User:Sumthingood/exploitkits

From Wikipedia, the free encyclopedia

Exploit kits are packages or packs hosted on a website, which contain exploits for vulnerabilities in a wide range of client-side applications, in order to infect the victim with malicious software. Only one of the exploits needs to succeed for the malicious software to be installed on the system. The growth of nontraditional commercial markets offering services and capabilities for a fee, together with the increasing prevalence of exploit kits used by attackers to target unsuspecting victims, poses a growing concern, as the bar for waging online attacks has been dramatically lowered. An attacker no longer needs to make extensive efforts to develop attack vectors and methods to deliver the payload; with an exploit kit, all that is required is making selections and proceeding to checkout, since the exploits have become commodities.


Background

Exploit kits (also referred to as exploit toolkits) are packaged attack frameworks that may contain a number of exploits, which target known vulnerabilities in order to spread malware. Exploit kits are typically used alongside an automated form of attack known as drive-by downloads to infect systems that are vulnerable to the exploits contained in the malicious payload. Exploit kits serve as a vehicle or means to spread malware to other systems.

Exploit kits are sold in nontraditional and illegal markets referred to as the underground economy (i.e. the underground). As new vulnerabilities are discovered and made public, exploit kits are often updated to target them, especially if the new vulnerabilities provide an effective means of achieving exploitation. However, many exploit kits still exploit old vulnerabilities as well, such as Microsoft Data Access Components (MDAC) (CVE-2006-0003) and libtiff (CVE-2010-0188).

Over the years, a number of different exploit kits have been available in the underground, which is considered a competitive, and possibly lucrative, market: many kits continue to be maintained and updated, while new ones continue to enter the market offering additional capabilities and features as well as exploits.

The first notable attack toolkits were seen in the early 1990s, but their capabilities were fairly simple and not as sophisticated as some of the tools available now. [1] The market for exploit kits has continued to grow and has recently seen significant developments, beginning with the debut of a successful exploit kit in 2006 known as WebAttacker, which is considered to be the first modern web exploit kit. [2] Other exploit kits that followed include MPack, ICE-Pack, Fire-Pack, Eleonore, YES Crimepack, Incognito, Phoenix, Nuclear, Sakura and SEO Sploit Pack. [3] [4] [5] [6] Two of the most recent exploit kits to hit the underground market are Blackhole and RedKit. [7] [8] [9]


Utilization

An attacker may use any of the following methods to deploy the exploit kit on legitimate web servers:

  • Purchase access credentials to the server hosting the website
  • Infiltrate the site through malicious ads via the ad network
  • Manually exploit the server in order to insert code that serves up malicious content

In some cases, the attacker may use hidden inline frames (iframes) to embed a malicious element that is concealed from the user and that sends the user's system to a drive-by download server. At that point the system receives the malicious payload and, if it is vulnerable to the provided exploits, becomes infected with malware.

Individuals who make use of exploit kits marketed in the underground may carry out the following steps to obtain and use them:

  • An attacker goes to a site offering exploit kits (usually a site selling the exploit kit commercially)
  • The attacker customizes and specifies various configurations using the options presented on the exploit kit site
  • The attacker purchases a license for an exploit kit from the exploit kit authors
  • The attacker establishes some mechanism to deploy the exploit kit to spread malware (see the methods listed above)
  • An unsuspecting victim requests and loads a compromised web page or clicks on a malicious link in a spammed email
  • The compromised web page or malicious link in the spammed email sends the user to the established attack server, which delivers the exploit kit
  • The attack server may offer additional measures to make detection difficult, such as obfuscated JavaScript, and ultimately loads the packaged exploits; in some cases, the exploit kit may provide additional enhancements and features, such as only deploying exploits to which the system is susceptible (e.g. the Blackhole exploit kit)
  • If the target system is vulnerable to any of the attacks contained in the exploit kit, an exploit loads, executes a payload on the target system, and infects the system with malware
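As an added example (not part of this article or of any cited work), the scanner below flags the two evasion tricks mentioned above, hidden iframes and obfuscated inline JavaScript, in a fetched HTML page; the size and style thresholds and the obfuscation markers are this example's own assumptions, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser

# Heuristics are this example's own assumptions, not from the article: a frame is "hidden"
# if 0x0/1x1, styled invisible or pushed off-screen; a script is suspect if it uses
# eval/unescape/fromCharCode or carries a long run of escaped bytes.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
JS_CHECKS = (
    ("eval/unescape/fromCharCode", re.compile(r"\beval\s*\(|\bunescape\s*\(|fromCharCode", re.I)),
    ("long escaped-byte run", re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){20,}", re.I)),
)

class PageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attribute values may be None
        if tag == "script":
            self._in_script = True
        elif tag == "iframe":
            reasons = []
            for dim in ("width", "height"):
                m = re.match(r"\s*(\d+)", a.get(dim, ""))
                if m and int(m.group(1)) <= 1:       # 0x0 or 1x1 frame: invisible to the user
                    reasons.append(f"{dim}={m.group(1)}")
            if HIDDEN_STYLE.search(a.get("style", "")):
                reasons.append("hidden style")
            if reasons:
                self.iframes.append({"src": a.get("src", ""), "reasons": reasons})
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):                 # inline <script> bodies arrive here
        if self._in_script:
            reasons = [name for name, rx in JS_CHECKS if rx.search(data)]
            if reasons:
                self.scripts.append({"reasons": reasons, "length": len(data)})

def scan_html(html):
    # Returns the hidden iframes and suspicious inline scripts found in one HTML document.
    p = PageScanner()
    p.feed(html)
    p.close()
    return {"iframes": p.iframes, "scripts": p.scripts}

# Constructed sample page (not a real site): a normal embed, a 1x1 hidden frame
# pointing at a placeholder host, and an unescape()-based loader script.
SAMPLE = """<html><body>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<iframe src="http://attacker.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%22%29%3b'));</script>
</body></html>"""
```

Running `scan_html(SAMPLE)` reports only the 1x1 hidden frame (with all three reasons) and the single obfuscated script, while the normal video embed is left alone.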


Prevention

The following steps may help prevent infection:

  • Get the latest updates for all installed software and third-party applications
  • Use up-to-date antivirus software
  • Use a host-based intrusion prevention system (HIPS)
  • Limit user privileges on the computer
  • Use caution when clicking on links to webpages
  • Protect yourself against social engineering attacks
  • Use online services to analyze files and URLs (e.g. Malwr [10], VirusTotal [11], Anubis [12], Wepawet [13], etc.)


References

  1. ^ Symantec (2011-01-20). "Symantec Report on Attack Kits and Malicious Websites" (PDF). Symantec. Retrieved 2012-08-19.
  2. ^ "HP DVLabs 2010 Full Year Top Cyber Security Risk Report" (PDF). HP. 2011-04-05. Retrieved 2012-07-22.
  3. ^ Mila (2012-04-03). "Contagio: Overview of Exploit Packs". Contagio. Retrieved 2012-08-19.
  4. ^ Brian Krebs (2010-08-05). "Crimepack: Packed with Hard Lessons". Brian Krebs. Retrieved 2012-08-19.
  5. ^ Brian Krebs (2010-10-11). "Java: A Gift to Exploit Pack Makers". Brian Krebs. Retrieved 2012-08-19.
  6. ^ Marco Preuss and Vicente Diaz (2011-02-10). "Exploit Kits - A Different View". Kaspersky. Retrieved 2012-07-22.
  7. ^ Steven K (2012-03-28). "Xylibox: Blackhole v1.2.3". Xylibox. Retrieved 2012-08-19.
  8. ^ Arseny Levin (2012-05-02). "Meet RedKit". Trustwave SpiderLabs. Retrieved 2012-07-22.
  9. ^ Hardik Suri (2011-02-18). "Symantec: The Blackhole Theory". Symantec Connect Community. Retrieved 2012-08-19.
  10. ^ "Malwr.com". Retrieved 2012-06-17.
  11. ^ "VirusTotal". Retrieved 2012-06-17.
  12. ^ "Anubis". Retrieved 2012-06-17.
  13. ^ "Wepawet". Retrieved 2012-06-17.