Tired of Playing Exploit Kit Whack-A-Mole? Let's automate

Presented at BSidesSF 2017, Feb. 12, 2017, 4:50 p.m. (30 minutes).

Exploit Kits (EKs) have been very successful in delivering tailor made exploits and spreading malware. EK as a service has lowered the bar of entry for attackers, enabling wide-spread malware infections. Defenders have been using dynamic analysis tools like Cuckoo sandbox and JavaScript de-obfuscators like JSDetox and Revelo to detect and analyze EKs, but these approaches don't scale very well across billions of websites. In this talk, I'll discuss a new technique to crawl the web at scale and detect EKs using headless browsers equipped with JavaScript and DOM inspectors. I'll demonstrate a proof of concept and unravel the behavior of some of the latest EKs hiding in plain sight.

Presenters:

• Anjum Ahuja
  Anjum is a Threat Researcher at Endgame, working on problems related to network security, malwares, and large scale data analysis. He has a background in computer networks, routing and IOT security, and holds multiple patents in these fields. Anjum holds a Masters in computer science from Johns Hopkins University.

Links:

• https://bsidessf2017.sched.com/event/9IKk/tired-of-playing-exploit-kit-whack-a-mole-lets-automate

Similar Presentations:

• Hackfest 2016 / Exploit Kits: The Biggest Threat You Know Nothing About
• Black Hat Europe 2018 / Deep Impact: Recognizing Unknown Malicious Activities from Zero Knowledge
• BSidesLV 2019 / From EK to DEK: An Analysis of Modern Document Exploit Kits