Exploit Kits (EKs) have been very successful in delivering tailor made exploits and spreading malware. EK as a service has lowered the bar of entry for attackers, enabling wide-spread malware infections. Defenders have been using dynamic analysis tools like Cuckoo sandbox and JavaScript de-obfuscators like JSDetox and Revelo to detect and analyze EKs, but these approaches don’t scale very well across billions of websites. In this talk, I'll discuss a new technique to crawl the web at scale and detect EKs using headless browsers equipped with JavaScript and DOM inspectors. I’ll demonstrate a proof of concept and unravel the behavior of some of the latest EKs hiding in plain sight.
