
Like she said, I'm Jeff Jodie. I work for Blue Coat Systems as a threat analyst, so basically what I do is I click on stuff, just like all your kids do: I click on your computers and click on links. Then I get Xfinity mad at me because I've got malware on my system, and they send me these emails saying, hey, you've got malware on your computer and you need to clean it right now. I have Zeus and Necurs running on my network at home and I'm waiting for that email, and I have not got one yet. CenturyLink will cut you off the network, but Comcast does not care; they'll just send you a polite email and then tell you to use the product that I know does not work, because it's not detecting it.

So what I'm going to talk about today is malware, and kind of the evolution of malware, especially exploit kits: how malware has become monetized and how crimeware has gotten into malware and is using it these days. We've gone away from malware being used by guys in basements as pranks to crimeware groups using it for money. Perhaps not a guy like that; perhaps he looks more like that, or at least this guy has someone working for him that looks like that. But there are underground groups that are using malware as money, and they're making lots and lots of money out of this.

This is the International Journal of Cyber Criminology. This non-profit group did a white paper talking about how these groups need leadership, structure and specialization to be successful, and we can definitely see that as we track these primary groups: they definitely have these aspects. We can see that they have a defined organization, and they definitely have specialization. This is just a quick example of how these kinds of groups divide up work and conquer. This is an article from ZDNet: organized cybercrime groups are now as powerful as nations. I don't know if I believe that 100 percent. They are quite powerful; some of them are quite talented. I think the difference between the crimeware groups and the nation-state groups is that the nation-state groups have more opportunity to flex their technical muscle, because they're going after the hard targets. The crimeware groups only need to make money, so if the lowest-hanging fruit works, then it works, and they don't need to go any farther than that.

But just to show you how popular this stuff is, this is the FBI's Cyber Most Wanted list, like their normal Most Wanted list, but this is their Cyber Most Wanted list. And this is my friend Evgeny Malkovich-something, Russian. This is the guy who's behind the Zeus GameOver botnet. Zeus is a banking trojan; it steals banking credentials so they can steal money from you. The source code for Zeus has been out there for a long time, and there have been a ton of variants. This variant kind of took off and became much more popular because he added a peer-to-peer infrastructure to it, so the C&C callouts weren't to a central server that someone like Kaspersky could take down, and everybody wins. They're peer-to-peer, so they talk to all sorts of other compromised hosts in order to get the information that they need. These were the guys that were distributing CryptoLocker. How many people have heard of CryptoLocker? Yes, everyone's heard; it's the popular one. The FBI did try to take down his botnet a while back, and they never completely go down, so he is back doing some stuff, not at the peak of what he once was. But to show how important these guys are and how successful, see, he has a three million dollar price on his head right now for anyone who leads to his capture. Three million dollars is a nice price to have on your head; it shows how successful you are. On an unrelated note, we're going to take a trip to Russia, if anyone is interested in going to Russia. Call it a retirement plan. But yeah, so he's popular.

The other reason they've started to make more money is they've taken malware and made it easy for non-technical users to use, so kind of like the instant black hat, or it's the Photoshop Elements of Photoshop. Basically, if you have enough money you can just buy everything you need, and you can instantly be owning a botnet. So we'll break these down. First you've just got to buy a trojan. Here's Citadel, here's SpyEye; Zeus is a very popular one. SpyEye, the guy retired and he sold his source code. Pony is actually a downloader, so they're a little bit different: they're manually just getting on the machine and then downloading more malware. But you won't get source code; you'll just get a builder like this, so you can build a payload with all the settings and everything that you want. So you buy the botnet, you buy the trojan, and then you've got to buy a crypter, because the source code is known to all these AVs, so they'll detect it. A crypter is a way of encrypting your malware. They'll call it FUD, they'll call it fully undetectable on these Russian hacker forums. Basically there are lots of mechanics they can do to do this: they can throw in APIs that don't mean anything, they can throw random assembly code into the code that doesn't mean anything, but basically you're just trying to change the hash enough and the signatures enough so they won't be detected. And then this is how we get, you've seen those reports that there's 500 billion malware out there today. There's not; there's like four. Everything last year was Zeus, and malware was like Zeus, Zeus and Zeus, and if you got anything else it was like Christmas Day, because it's like, oh, it's not Zeus, how exciting. So they buy like two or three of these, put them in different settings, run it through, and you have a whole different hash, and then you regurgitate it in a different way and you can get just all the different hashes you could possibly want. And so that's how you see those inflated numbers of, look at all this malware. That's the crypter.

You buy the exploit kit, and that's what we're going to go into deeper. An exploit kit basically just distributes your malware on the internet; this is the drive-by download, essentially. And then you buy traffic, you buy web traffic. So what does that mean? Has anyone heard that before, buying web traffic? A couple of people. PBS, exactly. So there are some malicious actors out on the web that specialize in driving user traffic, so when you're browsing the internet, driving your traffic to specific people, or whoever is the highest bidder. We call them gates or TDS. Think of it as a malicious web advertisement company, so you can say, I want people from this demographic, from these countries; you can be very specific about what kind of traffic you want. I wrote this before I knew this was recorded, so: we're not fans of web ad analytic companies. But mostly they just compromise WordPress sites. They write crawlers that just go off on the internet and compromise plug-ins and WordPress installs that are out of date. They inject code onto those websites so that they will load whatever they want in the background or redirect you somewhere else. There are a few other methods: other botnets will pay to just put traffic on their computers, so they'll just start reaching out to other things; the classic is spam, spam botnets will pay to send you stuff; and also malvertising, which we'll get into deeper.

These TDS guys kind of border in between the dark and the gray area. They have legitimate uses and legitimate people using them, but they also have a lot of shady stuff. So one day you'll hit this TDS gate and you'll get malware, and then the next day they'll send you to an adware company, which is legit. I mean, this is a legit operator; they do have a legit business operation. We get phone calls from them saying, why have you marked us as PUS and adware? And we just send them to our definition and say, read between the lines. One day you'll go to the TDS and you'll hit this, you'll get spam for, you know, get a free Best Buy gift card or something like that, and then the next day you'll hit it and you'll get the doctor's diet scam stuff. Not that the doctors aren't scammy enough, but it's always some fake. Me and my wife like to go to Walmart, because in the clearance aisle you'll see the latest trend. It used to be Garcinia Cambogia, and now it's a new one; it used to be raspberry ketones. And they show up now in the clearance aisle of Walmart because it's a fad. Asprox was a very popular botnet; they still are, I believe. But the spam people who were paying to deliver their payloads in their spam suddenly stopped, and now they're just delivering good old classic Viagra spam and stuff like that. So I don't know if they lapsed in their payment to these spam people or whatnot, but you can see how they can just change around really quickly.

So to go into what the exploit kit is, the drive-by download: I kind of consider it like the opposite of an AV. What they'll do is they'll rent an IP or server, usually somewhere where we don't have a lot of jurisdiction (Rob's going to yell at me now), so like Russia or Ukraine or somewhere where we can't do anything about it, and then they'll wait for someone to hit that site. So through a TDS they go to a compromised website; there's JavaScript on that page that loads something in the background, or an iframe or something like that, and then they send you this big blob of JavaScript. It's just a big ugly blob of JavaScript, and what that is, it's obfuscated JavaScript, so you can't tell what it's trying to do. But once it actually runs, it's basically using a JavaScript library called PluginDetect, and it's looking for the plugins in your web browser, so like Java and Flash and the PDF reader and stuff like that, and when it finds one that's vulnerable to an exploit, they'll give you an exploit along with a downloader that can just download the malware of your choice.

So this is a dashboard. A lot of these come with dashboards so you can see your statistics. This is Blackhole exploit kit, so you can see the types of OSes you're hitting, the types of browsers, and the exploits. The big scary number up there is the percentage of successful exploits you've gotten. They'll always advertise on the hacker forums like, you'll get 25% of all your traffic exploited, and then you always find a ton more forum posts from people complaining like, I only got like 12 percent, and they're all upset. So from what I've gauged, really 12 to 15% is what you see normally. These are all the exploits that are being successful.

And there's become a marketplace for this, so all these people are competing for other people's business. I mean, it's some legitimate capitalist market of just whoever does the best exploit kit wins, and so they pride themselves on who's got the best exploit kit, and who obfuscates their JavaScript best and can change it as much. This is the old Serenity exploit kit; they're gone now, but they used to do their own black hat version of VirusTotal, so you could take your payload, the payload you've crypted and everything, and you can see which antiviruses are detecting it currently. Blackhole exploit kit did this as well, and the second a few of them start to detect it, they'll change your payload for you so you won't get detected by AVs. And then there are lots of other things that they've done. Angler exploit kit did the Flash zero-day that was like, what, three or four weeks ago. Sweet Orange combined with the TDS, and so they would say, hey, come get our exploit kit, we will send you 150,000 unique visitors to your exploit kit a day. Who knows if that was true, but that's what they claimed.

And then we can't go on without talking about Blackhole. Blackhole exploit kit was the king of exploit kits. A lot of AVs even today, when they detect an exploit kit, they'll call it Blackhole, even though Blackhole is gone. There was some competing with him, but he really was the king: he made it sexy, he made it efficient, it was really well done. And then he took all that money and created Cool exploit kit. So to do an analogy, like this is the Toyota Camry of exploit kits; this would be the Mercedes-Benz. So he claimed he took a hundred thousand dollars and bought a bunch of zero-days. It was a lot more expensive to rent than the other ones: 500 a month compared to like 10,000 a month for Cool exploit kit. We always thought that this was going to be the judgment day when all these zero-days started flooding out to the internet from Cool exploit kit. It never happened. I just think it was all BS. You know, when someone offers a product that's more expensive but it's basically the same thing, you always get some people who will pay for that more expensive product, and I think that's what he was doing there. Unfortunately, the guy who ran Blackhole exploit kit, his name was Paunch, he got arrested. That sexy devil there, that's Paunch. That guy kept me employed. Paunch is, you might know, Russian slang for like fat or donut or something like that, and some people got offended by that, but it's his own name; he called himself Paunch. So when he got arrested, the market just exploded: the king was gone and now everyone was free to fill in that market, and everything started taking off from there.

So when I first started working at Blue Coat (I've been there about two and a half years now), these exploit kits, even Blackhole, were so much simpler, and they were easy to detect, and I thought I was just an infosec super guy because I could detect these things. Is a website compromised and leading to exploit kits? It was quite easy: just view source, and the scroll bar on the window would go really tiny because at the very top or bottom you'd see this script with an eval call and this incredibly long parameter, and that's basically the obfuscated code. So it was 100% easy every time to figure out if these sites were compromised. It was almost always WordPress pages, bar none; it was very rare to see any other type of website compromised. They mostly did Java, Java, Java, Java; it was all just Java exploits. And then creating the signatures was so much easier. That's what I do at Blue Coat: I'll find this malware and stuff, and we'll create signatures for the delivery, for the exploit kits, for the C&C servers; they go into our proxy so they protect our customers from it. They would use strings that were completely unique on the internet. We see a lot of traffic; we get, what is it, 70, 50 billion log lines a day or something like that, it's ridiculous; we basically see a good portion of the internet, and they would use strings that were completely unique to the entire internet. How easy is that for an IOC or for a signature?

However, that quickly changed. Kahu Security does this blog where he talks about the most wanted exploit kits, and he does it in this Wild Wild West presentation. So the market kind of exploded; here are a lot of the popular exploit kits that are out now. It used to be Blackhole and maybe a couple of other players, and now there's just a ton of them. Some of the big ones: RIG exploit kit, Fiesta exploit kit, Sweet Orange, Angler, like I said, with the zero-days; just big popular ones. And then we'll see a lot of them that will come and go, so they'll come and then they'll disappear for a while and then they'll come back eventually. Styx exploit kit. Gongda is a Chinese exploit kit; it's been around for several years, but it just shows up, does some work, and then it disappears and we don't see it again. So it's hard to keep track of these when they keep disappearing and coming back and all that. And then there are a ton that just never come back at all, because these exploit kits are decently easy to write: it's just PluginDetect and then a database back end, it's pretty simple. So we see newcomers come onto the market, and they'll shoot up and be incredibly popular, and then they'll just die and go away and we never see them again. Impact exploit kit, that was a good one. I like to reminisce and look at these old exploit kits: oh, I miss you. But there are a lot, and there are lots of exploit kits; it's difficult to keep them straight.

A lot of these are sold on underground markets, at hacker markets, so they have some type of marketing and graphic design. Styx exploit kit was actually the first one to have an open website; it was stickscript.com, and you could just go there to buy the exploit kit, open on the web; you didn't have to go through Tor, you didn't have to go on a Russian hacker forum. They called it a browser vulnerability stress tester. So if they have a logo it's easy to keep track of them: there's Sweet Orange, RIG. This was my favorite; they're gone now: the Crime Boss. How cool is that? You know, you've got a gun and money, and I don't know what phone that is; it says 2012 up there; it's like an old Google phone. Yeah, and the coke, of course the crime boss has to have coke. There used to be an exploit kit called PopAds exploit kit, mainly because it exploited a web analytic company called PopAds, the pop-up ads that show up in your browser that are annoying and you always click away. And then it changed and morphed and it came back and no one knew what to call it. So this researcher from Emerging Threats was researching this exploit kit and he was watching the TV show Community. You ever seen the TV show Community? Anyone know it? A few. I haven't watched it much, but apparently there's a guy on there called Magnitude; he's some actor or celebrity or something like that, and his catchphrase is "pop-pop," and he just screams that every few seconds. And so this researcher was researching this exploit kit while watching this at the same time, and he just thought, well, let's just call it Magnitude exploit kit. So this exploit kit became Magnitude exploit kit. We actually found out later on a Russian forum that it's called TopExp; that's what the exploit kit's called, but that's boring, and Magnitude is so much cooler. And so even today everyone in the AV industry still calls it Magnitude exploit kit because of the one researcher from Emerging Threats. So it's hard to keep these exploit kits on the same page when everyone's calling them different things. It's part of my bucket list that I want to name my own exploit kit: when I find my first exploit kit, I will name it something like Fluffy exploit kit or something like that, so it will stick forever.

This is RedKit exploit kit. Gold star for whoever can name the reason why it's called RedKit exploit kit. It was discovered by SpiderLabs, I think, and they didn't speak Russian, and it was red, and so it's RedKit exploit kit. RedKit was very different
for a couple of reasons. One day I came across this website. What do you think about this website? Pretty generic. A lot of times we'll find command and control servers and malware sites and they have these generic templates on their website with a lot of stock photos, to kind of fool a researcher: nothing to see here, these are not the websites you're looking for. I totally thought that was it. My wife works at Blue Coat with me; she does a lot of spam stuff. She looked over my shoulder and said, hey, these are the same stock photos that the Canadian pharmacy Viagra scam people use, and I was like, oh really? So that's totally got to be a fake website. This is a fake website. But what bugged me is there's a phone number up there at the top, and so I thought, why would they put a phone number? I've never seen a phone number on these fake template websites. So I thought, I'll just call this number and see what happens, expecting to get nothing, disconnected or something like that, or at best maybe someone from far away who's going to tell me my computer is infected, something like that. I call it and I get this nice lady, she's just like, hey. And so I asked her, well, can you tell me a little bit about the services of your business? And she talks to me and it looks like a legitimate health care company. So it's like, okay. We don't really contact the compromised website owners and try to help them very much, because there are just way too many; it's impossible. But since I'm there, it's like, okay, well, I'm a researcher from Blue Coat, your computer is infected, or your website's infected and distributing malware, and it just went right over the poor lady's head. She has no idea what I'm trying to say; she kept asking me, sir, do you have any questions about our health care services? Eventually I got to the manager and I was able to show him that the website was kind of broken: every link you clicked on was a 404 error, which is why I definitely thought it was a fake website. So I was able to show him that at least and say, hey, you need to get your website fixed.

But what this actually was, this was RedKit exploit kit. What they did, instead of, like Blackhole and all the other ones, having a central server in Russia or somewhere else, they used all compromised websites. So you go to a compromised website, you get redirected somewhere else; the exploit will come from another compromised website; the downloader comes from a different compromised website; all the statistics are sent to a whole different compromised website. So their whole infrastructure is spread throughout compromised websites. To rent out the exploit kit you had to go to another compromised website where they tacked on a few pages where you could fill out a form and request, I want to rent this exploit kit. So it was very unique and very difficult for us at Blue Coat, because there are so many compromised sites it's hard to flag them all. But we can always flag that central server where the actual exploit kit lies, and so they can go down the chain, but we'll block them there and our customers are protected. But with all these compromised websites, and everything's compromised, you get collateral damage, and so we block these websites for our customers and then they complain and all that. So I really thought this was going to be the future of exploit kits. There was an exploit kit called Infinity, or Goon, whoever you ask, that was mimicking this as well, and this was really popular for a time and then suddenly just disappeared, and it's gone now and we really haven't seen it since. The only thing I could say is there must just be logistic problems of keeping all of your data and all your files and all your code on servers that you don't really own. But that was an interesting exploit kit.

They've gotten better at their obfuscation. Deobfuscating their stuff used to be really easy; tools like Wepawet and the automatic deobfuscators would do it really simply. You could easily see the shellcode, you could easily determine what CVE they were exploiting, but now they usually have like two or three layers of obfuscation and it's much harder to do. For their Java stuff they'll do this Java class called Pack, so they'll pack their JARs so it's harder for the AVs to scan. This is a commercial tool for Flash to pack Flash files, and I think Nuclear exploit kit started using these ones, so it's harder for the AVs to read the Flash files. Don't worry, I'll dog on Flash soon; sorry for my Adobe friend. And then they started encrypting everything, so all the strings, all the payloads are encrypted, which makes it a pain because you have to pull it out of memory, just about. I think Magnitude exploit kit is the only one who will just give me a plain EXE file.

More exploits: they definitely have expanded to using more exploits than what they did before. Let's play a little game, shall we? Let's do a little word association. So I'm going to say a word and you just scream out whatever comes first to your mind. So let's start with Microsoft. Okay. What else, BSides? Okay. Java? Yeah, so Java has a bad rap for all the zero-days they had a couple of years back, being very vulnerable; it was a big selling point: uninstall Java, uninstall Java, don't have Java on your machine. That's actually not the case anymore. The big popular thing for the exploit kits right now is our big friend Flash. Flash is the new Java right now. They've even started to drop their Java exploits from their exploit kits, so there are far fewer Java exploits in exploit kits on the web right now than there ever have been before, and the only reason I can give for that is that people are aware now, and so since people are focused on Java, they're going to move to something else, and they're not going to pay attention to Java anymore. But Flash is really getting to be the popular guy.

And also they try to avoid common JavaScript. So like I said, they use PluginDetect; it's just a JavaScript library, so they can just do a bunch of loops to figure out what versions of browser plug-in you're using. Quite literally, we would see this compromised domain and they would tack on a file called plugindetect.js, and the only people on the internet using that file name are the exploit kits, and so it was so easy to catch them. But AVs are aware of that, AVs will detect that, AVs are paying attention to that, so now most of them use a custom library of some sort so they can figure out what you're using. Pay attention that they're using ActiveX to figure out what version of plugins you're using. That's a little table of who uses what. A few of them still use PluginDetect; they have other measures so that they don't get detected, but they'll get rid of that PluginDetect so they don't get detected. Is there a way to minimize the amount of JavaScript I expose? So could we take it another step further, so not show the AV any JavaScript at all, or at least as little as possible? So what a lot of them are doing is they're using our nice friend Flash, and they will drop a file on your machine, a Flash file, and it's not malicious per se; it's just for the JavaScript, or the ActionScript, which is basically just JavaScript, so that ActionScript in the Flash file will do all the scanning and all those things. So the AV now has to parse back in, in order to figure out what is this thing doing and is this malicious.

And then just the Flash exploits in general have gotten really hard to detect as well. This came from Nuclear exploit kit. It's always a fun day for me when I see the flat zero there on VirusTotal for no hits; that's not terribly uncommon, from my experience. So this is the exploit file, the exploit downloader. Usually we'll start to see detections within like two or three hours of when the file first shows up. I mean, you can dog on AVs a lot, but they're good; they're just a bit slow, and eventually they'll start to catch up. But what was interesting about this is it has a couple of votes. So on VirusTotal you can vote and say, well, I think this is bad, and it has a couple of votes already, so I thought, who voted for that? Kafeine, he's a French security researcher, does a lot of good work, and I saw he voted for this two days ago. So this file has been on the internet for almost two and a half days and it still is getting no detections, and I thought, that's crazy, how are they doing this? So I kept paying attention to it. Next day, nothing; the next day after that, nothing. This is three days after I first found that file, so five days from when Kafeine found it, still nothing. Oh, Lenovo Solution Center scheduled hardware scan. Oh, I hate you, Lenovo. This is stupid.
Oh, are you not getting... no postpone? Shut up.
No comment.
I heard that he had something to do with Paunch being arrested.
Or in the US, where they can. Yeah, yeah. And most of them have pretty bad code, you know, simple cross-site scripting and SQL injection, stuff like that. So this is actually two weeks after that file, and it still only has three detections on that Flash file. So I went into, like, why is this? Yeah, we should all be scared of Flash. Why is it so fun, why is it fully undetectable and all that? So this is that file in hex. Anyone recognize that file header? What? I can't hear you, sorry. So Flash should have a CWS header; that's the normal Flash. ZWS, I did not know what that is, and if you look at the hex it kind of looks encrypted; it's pretty random. It's actually a packer, LZMA compression. Has anyone heard of that? I had not heard that much. I went on the internet, could not find too much about it, but it is a Flash packer. WinZip uses it, or no, sorry, 7-Zip. But it's a different packer, and so the AVs must be having trouble with this packer for Flash, because they're not really detecting this that much.

Avoiding detection: I mean, when I first started, I could easily get a website to exploit me all I wanted; now they're doing more to avoid that. So this comes from Angler exploit kit. So again, they're using ActiveX, which is your friend, and they're looking at your system files, looking at your drivers. So that KL, that's Kaspersky, that's a Kaspersky driver, and these other ones are Trend Micro and some other ones. So they're looking for specific AV on your computer to see if you have it, and if you have it they just won't exploit you; they won't touch you. And I just thought that was incredible, that you could go to a website and your browser can read the system files on your computer. If that's not a reason why you shouldn't use Internet Explorer, I don't know what else I could do to convince you. ActiveX. So they look for AVs; they also look for VMware. Again, I use a lot of virtual machines for detection, stuff like that, so that's been a pain in the butt for me, that I can't use that anymore. Cisco or someone claims that Nuclear is doing this with their TDS, so the TDS will actually check this for you first before they send you off. I have not found that myself personally; I can still get exploited by Nuclear on a VM. TDSes do do that though; they can check what country you come from and stuff like that and send you somewhere else. Yeah, yeah, they'll send you to legitimate sites sometimes just to fool you.

So here's kind of a chart of the different ones that they're detecting. Rob Lee and some of the SANS guys are big fans of Orson Scott Card and the Ender's Game series, and there's a big part where Mazer Rackham has a quote about the only teacher is your enemy; only your enemy can teach you where you're weak, where you're strong, and all that. And I thought this was an amazing chart, because if anyone out there is looking for an AV vendor, these are the ones that the exploit kits don't like and they will just prefer to avoid them rather than... yeah, see, Kaspersky's on there, Trend Micro's on there, which kind of surprises me a bit, ESET. And also, I'm sorry, this is being recorded; I should not be saying these things; my views do not represent my employer.

Sandbox evasion: these are popular now for a lot of the downloaders; they'll do a lot of sandbox evasion. This was one I got from Magnitude exploit kit. See how some of these have been renamed "counter"? It basically has five or six different counters, and so the malware just sits there and twiddles its thumbs as it counts to like five billion a couple of times. And why would you do that? Because the sandbox is just going to time out eventually: oh, this sample didn't do anything. And there are lots of different ways to evade sandboxes: you can look at the processors, you can look at how much memory you have. I heard of one sample that looked at the desktop background picture, and if you have the default Windows XP rolling green hills, it just deleted itself, because it's a sandbox; who has that desktop background, who has XP anymore? So lots of different ways to evade sandboxes.

So we're going to go through some examples of some of these exploit kits and what they do, following the kill chain a bit; I won't explain that too much. Angler exploit kit: this is one of the popular ones. Cisco claimed this to be the new Blackhole and the king of exploit kits now. They'll send out spam; they'll use spam guys to send out links to send them to your exploit kit. But a lot of compromised sites; they'll do fake search engines. Pretty much my rule of thumb is you use Google, Google and Google, and if it's not Google then you should not be typing anything into it. We'll get customers who want to go to these: I want this search engine. No, you don't; it's an advertising... We're going to go deeper into this one later. So the compromised site: they're the same as the WordPress ones, they're distributed, things like that; they'll just inject code into different JavaScript files, things like that, on that website. We get a lot of false positives from AV on JavaScript; JavaScript must be just difficult for them to parse and understand. A lot of times they'll send you to an intermediary domain, just a domain that gives you a 302 redirect or an iframe to somewhere else. That's one for Angler.

And then malvertising. So I want to do a poll: if I say the word malvertising, how many people in this room could stand up and explain to me in somewhat detail what is malvertising and why is it a threat on your network? Of course you can. How many people? All right, so if you were sleeping for the rest of this talk, this is the time to pay attention, because malvertising is kind of like the rabbit hole of what we do at Blue Coat. It's just this big rabbit hole we dive into, and it's just a mess and it's terrible. So what malvertising does is they go to legitimate web ad companies, they take out a malicious ad, and then they distribute it through that legitimate ad company. So what we'll see a lot is, like, this is a legitimate website and it's got a search bar, oh how nice, but every time you search they always show you ads. So they'll search for something, a malicious ad will show up and exploit you and send you to that exploit kit, basically. And everyone kind of does it; everyone's involved in this; all the legitimate web ad companies, they all have problems with this, especially AdCash. I doubt anyone here has heard of AdCash; you know, that's a special kind of nerd. But AdCash is a web ad company. They've actually talked to us a couple of times, and we kind of tongue-in-cheek talk to them back, because they have such a dirty
network everything pretty much they distribute is so bad um what does this look like it looks like flash but it's not flash this actually sends you to adware plus potentially unloaded software they'll do fake av stuff they'll even do mobile stuff if you're on mobile they'll pay attention to that and send you to mobile now this is my friend daisy we had a nice conversation there was you know spammy scammy type of dating sites whatever um yeah they just have such a dirty network and why is this so awesome um essentially what they're doing is is all these websites have no idea what's going on in their own website so to kind of put an analogy if i if you
owned a website and it went up to you and said hey can i rent your conference room i'm going to rent your conference room and i'm going to put posters on your windows or the conference room so your people can see it win-win i give you money you don't say you're a say you're a business that's kind of in decline like like a newspaper or something like that so you know you'll see why uh so you do that so you exchange money the first day they show up and they go in their comments room and they put your posters everything's great the next day they show up with five of their friends who are these guys i have no idea
they're in my conference room next day they show up with 20 of their friends you have no idea what they're doing because these big web ad companies they take ads from smaller web ad companies who take ads from smaller web ad companies and somewhere down that chain someone didn't vet the ad that they received and then they load them up into all these ones and then these legitimate these malicious ads are being displayed on big name brand websites latimes.com you named the website we've seen advertising come from it um and so it's insanely popular i don't have to exploit websites anymore i can just put out a malicious ad and all these popular sites that get
tons and tons of traffic ah i didn't think that was a funny part it's like what are they laughing at it's a sad part you should be sad for melvin four hours
lenovo bloatware oh i'm sorry you want to hear that story um so so uh i've requested a mac have not got a mac um this is the software for myit department i should turn this off
Is...
Don't worry.
Where was I? Yeah, so all these big sites, they do it and no one knows what they're doing. So, you know, the Ghostery little plug-in for your browser will show you how many ads are showing. So just to give an example of how many people are doing this, I kind of ran through some of these companies and looked on their websites at how many ads they are loading. Amazon had 18. I checked Blue Coat; they only had five. That was good. Well, good, five's good.

Yeah, definitely, that's the third parties. I used to think that the Internet was, you know, the Internet's free because of advertising, so I didn't use AdBlock, and I've definitely changed that now. But even AdBlock, they have certain ad providers that pay them money now, so they will let those ads in. And like I said, it's changed, from third parties... so, none of them. I've been using uBlock right now; I've had decent success with that right now. Thumbs up over there. It's definitely more aggressive than AdBlock, but that's been successful. So anyways, yeah, AV companies: Kaspersky unfortunately had 23, McAfee 7, Symantec 19, Websense 12. And newspapers, surprisingly, have a lot of them; they just show a lot of ads. Deseret News had 28. KSL only had 23, which is surprising, because last month we had malvertising on KSL, and so that was fun because it was close to home, but only 23; I was expecting that to be higher. Salt Lake Tribune, how many want to guess? Salt Lake Tribune: 10 to 20? 20 to 30? 40 and above? 77 on the Salt Lake Tribune. That is the champion, I think. New York Times only 16. So it's almost like playing Russian roulette with your ads: you know, all you need is one of these guys to load in a malicious web ad and you could get pwned.

The ugly. This was Magnitude exploit kit; someone got infected by going to this site from Magnitude exploit kit. So I went to see... you tell me. I just stopped there; I'm not digging through 92 of these to see which one is doing it. Yeah, that's how you get malware. So here's Angler using this guy right now. Once a certain web ad company gets enough of their traffic as malicious, we'll just mark them bad, and so you don't get them on Blue Coat networks anymore. So these guys are rated bad. This is what it looked like on your traffic: they just go to a website and they search something and they're getting infected.

They use common exploits. I used to say that Silverlight is gonna be the new popular one. Does anyone know what a Silverlight extension looks like? Could you recognize a Silverlight file on your network? The two researchers, yeah. Anyone else? It's .xap, and it's basically just a zip file with DLLs in it. But what uses Silverlight? Netflix does. And so when they started doing Silverlight exploits, I thought, wow, that's a huge market there, because who does not have Netflix on your computer? Anyone? A few of you, probably lying, but okay, all right. But okay, that's a different thing. It hasn't grown in that much popularity. I don't know if... you know, HTML5 is kind of killing it, because now you can do it all with HTML5, so we'll see what happens, but it's not as popular as it once was.

Angler exploit kit will also do this fileless infection. So what they'll do is, instead of dropping a downloader onto your computer, they'll actually inject code straight into your processes. So they can inject code straight into your... I think they did Internet Explorer or explorer. And so forensically there's no file to grab off the hard drive. It's very effective against host intrusion protection systems, things like that. And then the payload they were using was Bedep, just a botnet, and they were doing command and control through SSL. So it's a fileless infection, and then all the callouts, the command and control traffic, you can't look at because it's SSL, basically, unless you do inspection. Surprisingly, though, they'll drop payloads in HTTP for some reason, but then all the other callout traffic is SSL.

So this is what a compromised site would look like for Angler exploit kit. Usually the iframes are invisible; you can't see them. For some reason some of them show up in the corner of the website. And if this text looks familiar to anyone, and probably people won't admit to it, it looks familiar because they just grab text from Pride and Prejudice and throw it in there. So along with the blob of JavaScript that does the scanning, there's just random paragraphs from Pride and Prejudice stuck in there. I guess it's to evade AV, to think, oh, this is legitimate, it's got all this text and stuff. I don't know.

Kind of what the domains look like. This is one of the registrars they like: OVH and LeaseWeb. These are two big web hosts, and they get abused a lot. Some of them use GoDaddy placeholders. So what they do is they just compromise either your DNS host or whatever, and so they take a legitimate site, put gibberish subdomains onto it, and then point that subdomain to a different IP. And they've been doing this forever, and Blackhole's been doing this forever. Cisco did a blog, or someone, and called it "domain shadowing", and it got a bunch of traffic and a bunch of people talking about it because they had a fancy name. So when I do blogs, I have to market myself better and come up with fancy names. Several different groups are using Angler exploit kit; they move around quite often. They'll even do Android stuff. This is some Android ransomware.
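A defender-side heuristic for the domain shadowing pattern just described (random-looking subdomains added under a legitimate registered domain and pointed at an IP the real site never used). This is an added example, not code from the talk or from Blue Coat; the passive-DNS style records, the domain example-paper.com and the addresses are constructed, and "outside the apex's /24" and "two-label registered domain" are assumptions of the example, not rules from the talk.

```python
import math
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed records in the shape of a passive-DNS feed: (fqdn, resolved_ip). Not real data.
RECORDS = [
    ("example-paper.com", "203.0.113.10"),
    ("www.example-paper.com", "203.0.113.10"),
    ("mail.example-paper.com", "203.0.113.11"),
    ("cdn.example-paper.com", "203.0.113.12"),
    ("qzx7ktm2vp.example-paper.com", "198.51.100.77"),    # gibberish label, foreign IP
    ("h8dwe2kq1sxz.example-paper.com", "198.51.100.77"),  # gibberish label, foreign IP
    ("m3p9xq2kvt.example-paper.com", "203.0.113.99"),     # gibberish but same /24: not flagged
]

VOWELS = set("aeiou")

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_random(label):
    """Gibberish heuristic: long label, high entropy, and either few vowels or digits mixed in."""
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    has_digit = any(ch.isdigit() for ch in label)
    return shannon_entropy(label) >= 3.0 and (vowel_ratio < 0.25 or has_digit)

def registered_domain(fqdn):
    # Assumption for this example: the registered domain is the last two labels (no suffix list).
    return ".".join(fqdn.split(".")[-2:])

def find_shadowed(records):
    """Flag subdomains whose leftmost label looks random AND which resolve outside the apex's /24."""
    apex_ip = {fqdn: ip_address(ip) for fqdn, ip in records if fqdn == registered_domain(fqdn)}
    flagged = []
    for fqdn, ip in records:
        parent = registered_domain(fqdn)
        if fqdn == parent or parent not in apex_ip:
            continue  # the apex itself, or a domain we have no baseline for
        label = fqdn[: -len(parent) - 1].split(".")[0]
        same_net = ip_address(ip) in ip_network(f"{apex_ip[parent]}/24", strict=False)
        if looks_random(label) and not same_net:
            flagged.append(fqdn)
    return flagged

if __name__ == "__main__":
    print(find_shadowed(RECORDS))
```

Both conditions are needed: the third gibberish record stays unflagged because it still points into the site's own address block, and ordinary long labels such as "newsletter" fail the entropy test.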
This stuff is getting more and more scary, because they'll even put child porn onto your computer and then say, hey, you have child porn, please pay us this money because you did something illegal. So that's kind of scary stuff. The Browlock ransomware people are doing that too.

afraid.org. Does anyone know what dynamic DNS is? It's like dynamic DNS; you definitely block it out on your network, there's a lot of malicious stuff there. afraid.org is different. So afraid.org is: I own a website, I go to them and say I'll rent my subdomains out to people, and so all these people sign up and just say, yeah, I want a subdomain, and you just give out your domain to them, for some reason. So Nuclear exploit kit uses these for their redirects and stuff, and why, I have no idea, but that's what they do.

Let's see, I'm getting low on time. This is Cdorked; they're using it with RIG exploit kit. They basically compromise whole web servers and then put a whole different Apache web server on it and inject that code into every website on that web server. Pretty impressive. Magnitude exploit kit, using our same friends that we have marked as malicious at Blue Coat, same malvertising. Pretty much all of them use malvertising now. Some of the traffic from Magnitude exploit kit: see, these are the 302 redirects, here's some of the payloads being dropped, and if you notice in here, this is a legitimate Microsoft binary being dropped. That's a KB file; when I look that up, that is actually PowerShell. So the downloader uses PowerShell to download more malware to your computer, and since there was an XP machine without PowerShell, it went and downloaded PowerShell for me. So how nice.

Fiesta exploit kit hosts on Cloudflare, a pain in the butt for us as well. They compromise forums a lot for some reason. This is ExcelForum, for Excel, the Microsoft Office program. It's not owned by Microsoft, but it's so popular that Microsoft will point you to ExcelForum to say, get more information here if you have questions. And it's compromised all the time. I rated it malicious once and I got in so much trouble because it has so much traffic, but it's compromised all the time. Even just to get this screenshot I got compromised, just trying to get the screenshot. So that's Java trying to run, and that's Adobe PDF trying to run. And yeah, let's see, I've only got like five minutes left, so we're going to skip this part; this is more marketing for how cool our tools are. Oh no, this is my favorite part. Well, that's some of the code; that's from the obfuscated JavaScript on the ExcelForum, hosting at least on HostForWeb.

So these threat groups, how are these threat groups working? It's funny to see how they work. There's definitely more of them coming out. A lot of them have ups and downs, so we'll see them do a campaign and then they'll just go dark and we won't see from them for a while. And you talk about it... it could be that... my theory has always been that, I mean, so there's specialization and you've got to have people to do something with the data they just stole, and so I think a lot of them don't have the manpower, so they do a bunch of stuff, they take it down, they analyze the data that they just collected and then go back up again. Am I done, is that what you're saying? All right. So they move around a lot. CryptoWall is the new CryptoLocker, basically; pretty much every exploit kit drops them. They've been using every exploit possible. And it's interesting, the only people I can find that don't use them... that's a big popular one, the Dyre/Dridex people; they're a new banking trojan, pretty popular. Why they do it, or don't use exploit kits, I don't know. That's my talk, thank you.
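An added example for the question raised earlier in the talk about recognizing a Silverlight file on the network: a .xap is a zip archive carrying AppManifest.xaml plus the application's DLLs, so it can be identified by content rather than by extension. This is not code from the talk or from Blue Coat; the sample package built here is a constructed stand-in with a stub DLL, not a real Silverlight app.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # local file header that starts a zip archive; a .xap is just a zip
MZ_MAGIC = b"MZ"            # DOS header that starts every PE image (the DLLs inside the package)

def build_sample_xap():
    """Constructed stand-in for a Silverlight package: manifest, a PE header stub, and a non-code file."""
    manifest = (
        '<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment" '
        'xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" '
        'EntryPointAssembly="App" EntryPointType="App.App">'
        '<Deployment.Parts><AssemblyPart x:Name="App" Source="App.dll"/>'
        '</Deployment.Parts></Deployment>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppManifest.xaml", manifest)
        z.writestr("App.dll", MZ_MAGIC + b"\x00" * 62)   # only the first bytes of a PE header
        z.writestr("notes.txt", "not code")
    return buf.getvalue()

def parse_manifest(xml_bytes):
    """Return the entry assembly and the AssemblyPart sources declared in AppManifest.xaml."""
    root = ET.fromstring(xml_bytes)
    parts = [el.attrib.get("Source") for el in root.iter() if el.tag.endswith("AssemblyPart")]
    return root.attrib.get("EntryPointAssembly"), parts

def inspect_xap(data):
    """Classify a blob by content: zip?, Silverlight manifest?, which entries are real PE DLLs."""
    result = {"is_zip": data.startswith(ZIP_MAGIC), "is_xap": False, "entry_point": None,
              "declared_parts": [], "assemblies": [], "pe_assemblies": []}
    if not result["is_zip"]:
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "AppManifest.xaml" in names:
                result["is_xap"] = True
                result["entry_point"], result["declared_parts"] = parse_manifest(z.read("AppManifest.xaml"))
            for name in names:
                if name.lower().endswith(".dll"):
                    result["assemblies"].append(name)
                    if z.read(name).startswith(MZ_MAGIC):   # extension alone proves nothing
                        result["pe_assemblies"].append(name)
    except zipfile.BadZipFile:
        result["error"] = "truncated or corrupt archive"
    return result

if __name__ == "__main__":
    print(inspect_xap(build_sample_xap()))
```

Comparing declared_parts against pe_assemblies is the useful check: an archive whose manifest lists assemblies that are missing, or whose DLL entries do not start with a PE header, is not a package a Silverlight runtime would load.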