1
00:00:10,180 --> 00:00:15,900
Hello everyone, welcome to the third part of my malware analysis and reverse engineering course. In this video

2
00:00:15,900 --> 00:00:24,210
we are going to talk about exploit kits. So an exploit kit is a very popular mechanism that is used by attackers

3
00:00:24,330 --> 00:00:32,560
as the delivery phase. In the spam emails we discussed two types of spam.

4
00:00:32,560 --> 00:00:36,220
One was spear phishing and one was the regular spam.

5
00:00:36,340 --> 00:00:43,060
So spear phishing was more like a targeted spam email which would be sent to specific organizations or

6
00:00:43,060 --> 00:00:50,500
specific individuals within an organization, whereas a generic spam would be more like email that gets

7
00:00:50,560 --> 00:00:54,150
sent to a bunch of users in the same way.

8
00:00:54,190 --> 00:00:57,090
Exploit kits are not usually targeted.

9
00:00:57,340 --> 00:01:05,920
They are basically hosted on a compromised website, or they will be hosted on an ad server by compromising

10
00:01:05,920 --> 00:01:07,430
the scripts on the ad.

11
00:01:07,450 --> 00:01:13,290
So the aim of the exploit kit will be to infect as many users as possible.

12
00:01:13,390 --> 00:01:19,900
So if you look here, I have tried to draw a traditional campaign that was used by exploit kits, so

13
00:01:19,900 --> 00:01:24,750
they would usually host the script on one of the compromised sites.

14
00:01:24,790 --> 00:01:28,200
From there the user will get redirected to the exploit kit.

15
00:01:28,210 --> 00:01:35,560
So recently we have started seeing that the exploit kits have started using multiple redirects in order

16
00:01:35,560 --> 00:01:40,270
to evade the intrusion detection and prevention systems.
17
00:01:40,270 --> 00:01:47,590
So what happens is you'll visit a normal website, for example a news site or probably a video

18
00:01:47,590 --> 00:01:55,810
hosting website. Usually these sites will contain some kind of ads in different sections of the page.

19
00:01:55,920 --> 00:02:05,070
So the attackers are trying to weaponize those ads in order to land you on the exploit kits.

20
00:02:05,290 --> 00:02:13,940
So your website will redirect you to an ad, and the ad will basically redirect you to multiple TDS

21
00:02:13,950 --> 00:02:21,370
gateways. TDS gateways are nothing but load balancing gateways that can help in redirecting traffic

22
00:02:21,730 --> 00:02:24,000
from one server to another.

23
00:02:24,310 --> 00:02:31,960
So exploit kits use this technique to basically perform multiple redirects before the user gets infected

24
00:02:31,960 --> 00:02:36,230
by an exploit kit by visiting the site.

25
00:02:36,430 --> 00:02:42,840
So here is a snapshot of exploit kit traffic. Just to make it simple,

26
00:02:42,880 --> 00:02:49,750
let us consider that we already know that the exploit kit server is hosted on 185.158.152.

27
00:02:49,750 --> 00:02:50,700
204.

28
00:02:51,010 --> 00:02:59,620
So I'm using this presentation to give you a rough idea about what kind of filters you can apply when

29
00:02:59,620 --> 00:03:06,930
you have been given a pcap that contains exploit kit traffic: what should be your filter,

30
00:03:06,940 --> 00:03:10,100
how would you figure out that this was an exploit kit attack,

31
00:03:10,120 --> 00:03:13,820
what were the exploits that were launched, and stuff like that.

32
00:03:13,930 --> 00:03:18,250
So let us say we know that this is the culprit IP.

33
00:03:18,250 --> 00:03:25,480
So what we can do here is that we can apply a filter on the pcap, saying http.request

34
00:03:25,780 --> 00:03:29,590
and ip.addr equals the culprit IP.
35
00:03:29,740 --> 00:03:35,740
So what we are doing here is that we are looking for all types of HTTP requests, whether it's

36
00:03:35,740 --> 00:03:41,620
a GET or POST, that have originated from this particular IP address.

