exploit kit capability: we describe the chain of events, what an exploit kit is and how it works, using the network forensics method. Network forensics is a branch of digital forensics that applies scientific methods to identify, analyse and reconstruct events from digital evidence and logs taken from the network [14][15][16]. It is well suited to capturing, evaluating and reconstructing the data streams between one host and multiple hosts on a network [17][18]. The results of this network forensic study show that an EK is a sophisticated, hard-to-detect method of malware infection, delivery and distribution that involves several other components in the chain of events, including actors, campaigns, payloads and the terminology used in spreading malware.

II. BASIC THEORY

A. Exploit Kit

An exploit kit is a file, code or software package that automates the exploitation of vulnerabilities in an application or operating system [4][11][13]. The landscape for distributing malware changed in 2006, when the exploit kit "MPack", written by Russian programmers, was discovered [19]. For the creators, providers and users of exploit kits they are a business opportunity that can generate large profits. There are three main reasons why exploit kits are attractive to cybercriminals [20]. First, stealthy malware infection: exploit kits work behind the scenes during the victim's normal web browsing, using hidden code to redirect the victim's browser traffic to an EK server. Second, automatic exploitation: the EK automatically checks the victim's computer for vulnerabilities, for example in browser-based applications, sends the appropriate exploits, and lets the cybercriminal monitor their effectiveness through a control panel. Third, outsourcing: cybercriminals do not build their own EK systems; they simply rent an exploit kit server with a user-friendly control panel, which is a much cheaper method of malware distribution.

The basic concept of an EK is to use exploits against vulnerabilities on the user's computer; if the exploit succeeds, the next step is malware installation. According to Lockheed Martin [21], whose model is known as the Cyber Kill Chain, a cyber-attack has seven stages, as shown in Figure 1.

Figure 1: Lockheed Martin "Cyber Kill Chain" [22]

B. Network Forensics

Network forensics is a branch of digital forensics that focuses on capturing, recording and analysing network data, detecting intrusions and investigating them [14][15][23]. It arose in response to the increasing number of cyber incidents and the increasingly sophisticated tools used by cybercriminals [24]. Many network forensics techniques and frameworks have been produced to help investigators solve cybercrime cases [24][25]. The network forensic investigative methodology used in this exploit kit research is OSCAR (Obtain information, Strategize, Collect evidence, Analyse, Report) [26]. Using the OSCAR framework answers the basic questions of a network forensics investigation, as follows [23]:

Who: who is responsible, and which victim was infected first?
What: what did the attacker accomplish?
When: when did the attack occur?
Where: from which location or host was the attack carried out?
Why: why could it happen, and what was the offender's motive?
How: which resources were used, or which vulnerabilities were abused?

III. METHODOLOGY

The preparation stage starts with the setup of the hardware and software used in this study. The hardware is a notebook with an Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, 8GB RAM, a 1TB SSD and an 8Gb GeForce GTX 950M graphics card. The software is Wireshark version 2.4.0, a pcap data set from http://www.malware-traffic-analysis.net/, and the OSCAR network forensic investigative methodology. The stages of the OSCAR framework are shown in Figure 2.

Figure 2: OSCAR Network Forensic Investigative Methodology framework

The stages in Figure 2 are as follows [26]:

Obtain information: at the outset the investigator gathers all the information about the attack and its environment: date, time, persons involved, systems and data involved, actions taken since discovery, a summary of internal discussions, legal issues, the time frame for investigation/recovery/resolution, and goals.
Strategize: deciding on a strategy and on the potential sources of digital evidence is crucial in a network forensic investigation, because network evidence is highly volatile.
Collect evidence: the third stage collects digital evidence with attention to three aspects: Document (chain of custody), Capture (acquire the evidence) and Store/transport (keep the evidence stored securely).
Analyse: the analysis stage is the core of a network forensic investigation; the investigator must preserve both its scientific and its legal element.
Report: the last stage of the OSCAR framework is to create a report, compiled and presented according to scientific principles in a form that a lay audience can understand.


IV. RESULT AND DISCUSSION

Our research on exploit kits using the OSCAR framework focuses on the Analyse and Report phases; the Obtain information, Strategize and Collect evidence phases were completed beforehand. To guide the investigation, we formulated questions to be answered from the digital evidence, the traffic log file "2017-01-28-traffic-analysis.pcap":

1. Which personal computer was infected with malware first, what kind of malware infected it, what was the date/time of infection, and what was the victim's internet protocol (IP) address?
2. Which exploit kit was used to infect the user's computer, and which compromised website kicked off the infection chain of events?
3. What was the victim doing while browsing, before the computer was infected by malware?

A. Analysis

Timestamps play a key and decisive role in digital forensics, including network forensics [27]. The application used to reveal timestamps in this study is Wireshark. Using the http.request filter in Wireshark, Figure 3 shows the first time the computer was infected by malware.

Figure 3: Timestamp

From Figure 3 we were able to establish which computer was the first infected victim: the name of the infected PC, its IP address and its MAC address. The first identified victim is Stewie-PC, found by using the nbns filter in Wireshark, as shown in Figure 4.

Network forensics is a scientific method for retrieving, recording and analysing digital evidence from the network and reporting the result, which will be presented to the court [28][24].

Figure 4: IP and Host PC infected
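The nbns and http.request filters above pull the host name, IP address, MAC address and timestamp out of the capture by hand. The following Python script is added here as an illustration and is not part of the paper: it walks a classic pcap file, picks out NetBIOS Name Service traffic on UDP/137, decodes the first-level encoded name and returns the first name registration together with the source MAC address, IP address and frame timestamp. The capture it parses is constructed inline; the host name Stewie-PC is taken from the analysis, while the IP address 192.168.1.96, the MAC address and the exact time are hypothetical. For a real case, feed it the bytes of 2017-01-28-traffic-analysis.pcap instead of build_sample_pcap().

```python
"""Recover the first NetBIOS host name, its IP and MAC address and a timestamp
from a pcap file: the facts the Wireshark `nbns` filter is used for above."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterator, Optional


@dataclass
class NbnsHit:
    timestamp: datetime
    mac: str
    ip: str
    hostname: str
    opcode: int  # 5 = name registration (a host announcing its own name)


def _decode_nb_name(encoded: bytes) -> str:
    """Undo NetBIOS first-level encoding: each byte was split into two nibbles, each + 'A'."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" ")  # byte 16 is the suffix (0x00 = workstation)


def iter_nbns(pcap: bytes) -> Iterator[NbnsHit]:
    """Walk a classic little-endian, microsecond pcap and yield every NBNS question seen."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:
            continue  # not UDP
        udp = ip[ihl:]
        if len(udp) < 8 + 45:
            continue  # too short for a UDP header plus an NBNS question
        sport, dport = struct.unpack_from("!HH", udp, 0)
        if 137 not in (sport, dport):
            continue  # NBNS lives on UDP/137
        nbns = udp[8:]
        _, flags, qdcount = struct.unpack_from("!HHH", nbns, 0)
        if qdcount < 1 or nbns[12] != 32:
            continue  # no question, or not a standard 32-byte encoded name
        yield NbnsHit(
            timestamp=datetime.fromtimestamp(ts_sec + ts_usec / 1e6, tz=timezone.utc),
            mac=":".join(f"{b:02x}" for b in frame[6:12]),
            ip=".".join(str(b) for b in ip[12:16]),
            hostname=_decode_nb_name(nbns[13:45]),
            opcode=(flags >> 11) & 0xF,
        )


def first_registered_host(pcap: bytes) -> Optional[NbnsHit]:
    """The first NBNS name registration: the host telling the LAN who it is."""
    return next((h for h in iter_nbns(pcap) if h.opcode == 5), None)


# ---- constructed sample capture (not the paper's pcap): one registration frame ----
def _encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    return b"".join(bytes([(b >> 4) + 0x41, (b & 0xF) + 0x41]) for b in raw)


def build_sample_pcap() -> bytes:
    nbns = (struct.pack("!HHHHHH", 0x8001, 0x2910, 1, 0, 0, 0)  # flags 0x2910: opcode 5, broadcast
            + b"\x20" + _encode_nb_name("STEWIE-PC") + b"\x00"
            + struct.pack("!HH", 0x0020, 0x0001))               # QTYPE NB, QCLASS IN
    udp = struct.pack("!HHHH", 137, 137, 8 + len(nbns), 0) + nbns
    ip = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0x1234, 0, 128, 17, 0)
          + bytes([192, 168, 1, 96]) + bytes([192, 168, 1, 255]))  # hypothetical addresses
    eth = b"\xff" * 6 + bytes.fromhex("000c29abcdef") + b"\x08\x00"  # hypothetical source MAC
    frame = eth + ip + udp
    ts_sec = 1485561600 + 22 * 3600 + 51 * 60 + 12  # 2017-01-28 22:51:12 UTC, chosen for the sample
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    rhdr = struct.pack("<IIII", ts_sec, 0, len(frame), len(frame))
    return ghdr + rhdr + frame


if __name__ == "__main__":
    print(first_registered_host(build_sample_pcap()))
```

Name registrations (opcode 5) are preferred over queries because they carry the host's own name, which is what the investigator wants to tie to an IP and MAC address; a query (opcode 0) names the host being looked for, not the asker.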

After finding the timestamp, IP address, MAC address and host PC, we carried out a deeper analysis of several suspicious domains used by cybercriminals to spread malware. One of the domains identified is p27dokhpz2n7nvgr.1jw2lx.top. A Google search showed that p27dokhpz2n7nvgr.1jw2lx.top is used by cybercriminals in infections with the Cerber ransomware, as shown in Figure 5.


Figure 5: Cerber ransomware infection of the victim

In Figure 6 we see the result of uploading the PCAP to https://www.virustotal.com: the Suricata alerts show that the actor/cybercriminal used the RIG EK (exploit kit).

Figure 6: https://www.virustotal.com alert results

The digital evidence "2017-01-28-traffic-analysis.pcap" was also run through Snort, as shown in Figure 7. Snort detects the RIG EK landing page. The RIG Exploit Kit (RIG EK) is a server-based framework for malware delivery with distribution gateways; it exploits weaknesses in software applications such as web browsers and directs victims to malware execution without their noticing.

Figure 7: Snort result finding RIG EK

Analysis of the TCP streams shows what happened before the first host was infected with Cerber ransomware: the victim searched the Bing search engine for home improvement and kitchen remodeling ("remodeling your kitchen cabinets"), the request URL being http://www.bing.com/search?q=Home+improvement+remodeling+your+kitchen&qs=n&sp=-1 . The site www.homeimprovement.com was identified as the compromised website in the chain of events of malware deployment using the exploit kit.

Basically, RIG EK uses various tricks to direct traffic to the EK user's server before sending malware. Actors use campaigns to guide victim traffic to the EK server. Actors and campaigns are two different terms: an actor may use one or several campaigns to distribute malware, and one actor may use the same campaign to distribute various types of malware. The next stage is to determine the campaign script used to deliver Cerber, which is done by exporting the object from the packet capture, as shown in Figure 8. PseudoDarkleech is a campaign commonly used by the Cerber authors; its function is to stealthily redirect traffic from the victim to the exploit kit server.
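The pseudo-Darkleech injection itself is not reproduced in the paper. As an added example, not the authors' code, the Python checker below looks for the characteristic shape of such an injection in a captured HTML response: an iframe (or embed/object) that points at another origin and is made invisible by size, CSS or off-screen positioning, which is how the "hidden code" of Section II.A redirects the browser to the EK server without anything appearing on screen. The page it scans is constructed here; compromised-site.example, video.example and ek-gateway.example are placeholder hostnames.

```python
"""Flag hidden cross-origin frames in a captured HTML page: the shape an injected
exploit-kit redirect typically takes on a compromised website."""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Finding:
    tag: str
    src: str
    reason: str


def _is_tiny(value: Optional[str]) -> bool:
    """True for width/height attributes of 1px or less ("1", "0", "1px")."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


class _Scanner(HTMLParser):
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "embed", "object"):
            return
        a = dict(attrs)
        src = a.get("src") or a.get("data")
        if not src:
            return
        host = urlsplit(src).hostname
        if host is None or host == self.page_host:
            return  # relative or same-origin: not a redirect to a third party
        style = (a.get("style") or "").replace(" ", "").lower()
        reasons = []
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("1px-or-smaller frame")
        if "display:none" in style or "visibility:hidden" in style or "hidden" in a:
            reasons.append("hidden via CSS")
        if "position:absolute" in style and ("top:-" in style or "left:-" in style):
            reasons.append("positioned off-screen")
        if reasons:
            self.findings.append(Finding(tag, src, "; ".join(reasons)))


def find_hidden_frames(html: str, page_host: str) -> List[Finding]:
    """Return every cross-origin iframe/embed/object the user would never see."""
    scanner = _Scanner(page_host)
    scanner.feed(html)
    return scanner.findings


# Constructed page: one visible third-party video frame, one same-origin 1x1 frame,
# and two hidden frames to a placeholder EK gateway.
SAMPLE_HTML = """<html><body>
<h1>Kitchen remodeling ideas</h1>
<iframe src="/newsletter.html" width="1" height="1"></iframe>
<iframe src="http://video.example/embed/42" width="560" height="315"></iframe>
<iframe src="http://ek-gateway.example/?ct=abcd" width="1" height="1"
        style="display:none"></iframe>
<span><iframe src="http://ek-gateway.example/?ct=efgh"
        style="position:absolute; top:-1500px; left:-2000px;"></iframe></span>
</body></html>"""


if __name__ == "__main__":
    for f in find_hidden_frames(SAMPLE_HTML, "compromised-site.example"):
        print(f"{f.tag} -> {f.src}: {f.reason}")
```

Same-origin and relative frames are deliberately left alone: sites hide their own frames for legitimate reasons, and the redirect to an exploit kit server is by definition cross-origin. The checker is a triage aid for an exported HTML object, not a substitute for the Snort or Suricata alerts used above.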


Figure 8: PseudoDarkleech script used by the Cerber campaign

V. CONCLUSION AND FUTURE WORK

Our research, entitled "What Is Exploit Kit and How Does It Work?" and conducted with the network forensic OSCAR framework, concludes that exploit kits are a digital weapon widely used by cybercriminals because they are easy to use and require no special expertise from the actor. The business of exploit kits currently operates as Exploit Kit as a Service (EKaaS), spreading sophisticated threats to a wide range of victims. An EK infects the victim with malware automatically, without the victim realizing it, by exploiting client-side vulnerabilities. Figure 9 gives a brief description of the chain of events from deployment until the victim is infected with ransomware through an exploit kit.

Figure 9: Exploit Kit Framework

The explanation of Figure 9 is:

1. The victim first performs a search on Bing, then visits the website www.homeimprovement.com, which our analysis identified as a compromised website.


2. The exploit kit backend contacts the web server to generate malicious JavaScript code and checks the victim's IP address, since some ransomware, Cerber for example, checks the victim's IP and will not infect victims in certain countries.
3. Next, the EK backend communicates with the web server by sending the victim a URL for malicious JavaScript code on a .top domain.
4. The landing page usually creates randomized URLs using a domain generation algorithm (DGA), controlled by the actor or actors.
5. The script injected into the compromised web page is pseudo-Darkleech, and the Cerber payload is sent by RIG EK.
6. The Cerber ransomware is sent to and executed on the victim's computer.
7. The Cerber ransomware runs unnoticed by the victim.
8. The victim's computer is now under the control of the cybercriminal.
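The eight steps above, and the TCP-stream walk in Section IV from the Bing search to www.homeimprovement.com to the exploit kit server, can be reproduced mechanically from HTTP request records by following Referer headers. The Python example below is added for this page and is not the authors' code: given one record per request (timestamp, client IP, Host, URI, Referer, response Content-Type), it follows the chain for one victim and labels each hop as search engine, compromised site, EK gateway/landing page or payload. The records are constructed; www.bing.com is the search engine from the analysis, while compromised-site.example, cdn.example and ek-gateway.example stand in for the real hosts, and the IP addresses are hypothetical.

```python
"""Reconstruct an exploit-kit infection chain for one victim from HTTP request
records by following Referer headers: search engine -> compromised site ->
EK gateway/landing page -> payload."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

SEARCH_ENGINES = {"www.bing.com", "www.google.com", "search.yahoo.com"}
# Response types that look like a dropped executable rather than a page
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}


@dataclass(frozen=True)
class HttpRequest:
    ts: str            # ISO-8601, so string order is time order
    src_ip: str
    host: str
    uri: str
    referer: Optional[str]
    resp_type: str     # Content-Type of the response to this request


def _referer_host(req: HttpRequest) -> Optional[str]:
    return urlsplit(req.referer).hostname if req.referer else None


def reconstruct_chain(reqs: List[HttpRequest], victim_ip: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, stage, host) for each hop of the victim's infection chain."""
    mine = sorted((r for r in reqs if r.src_ip == victim_ip), key=lambda r: r.ts)
    start = next((r for r in mine if r.host in SEARCH_ENGINES), None)
    if start is None:
        return []
    chain = [(start.ts, "search engine", start.host)]
    current = start.host
    for r in mine:
        if r.ts <= start.ts or _referer_host(r) != current:
            continue  # only follow requests the current page caused
        if r.resp_type in PAYLOAD_TYPES:
            stage = "payload"
        elif r.host == current or not r.resp_type.startswith("text/html"):
            continue  # same-site assets and non-HTML sub-resources are not redirects
        elif current in SEARCH_ENGINES:
            stage = "compromised site"
        else:
            stage = "EK gateway/landing"
        chain.append((r.ts, stage, r.host))
        current = r.host
        if stage == "payload":
            break
    return chain


# Constructed records: one victim's browsing plus an unrelated client on the same LAN.
SAMPLE_REQUESTS = [
    HttpRequest("2017-01-28T22:51:30", "192.168.1.96", "www.bing.com",
                "/search?q=Home+improvement+remodeling+your+kitchen", None, "text/html"),
    HttpRequest("2017-01-28T22:51:41", "192.168.1.96", "compromised-site.example", "/",
                "http://www.bing.com/search?q=Home+improvement+remodeling+your+kitchen", "text/html"),
    HttpRequest("2017-01-28T22:51:42", "192.168.1.96", "compromised-site.example", "/style.css",
                "http://compromised-site.example/", "text/css"),
    HttpRequest("2017-01-28T22:51:43", "192.168.1.96", "cdn.example", "/jquery.js",
                "http://compromised-site.example/", "application/javascript"),
    HttpRequest("2017-01-28T22:51:45", "192.168.1.96", "ek-gateway.example", "/?ct=abcd",
                "http://compromised-site.example/", "text/html"),
    HttpRequest("2017-01-28T22:51:49", "192.168.1.96", "ek-gateway.example", "/?oq=payload",
                "http://ek-gateway.example/?ct=abcd", "application/octet-stream"),
    HttpRequest("2017-01-28T22:51:50", "192.168.1.50", "www.bing.com", "/search?q=news",
                None, "text/html"),
]


if __name__ == "__main__":
    for ts, stage, host in reconstruct_chain(SAMPLE_REQUESTS, "192.168.1.96"):
        print(f"{ts}  {stage:20s} {host}")
```

The stylesheet and the third-party script are skipped because neither is an HTML page the browser navigated to, so the chain records only the hops that moved the victim from one site to the next. Referer headers can be stripped or forged, which is why the analysis above cross-checks the chain against Snort and Suricata alerts rather than trusting the request log alone.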

Because exploit kits are becoming increasingly complex, sophisticated and user-friendly, future work should build a framework for exploit kit analysis that combines dynamic and static analysis techniques.

Acknowledgement:

This research is supported by Universal University, Batam, Indonesia. We thank our colleague Oey Anton, S.TP., M.Pd., who provided expertise that greatly assisted the research.

REFERENCES

[1] M. Goodman, Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It. Doubleday, 2015.

[2] W. Humphrey, "The Software Quality Index," Softw. Qual. Prof., vol. 1, no. 1, pp. 8–18, 1998.

[3] Microsoft, "Microsoft Security Intelligence Report," vol. 21, pp. 7–8, 2016.

[4] Kaspersky Lab, "Attacks with Exploits: From Everyday Threats," April 2017.

[5] McAfee Labs, Understanding Ransomware & Strategies to Defeat It, 2016.

[6] A. Lilly and J. Bedell-Pearce, "Ransomware becomes the most prevalent form of malware and hits an ever-wider range of victims," Netw. Secur., vol. 2017, no. 2, pp. 1–2, 2017.

[7] B. Min and V. Varadharajan, "A new technique for counteracting web browser exploits," Proc. Aust. Softw. Eng. Conf. (ASWEC), pp. 132–141, 2014.

[8] "Ransomware: threat and response," Netw. Secur., vol. 2016, no. 10, pp. 17–19, 2016.

[9] R. Brewer, "Ransomware attacks: detection, prevention and cure," Netw. Secur., vol. 2016, no. 9, pp. 5–9, 2016.

[10] A. Kurniawan and I. Riadi, "Detection and Analysis Cerber Ransomware Using Network Forensics Behavior Based," Int. J. Netw. Secur., 2017.

[11] F. Malecki, "Defending your business from exploit kits," Comput. Fraud Secur., vol. 2013, no. 6, pp. 19–20, 2013.

[12] W. Shim, L. Allodi, and F. Massacci, "Crime pays if you are just an average hacker," Proc. 2012 ASE Int. Conf. Cyber Security, pp. 62–68, 2012.

[13] M. Hopkins and A. Dehghantanha, "Exploit Kits: The production line of the Cybercrime economy?," Proc. 2nd Int. Conf. Inf. Secur. Cyber Forensics (InfoSec 2015), pp. 23–27, 2015.

[14] A. Kurniawan, I. Riadi, and A. Luthfi, "Forensic Analysis and Prevent of Cross Site Scripting in Single Victim Attack Using Open Web Application Security Project (OWASP) Framework," J. Theor. Appl. Inf. Technol., vol. 95, no. 6, pp. 1363–1371, 2017.

[15] K. Nguyen, D. Tran, W. Ma, and D. Sharma, "An Approach to Detect Network Attacks Applied for Network Forensics," pp. 655–660, 2014.

[16] T. V. Lillard, Digital Forensics for Network, Internet, and Cloud Computing: A Forensic Evidence Guide for Moving Targets and Data. Elsevier, 2010.

[17] I. Riadi, J. E. Istiyanto, A. Ashari, et al., "Log Analysis Techniques using Clustering in Network Forensics," Int. J. Comput. Sci. Inf. Secur., vol. 10, 2013.

[18] Wikipedians, Handbook of Computer Security and Digital Forensics 2016, Part II: Digital Forensics, 2016.

[19] B. Stock, B. Livshits, and B. Zorn, "Kizzle: A signature compiler for detecting exploit kits," Proc. 46th Annu. IEEE/IFIP Int. Conf. Dependable Syst. Netw. (DSN 2016), pp. 455–466, 2016.

[20] Palo Alto Networks Unit 42, Exploit Kits: Getting in by Any Means Necessary. Palo Alto Networks, 2017.

[21] E. M. Hutchins, M. J. Cloppert, and R. M. Amin, "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," Proc. 6th Annu. Int. Conf. Inf. Warf. Secur., 2011.

[22] Lockheed Martin Corporation, "Seven Ways to Apply the Cyber Kill Chain with a Threat Intelligence Platform," white paper, 2015.

[23] M. H. Mate and S. R. Kapse, "Network Forensic Tool - Concept and Architecture," Proc. 5th Int. Conf. Commun. Syst. Netw. Technol. (CSNT 2015), pp. 711–713, 2015.

[24] E. S. Pilli, R. C. Joshi, and R. Niyogi, "Network forensic frameworks: Survey and research challenges," Digit. Investig., vol. 7, no. 1–2, pp. 14–27, 2010.

[25] S. Khan, A. Gani, A. W. A. Wahab, M. Shiraz, and I. Ahmad, "Network forensics: Review, taxonomy, and open challenges," J. Netw. Comput. Appl., vol. 66, pp. 214–235, 2016.

[26] S. Davidoff and J. Ham, Network Forensics: Tracking Hackers through Cyberspace. Prentice Hall, 2012.
