Kurt Baumgartner Kaspersky Lab
download slides (PDF)
In addition to automated social engineering techniques, exploit packs continue to be the rage for mass exploitation across the Internet. It is easy to estimate that millions of Internet users have visited sites hosting exploit-pack-generated web pages. A long list of packs has come and gone over the past handful of years, leaving behind a few of the most popular, such as the Eleonore, Phoenix and Siberia exploit packs.
We will dissect these packs, examining and comparing their characteristics and effectiveness and how they have changed this past year, focusing mostly on recent ITW (in-the-wild) installations and events. A long list of characteristics of this underground phenomenon will be presented: pricing models, development challenges, implementation, exploits, low-level technical details of the shellcoding and some of the payloads themselves.
The market for these packs is reactive and changing, which leads to a number of interesting questions: How easy is it to identify the presence of one kit versus another on the web? Is attribution easy (while not necessarily our job or interest, we will provide an example)? How is the market affected by Windows 7, DEP and ASLR? Is the shellcode simply copied and pasted from other projects, or is it developed privately? How long a window of opportunity do their exploits have to be effective? And finally, are there any advanced shellcoding or programming techniques in the current kits? This time, the answer is yes: some of the coders found Metasploit inadequate for their cross-OS exploitation needs and developed similar, but improved, ROP techniques. While the researchers presenting at Black Hat USA considered ROP shellcoding techniques too new to be ITW, we find that ROP shellcode was developed and delivered even to the commodity exploit packs in mid to late summer this year. We will examine and present these ITW techniques as found in the resurrection of one particular exploit pack.
At the time of this abstract's submission, an offensive security group is beginning its month of undisclosed bugs, releasing zero-day proofs-of-concept that effectively attack services on Windows 2008 SP1 with DEP 'alwayson'. We will monitor this event and its ROP code to identify their inclusion in ITW packs and malware.
It's something that Lil Wayne and Jay-Z might not participate in, but ROP isn't quite rap.