
My current understanding is that an exploit kit will fingerprint (gather information on) a system, check those details against a database of vulnerabilities and then attempt to use the relevant exploits.

I can see simple ways of checking for things like the installed version of Flash using JS but this is really easily defended against (because it's just JavaScript that can be stopped, modified or stepped over by the user).

What other techniques are used to gather information on a user when they find their way to the exploit kit's landing page?

For example, how would it discover what version of Adobe Reader you are using or what browser plugins are installed if you landed on my webpage?

schroeder
Arlix
  • Look for strings within the executable. Often they'll have the name and exact version floating around somewhere. – RoraΖ Nov 10 '17 at 13:50

2 Answers


I think you might be assuming that the kits are more complicated than they are.

A kit is designed to exploit specific vulnerabilities. It is not necessary to 'fingerprint' and choose the best exploit. It can just attempt to exploit what it is designed to exploit. Some kits will attempt one method after another in series until something works.

For instance, a kit can be designed to exploit Safari browsers. When a user hits it, the exploit is launched. Whether it works or not depends on whether the correct browser and version made the connection. If it did not, generally nothing happens that the user can see anyway.

For your example of Adobe Reader, the kit does not need to know that a specific version is reading the file. The kit just serves the PDF file with the exploit within it. What's the cost of failure?

On the other hand, if the kit wants to be more targeted, then yes, it looks for the specific markers it requires. But what those markers are, and subsequently how to look for them, will depend on the vulnerability. Too many to enumerate here.

schroeder
  • For a fun look at real-world extreme version targeting, check out the "Zero Days" documentary on Stuxnet... – Brad Werth Nov 10 '17 at 18:38
  • They often do do some basic checks to see if a target is exploitable, but usually (when millions of dollars of collective 0days are not on the line) it's limited to checking the user agent and maybe some basic HTML5 features to see if the version is known to be too old or too new to work. – forest Jan 02 '18 at 03:09

One technique that can be used to gather information on a user is through Flash.

Flash is very similar to Java and can detect your browser type and do much more.

ActionScript code can do a lot.

It can detect whether JavaScript is enabled, your browser type, operating system, and even whether the SWF (Flash file) is running in a sandboxed environment.

How an attacker would use Flash:

  1. Use a Flash file to detect the user's information.

  2. If the browser is Chrome, it will most likely redirect to a dummy page, since Chrome in most cases cannot be exploited due to its sandbox. Or it will redirect you to the exploit landing page.

In most cases JavaScript would not be needed in a Flash exploit, but many exploit kits make use of JavaScript to write the HTML to the DOM.

JAR (packed Java) files and XAP (Silverlight DLL + XAML) files can do the same and in some cases more than Flash.

In general, what most exploit kits do is:

  1. First grab details on the user's system info, primarily through Flash or JavaScript.
  2. If the user's system info is exploitable, then go ahead and exploit it.

Exploit kits also make use of exploits called browser info-leak. Using this they are able to detect your browser version, system information, and plugins!
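The coarse check described in forest's comment on the first answer and in the two steps of this answer (read the client's details, then decide whether to exploit) comes down to parsing the User-Agent and comparing the version against a range. The same parsing is what a defender runs over proxy logs to see which clients on the network would have been selected. This is an added JavaScript example, not code from either answer; the browser-family patterns, the version ranges and the log lines are all constructed.

```javascript
// Added example: User-Agent parsing as a defender would run it over proxy logs
// to find clients a kit's coarse family-plus-major-version check would select.
// Ordered so that Chrome, whose UA also contains "Safari", is tried first.
const FAMILIES = [
  { name: 'Chrome',  re: /Chrome\/(\d+)/ },
  { name: 'Firefox', re: /Firefox\/(\d+)/ },
  { name: 'MSIE',    re: /MSIE (\d+)/ },
  { name: 'Safari',  re: /Version\/(\d+)\S* Safari\// },
];

// Reduce a User-Agent string to { family, major }, or null if unrecognised.
function parseUserAgent(ua) {
  for (const { name, re } of FAMILIES) {
    const m = re.exec(ua);
    if (m) return { family: name, major: parseInt(m[1], 10) };
  }
  return null;
}

// Constructed (hypothetical) target ranges, inclusive major versions; a real
// kit's ranges follow whatever exploits it carries.
const TARGET_RANGES = { Firefox: [30, 40], MSIE: [8, 10] };

// The kit-side decision: is this client's family and version in range?
function inTargetRange(parsed, ranges = TARGET_RANGES) {
  if (!parsed || !(parsed.family in ranges)) return false;
  const [lo, hi] = ranges[parsed.family];
  return parsed.major >= lo && parsed.major <= hi;
}

// Defender side: pull the quoted User-Agent (last quoted field) out of each
// combined-format access log line and report which clients were in range.
function flagLogLines(lines, ranges = TARGET_RANGES) {
  const flagged = [];
  for (const line of lines) {
    const m = /^(\S+) .*"([^"]*)"$/.exec(line);
    if (!m) continue;
    const parsed = parseUserAgent(m[2]);
    if (inTargetRange(parsed, ranges)) flagged.push({ client: m[1], ...parsed });
  }
  return flagged;
}

// Constructed sample log lines in combined log format.
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Nov/2017:13:50:00 +0000] "GET /landing HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"',
  '10.0.0.6 - - [10/Nov/2017:13:50:01 +0000] "GET /landing HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"',
  '10.0.0.7 - - [10/Nov/2017:13:50:02 +0000] "GET /landing HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
];
```

Running `flagLogLines(SAMPLE_LOG)` flags the Firefox 35 and IE 9 clients and leaves the Chrome client alone, which is the split forest describes: a cheap check that only filters out versions too old or too new to be worth the exploit.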