I was reading a post from the contagio blog, which I highly recommend; Mila provides a lot of samples and other very useful information. One of the latest posts is related to exploit packs: Mila is compiling an exhaustive list of exploit packs and the vulnerabilities they use.
I have recently started using Maltego, again highly recommended, and when I downloaded the table of exploit packs I immediately thought that Maltego might be the perfect tool to represent the information slightly differently.
I had to modify Mila's table in order to import it easily into Maltego. A few tricks and modifications gave me a proper CSV file with the CVE, the vulnerable application (e.g. Flash, PDF, Java, etc.) and the name of the exploit pack.
Some of you might argue that all this can be done from the table provided, playing with filters and other formulas. However, this would underestimate the power of Maltego and its ability to use visualisation to turn data into information. Not to mention the primary use of Maltego: running transforms and leveraging Open Source Intelligence to find even more information.
The first image shows the overall relationships between the exploit packs (blue circles), the vulnerabilities (green circles) and the applications (yellow circles).
The size of each circle also matters, as it depends on the number of outgoing/incoming links. So you can immediately see that the main targeted applications are Java, Flash, PDF (Acrobat) and Internet Explorer.
Let’s get confirmation of this:
Confirmed: Java, Flash, PDF and Internet Explorer are the main targeted applications. It might be good to prioritize your patch management on those!
Now let's see something interesting: by selecting the links you can see that Java is actually targeted by all packs except two (Assoc ID (unconfirmed) and Zhi Zhu)!
Looking at the CVE references, the situation is less clear, but there are still a few interesting things:
The following CVEs are the most used:
- CVE-2006-0003 – Windows ActiveX
- CVE-2010-0188 – Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1
- CVE-2011-3544 – Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27
- CVE-2012-0507 – Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier
- CVE-2012-1723 – Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier
- CVE-2012-4681 – Java SE 7 Update 6 and earlier
- CVE-2013-0422 – Java 7 before Update 11
Sounds familiar? Well, go patch Java and come back here for the rest…
Looking at the exploit packs that exploit the most vulnerabilities:
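The same link-count analysis Maltego does with node sizes can be reproduced from the three-column CSV described above. This is an added example, not code from the original post: the pack/CVE pairings in the sample rows are constructed for illustration and are not taken from Mila's table, so only the structure (CVE, application, pack) matches the import file.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows in the three-column layout used for the Maltego
# import (CVE, vulnerable application, exploit pack). The pairings are
# illustrative only, not Mila's data.
SAMPLE_CSV = """cve,application,pack
CVE-2013-0422,Java,Blackhole 1.2.5
CVE-2013-0422,Java,Cool Jan 2013
CVE-2013-0422,Java,Gong Da
CVE-2012-4681,Java,Blackhole 1.2.5
CVE-2012-4681,Java,Gong Da
CVE-2010-0188,PDF,Blackhole 1.2.5
CVE-2010-0188,PDF,Phoenix 3.1
CVE-2006-0003,Internet Explorer,Phoenix 3.1
CVE-2006-0003,Internet Explorer,Zhi Zhu
"""

def load_edges(text):
    """Parse the CSV into (cve, application, pack) tuples."""
    reader = csv.DictReader(io.StringIO(text))
    return [(r["cve"].strip(), r["application"].strip(), r["pack"].strip())
            for r in reader if r["cve"]]

def application_degree(edges):
    """Distinct packs linked to each application: the 'circle size' in the graph."""
    links = defaultdict(set)
    for cve, app, pack in edges:
        links[app].add(pack)
    return Counter({app: len(packs) for app, packs in links.items()})

def cve_usage(edges):
    """How many distinct packs exploit each CVE, most used first."""
    links = defaultdict(set)
    for cve, app, pack in edges:
        links[cve].add(pack)
    return Counter({cve: len(packs) for cve, packs in links.items()})

def packs_missing_application(edges, app):
    """Packs with no link to the given application (e.g. the packs not targeting Java)."""
    targeting = {pack for _, a, pack in edges if a == app}
    return sorted({pack for _, _, pack in edges} - targeting)

if __name__ == "__main__":
    edges = load_edges(SAMPLE_CSV)
    print(application_degree(edges).most_common())   # Java first
    print(cve_usage(edges).most_common(3))
    print(packs_missing_application(edges, "Java"))
```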
- Gong Da
- Phoenix 3.1.15
- Eleonore 1.8.91
- Phoenix 3.1
- Blackhole 1.2.3
- Cool Jan 2013
- Alpha Pack
- Blackhole 1.2.5
- Siberia Private
That's interesting information; however, the number of vulnerabilities exploited by a pack does not necessarily mean that this exploit pack is the most dangerous. Therefore it might be more interesting to have a look at one of the most used CVEs…for 2013. There you go:
And here again it seems that Java with CVE-2013-0422 is the big winner! This list of exploit packs is a subset, so you can start gathering more information about those, how to identify them, etc.
There is definitely more to do and much more information to be extracted from the table provided by Mila. You can also see that Maltego is a great tool to visualise data and identify key information quickly.