Exploit Kit Traffic Analysis

UNIVERSITY OF PIRAEUS
School of Information & Communication Technologies
Postgraduate Studies: Digital Systems Security
Thesis: Exploit Kit Traffic Analysis
Postgraduate Student: KAPIRIS STAMATIS (Student ID number: MTE14040)
Supervisor Professor: CHRISTOFOROS DADOYAN
Department of Digital Systems, Piraeus, June 2017

Keywords: Exploit Kit, PCAP Network Traffic Analysis, Malware Analysis, Ransomware, Cyber Threat, Angler EK, RIG EK, Security Onion, Python

TABLE OF CONTENTS

Prologue
CHAPTER 1 - Introduction
  Related Work
  Motivation
CHAPTER 2 - Characteristics of Exploit Kits
  What is an exploit kit?
  Incidents of the past
  How do you get compromised
  EK Infrastructure
  Propagation
    EK Campaigns
    Spam Campaigns
    Malvertising
  EK & Underground Economy
  Background on Exploit Kits
    EK's Adversarial Activity
  Attack Characteristics
    Nature of EK
    Redirections
    302 Cushioning
    Domain Shadowing
    Victim Profiling
    Fingerprinting Tactics
    Traffic Distribution Systems
  Self-defense Characteristics
    IP Blocking
    User-Agent Evasion
    Blacklist Lookup
    Signature Evasion
    Cloaking
    Domain Generation Algorithm
    Hiding Referrer
    Encryption/Encoding
    Obfuscation
    Fileless Infection
  Final Phase
  Post-Infection Phase
  Landing Pages
  Web Browsers
  Droppers
  Malware families
    Ransomware
    Botnets
  Technical Introduction to known Exploit Kits
  ANGLER EK
    General Characteristics
    Angler In Action
    Obfuscation of Angler
    Host Probing
    Malvertising
  RIG EK
    Rig Infrastructure
    Rig In Action
    Customer's Perspective
  EK comparison
CHAPTER 3 - Malware Traffic Analysis Example
CHAPTER 4 - Attack Path Script
CHAPTER 5 - Recommendations, Future Work & Conclusions

Details

  • File Type
    PDF
  • Content Languages
    English
  • File Pages
    94 pages
