Sunday, April 7, 2024

Opening EXPMON for Everyone

Recently during the winter holidays, I "refreshed" the EXPMON system that my friend and I developed in 2021 (well, we just added a really simple web UI:)). The EXPMON system is mainly a sandbox-based system but with static analysis modules. Unlike all the other sandboxes that I know, EXPMON is specifically designed and built for detecting advanced file-based exploits. Here, "advanced" means unknown (undetectable by other tools) or zero-days (exploiting unpatched vulnerabilities). EXPMON doesn't process malware or anything that does not exploit vulnerabilities. In my opinion, the key difference is that EXPMON was built solely from the perspective of vulnerability research, rather than malware detection.

It's hard to explain all the differences here, so I've authored a document sharing the Methodology and Architecture - please read it if you’re interested in using the system. Personally, I want EXPMON to be as open as possible so that users understand what it can do (and what it can't). EXPMON should not be considered as a "replacement" of any kind of existing threat detection products, but as a cutting-edge "add-on" tool for users concerned about being targeted by advanced (file-based) exploits such as zero-days or hard-to-detect exploits. Look at all those emails / attachments your organizations receive every day - who knows what those files (emails are also files) are really doing?


In fact, I've been personally using the system for about two years, and it has been incredibly helpful to me. Not only do I drop suspicious samples into the system for analysis, but it has also greatly aided my research on apps such as Microsoft Office. For instance, when I encounter a suspicious RTF sample, manually testing it in various environments would be a long and arduous process. With this system, I can accurately observe the Word process activities, even across different environments. Moreover, the indicators reported by the system help me quickly identify any suspicious elements in the sample. On the other hand, with numerous samples analyzed and meaningful Big Data analytics applied to them, it has also assisted me in understanding and classifying normal behaviors versus abnormal ones, all through automated processes.


Anyway.. I wondered, with this newly-developed web UI, why not just open it for everyone? Personally, it would be great for me to see something I spent quite a lot of time on in 2021 benefiting the security defense community at large, especially since I have yet to see a "making sense" exploit detection system, or any system designed from the vulnerability exploitation perspective, within the community.


Therefore, let me introduce you to EXPMON Public. From now on, everyone can access the following URL and submit samples to the system for advanced exploit detection.:)


https://pub.expmon.com


I've also authored another document showing how to use the Web UI as well as the Web APIs, please check it here. Additionally, we've released a helper tool called “expmon_sample_submit.py”, which assists users in automatically submitting samples to the EXPMON system and obtaining analysis results, via the Web APIs. Please check it out on our GitHub repository https://github.com/EXPMON/PubTools.


Here are some notes:

1. Make sure to read the Methodology and Architecture and Web UI & APIs documents before using the system, so you know what you're doing and what results you should expect.


One important thing to note is that the system only focuses on exploits, with its main goal being the detection of unknown and zero-day exploits. It does not detect other types of threats, such as .exe malware or very outdated exploits (e.g., CVE-2012-0158). Therefore, you should not rely on the system to determine whether a sample is malicious or not. Instead, it serves as an advanced "add-on" feature to identify advanced file-based exploits.


That also means that the vast majority of submissions will likely be classified as "CLEAN" (doesn't mean they're not malicious, though). The thing is, one day, if it detects your sample as something like "Malicious - potential zero-day exploit", you'll go "whoa!" :)


I will also perform regular Big Data analytics based on the “environment-binding” data produced by the system, and those may find hard-to-detect exploits too. In fact, this is one of the most significant advantages that the system provides - meaningful Big Data analytics, thanks to the “environment-binding” architecture!


2. Currently, the supported file types and apps are listed here. We may add more supported file types or apps in the future, if needed (suggestions? contact me:)).


The current supported file types include all Word, Excel, and PowerPoint file types, Outlook email file types (.msg and .eml), PDFs (for both Adobe Reader and Foxit Reader), as well as some newer Office file types such as MS-Access (.accdb, .mdb), Publisher (.pub), and OneNote (.one). There are some advanced features depending on the file type. For example, when you submit a .msg or .eml sample, not only will the email file be analyzed in Outlook, but also the attachments (e.g., .rtf) will be analyzed.


3. Because the file types EXPMON deals with are mostly Office documents and PDFs, they may contain sensitive information. Please ensure that you have permission to share the samples before submitting them. EXPMON assumes no legal responsibility for any damage it may cause.


Please also note that this is a public system, and everyone can see what you have submitted through the “Recent” page, although they cannot download the samples (if not being hacked :P). However, you should be aware that all submitted samples, especially malicious ones, may be shared with the security defense community, for good purposes.


If you accidentally submitted a sample and wish to remove it, please contact me at contact@expmon.com. However, I cannot guarantee a timely response.


Read our (simple) Terms of Service and Privacy Policy here.


If you want to use the system for advanced exploit detection but your samples can't be shared, this is understandable. Please contact contact@expmon.com to see if it's doable to deploy the system in your network.


4. If you want to submit a lot of samples, feel free to use the Web APIs (check the instructions). But please don't “DoS” us or do anything malicious. :)


In fact, we've released a helper tool named "expmon_sample_submit.py" for automated submission, check it at our GitHub repository.


5. You may note that the Controller is currently connected to only 4 VMs, so it can't process many samples simultaneously. However, if you've already submitted samples, they will be in the pending list, although it may take longer to receive the results.


Another small note: you may notice that the first sample may take longer to analyze. This is because I've enabled the "shutdown the VM server if no sample is received within 15 minutes" feature. For the first sample, the VM server needs to be powered on, so it takes more time.


The system is hosted in a place in Canada, and the system or the network may not be that stable. Well.. hopefully it will work for some time!


Anyway, you know how to contact me if you have something to say about the system.


That's it. Enjoy your hunting for advanced exploits!:)


Cheers,

Haifei

