Recently, our partner Exatel published its latest research project outlining its investigation following an alert from Fidelis Network, which identified RIG exploit kit traffic traversing a network. This isn’t interesting, per se, as exploit kit traffic is common in most environments. What made this research interesting is that Exatel, a security services provider for the largest government bodies in Poland, developed a way to detect RIG-infected websites by the presence of a single-byte fingerprint in the HTML a remote website serves. As exploit kit tracking is of particular interest at Fidelis (https://www.botconf.eu/wp-content/uploads/2016/11/PR09-Tracking-exploit-kits-Bambenek.pdf), this report caught our attention.
Exploit kits are one of the two main commodity methods for automated infection of victim machines (e-mail based lures being the other). These kits involve an infected webserver that will serve up exploits; their success relies on them targeting websites that people will go to anyway. Examples could be a bank website, a political organisation, church, or similar.
The problem for the internet at large is that even if an organisation detects exploit kit traffic, it only learns of that one specific infected webserver. There are few means to remotely assess entire portions of the internet to see whether they are part of the same exploit kit network. This makes the work of CERTs and those who want to help clean up the internet a little more difficult.
Exploit kits will perform a variety of checks on victims to see if they are suitable for infection: user-agent, country of source IP, whether there is an active malware campaign, etc. By changing IP address, you can change the behaviour of the exploit kit (many malware campaigns only target specific countries). Exploit kits use the user-agent to decide what types of exploits to send to the browser.
In this case, the skilled researchers at Exatel discovered a flaw in the exploit kit: if there was no active malware campaign, the compromised website would add a single byte (0x0A, the number 10) to the page it served. Otherwise, if a request came in with a user-agent string the kit targeted, it would attempt to exploit; if there was no attempt to target that user-agent string, the HTML would remain unmodified. This was likely due to a coding error on the part of the exploit kit operator.
This flaw allowed Exatel to create a fingerprint to scan all .pl domains. In total, the team found 1,041 compromised websites in use by RIG during a period of time when there was no active malware campaign targeting Poland. This method could be reproduced for other TLDs to assist in cleanup.
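The check behind such a scan is a comparison: two captures of the same page, where the only difference is one added 0x0A byte. The following is an added example (not Exatel's or Fidelis' code) showing that comparison, including the verdict a scanner needs for pages that differ for ordinary reasons such as dynamic content. The sample responses are constructed; how the two captures are obtained in practice (for instance, which user-agent strings are sent) is an assumption the post does not spell out.

```python
"""
Added example, not code from Exatel or Fidelis: decide whether a captured page
matches the single-byte fingerprint described in the post (one extra 0x0A byte
added to otherwise unmodified HTML). Sample responses below are constructed;
how the two captures are fetched is an assumption, not something the post states.
"""
from typing import Optional

FINGERPRINT_BYTE = 0x0A  # the single byte (newline, decimal 10) the post says RIG adds


def inserted_byte_offset(baseline: bytes, probe: bytes) -> Optional[int]:
    """Return the offset of the extra byte if `probe` is exactly `baseline`
    with one FINGERPRINT_BYTE inserted somewhere; otherwise None."""
    if len(probe) != len(baseline) + 1:
        return None
    # Walk to the first position where the two captures disagree
    # (p == len(baseline) means the extra byte was appended at the end).
    p = 0
    while p < len(baseline) and baseline[p] == probe[p]:
        p += 1
    # The differing byte must be 0x0A and everything after it unchanged.
    if probe[p] == FINGERPRINT_BYTE and probe[p + 1:] == baseline[p:]:
        return p
    return None


def classify(baseline: bytes, probe: bytes) -> str:
    """Label a pair of captures: 'identical', 'fingerprint' (a single 0x0A
    inserted), or 'differs' (any other change, e.g. dynamic page content,
    which a scanner must not mistake for the fingerprint)."""
    if baseline == probe:
        return "identical"
    if inserted_byte_offset(baseline, probe) is not None:
        return "fingerprint"
    return "differs"


# Constructed sample captures (not real site content).
CLEAN = b"<html><body><h1>Parish news</h1></body></html>"
TAGGED = CLEAN + b"\n"                                   # single 0x0A appended
TAGGED_MID = CLEAN.replace(b"<body>", b"<body>\n", 1)    # single 0x0A inserted inside
OTHER_BYTE = CLEAN + b"x"                                # one extra byte, but not 0x0A
DYNAMIC = CLEAN.replace(b"news", b"news 12:34", 1)       # ordinary per-request change


def demo() -> dict:
    """Run the classifier over the constructed captures."""
    return {
        "clean": classify(CLEAN, CLEAN),
        "tagged": classify(CLEAN, TAGGED),
        "tagged_mid": classify(CLEAN, TAGGED_MID),
        "other_byte": classify(CLEAN, OTHER_BYTE),
        "dynamic": classify(CLEAN, DYNAMIC),
        "tagged_offset": inserted_byte_offset(CLEAN, TAGGED),
        "tagged_mid_offset": inserted_byte_offset(CLEAN, TAGGED_MID),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

Only the `fingerprint` verdict should feed a cleanup list; `differs` is the caveat for pages that change between requests anyway, and the two captures should be taken close together to keep that noise down.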
What this does show is that drilling in on alerts and performing additional analysis can lead to unique insights that allow you not only to protect your organisation proactively, but also to map an adversary’s infrastructure thoroughly. From there it is easy to get ahead of the adversary, even temporarily, and to take disruptive action with national CERTs to impose costs on the bad guys.