Exploit Krawler: New Weapon against Exploit Kits
Exploit Krawler is a tool for collecting the components used by various exploit kits (Java applets, PDFs, ...) in order to make their analysis easier. These exploit kits are increasingly numerous on the Internet and are increasingly used to drop malware and build botnets. One problem for security researchers is to reproduce the infections and access the whole infection chain. The goal of the Exploit Krawler framework is to answer these problems at a large scale. Exploit Krawler is a cluster of Selenium-instrumented browsers. The browsers are driven in different virtual machines; each virtual machine is monitored to detect an intrusion through its browser.
Monitoring is implemented through the hypervisor. The hypervisor API is used to dump the memory, dump the disks and also launch actions on the virtual machine. Processes, sockets and DLLs which are added or removed during the crawl are checked. Each VM reaches the web pages through Honeyproxy, so all accesses are logged and the proxy downloads the whole set of web transactions (page, applet, executable, ...).
The initial URL list is shared inside the cluster and every newly found URL is distributed through a demultiplexer; the goal is to run different browsers on the same URL with different or identical referrers to trigger the infection, as some exploit kits only trigger for a given Referer and/or a given browser.
The cluster is spread over different continents in order to come from different networks, because some exploit kits also trigger depending on the browser's location. When a browser finds a trapped page, it follows the whole infection chain (redirections, JavaScript callbacks) and the virtual machine is frozen as soon as the first control channel with the central server is up. Meanwhile, the proxy has recorded the whole infection and grabbed the various infection vectors (executable, Java applet, ...) which exploited the browser vulnerabilities. Once the virtual machine is frozen, the whole memory is dumped for analysis, and the whole file system as well. The virtual machine is then released to let the compromise go on, and all connections to the control channel are recorded to get the whole chain.
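The per-VM intrusion check described above (processes, sockets and DLLs added or removed during a crawl, with all legitimate traffic expected to go through the proxy) can be expressed as a snapshot diff plus a verdict. This is an added illustration, not Exploit Krawler's own code; the snapshot layout, the Honeyproxy address and the sample process, DLL and IP values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed model of what a hypervisor-side monitor returns for one VM:
# processes (image, pid), sockets (owning image, remote ip, port), DLLs (host image, path).
@dataclass(frozen=True)
class VmSnapshot:
    processes: FrozenSet[Tuple[str, int]]
    sockets: FrozenSet[Tuple[str, str, int]]
    dlls: FrozenSet[Tuple[str, str]]

def diff_snapshots(before: VmSnapshot, after: VmSnapshot) -> Dict[str, Dict[str, Set]]:
    """What was added and removed, per category, between two snapshots."""
    delta = {}
    for name in ("processes", "sockets", "dlls"):
        b, a = getattr(before, name), getattr(after, name)
        delta[name] = {"added": a - b, "removed": b - a}
    return delta

def assess(delta: Dict, expected_images: Set[str], proxy_ip: str) -> Tuple[bool, List[str]]:
    """Flag the VM as intruded if the crawl added a process outside the expected browser set,
    a socket that bypasses the proxy, or a DLL loaded from outside the system directories."""
    findings = []
    for image, pid in sorted(delta["processes"]["added"]):
        if image.lower() not in expected_images:
            findings.append(f"new process {image} (pid {pid})")
    for image, ip, port in sorted(delta["sockets"]["added"]):
        if ip != proxy_ip:  # every legitimate access goes through Honeyproxy
            findings.append(f"{image} connected directly to {ip}:{port}")
    for host, dll in sorted(delta["dlls"]["added"]):
        if not dll.lower().startswith(("c:\\windows\\", "c:\\program files")):
            findings.append(f"{host} loaded {dll} from a non-system directory")
    return bool(findings), findings

# Constructed sample: baseline before the crawl, then the state after a trapped page
# dropped a binary into the user's temp directory, which opened its own control channel.
FF = "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
DROP = "C:\\Users\\crawl\\AppData\\Local\\Temp\\update.exe"
PROXY_IP = "10.0.0.2"  # constructed Honeyproxy address
EXPECTED = {FF.lower(), "c:\\program files\\mozilla firefox\\plugin-container.exe"}
BEFORE = VmSnapshot(
    processes=frozenset({(FF, 1204)}),
    sockets=frozenset({(FF, PROXY_IP, 8080)}),
    dlls=frozenset({(FF, "C:\\Windows\\System32\\ws2_32.dll")}),
)
AFTER = VmSnapshot(
    processes=BEFORE.processes | {("C:\\Program Files\\Mozilla Firefox\\plugin-container.exe", 1310), (DROP, 1422)},
    sockets=BEFORE.sockets | {(DROP, "198.51.100.7", 443)},
    dlls=BEFORE.dlls | {(FF, "C:\\Users\\crawl\\AppData\\Local\\Temp\\hook.dll")},
)
```

Calling `assess(diff_snapshots(BEFORE, AFTER), EXPECTED, PROXY_IP)` yields three findings (the dropped process, its direct connection, and the injected DLL), while the expected plugin-container child is ignored; a true verdict is the point at which the VM would be frozen for memory and disk dumps.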