Diving into a Silverlight Exploit and Shellcode – Analysis and Techniques

In recent years, exploit-kits have become one of the most common platforms for malware distribution. One of the exploits delivered by the Infinity exploit-kit targets a security vulnerability in Microsoft Silverlight.

Compared to exploits for other technologies such as Java, PDF and Flash, Silverlight exploits are less common. For a rough comparison, according to cvedetails.com, from 2010 to 2014, 15 vulnerabilities were reported for Microsoft Silverlight, while Adobe Acrobat Reader had 268 vulnerabilities, Adobe Flash Player had 321 vulnerabilities, Microsoft Internet Explorer had 392 vulnerabilities and Java had at least 358 vulnerabilities. However, Microsoft Silverlight exploits, specifically for CVE-2013-0074, are still delivered in active and well-known exploit kits.

In our paper, we wanted to focus more on the exploit and shellcode analysis coming from the Infinity exploit-kit rather than the vulnerability itself.

In many cases, exploit analysis is bound by limitations and conditions dictated by the exploit's context. Various techniques therefore have to be combined in order to analyze the exploit successfully: .NET DLL decompiling and patching, memory analysis and, of course, dynamic execution debugging.

In our paper we also observe how the exploit is obfuscated, how it loads parts of its code dynamically into memory in order to reduce the chances of being detected by signature-based protections, and how to extract these components from the exploit. In addition, we look at the shellcode supplied by the exploit-kit and how it uses encryption to hide the payload's URL and contents.

Read the full paper for an in-depth look into our analysis.