Last-minute paper: The ROP pack presented at Virus Bulletin 2010

by Kurt Baumgartner (Kaspersky Lab)

Tags: Security

URL: http://www.virusbtn.com/conference/vb2010/abstracts/LastMinute4.xml

Summary: "
In addition to automated social engineering techniques, exploit packs continue to be the rage for mass exploitation across the Internet. It is easy to estimate that millions of Internet users have visited sites hosting exploit pack generated web pages. A long list of packs has come and gone over the past handful of years, leaving behind a few of the most popular like Eleonore, Phoenix, and the Siberia exploit packs.

We will dissect these packs, examine and compare their characteristics and effectiveness and how they have changed this past year, focusing most on recent ITW installations and events. A long list of characteristics will be presented for this underground phenomenon: pricing models, development challenges, implementation, exploits, low-level technical details of the shellcoding, and some of the payloads themselves.

The market for these packs is reactive and changing, which leads to a number of interesting questions: How easy is it to identify the presence of one kit versus another on the web? Is attribution easy (while not necessarily our job or interest, we will provide an example)? How is the market affected by Windows 7, DEP and ASLR? Is the shellcode simply copy/pasted from other projects or is it developed privately? How long a window of opportunity do their exploits have to be effective? And finally, are there any advanced shellcoding or programming techniques in the current kits? This time, the answer is yes: some of the coders found Metasploit inadequate for serving their cross-OS exploitation needs, and developed similar, but improved, ROP techniques. While ROP shellcoding techniques were considered to be too new by the researchers presenting at Black Hat USA to be ITW, we find that ROP shellcoding was developed and delivered to even the commodity exploit packs in mid to late summer this year. We will examine and present these ITW techniques present in the resurrection of one particular exploit pack.

At the time of this abstract's submission, an offensive security group begins its month of undisclosed bugs, releasing zero-day proof-of-concepts effectively attacking services on Windows 2008 SP1 with DEP 'alwayson'. We will monitor this event and ROP code to identify its inclusion in ITW packs and malware.

It's something that Lil Wayne and Jay-Z might not participate in, but rop isn't quite rap.
"