International Journal of Pure and Applied Mathematics Volume 118 No. 20 2018, 509-516 ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu Special Issue ijpam.eu

What is Exploit Kit and How Does it Work? [1]Ade Kurniawan, [2]AhmadFitriansyah [1][2]Department of Informatics Engineering, Universal University,Batam, Indonesia

Abstract— In the Year 2016 to mid-2017, the analysts have claimed those years as the years of Malware especially Ransomware. The number, spread, infection and impact of malware have caused many users, businesses, governments, and organizations to be anxious, one of the tools to spread it by using exploit kits. A popular method of mass distribution used the perpetrators of cyber criminals is using the exploit kit. Exploit kit has become more effective, cheaper and sophisticated tools to spread malware to their victims. Therefore, in this paper, we provide this research using the Network Forensic Method. The results which are done will explain the chain of events about what the exploit kit is and how the exploit kit works, including actors, campaigns, payload, and terminology involved in the spreading of malware

Index Terms—Exploit Kit, Payload, Malware, Ransomware, and Chain of events.

I. INTRODUCTION In our digital era, everything is connected and Network Forensics Method. Network forensics is a everyone is vulnerable. The development, part of Digital Forensic conducted with scientific dependability, and complexity of computer software methods to identify, analyse and reconstruct events have brought immediate implications for global based on digital evidence/logs from the network safety and security, especially physical objects such [14][15][16]. Network forensics is highly reliable for as cars, airplanes, cars, medical devices and others capturing, evaluating, and reconstructing data [1]. The results of a study by Carnegie Mellon streams through one host to multiple hosts on a University's CyLab Sustainable Computing network. [17][18]. Furthermore, the results of a Consortium found 20-30 bugs' every 1000 lines of study are using the Network Forensic method computer code (LOC) [2]. revealed that EKs is a sophisticated method of infection, delivery, distribution of malware, difficult The discovery of bugs in Commercial software makes to detect and involved several other components in operating systems, web browsers, applications, or the chain of events including actors, campaigns, other software components installed on computers payload, and terminology involved in the spreading vulnerable to be exploited by cybercriminals [3]. This malware. vulnerability is exploited by cyber criminals to spread and infect malware using Exploit kits (EKs) which II. BASIC THEORY have resulted in financial damage, and disruption of A. Exploit Kit services in government, private and community organizations [4][5][6]. Exploit kit is a file, code or software which automates and takes advantage of vulnerabilities in In general, Internet infections, 60-70% attacks and the application or operating system [4][11][13]. The spread of malware such as Ransomware, Backdoor, landscape for distributing malware changed in 2016 Trojans, and rootkits use the Network based method since the exploit kit "MPack" was first created by using exploit kit [7][8][9][10]. Exploit kits become Russian programmer discovered [19]. For creators, popular among Cyber Criminal due to the ease to providers and users of exploit kits are business use, cheap, fast, and effectiveness when the opportunities which can generate huge and large perpetrator launches every action [11][12][7]. business profits. Exploit kit (EK) is used to automate vulnerabilities and security vulnerabilities that have been found on The three main underlying reasons why Exploit kit victim devices when the user performs a web are attractive to cybercriminals [20]: First, Stealthy browsing activity [11][12][13]. malware infection: Exploit kits are designed to work behind the scenes of victims during normal web Therefore, this paper aim is to provide an overview browsing, by using hidden code to redirect the and recent developments in Exploit Kit capability, we victim's browser traffic to an EK Server. Second, describe the chain of events about what the exploit Automatic exploitation: EK checks vulnerabilities kit is and how the exploit kits works by using such as browser-based applications and exploits

509 International Journal of Pure and Applied Mathematics Special Issue

victim computer devices automatically, then they  Where: where was the identifyingof send appropriate exploits and cyber criminals can location or host of the attack? monitor their effectiveness via a control panel. Third,  Why: why couldit happen and what Outsourcing. Cyber criminals do not build their own wasthe motive of the offender doing the EK systems, they just hire a Server Exploit kit with attack? user-friendly control panel and a much cheaper cost  How: which source was used or is the method used by a cybercriminal for malware vulnerabilities abused? distribution. III. METHODOLOGY The basic concept of EK is using exploits to target users' computer vulnerabilities If the exploit Preparation stage starts with the setup of hardware succeeds in getting infected the next step is the and software that will be used in this study. malware installation. According to Lockheed Martin Hardware used in this study is a Notebook Processor: [21] known as The Lockheed Martin Kill Chain, there Intel (R) Core (TM) i7-6700HQ CPU @ 2.60GHz, 8GB are 7 stages of cyber-attack as shown and described RAM, 1TB SSD, 8Gb GeForce GTX 950M Graphics in Figure 1. Card. Software used in this study is Wireshark Version 2.4.0 data set pcap file from http://www.malware-traffic-analysis.net/ and using OSCAR Network Forensic Investigative Methodology. The Network Forensic OSCAR Framework stage is shown in Figure 2.