37
00:03:42,070 --> 00:03:50,590
So if you look here we have all the GET requests, three GET requests that have been originated from

38
00:03:50,590 --> 00:03:51,860
the particular IP address.

39
00:03:51,860 --> 00:03:59,410
So this is one very critical filter to quickly see what all requests were made by your machine to this

40
00:03:59,410 --> 00:04:08,180
particular server. So in exploit kits the flow of events is very straightforward.

41
00:04:08,190 --> 00:04:14,460
What they do is that once you reach the landing page, the landing page basically would contain a very

42
00:04:14,460 --> 00:04:22,050
obfuscated script, and this script tries to enumerate your browser plugins and your browser environment.

43
00:04:22,050 --> 00:04:28,230
For example, if you are using an Internet Explorer web browser, the exploit kit will try and launch an

44
00:04:28,260 --> 00:04:34,080
Internet Explorer exploit onto your machine so that they can exploit the Internet Explorer and they

45
00:04:34,080 --> 00:04:36,420
can get an unlimited privilege.

46
00:04:36,450 --> 00:04:42,300
On the other hand, let's say you are using Chrome or Firefox, the picture can be slightly different.

47
00:04:42,300 --> 00:04:44,580
The landing page of the exploit kit

48
00:04:44,720 --> 00:04:50,970
will be reached by following all those multiple TDS redirections. Once you reach the landing page,

49
00:04:51,300 --> 00:04:58,650
the landing page, no matter the browser, will try and figure out what all plugins are integrated

50
00:04:58,650 --> 00:04:59,340
in your browser.

51
00:04:59,340 --> 00:05:02,100
For example, do you have a Flash plugin?

52
00:05:02,100 --> 00:05:04,050
Do you have a PDF reader plugin?
53
00:05:04,050 --> 00:05:05,940
Do you have a Java plugin?

54
00:05:05,940 --> 00:05:11,100
Do you have Silverlight plugins and things like that? So these are some of the common plugins that the

55
00:05:11,100 --> 00:05:12,910
exploit kits usually target.

56
00:05:13,200 --> 00:05:19,890
And they have a bunch of exploits hosted on their server, so once the landing page is able to figure out the

57
00:05:19,890 --> 00:05:26,540
version of plugins, it sends that information back to the exploit kit server.

58
00:05:26,580 --> 00:05:35,250
For example, let's say the exploit kit was able to figure out that you are using PDF version 13, which might

59
00:05:35,250 --> 00:05:36,760
be a vulnerable version.

60
00:05:36,900 --> 00:05:40,740
You might be using Java 7.4 or something like that,

61
00:05:40,740 --> 00:05:43,170
which might again be a vulnerable version.

62
00:05:43,230 --> 00:05:50,230
So once these details are sent to the exploit kit server, the exploit kit server goes ahead and

63
00:05:50,230 --> 00:05:51,690
launches exploits

64
00:05:51,690 --> 00:05:56,930
based on these versions, because not all exploits are designed

65
00:05:56,940 --> 00:05:59,310
to directly infect any version,

66
00:05:59,400 --> 00:06:06,380
unless it's a zero-day. So what exploit kit authors do is that they first figure out what is the version of

67
00:06:06,430 --> 00:06:10,360
services or plugins that are hosted on your browser.

68
00:06:10,410 --> 00:06:15,770
Once they have that information they will launch the specific exploit, and once

69
00:06:15,840 --> 00:06:18,390
the exploitation is successful,

70
00:06:18,480 --> 00:06:25,810
the attacker is basically able to bypass the sandboxing environment that the browser has created.

71
00:06:25,950 --> 00:06:33,600
So this is the reason why exploit kits need to exploit your browser, because a browser environment

72
00:06:33,630 --> 00:06:38,970
is a sandbox environment and it has very limited functions on the machine.
73
00:06:39,120 --> 00:06:47,190
Once it gets exploited, the browser process now has the ability to basically perform a lot more actions,

74
00:06:47,190 --> 00:06:49,380
for example downloading the payload.

75
00:06:49,620 --> 00:06:55,680
So this is why exploit kits rely heavily on exploits in order to drop their final payload.