New tool helps analyse exploits

By Darren Pauli on Oct 21, 2013 10:15AM

First Java exploit sandbox developed.

Attack research has been given a boost with the development of the first platform to help analyse exploits in a Java and a host of file types.

The tool dubbed Sandy was designed for static and dynamic analysis of formats including Microsoft Office .pdf, jar, Flash and HTML. The beta online version processes only Java exploits.

Security researcher Rahul Sasi (@fb1h2s) designed Sandy as a means to bulk process some of the 2000 exploits that emerged each day.

"... there are no sandboxes that process Java exploits at all. So their needs to be an intelligent specialised system that process these exploit samples," Sasi said.

"The main aim of Sandy is to extract the embedded executable, drop documents and URL controllers from file formats and provide attribution [of] attack groups and their technology."

He hoped organisations hit in targetd attacks would submit exploits to the free service to help build intelligence sharing and shore up broader security postures.

"What I observed is when a business group let's assume in aviation industry gets hit by a targeted attack, they are very reluctant to tell the world that they were attacked," he said.

"If they were making the info public, then other business groups in the same industry could keep their eyes open and prepare for the threat. Also people are generally interested in knowing who else was attacked with the same exploit they were targeted with."

Exploit analysis was difficult in part because a document exploit for example may only work on Chinese XP machine or a Java exploit might drop files only on Apple Macs.

Sandy was unique in that it ran static analysis first before passing the findings to dynamic analysis. The static processes covers simple XOR; ROL; ROR encryption; packer detection; signature scanning; shellcode detection; meta data analysis; entropy and crypt-analysis, and file version detection.

Analysis sandboxes already existed but Sasi said that dynamic analysis in these environments took up to four minutes to process a sample.

The sandboxes may also lack the right software to analyse the samples, could be stumped by exploit language checks and other missing template and parameter requirements.

"The final aim of Sandy is to take in file formats and [reveal] the binary, controllers embedded inside it and [provide] attribution."

While malware sandboxes could analyse blindly-submitted binary samples, specific criteria were required for exploit sample analysis.

"A document exploit might only work on Chinese XP box or a Java exploit [might] only drop files on Mac machine."

He demonstrated analysis of a string of known Java vulnerabilities, some used in sophisticated attacks including waterhole campaigns targeting Tibetan groups.