The Story

Blocking attempts to use exploit kits (EKs) against our customers is one of the main goals of Check Point's IPS, so our Intelligence Teams closely follow trends in this area. In late December, we noticed hype around a specific EK, namely Angler EK, and decided to give high priority to writing an IPS protection against it. The protection was included in the IPS package released to customers on January 13th. We elaborate on the technical details of the protection below.

Just two days after releasing this protection, we witnessed real attack attempts against some of our Managed Security Service customers, detected by their IPS blade. The attacked customers included a major bank and a hospital in the US.

On February 21st, a 0day Flash Player vulnerability exploited by Angler EK was published. That same day, we received samples of this 0day attack from an external source and realized that the attack vector we were signing for was still relevant.

In other words, Check Point IPS customers had been protected from this still-unpatched vulnerability even before it was published! At our last check, IPS had identified attack attempts against about 30% of Managed Service customers, in the US, Europe and Australia.

The Signature

Where’s the problem?

EKs usually change their landing page frequently to avoid IPS detection. The URL changes with no specific pattern and therefore can't be signed for, e.g.:

hxxp://andcoming-rfzap.tampasnorecenter.com/x6d2dnmoy3.php
hxxp://netilliteratepranked.fllaserdentist.com/wkgetd0tz0.php
hxxp://sotaharjoituksessa.tagenar.info/2dp78n17ia.php
hxxp://hymirploceinaalgebraisten.mpcaudio.com/vatoq2iddw.php
hxxp://sdfncop348yhsd.dkk40s-3ujdjf3lodp.in/584w31z5gg

Additionally, Angler EK's landing page is highly obfuscated, so no generic detection could be implemented for it with reasonable performance and confidence.

Here’s an example:

So what did we do?

During further analysis of publicly available traffic, a hard-coded string in the infecting server's response was found repeatedly, in all samples.

So, finally, what the signature looks for is the Last-Modified header value, which consists of a future date: July 2039 or 2040. Indeed, this protection has produced only true-positive events.

Following detection in IPS, we took the URLs from the IPS logs and fed them into the AV engine, so the Anti-Virus blade now protects against at least some of these attacks as well.
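To make the signature logic above concrete, here is an added example (not Check Point's IPS code, nor anything from the Angler EK samples) that parses the header block of a raw HTTP response, reads the Last-Modified value, and reports the July 2039 / July 2040 indicator described in the post. It also flags any other Last-Modified timestamp that lies in the future, which is broader than the post's signature and is labelled separately so an analyst can treat it as a weaker, review-worthy signal rather than a confirmed hit. The sample responses and the fixed reference clock are constructed for the demonstration.

```python
"""Added example: flag HTTP responses whose Last-Modified header carries the
implausible future date described in the post (July 2039 or 2040).
This is illustrative code, not Check Point's IPS signature.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Indicator from the post: the Angler EK server's response carried a
# hard-coded Last-Modified value in July 2039 or July 2040.
ANGLER_LAST_MODIFIED_YEARS = {2039, 2040}
ANGLER_LAST_MODIFIED_MONTH = 7  # July

# Constructed reference clock so the demonstration is reproducible.
SAMPLE_NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)


def parse_response_headers(raw_response: bytes) -> dict:
    """Split a raw HTTP response into {lower-cased header name: value}.

    Only the header block (up to the first blank line) is examined; the body
    is ignored, so the cost of the check does not depend on how large or how
    obfuscated the landing page is.
    """
    head, _sep, _body = raw_response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # element 0 is the status line
        name, sep, value = line.partition(b":")
        if sep:
            key = name.strip().lower().decode("ascii", "replace")
            headers[key] = value.strip().decode("ascii", "replace")
    return headers


def parse_http_date(value: str):
    """Parse an HTTP-date (RFC 7231 / RFC 1123 form).

    Returns an aware UTC datetime, or None when the value is not a date.
    """
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):  # TypeError on Python < 3.10
        return None
    if parsed.tzinfo is None:  # a "-0000" zone yields a naive datetime
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def classify_last_modified(raw_response: bytes, now: datetime = SAMPLE_NOW) -> str:
    """Classify a response by its Last-Modified header.

    Returns one of:
      'no-header'         no Last-Modified header present
      'unparseable'       header present but not a valid HTTP-date
      'angler-indicator'  July 2039 / July 2040, the value seen on Angler EK
      'future-date'       any other timestamp later than `now` (weaker signal)
      'ok'                plausible past timestamp
    """
    headers = parse_response_headers(raw_response)
    value = headers.get("last-modified")
    if value is None:
        return "no-header"
    when = parse_http_date(value)
    if when is None:
        return "unparseable"
    if (when.year in ANGLER_LAST_MODIFIED_YEARS
            and when.month == ANGLER_LAST_MODIFIED_MONTH):
        return "angler-indicator"
    if when > now:
        return "future-date"
    return "ok"


# Constructed sample responses (not captures from the post). The bodies are
# placeholders because only the header block matters for this check.
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Last-Modified: Sat, 01 Feb 2014 10:00:00 GMT\r\n"
    b"\r\n"
    b"<html>...</html>"
)

ANGLER_LIKE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Last-Modified: Tue, 12 Jul 2039 04:45:00 GMT\r\n"
    b"\r\n"
    b"<html>...</html>"
)

if __name__ == "__main__":
    for label, resp in (("benign", BENIGN_RESPONSE),
                        ("angler-like", ANGLER_LIKE_RESPONSE)):
        print(f"{label}: {classify_last_modified(resp)}")
```

The 'future-date' class exists because servers with a badly skewed clock can also emit timestamps ahead of the observer's time; the post's signature is deliberately narrow (July 2039 or 2040), which is why it produced only true positives, so keep the two outcomes distinct when turning this into an alert.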

This is what attacks look like in Managed Security Service logs:

An Anecdote on Cyber and Literature

Malicious landing pages usually begin with real text, posing as a legitimate web page. To keep the text changing, they use long passages taken from the internet. If you look closely at the packet capture, you can find Mrs. Jennings, Mrs. Palmer and Mr. Willoughby from Jane Austen's novel "Sense and Sensibility". Different pieces of this story are used in the different Angler EK landing pages.