Figure 2: OSCAR Network Forensic Investigative Methodology framework

Explanation of figure 2 as follows [26]: Figure 1 Lockheed Martin “Cyber Kill Chain” [22] Obtain information: Two important things that B. Network Forensics investigators undertake at the beginning are gathering all the information and environments Network forensic is a branch of Digital Forensic that associated with attacks such as date, time, persons focuses on capturing, recording and analyzing data involved, systems and data involved, actions taken from networks and detecting intrusions and since discovery, summary of internal discussions, investigating [14][15][23]. Network forensics are legal issues, time frame for present due to the increasing number of cyber investigation/recovery/resolution, and goals. incidents and the increasingly sophisticated tools Strategize: Determining the potential strategy and used by cybercriminals [24]. There have been many potential sources of digital evidence in network techniques and Framework Network Forensics forensic investigation is crucial because evidence produced to help investigators solve Cybercrime networks are very volatile. Collect Evidence: This cases [24][25]. The Network Forensic Investigative third stage is collecting digital evidence with Methodology framework used in this Exploit kit attention to three important aspects; Document research is OSCAR (Obtain information, Strategize, (Chain of custody), Capture (capture evidence), and Collect Evidence, Analyse, and Report). [26]. Using Store/transport (Ensure that the evidence is stored OSCAR Framework will be able to answer basic securely). Analyze: The analysis stage is the crucial questions in Network Forensics investigation, as process of Network Forensic investigation to ensure follows [23]: the element of scientific and legal-element maintained by the investigator. Report: The last  Who: who is to be blamed or who the first stage of OSCAR Framework is tocreate a report, victim was infected? compile and presentto the scientific principles which  What: the attackerhas finished the attack are easily understood by the common people.  When: when did the attack occur?

510 International Journal of Pure and Applied Mathematics Special Issue

IV. Result and Discussion

Our research on exploit kits using the OSCAR framework focuses on Analysis and Reporting, while in Obtaining information, Strategizing, and Collecting Evidence phases have been done on the other hand. To facilitate the investigation, we created of questions based on digital evidence from log traffic with file name "2017-01-28-traffic- analysis.pcap":

1. Which personal computer name was first infected with malware, what kind of malware did infect the victim's computer, when wastheinfected date/time and the victim's internet protocol (IP)? 2. What exploits kit was used to infect the user's computer and what compromised website was kicked off the infection chain of events? 3. Before the victim's computer gets infected by malware, what wasshe/he doing while browsing?

A. Analysis

Timestamp plays a key role and very decisive important events in Digital Forensic including on Network Forensic [27]. The application used to reveal the timestamp in this study is Wireshark. Using HTTP.request filter in Wireshark, shown in Figure 2 the first time the computer was infected by a malware.

Figure 3: Timestamp

As shown in Figure above, we have been able to find out who was the first infected victim's computer, the name of the infected PC, the IP, and the victim's mac address. The first identified victim isStewie-PC as shown in Figure 3 by using the nbns filter in Wireshark.

Network forensics is a scientific method for retrieving, recording, analyzing digital evidencefrom the network and reporting the resultwhich will be presented to the court [28][24].

Figure 4: IP and Host PC infected

After successfully findingthe timestamp, IP, Mac Address, and Host-PC; we do the deep analysis ofsuspected severaldomainswhich are usedbycyber criminals to spread malware. One of the domains used is identified as having a domain namely p27dokhpz2n7nvgr.1jw2lx.top.After a search using Google, the domain p27dokhpz2n7nvgr.1jw2lx.top is used by cybercriminal to infect a malware of Ransomware type of CerberRansomware as shown in Figure 4

511 International Journal of Pure and Applied Mathematics Special Issue

Figure 5: CerberRansomware infected to victim

In Figure 5, we find the result of PCAP that has been uploaded to https://www.virustotal.com alertwhichisshowing the results of Suricatafound an actor/cybercriminal used RIG EK (Exploit Kit)

Figure 6: https://www.virustotal.com alert results

Digital evidence named "2017-01-28-traffic-analysis.pcap is run by Snort as shown in Figure 6. Snort detects RIG EK exploiting a landing page. The RIG Exploit Kit (RIG EK) is a server-based framework for malware delivery and distribution gateways, with an exploitation of weaknesses in software applications such as web browsers and directing victims to malware executions unnoticed by victims .

