New tool helps analyse exploits

By on
New tool helps analyse exploits

First Java exploit sandbox developed.

Attack research has been given a boost with the development of the first platform to help analyse exploits in a Java and a host of file types.

The tool dubbed Sandy was designed for static and dynamic analysis of formats including Microsoft Office .pdf, jar, Flash and HTML. The beta online version processes only Java exploits. 

Security researcher Rahul Sasi (@fb1h2s) designed Sandy as a means to bulk process some of the 2000 exploits that emerged each day. 

"... there are no sandboxes that process Java exploits at all. So their needs to be an intelligent specialised system that process these exploit samples," Sasi said.

"The main aim of Sandy is to extract the embedded executable, drop documents and URL controllers from file formats and provide attribution [of] attack groups and their technology."

He hoped organisations hit in targetd attacks would submit exploits to the free service to help build intelligence sharing and shore up broader security postures.

 

"What I observed is when a business group let's assume in aviation industry gets hit by a targeted attack, they are very reluctant to tell the world that they were attacked," he said.
"If they were making the info public, then other business groups in the same industry could keep their eyes open and prepare for the threat. Also people are generally interested in knowing who else was attacked with the same exploit they were targeted with."
Exploit analysis was difficult in part because a document exploit for example may only work on Chinese XP machine or a Java exploit might drop files only on Apple Macs.

Sandy was unique in that it ran static analysis first before passing the findings to dynamic analysis. The static processes covers simple XOR; ROL; ROR encryption; packer detection; signature scanning; shellcode detection; meta data analysis; entropy and crypt-analysis, and file version detection.

Analysis sandboxes already existed but Sasi said that dynamic analysis in these environments took up to four minutes to process a sample.

The sandboxes may also lack the right software to analyse the samples, could be stumped by exploit language checks and other missing template and parameter requirements.

"The final aim of Sandy is to take in file formats and [reveal] the binary, controllers embedded inside it and [provide] attribution."

While malware sandboxes could analyse blindly-submitted binary samples, specific criteria were required for exploit sample analysis.

"A document exploit might only work on Chinese XP box or a Java exploit [might] only drop files on Mac machine."

He demonstrated analysis of a string of known Java vulnerabilities, some used in sophisticated attacks including waterhole campaigns targeting Tibetan groups.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
exploits hack in the box java nullcon oracle research security vulnerabilities
In Partnership With

Most Read Articles

Australia gets world-first encryption busting laws

Australia gets world-first encryption busting laws
Defence turns on billion-dollar Telstra comms network

Defence turns on billion-dollar Telstra comms network
NAB's public cloud expansion ran without internal IT staff

NAB's public cloud expansion ran without internal IT staff
ATO prepares massive IT outsourcing shake-up

ATO prepares massive IT outsourcing shake-up
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Automate and secure IOT for Business
Automate and secure IOT for Business
Data Science and AI Solutions for Cybersecurity
Data Science and AI Solutions for Cybersecurity
Intro to AI for Security Professionals
Intro to AI for Security Professionals
Digital Transformation: Hope, or Hype?
Digital Transformation: Hope, or Hype?
How to choose a trusted IT provider
How to choose a trusted IT provider

Events

Log In

Username / Email:
Password:
  |  Forgot your password?