Exploit Kit traffic analysis
Exploit kits have become one of the most widespread and destructive threats that Internet users face on a daily basis. Since MPack, the first toolkit to be categorized as an exploit kit, appeared in 2006, a succession of exploit kit variants has compromised popular websites, infected hosts and delivered destructive malware, and their sophistication has grown rapidly to date. With this growing threat landscape, networks of every size, from large enterprises to home networks, have adopted multiple security solutions to guard their perimeter against them. An exploit kit is a type of malicious toolkit used to identify and exploit security holes in the web browser plugins installed on a victim's computer, in order to achieve its real aim: infecting that computer with malware. Exploit kit authors have proven to be skilled crimeware programmers; their kits embody sophisticated code and characteristics that make analysis and detection challenging for security controls and analysts alike. In this thesis, we examine the exploit kit phenomenon from all of these perspectives. First, we explain the motivation for studying this subject and survey previous work by cybersecurity researchers on exploit kit analysis. We also review past cyber security incidents in which an exploit kit was the main actor, and describe the infrastructure and the business model exploit kit operators typically follow to profit from their underground activity. To familiarize the reader with exploit kits, we discuss the ways in which they propagate, and describe and analyze their main characteristics, which can be categorized as attack characteristics and self-defense characteristics.
We also cover the procedure of analyzing network traffic captures that contain traffic produced by exploit kits, as a walkthrough for researchers interested in performing basic malware traffic analysis. Finally, we designed a simple command-line script that takes as input a packet capture file recorded during a live infection by an exploit kit and parses the packets according to the exploit kit theory described in this thesis, in order to indicate the potential attack path the actor followed to compromise the victim. The code is based on the results of our research and on our observations from analyzing many malware samples. It should be useful to a researcher who wants to quickly identify a starting point for the analysis of samples containing exploit kit traffic.
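As an illustration of the kind of parsing such a script performs (this is an added example, not the thesis's own script), the following Python program reads a classic pcap file, extracts the HTTP requests from it, and labels each request with its probable role in the infection chain by following Referer headers and the extension of the requested object. The capture bytes, the .test hostnames and the URIs are constructed inline for the example and do not come from a real infection; the role heuristics (a Referer-less first request is the compromised site, a page that is the Referer of an exploit request is the landing page, .swf/.jar/.xap objects are plugin exploits, an .exe is the payload) are simplifying assumptions chosen for illustration.

```python
import struct
from collections import namedtuple

HttpRequest = namedtuple("HttpRequest", "ts host uri referer")

# Constructed sample infection chain (hypothetical .test hostnames, not a real capture):
# compromised site -> gate -> landing page -> Flash exploit -> payload.
SAMPLE_CHAIN = [
    ("www.news-site.test", "/index.html", None),
    ("gate.redirector.test", "/go?id=7", "http://www.news-site.test/index.html"),
    ("landing.ek-host.test", "/ek/landing.php", "http://gate.redirector.test/go?id=7"),
    ("landing.ek-host.test", "/ek/exploit.swf", "http://landing.ek-host.test/ek/landing.php"),
    ("landing.ek-host.test", "/ek/payload.exe", "http://landing.ek-host.test/ek/landing.php"),
]


def build_pcap(chain):
    """Serialise the constructed chain into a little-endian classic pcap (linktype 1, Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, (host, uri, referer) in enumerate(chain):
        req = f"GET {uri} HTTP/1.1\r\nHost: {host}\r\n"
        if referer:
            req += f"Referer: {referer}\r\n"
        payload = (req + "\r\n").encode()
        # TCP header: client port, dst port 80, seq, ack, data offset 5 words, PSH|ACK
        tcp = struct.pack("!HHIIBBHHH", 49152 + i, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
        # IPv4 header without options, protocol 6 (TCP); checksums left zero for the example
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         bytes([10, 0, 0, 2]), bytes([203, 0, 113, 10 + i])) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip          # Ethernet header, EtherType IPv4
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


SAMPLE_PCAP = build_pcap(SAMPLE_CHAIN)


def parse_pcap(data):
    """Return the HTTP requests found in a classic pcap, in capture order."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off, reqs = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:                               # not TCP
            continue
        tcp = frame[14 + ihl:]
        payload = tcp[(tcp[12] >> 4) * 4:]                   # skip TCP header incl. options
        if not payload.startswith((b"GET ", b"POST ")):
            continue
        head = payload.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
        uri = head[0].split(" ")[1]
        hdrs = {k.lower(): v for k, v in (l.split(": ", 1) for l in head[1:] if ": " in l)}
        reqs.append(HttpRequest(ts_sec + ts_usec / 1e6, hdrs.get("host", ""), uri, hdrs.get("referer")))
    return reqs


def url_of(r):
    return f"http://{r.host}{r.uri}"


def file_kind(r):
    """Heuristic role from the requested object's extension (an assumption for the example)."""
    path = r.uri.lower().split("?")[0]
    for ext, kind in ((".swf", "exploit (Flash)"), (".jar", "exploit (Java)"),
                      (".xap", "exploit (Silverlight)"), (".exe", "payload")):
        if path.endswith(ext):
            return kind
    return None


def attack_path(reqs):
    """Label every request with its probable role in the chain, in capture order."""
    children = {}                                   # Referer URL -> requests that cite it
    for r in reqs:
        if r.referer:
            children.setdefault(r.referer, []).append(r)
    path = []
    for r in reqs:
        role = file_kind(r)
        if role is None and r.referer is None:
            role = "compromised site"
        elif role is None and any((file_kind(c) or "").startswith("exploit")
                                  for c in children.get(url_of(r), [])):
            role = "landing page"
        elif role is None:
            role = "gate/redirector"
        path.append((role, url_of(r)))
    return path


if __name__ == "__main__":
    for role, url in attack_path(parse_pcap(SAMPLE_PCAP)):
        print(f"{role:22s} {url}")
```

Running the block prints the five requests in capture order with their inferred roles. Real exploit kit traffic is less cooperative than this sample: URIs are frequently obfuscated without telling extensions, and Referer headers are sometimes absent, so a production tool would also have to inspect response Content-Type headers, magic bytes and request timing before deciding which request is the landing page or the payload.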