Figure 7: Snort result find RIG EK

After analyzing the TCP stream, it shows the results before the first host is infected withCerberRansomware, identified by the victim searching the Bing search engine with keywords "remodeling your kitchen cabinets" referring to the URL http://www.bing.com/search?q= Home + improvement + remodeling + your + kitchen &qs = n &sp = -1 & PQ = home improvement + + + your remodeling '[; //' '. The site www.homeimprovement.com is identified on a compromised website in the chain of events of malware deployment using the Exploit Kit.

Basically, RIG EK with various tricks directs traffic to the server EK users before sending malware. Actors use campaigns to guide traffic to the victim server EK. Actors and campaigns are two different terms, an a ctor may use one or several campaigns to distribute malware. One actor may have used the same campaigns to distribute various types of malware. The next stage is to determine the campaign's script used to deliver Cerberwhich is a way to export object in the packet capture as shown in Figure 7. PseudoDarkleech is a commonly used campaigns Cerber author, function to redirect traffic from the victim to Exploit Kit server with a stealth mode.

512 International Journal of Pure and Applied Mathematics Special Issue

Figure 8: PseudoDarkleech script is used campaigns Cerber

V. CONCLUSION AND FUTURE WORK

The conclusion of our research entitled "What Is Exploi t Kits and How Does It Work?" by using Network Forensic OSCAR Framework method results inanExploit Kits is a digital weapon that has been widely used by cybercriminal with all the ease of the use process because it does not need special expertise from the actor . The business process of exploit kits currently uses the system Exploit Kits as a Service (EKaaS), spreading threats to its widespread and sophisticated victims. EK automatically infected malware to victimwithout realizing by exploiting client-side vulnerabilities.The following figure is a brief description of the chain of events from deployment until the victims are infected with ransomware using an exploit kit as shown in Figure 8.

Figure 9: Exploit Kit Framework

The explanation of Figure 8 above is:

1. The first time victim perform a search on Bing, then visited a website URL: www.homeimprovement.com which from the results analysis has been identified as a compromised website

513 International Journal of Pure and Applied Mathematics Special Issue

2. The exploit backend contact the webserver to generate malicious javascript code and check the IP of the victim, as some Ransomwares validate the victims’ IP which are not allowed to be infected in some countries, for example CerberRansomware. 3. Next, EK backend communication with the web server by sending malicious code javascript URL to victim with domain .top 4. Landing pageusually creates and randomizes URL by using DGA (domain generation algorithm) and it is controlled by an actor/actors. 5. The injected script is a Darkleechpseudo on a compromised web page and has a Cerber payload sent by Rig EK. 6. CerberRansomware malware is sent and will be executed by the victim 7. Cerberransomware has been executed unnoticed by victim 8. The victim's computer has been in control of the cyber criminal

Because the nature of exploit kits for future work is [8] Network Security, “Ransomware: threat and now increasingly complex, sophisticated, user- response,” Netw. Secur., vol. 2016, no. 10, friendly, subsequent research is necessary to create pp. 17–19, 2016. a framework to perform Exploit Kit analysis by utilizing a combination of dynamic and static analysis [9] R. Brewer, "Ransomware attacks: detection, techniques. prevention, and cure," Netw. Secur., vol. 2016, no. 9, pp. 5–9, 2016. Acknowledgement: [10] A. Kurniawan and I. Riadi, “Detection and This research is supported by Universal University, Analysis Cerber Ransomware Using Network Batam Indonesia. We thank toOey Anton, Forensics Behavior Based,” Int. J. Netw. S.TP.,M.Pd. our colleagues who provided expertise Secur., 2017. that greatly assisted the research [11] F. Malecki, “Defending your business from REFERENCES exploit kits,” Comput. Fraud Secur., vol. 2013, no. 6, pp. 19–20, 2013. [1] M. Goodman, FUTURE CRIMES : Everything Is Connected, Everyone Is Vulnerable and What [12] W. Shim, L. Allodi, and F. Massacci, “Crime We Can Do About It. DOUBLEDAY, 2015. pays if you are just an average hacker,” Proc. 2012 ASE Int. Conf. Cyber Security. [2] W. Humphrey, “The Software Quality Index,” CyberSecurity 2012, no. SocialInformatics, Softw. Qual. Prof., vol. VOL. 1 NO., pp. 8–18, pp. 62–68, 2013. 1998. [13] M. Hopkins and A. Dehghantanha, “Exploit [3] Microsoft, “Microsoft Security Intelligence Kits: The production line of the Cybercrime Report,” vol. 21, pp. 7–8, 2016. economy?,” 2015 2nd Int. Conf. Inf. Secure. [4] Kaspersky Lab, “ATTACKS WITH EXPLOITS : Cyber Forensics, InfoSec 2015, pp. 23–27, FROM EVERYDAY THREATS,” no. April, 2017. 2016.

