CIT 485/585 Exploit Kits

The primary objective of this assignment is to learn how exploit kits act to compromise victims and how such malware attempts to hide itself. This lesson comes with a set of files containing captured packets in either the PCAP or PCAPNG format. Sections of the lesson will refer to the appropriate packet capture files to use by name. Use the references in the References section at the bottom of the lesson when needed to answer questions about the protocols in the lesson.

STUDENT LEARNING OUTCOMES

1. Identify malware activity in captured network traffic.
2. Extract files transferred over HTTP.
3. Determine if files are malicious using local and cloud anti-malware tools.

INTRODUCTION

The objective of this assignment is to learn how to use network data to detect and respond to malware attacks. We will use PCAP tools, the snort IDS, and two new tools: ClamAV and justniffer. To install ClamAV, run the following commands on your Kali VM.

    # apt-get update
    # apt-get install clamav
    # freshclam

ClamAV is a free anti-virus program, which we can use to determine whether executables found in network traffic are malware or not. In addition to ClamAV, we can upload extracted files (or entire pcap files) to VirusTotal to evaluate files using dozens of anti-virus programs. Note that VirusTotal archives uploaded files, so the site should only be used with files that do not contain confidential or sensitive information. Uploading malware executables or example PCAPs from this assignment is fine. Packet captures from corporate networks typically need to have data removed or altered to avoid giving away confidential data and non-confidential but still sensitive data like IP addresses. To install justniffer, run the following commands:

    # apt-get install libboost-all-dev libnids-dev python-nids libpcap0.8-dev
    # git clone https://github.com/onotelli/justniffer
    # cd justniffer
    # ./configure --prefix /usr/local
    # make && make install
    # cd python
    # python setup.py install

Justniffer is a command line network sniffer with a focus on HTTP. We will use justniffer's HTTP protocol analysis features to investigate HTTP traffic more easily than we can using Wireshark. Justniffer also comes with a script to extract files from HTTP traffic. This script has some advantages over using Wireshark's Export HTTP Objects feature.

EXPLOIT KIT STRUCTURE

Exploit kits are toolkits for cybercriminals to exploit systems and install malware on them. Exploit kits are typically deployed on web servers and have the following components.

1. Contact. The attacker uses social engineering to entice a user to click on a link to the server hosting the exploit kit. The first contact server may be owned by the criminal or it may be a legitimate web site compromised by the criminal.
2. Redirect. The software component on the web server screens the user's browser to see if it matches certain criteria desired by the criminal, such as being located in a certain country. Browsers that pass the screening are redirected to the exploit kit's landing page.
3. Exploit. The landing page examines information about the user's browser and OS, starting with the browser's User-Agent string, to determine which vulnerabilities are present that match exploits in the kit. If a match is found, the landing page sends an appropriate exploit to the victim's browser.
4. Infect. After successfully exploiting a vulnerability, the attacker now downloads and executes malware on the victim system.

EXPLOIT KIT ANALYSIS

The data for this section can be found in 2014-11-16-traffic-analysis-exercise.pcap. Load the data in Wireshark and start by identifying the participants, including the victim and the web servers hosting exploit kit components. Since most of the traffic is web-based, the display filter http.request in Wireshark can be useful in getting an overview of what is happening. When using this filter, I recommend adding the web server hostname as a column in the packet overview pane: select the HTTP data from one packet, left click on the HTTP Host header, then right click and select Apply as Column from the right-click menu.

Answer the following questions about the victim using Wireshark. Information about the victim PC can be found in DHCP and HTTP packets. When examining HTTP packets, user agent strings provide the most information about a client. Information about how to interpret user agent strings can be found at sites like http://www.useragentstring.com/ or https://udger.com/resources/ua-list.

1. What is the IP address of the victim PC?
2. What is the hostname of the victim PC? Check DHCP packets for this information.
3. Which web browser is the victim using? Include the version number.
4. Which version of Windows is running on the victim PC? Note that it is often reported as Windows NT x.y. Translate that to a named Windows version like XP, 7, Vista, etc.

If a user's OS and browser have all currently available security patches, then it is highly unlikely that an exploit kit can infect that user. Zero-day exploits can infect fully patched systems, but they are highly valuable and used only on the most valuable targets. Criminals can purchase exploit kits for around $1000, while sale prices of zero-day vulnerabilities start at $5000 and go up to $250,000. Fortunately for users of exploit kits, relatively few users have fully patched systems at all times.

JUSTNIFFER ANALYSIS

Use justniffer to analyze the HTTP traffic in the file with the command below. The -u option tells justniffer to print binary characters as periods, while the pipe to fgrep -v ... eliminates most binary-only data lines that describe non-HTTP flows. The -l option lets us specify which features of each HTTP flow to print. Use man justniffer to learn about all the possible data to print with this option. We print the web server hostname, the URL being accessed, and the HTTP response code. Remember that 2xx response codes indicate success, 3xx are redirects, and 4xx and 5xx are errors. See RFC 2616 for details on the meaning of individual response codes.

    $ justniffer -u -l "%request.header.host %request.url %response.code" -f 2014-11-16-traffic-analysis-exercise.pcap | fgrep -v ... | less
    www.ciniholland.nl /wp-content/plugins/contact-form-7/includes/css/styles.css?ver=3.7.2 200
    www.ciniholland.nl /wp-content/plugins/sitemap/css/page-list.css?ver=4.2 200
    www.ciniholland.nl /wp-content/themes/cini/js/functions.js 200
    www.ciniholland.nl / 200
    www.ciniholland.nl /wp-content/themes/cini/style.css 200

HTTP requests are listed in the order they occurred. Add %request.timestamp to your -l option string if you want to know the time an HTTP flow occurred. Adding %source.ip to the -l option is useful in most situations, but this particular PCAP has data for only a single browser using HTTP, so the IP address is always that of the victim. As a result, the list of HTTP flows provided by justniffer is an ordered list of the servers the victim contacted during their web browsing session. Answer the following questions about the exploit kit using Wireshark and justniffer:

5. What is the IP address of the contact server?
6. What is the domain name of the contact server?
7. What web servers does the victim contact, in order? To answer this easily, you can eliminate everything from the justniffer -l string except %request.header.host.

When looking at the list of web servers in your answer to question 7, the hostnames of three web servers appear many times, whereas a couple of web servers like www.youtube.com appear only once. The servers that appear only once are most likely advertisements or trackers that are not part of the exploit kit. The web servers that are components of the exploit kit are the servers that appear multiple times. Based on this information, answer the following questions:

8. What is the domain name of the EK's redirect server?
9. What is the domain name of the EK's server that contains the exploit?

Looking at the output of the original justniffer command, there is only one HTTP redirect (as indicated by a 301 response code). How is the user's browser transferred from one component of the exploit kit to the next without HTTP redirects? Use a command of the form ngrep -I filename hostname, where hostname is the name of one of the EK's components. The hostname of the redirect server must be found somewhere in the HTML, CSS, or JavaScript content of the contact page in order for the contact page to transfer control to the redirect server. Similarly, the hostname of the exploit server must be found somewhere in the content provided by the redirect server.

10. What type of content is the URL of the redirect server found in?
11. What is the IP address of the server that sends the redirect to the redirect server? Does this IP address match that of the contact server?
12. What type of content is the URL of the exploit server found in?
13. What is the IP address of the server that redirects the browser to the exploit server? Does this IP address match that of the redirect server?
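The reasoning in this section (servers contacted repeatedly are EK components, one-off servers are ads or trackers, and each component hands the browser to the next by embedding the next hostname in its own HTML or JavaScript rather than by an HTTP redirect) can be automated once the HTTP flows are in hand. The following script is an added example, not part of the original lesson or of justniffer; it runs over a constructed list of flows with placeholder hostnames (contact.example, redirect.example, exploit.example, ads.example), not the servers from the exercise PCAP. It counts hosts, finds which response bodies name which later hosts, reports the HTML element that carries each hand-off (including elements built by JavaScript with document.createElement), and follows the hand-offs into a chain.

```python
import re
from collections import Counter

# Constructed sample of HTTP flows in the order they occurred, as justniffer would list
# them: (host, path, status, response body). Hostnames and content are placeholders
# invented for this example; they are not the servers in the exercise PCAP.
SAMPLE_FLOWS = [
    ("contact.example", "/", 200,
     '<html><body><p>Welcome</p>'
     '<iframe src="http://redirect.example/gate.php" width="1" height="1"></iframe>'
     '</body></html>'),
    ("contact.example", "/style.css", 200, "body { color: #000; }"),
    ("ads.example", "/pixel.gif", 200, "GIF89a..."),
    ("redirect.example", "/gate.php", 200,
     '<html><head><script src="http://exploit.example/landing.js"></script></head></html>'),
    ("redirect.example", "/gate.js", 200,
     'var f=document.createElement("iframe");'
     'f.src="http://exploit.example/land.html";document.body.appendChild(f);'),
    ("exploit.example", "/landing.js", 200, "/* landing page script */"),
    ("exploit.example", "/land.html", 200,
     '<html><object type="application/x-shockwave-flash" data="/x.swf"></object></html>'),
    ("exploit.example", "/x.swf", 200, "CWS..."),
]


def host_order(flows):
    """Distinct hostnames in the order the victim first contacted them."""
    seen = []
    for host, _, _, _ in flows:
        if host not in seen:
            seen.append(host)
    return seen


def classify_hosts(flows):
    """Split hosts into likely exploit-kit components (contacted repeatedly)
    and one-off hosts (ads, trackers), following the lesson's heuristic."""
    counts = Counter(host for host, _, _, _ in flows)
    order = host_order(flows)
    return ([h for h in order if counts[h] > 1], [h for h in order if counts[h] == 1])


def element_carrying(body, hostname):
    """Name the HTML element whose markup (or JavaScript construction) mentions hostname."""
    pos = body.find(hostname)
    if pos < 0:
        return None
    # Static markup: the tag opened most recently before the hostname, if still open.
    tags = list(re.finditer(r"<(\w+)\b", body[:pos]))
    if tags and ">" not in body[tags[-1].end():pos]:
        return tags[-1].group(1).lower()
    # Script-built element: the last document.createElement("...") before the hostname.
    created = re.findall(r'createElement\(\s*["\'](\w+)["\']\s*\)', body[:pos])
    if created:
        return created[-1].lower()
    return "unknown"


def find_handoffs(flows):
    """Return (source host, path, destination host, element) for every response body
    that names another host the victim contacted: a hand-off without an HTTP redirect."""
    hosts = host_order(flows)
    handoffs = []
    for host, path, _, body in flows:
        for dst in hosts:
            if dst != host and dst in body:
                handoffs.append((host, path, dst, element_carrying(body, dst)))
    return handoffs


def infection_chain(flows):
    """Follow the hand-offs from the first contacted host to reconstruct the EK chain."""
    chain = [host_order(flows)[0]]
    links = find_handoffs(flows)
    while True:
        nxt = [dst for src, _, dst, _ in links if src == chain[-1] and dst not in chain]
        if not nxt:
            return chain
        chain.append(nxt[0])


if __name__ == "__main__":
    ek_hosts, one_offs = classify_hosts(SAMPLE_FLOWS)
    print("likely EK components:", ek_hosts)
    print("one-off hosts (ads/trackers):", one_offs)
    for src, path, dst, element in find_handoffs(SAMPLE_FLOWS):
        print(f"{src}{path} -> {dst} via <{element}>")
    print("chain:", " -> ".join(infection_chain(SAMPLE_FLOWS)))
```

On a real capture the flow list would come from the justniffer output in this section (host, URL, status) joined with the carved response bodies from the next section; the hostname search is the same thing ngrep -I does by hand, and the element detection is a heuristic that covers static tags and the common createElement pattern only.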

HTTP FILE CARVING

We have two options for carving files from HTTP traffic. We can use Wireshark's Export HTTP Objects feature or we can use the script justniffer-grab-http-traffic that comes with justniffer. The justniffer script has a couple of advantages over Wireshark: it organizes files by domain, and it gives files names based on URL paths with appropriate suffixes by MIME type. Let's extract files from the exploit kit capture using this script:

    $ mkdir http-files
    $ justniffer-grab-http-traffic -U student -d http-files -f 2014-11-16-traffic-analysis-exercise.pcap >/dev/null
    $ ls -l http-files
    total 16
    drwxr-xr-x 2 student student 4096 Nov  3 13:14 24corp-shop.com
    drwxr-xr-x 2 student student 4096 Nov  3 13:14 adultbiz.in
    drwxr-xr-x 2 student student 4096 Nov  3 13:14 stand.trustandprobaterealty.com
    drwxr-xr-x 2 student student 4096 Nov  3 13:14 www.ciniholland.nl
    $ find http-files -type f | wc -l
    33

We see that justniffer finds 33 files from 4 different web servers. Use grep and less to examine files in the directories associated with the appropriate web servers to answer the following questions. Note that HTML elements can be, and often are, created by JavaScript adding components to the DOM in the browser, so do not limit your searches to just HTML files.

14. Which HTML element is used by the contact server to redirect the user to the redirect server?
15. Which HTML element is used by the redirect server to redirect the user to the exploit server?
16. Using your knowledge of the web or by looking up materials online, what is the purpose of the HTML element(s) used in the redirections above?

Use the file command as follows to identify file types while in the http-files directory. Notice that two of the types are file types that can be executed in a browser with appropriate plugins: Java archive data (JAR) and Macromedia Flash data (compressed), version 22.

    $ file -b */*
    HTML document, ASCII text, with CRLF line terminators
    GIF image data, version 89a, 348 x 378
    HTML document, ASCII text, with very long lines
    Java archive data (JAR)
    Java archive data (JAR)
    data
    data
    data
    Macromedia Flash data (compressed), version 22
    Macromedia Flash data (compressed), version 22

Omit the -b option to see the names of the files. The four executable files consist of two pairs of identical files, indicating that the SWF (Macromedia Flash) and JAR (Java) executables were each sent twice to the victim. Upload the files to www.virustotal.com and also scan them with clamscan to see if they are malicious.

17. Which server sent the SWF and JAR files to the victim?
18. What is the SHA-256 hash of the SWF file? The command sha256sum can compute this hash.
19. Was the SWF file malware according to VirusTotal? If it was, provide one of its names.
20. Was the SWF file malware according to clamscan? If it was, what was the name?
21. What is the SHA-256 hash of the JAR file?
22. Was the JAR file malware? If it was, provide one of its names.
23. Was the JAR file malware according to clamscan? If it was, what was the name?
24. Which step of the exploit kit process do these files carry out?
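The three manual steps above (file to identify the type of each carved file, sha256sum to get the hash you look up on VirusTotal, and spotting that the four executables are two identical pairs) can be done in one pass over the carve directory. The script below is an added example written for this lesson, not part of justniffer or the original assignment. It works on a constructed in-memory set of files with placeholder hostnames (contact.example, ads.example, exploit.example) rather than the exercise's carve directory; the SWF and JAR samples are built inline from the real header layouts (a CWS header with version byte 22, and a zip containing META-INF/MANIFEST.MF) and carry no actual code. The identify function is a simplified stand-in for file(1) that recognises only the types this lesson encounters.

```python
import hashlib
import io
import zipfile
import zlib


def identify(data: bytes) -> str:
    """Classify a carved file from its leading bytes, in the spirit of file(1)."""
    magic = data[:3]
    if magic in (b"FWS", b"CWS", b"ZWS") and len(data) >= 8:
        # SWF header: signature, version byte, 4-byte little-endian uncompressed length.
        flavour = {b"FWS": "", b"CWS": " (compressed)", b"ZWS": " (LZMA compressed)"}[magic]
        return f"Macromedia Flash data{flavour}, version {data[3]}"
    if data[:4] == b"PK\x03\x04":
        # A JAR is a zip archive that carries a manifest entry.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "Zip archive data (damaged)"
        return "Java archive data (JAR)" if "META-INF/MANIFEST.MF" in names else "Zip archive data"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        width = int.from_bytes(data[6:8], "little")
        height = int.from_bytes(data[8:10], "little")
        return f"GIF image data, version {data[3:6].decode()}, {width} x {height}"
    if data.lstrip()[:1] == b"<":
        return "HTML document"
    return "data"


def sha256_hex(data: bytes) -> str:
    """Same digest sha256sum prints; the value to search for on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def inventory(files):
    """(path, type, sha256) for every carved file, sorted by path."""
    return [(path, identify(data), sha256_hex(data)) for path, data in sorted(files.items())]


def duplicate_groups(files):
    """Groups of paths whose content is byte-for-byte identical (same SHA-256)."""
    by_hash = {}
    for path, data in files.items():
        by_hash.setdefault(sha256_hex(data), []).append(path)
    return sorted(sorted(paths) for paths in by_hash.values() if len(paths) > 1)


def browser_executables(files):
    """Paths of files a browser plugin could execute: JAR and Flash."""
    return sorted(path for path, data in files.items()
                  if identify(data).startswith(("Java archive", "Macromedia Flash")))


def make_jar_bytes() -> bytes:
    """Constructed JAR-shaped zip: a manifest plus a dummy class entry (not a real applet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in (("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n\r\n"),
                              ("Sample.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))  # fixed timestamp
            zf.writestr(info, payload)
    return buf.getvalue()


# Constructed SWF: "CWS" + version 22 + uncompressed length + zlib body, per the SWF header layout.
SWF_BYTES = b"CWS" + bytes([22]) + (64).to_bytes(4, "little") + zlib.compress(b"\x00" * 64)
JAR_BYTES = make_jar_bytes()

# Constructed carve directory laid out like justniffer-grab-http-traffic's output
# (one directory per server); hostnames are placeholders, not the exercise's servers.
SAMPLE_FILES = {
    "http-files/contact.example/index.html": b"<html><body>hello</body></html>",
    "http-files/ads.example/pixel.gif": b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 10,
    "http-files/exploit.example/land.html": b'<html><object data="/x.swf"></object></html>',
    "http-files/exploit.example/x.swf": SWF_BYTES,
    "http-files/exploit.example/x-1.swf": SWF_BYTES,   # same SWF sent a second time
    "http-files/exploit.example/a.jar": JAR_BYTES,
    "http-files/exploit.example/a-1.jar": JAR_BYTES,   # same JAR sent a second time
    "http-files/exploit.example/blob": b"\x00\x01\x02\x03",
}

if __name__ == "__main__":
    for path, kind, digest in inventory(SAMPLE_FILES):
        print(f"{digest[:16]}...  {kind:45}  {path}")
    print("duplicates:", duplicate_groups(SAMPLE_FILES))
    print("browser-executable:", browser_executables(SAMPLE_FILES))
```

To run this against a real carve directory, replace SAMPLE_FILES with a dict built by walking http-files and reading each file's bytes; the hash of each group in duplicate_groups is what you submit to VirusTotal once, since identical files have identical verdicts.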

FILES

1. 2014-11-16-traffic-analysis-exercise.pcap
2. 2014-11-23-traffic-analysis-exercise.pcap

REFERENCES

1. Berkeley Packet Filter (BPF) syntax. https://biot.com/capstats/bpf.html.
2. IETF. RFC 2616: Hypertext Transfer Protocol – HTTP/1.1. https://tools.ietf.org/html/rfc2616. 1999.
3. Palo Alto Networks. Exploit Kit Report. https://www.paloaltonetworks.com/resources/research/exploit-kits.
4. Chris Sanders. Practical Packet Analysis, Third Edition. Chapter 9. No Starch Press. 2017.
5. Udger User-Agent Database. https://udger.com/resources/ua-list.
6. User Agent String.com. http://www.useragentstring.com/.
7. Wireshark. Wireshark User's Guide. https://www.wireshark.org/docs/.
