This is a workshop to show how to analyze obfuscated Javascript code from an Exploit Kit page, extract the exploits used and analyze them. Nowadays it is possible to use automated tools to extract URLs and binaries but it is also important to know how to do it manually and how to find out which vulnerability is being exploited to not to miss a detail. We will focus on PDF exploits mostly, starting from a simple Javascript Hello World document and ending with a real file used by a fresh Exploit Kit or containing one of the latest vulnerabilities. This workshop will also include exercises to modify malicious PDF files and obfuscate them to try to bypass AV software, very useful in pentesting. The last version of peepdf (included in REMnux, BackTrack and Kali Linux) will be used for accomplish these tasks, so it means that this presentation covers the latest tricks used by cybercriminals to make the analysis more difficult. If you want to learn how to analyze Exploit Kits and PDF exploits in detail, this is your workshop.
No specific knowledge is required, but some Javascript skills would help to deobfuscate code…
Bring your own laptop. A Linux installation, even on a virtual machine, could simplify the setup, but it is not required.
Jose Miguel Esparza is a Security Researcher who has been working as an e-crime analyst for more than seven years, focused on botnets, malware, and Internet fraud. After working at S21sec e-crime, he joined the Fox-IT InTELL team in The Netherlands.
Author of some exploits and analysis tools like Malybuzz and peepdf (http://peepdf.eternal-todo.com), he is also a regular writer on eternal-todo.com about security and threats in Internet, and has taken part in several conferences, e.g. RootedCon (Spain), NcN (Spain), CARO Workshop (Czech Republic), Source Seattle (USA), Black Hat (Europe / USA / Asia) and Troopers (Germany).
You can easily find him on Twitter talking about security (@EternalTodo).