Nytro Posted January 16, 2017 Report Posted January 16, 2017 Catching Exploit Kit Landers By Brad Antoniewicz January 11, 2017 Exploit Kits play an integral role in many of the attacks we see on a daily basis. In this blog post we show how we use our data in a novel way to uncover new components of the attack infrastructure and protect our customers earlier. BACKGROUND A race unfolds each time a new WordPress, Joomla, or similar web application vulnerability is disclosed. Actors are looking to quickly craft an exploit and search the internet for vulnerable instances. Once compromised, these personal and business websites are turned against their users to become Exploit Kit Landers. Each visitor is selectively evaluated by the time of day they’re visiting the site, their source IP address, along with the versions of their browser and various plugins. If they match a specific profile, the Lander injects a single line of HTML or JavaScript code into the page. This line of code makes a call to the Exploit Kit Gate, which serves up a worthy exploit to take advantage of a vulnerability in an often outdated browser or plugin used by the visitor. We use the term ‘Gate’ to describe the attacker-controlled system which may serve the exploit itself or may be an intermediary step where the client is profiled a second time then sent to the exploit. With arbitrary execution achieved on the visitor’s system, the exploit kit has done its job. The shellcode of the exploit downloads a binary and executes the payload of the attacker’s choice which, in many cases, is ransomware. SO MANY CALLBACKS The infection chain is littered with internet callbacks between the attacker and the victim. The victim first goes to the infected Lander, then is redirected to the Gate, then downloads the payload, and then calls back to ransomware command and control (C2) to negotiate keys. We can detect this communication at the network layer and ultimately prevent an infection from succeeding by blocking communication to the hosts involved in any of these callbacks. While we have developed systems to uncover each of these callbacks, one group which is particularly interesting to us are the Landers. Articol complet: https://blog.opendns.com/2017/01/11/catching-exploit-kit-landers/ Quote
