Open any security blog and you are likely to find some information on the latest 0day being exploited in the wild by one or more of the popular exploit kits. Knowing how exploit kits are evolving over time allows researchers to validate a security stack against the latest capabilities, enables red teams to repurpose the latest in-the-wild threats, and helps vulnerability researchers stay current on the latest exploits. However, getting samples or other specific insight into these changes is hard, because direct access to the tools is guarded and signatures are constantly changing. How can researchers identify and collect their own samples without relying on any static signatures? This talk will reveal an automated system that relies on behavioral exploit detection, rolled into a sandbox that continually crawls popular websites for infection. The system captures a steady stream of exploit kit samples that can support a wide range of research initiatives. We will also discuss samples captured with this system from popular exploit kits such as Neutrino, RIG, and Magnitude.
Joe Desimone is a Malware Researcher at Endgame. He has over 5 years of experience in the information security industry; primarily tracking and countering APTs, reverse engineering malware, and developing novel techniques and tools to empower hunt teams. Joe holds a BS and MS in Computer Security from RIT.