Exploit kit explained

An exploit kit is a tool used for automatically managing and deploying exploits against a target computer. Exploit kits allow attackers to deliver malware without having advanced knowledge of the exploits being used. Browser exploits are typically used, although they may also include exploits targeting common software, such as Adobe Reader, or the operating system itself. Most kits are written in PHP.

Exploit kits are often sold on the black market, both as standalone kits, and as a service.

History

Some of the first exploit kits were WebAttacker and MPack, both created in 2006. They were sold on black markets, enabling attackers to use exploits without advanced knowledge of computer security.[1][2]

The Blackhole exploit kit was released in 2010, and could either be purchased outright or rented for a fee.[3] Malwarebytes stated that Blackhole was the primary method of delivering malware in 2012 and much of 2013.[4] After the arrest of the authors in late 2013, use of the kit sharply declined.[5][6]

Neutrino was first detected in 2012,[7] and was used in a number of ransomware campaigns. It exploited vulnerabilities in Adobe Reader, the Java Runtime Environment, and Adobe Flash.[8] Following a joint operation between Cisco Talos and GoDaddy to disrupt a Neutrino malvertising campaign,[9] the authors stopped selling the kit, deciding to provide only support and updates to previous clients. Despite this, development of the kit continued, and new exploits were added.[10] By April 2017, Neutrino activity had ceased.[11] On June 15, 2017, F-Secure tweeted "R.I.P. Neutrino exploit kit. We'll miss you (not)." with a graph showing the complete decline of Neutrino detections.[12]

From 2017 onwards, the usage of exploit kits has dwindled. A number of factors may have caused this, including arrests of cybercriminals, security improvements that made exploitation harder, and cybercriminals turning to other methods of malware delivery, such as Microsoft Office macros and social engineering.[13]

Many systems work to protect against attacks from exploit kits, including gateway anti-virus, intrusion prevention, and anti-spyware. These protections can also be delivered to subscribers on a continuous basis, with ongoing updates, which helps them defend themselves against attacks as new kits and exploits appear.[14]

Overview

Exploitation process

The general process of exploitation by an exploit kit is as follows:

  1. The victim navigates to a website infected by an exploit kit. Links to infected pages can be spread via spam, malvertising, or by compromising legitimate sites.
  2. The victim is redirected to the landing page of the exploit kit.
  3. The exploit kit determines which vulnerabilities are present, and which exploit to deploy against the target.
  4. The exploit is deployed. If successful, a payload of the attacker's choosing (such as malware) can then be deployed on the target.[15][16]
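The four-step chain above leaves a recognisable trace in web-proxy logs: an HTML page reached from a different site (the redirect to the landing page), followed within seconds by a plugin object (Flash, Java or PDF, the targets named in the History section) and then a binary download, both referred by the landing host. The script below is an added detection example, not code from the article or from any vendor product; it assumes a seven-field log format (epoch, client IP, method, URL, status, content type, referer) and runs over constructed sample lines embedded in the block.

```python
"""Detect the four-step exploit-kit infection chain in web-proxy logs.

Added example (not from the article or any vendor product). Assumed log
format, one request per line:
    <epoch> <client_ip> <method> <url> <status> <content_type> <referer>
"""
from collections import defaultdict, namedtuple
from urllib.parse import urlparse

LogEntry = namedtuple("LogEntry", "ts client method url status ctype referer")

# Constructed sample: client 10.0.0.5 follows the full chain (compromised site ->
# injected script redirector -> kit landing page -> plugin exploit -> binary
# payload); client 10.0.0.9 browses the same site but is never redirected.
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET http://news.example.org/article.html 200 text/html -
1700000001 10.0.0.5 GET http://redir.example.net/go?id=7 200 text/html http://news.example.org/article.html
1700000002 10.0.0.5 GET http://landing.example-kit.test/index.php 200 text/html http://redir.example.net/go?id=7
1700000004 10.0.0.5 GET http://landing.example-kit.test/plugin.swf 200 application/x-shockwave-flash http://landing.example-kit.test/index.php
1700000006 10.0.0.5 GET http://landing.example-kit.test/load.php?e=1 200 application/octet-stream http://landing.example-kit.test/index.php
1700000010 10.0.0.9 GET http://news.example.org/article.html 200 text/html -
1700000011 10.0.0.9 GET http://cdn.example.org/lib.js 200 application/javascript http://news.example.org/article.html
"""

# Content types of the plugins the kits in the article abused (Flash, Java,
# Reader) and types a dropped executable payload is commonly served as.
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                "application/pdf"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/x-dosexec"}


def parse_log(text):
    """Parse the assumed seven-field log format into LogEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype, referer = line.split()
        entries.append(LogEntry(int(ts), client, method, url, int(status), ctype, referer))
    return entries


def host(url):
    """Lower-cased host of a URL; '' for a missing ('-') referer."""
    return "" if url == "-" else urlparse(url).netloc.lower()


def referrer_chain(events, start):
    """Walk Referer values backwards from `start` to rebuild the redirect path."""
    chain, cur, seen = [start.url], start, set()
    while cur.referer != "-" and cur.referer not in seen:
        seen.add(cur.referer)
        prev = next((e for e in events if e.url == cur.referer and e.ts <= cur.ts), None)
        if prev is None:
            break
        chain.append(prev.url)
        cur = prev
    return chain[::-1]


def find_chains(entries, window=60):
    """Return one finding per client whose traffic matches landing -> exploit -> payload."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e.client].append(e)
    findings = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e.ts)
        for i, land in enumerate(events):
            # Step 2: an HTML page reached from a different site is a landing-page candidate.
            lhost, rhost = host(land.url), host(land.referer)
            if not land.ctype.startswith("text/html") or not rhost or rhost == lhost:
                continue
            # Steps 3-4: the landing host refers a plugin object, then a binary, inside the window.
            exploit = payload = None
            for e in events[i + 1:]:
                if e.ts - land.ts > window:
                    break
                if host(e.referer) != lhost:
                    continue
                if exploit is None and e.ctype in PLUGIN_TYPES:
                    exploit = e
                elif exploit is not None and e.ctype in BINARY_TYPES:
                    payload = e
                    break
            if exploit and payload:
                findings.append({
                    "client": client,
                    "landing_host": lhost,
                    "chain": referrer_chain(events, land),
                    "exploit": exploit.url,
                    "payload": payload.url,
                    "seconds": payload.ts - land.ts,
                })
    return findings


if __name__ == "__main__":
    for f in find_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['client']}: {' -> '.join(f['chain'])} | exploit {f['exploit']}"
              f" | payload {f['payload']} ({f['seconds']}s)")
```

The candidate landing page is any HTML fetched from a host other than the referring one, so ordinary cross-site navigation produces candidates too; only the subsequent plugin-then-binary pattern from the same host promotes a candidate to a finding, and the referer walk-back then reconstructs the compromised site and the redirector for the incident record.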

Features

Exploit kits employ a variety of evasion techniques to avoid detection. Some of these techniques include obfuscating the code,[17] and using fingerprinting to ensure malicious content is only delivered to likely targets.[18][15]
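Code obfuscation defeats signature matching on the landing page, but the obfuscation itself is observable: hand-written page scripts rarely combine eval, unescape, String.fromCharCode, long runs of percent- or hex-escaped bytes and machine-generated identifiers. The heuristic scorer below is an added example (not from the article, the cited vendors, or any product) for triaging script bodies pulled from a proxy or sandbox; the indicator weights, the entropy cut-off and the review threshold are assumed illustrative values, and both sample scripts are constructed and harmless (the second only hides alert("hi") behind the encoding layers).

```python
"""Heuristic triage of scripts for the obfuscation the article describes.

Added example, not from the article or any product. Assumes the input is the
text of a <script> body (or a .js file); the weights and the threshold are
illustrative choices, not published figures.
"""
import math
import re
from collections import Counter

# Constructed samples. Both are harmless: the second merely wraps alert("hi")
# in the percent-escape / charCode / eval layering typical of kit landing pages.
BENIGN_JS = """
function ready(fn) {
  if (document.readyState !== "loading") { fn(); }
  else { document.addEventListener("DOMContentLoaded", fn); }
}
ready(function () { console.log("page ready"); });
"""

OBFUSCATED_JS = """
var _0x1 = "%61%6c%65%72%74%28%22%68%69%22%29";
var _0x2 = [];
for (var i = 0; i < _0x1.length; i++) { _0x2.push(_0x1.charCodeAt(i)); }
eval(unescape(String.fromCharCode.apply(null, _0x2)));
"""

# (name, weight, pattern): constructs that are rare in hand-written page code
# but ubiquitous in obfuscated loaders. Each indicator is scored once, however
# often it occurs, so one large file cannot inflate its own score by repetition.
INDICATORS = [
    ("eval",           2, re.compile(r"\beval\s*\(")),
    ("unescape",       2, re.compile(r"\bunescape\s*\(")),
    ("fromCharCode",   1, re.compile(r"String\.fromCharCode")),
    ("document.write", 1, re.compile(r"document\.write\s*\(")),
    ("escape_run",     2, re.compile(r"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){8,}")),
    ("hex_identifier", 1, re.compile(r"\b_0x[0-9a-fA-F]+\b")),
]
HIGH_ENTROPY = 4.5   # bits/char; assumed cut-off for an "encoded blob" string literal
THRESHOLD = 4        # assumed score at which a script is queued for analyst review


def shannon_entropy(s):
    """Bits per character of `s` (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def score_script(src):
    """Return indicator hits, the max entropy of long string literals, and a verdict."""
    hits = {}
    score = 0
    for name, weight, rx in INDICATORS:
        n = len(rx.findall(src))
        if n:
            hits[name] = n
            score += weight
    # Long string literals carrying an encoded second stage tend toward high entropy.
    literals = re.findall(r"[\"']([^\"'\n]{16,})[\"']", src)
    max_entropy = max((shannon_entropy(s) for s in literals), default=0.0)
    if max_entropy >= HIGH_ENTROPY:
        hits["high_entropy_literal"] = 1
        score += 1
    return {"hits": hits, "max_literal_entropy": round(max_entropy, 2),
            "score": score, "suspicious": score >= THRESHOLD}


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_JS), ("obfuscated", OBFUSCATED_JS)):
        print(label, score_script(src))
```

Treat the verdict as a triage signal rather than a detection: minified or packed libraries also use eval and escaped strings, so in practice the score is combined with the page's reputation and with the redirect-chain context rather than acted on alone.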

Modern exploit kits include features such as web interfaces and statistics, tracking the number of visitors and victims.[15]

Notes and References

  1. Chen, Joseph; Li, Brooks. "Evolution of Exploit Kits". Trend Micro. Retrieved 2022-04-08.
  2. "Markets for Cybercrime Tools and Stolen Data". RAND Corporation. 2014.
  3. "Blackhole malware exploit kit suspect arrested". BBC News. 2013-10-09. Retrieved 2022-04-08.
  4. Kujawa, Adam (2013-12-04). "Malwarebytes 2013 Threat Report". Malwarebytes Labs. Retrieved 2022-04-08.
  5. Zorabedian, John (9 October 2013). "Is the Blackhole exploit kit finished?". Sophos News. Retrieved 3 April 2022.
  6. Fisher, Dennis (26 November 2013). "Blackhole and Cool Exploit Kits Nearly Extinct". threatpost.com. Retrieved 3 April 2022.
  7. "Neutrino Exploit kit: A walk-through into the exploit kit's campaigns distributing various ransomware". Cyware Labs. Retrieved 2022-04-08.
  8. "Neutrino". Malwarebytes Labs. Retrieved 2022-04-08.
  9. "Malvertising Campaign Pushing Neutrino Exploit Kit Shut Down". threatpost.com. September 2016. Retrieved 2022-04-08.
  10. "Former Major Player Neutrino Exploit Kit Has Gone Dark". Retrieved 2022-04-08.
  11. Schwartz, Mathew (2017-06-15). "Neutrino Exploit Kit: No Signs of Life". www.bankinfosecurity.com. Retrieved 2022-04-08.
  12. F-Secure (FSLabs). "R.I.P. Neutrino exploit kit. We'll miss you (not)." Twitter post 875275005625597953.
  13. "Where Have All The Exploit Kits Gone?". threatpost.com. 15 March 2017. Retrieved 2022-04-08.
  14. Malecki, Florian (June 2013). "Defending your business from exploit kits". Computer Fraud & Security. 2013 (6): 19–20. doi:10.1016/S1361-3723(13)70056-3.
  15. Cannell, Joshua (2013-02-11). "Tools of the Trade: Exploit Kits". Malwarebytes Labs. Retrieved 2022-04-08.
  16. "exploit kit - Definition". Trend Micro. Retrieved 2022-04-08.
  17. "Exploit Kits Improve Evasion Techniques". McAfee Blog. 2014-11-12. Retrieved 2022-04-08.
  18. "Angler Exploit Kit Continues to Evade Detection: Over 90,000 Websites Compromised". Unit42. 2016-01-11. Retrieved 2022-04-08.