The Umbrella Security Labs combines our proprietary research tool the Umbrella Security Graph (Sgraph) with various investigative methods and backend predictive algorithms and classifiers to uncover new sets of suspicious and malicious domains each day. We leverage these technologies to discover domains before they are used in the wild, with the goal of ensuring that customers using Cisco Umbrella receive the best protection possible. But given the lofty nature of this claim, we also seek to expose our research and findings so that it’s clear how we accomplish these goals. For example, in a previous post, we explored the relationships between dynamic DNS domains and malware sites. In this blog, we look at sample malicious URLs to determine the most frequently used exploit kits, and discuss some of the notable features of these URLs’ domains.
An Overview of Exploit Kits
Exploit kits are an extremely efficient and popular way of distributing malware to gain control of people’s computers. Let’s quickly review how exploit kits work: First, a user’s traffic is redirected to a server that runs an exploit kit Web application. Then, the kit detects existing vulnerabilities in the software or operating system running on the user’s machine. The kit exploits these vulnerabilities by stealthily dropping a malware payload (directly or via further redirections) on the user’s computer. As a result, the attacker takes over the user’s machine. The ecosystem of exploit kits is quite vast, and these kits can differ technically or with regard to their business model. A good poster showing the common exploit kits of 2012 is available on deependresearch.org.
[Exploit kits poster published on http://www.deependresearch.org/2012/11/common-exploit-kits-2012-poster.html]
An Umbrella Security Labs Exploit Kit Study
To perform a study on how exploit kits are behaving, we take random samples of malicious URLs from our database for a period of 7 days, and use Yara (more on the tool at the end of this post) rules to detect known exploit kits URLs and report the percentage of URLs for each exploit kit. We also analyze the domains of the URLs for any noticeable features.
In the figure above, we see the top 3 most frequent exploit kits in the URL samples. As expected, Blackhole is the most prevalent followed by Red kit, then Safepack.
We then take as an example, the URLs that are related to Blackhole and further investigate their domains using the Umbrella Security Graph (Sgraph). For the example domain dfudont[.]ru, Sgraph shows in the figure below that it is fastflux, hosted on an ASN with a suspicious score, has a low C-Rank and that the domain has been assigned a low score by our classifier.
Details on a Sample of Blackhole Domains
Domains such as jindalo[.]ru, ijsiokolo[.]ru, ifikangloo[.]ru, ejjiipprr[.]ru, and dfudont[.]ru, are detected as fastflux and registered in January-April 2013. One of our predictive algorithms detects fastflux domains daily. These domains are often registered recently then start triggering DNS traffic.
The domain ehrap[.]net is registered on May 2nd, and stays dormant for 5 days. It starts being DNS-active on May 7 and our fastflux detection system catches it on that day, which is also the same day it begins delivering malware in a fake Amazon spam campaign. On May 8, we catch the domain nilokwe[.]pw as fastflux, which is the same day it is registered. On May 9, we detect the domain pinformer[.]net as fastflux. The three domains ehrap[.]net, nilokwe[.]pw, pinformer[.]net are all Blackhole related domains as urlquery reports it (click on the domain name to see the urlquery report). Furthermore, as of May 8, the three domains ehrap[.]net, nilokwe[.]pw, and pinformer[.]net use the same name server(s): ns1[.]recorderbooks[.]net and ns2[.]recorderbooks[.]net. ns[1-2].recorderbooks[.]net also serve as name servers for nopfrog[.]pw. This domain was registered on May 4, stayed dormant, then started activity as a Blackhole domain on May 9-10. We spotted it at the same time via its name server association with fastflux Blackhole domains.
justcollega[.]net is hosted on 37.59.215.18. This IP is hosting several other known malicious domains, and others not yet flagged as malicious. Some of the latter domains were registered in early May, e.g. ksufsdkjvbdskvsdkvsdv[.]com on May 2, justcollega[.]com on May 4, burnbug[.]net on May 5, zohoretail[.]biz on May 5, and contasesso[.]net on May 6. These domains are suspicious and justify that we block them or quarantine them.
Several known Blackhole related domains are hosted on the same IPs, as the figure below shows (from the studied sample). One such IPs is 37.230.116.89. This IP hosts other domains, and similarly several are registered recently. For example, kawsedrol[.]us, kawsedrol[.]info, kawsedrol[.]biz, qertroli[.]us, qertroli[.]info, polkawsed[.]org, polkawsed[.]info are all registered on May 1st 2013. Some of these domains already have known subdomains hosting or redirecting to malware. This justifies that we block the 2LDs.
More Details on Yara, the Tool for Our Study
Yara is a malware identification and classification tool that is fast at detecting textual patterns in URL samples. One can use known regular expressions of exploit kits’ URLs as rules and fire up the Yara engine to see which URLs match the rules. For example, a known string rule for detecting certain Blackhole URLs looks like:
rule blackhole : exploit_kit
{
strings:
$a = /.php?.*?:[a-zA-Z0-9:]{6,}&.*?&/
condition:
$a
}
Another rule for detecting certain Red kit URLs used for dropping malware payloads looks like:
rule redkit_bin : exploit_kit
{
strings:
$a = //d{2}.htmls/
condition:
$a
}