[5] McAfee Labs, Understanding Ransomware [14] A. Kurniawan, I. Riadi, and A. Luthfi, & Strategies to Defeat it. 2016. “Forensic Analysis and Prevent of Cross Site Scripting in Single Victim Attack Using Open [6] A. Lilly, A. Communications, and J. Bedell- Web Application Security Project (Owasp) pearce, “Ransomware becomes the most Framework,” J. Theor. Appl. Inf. Technol., vol. prevalent form of malware and hits an ever- 95, no. 6, pp. 1363–1371, 2017. wider range of victims,” Netw. Secur., vol. 2017, no. 2, pp. 1–2, 2017. [15] K. Nguyen, D. Tran, W. Ma, and D. Sharma, “An Approach to Detect Network Attacks [7] B. Min and V. Varadharajan, “A new Applied for Network Forensics,” pp. 655– technique for counteracting web browser 660, 2014. exploits,” Proc. Aust. Softw. Eng. Conf. ASWEC, pp. 132–141, 2014. [16] Terrence V. Lillard, Digital Forensics for Network, Internet, and Cloud Computing: A

514 International Journal of Pure and Applied Mathematics Special Issue

Forensic Evidence Guide for Moving Targets Secur., no. July 2005, pp. 1–14, 2011. and Data. Elsevier Inc, 2010. [22] Lockheed Martin Corporation, “Seven Ways [17] S. Imam Riadi, Jazi Eko Istiyanto, Ahmad to Apply the Cyber Kill Chain ® with a Threat Ashari, “Log Analysis Techniques using Intelligence Platform A White Paper Clustering in Network Forensics Imam,” Int. Presented by : Lockheed Martin J. Comput. Sci. Inf. Secur., vol. Vol. 10, N, no. Corporation,” 2015. July, 2013. [23] M. H. Mate and S. R. Kapse, “Network [18] A. Sciences, “Wikipedia Handbook of Forensic Tool - Concept and Architecture,” Computer Security and Digital Forensics Proc. - 2015 5th Int. Conf. Commun. Syst. 2016 - Part II - Digital Wikipedia Handbook of Netw. Technol. CSNT 2015, pp. 711–713, Computer Security and Digital Forensics 2015. 2016 Part II - Digital Forensics By Wikipedians,” no. January, 2016. [24] E. S. Pilli, R. C. Joshi, and R. Niyogi, “Network forensic frameworks: Survey and research [19] B. Stock, B. Livshits, and B. Zorn, “Kizzle: A challenges,” Digit. Investig., vol. 7, no. 1–2, signature compiler for detecting exploit kits,” pp. 14–27, 2010. Proc. - 46th Annu. IEEE/IFIP Int. Conf. Dependable Syst. Networks, DSN 2016, pp. [25] S. Khan, A. Gani, A. W. A. Wahab, M. Shiraz, 455–466, 2016. and I. Ahmad, “Network forensics: Review, taxonomy, and open challenges,” J. Netw. [20] P. A. NETWORKS and U. 42, Exploit Kit Comput. Appl., vol. 66, pp. 214–235, 2016. Getting in by Any Means Neccasary. Palo Alto Networks, 2017. [26] S. Davidof and J. Ham, “Network Forensics Tracking Hackers through Cyberspace,” in [21] E. M. Hutchins, M. J. Cloppert, and R. M. Climate Change 2013 - The Physical Science Amin, “Intelligence-Driven Computer Basis, Intergovernmental Panel on Climate Network Defense Informed by Analysis of Change, Ed. Cambridge: Cambridge Adversary Campaigns and Intrusion Kill University Press, 2012, pp. 1–30. Chains,” 6th Annu. Int. Conf. Inf. Warf.

515 516