What Are Exploit Kits?

I discussed exploit kits as part of the Botnet Wars Q&A conducted by Bart Parys for Malware Database. The article documents perspectives of several malware experts on the topic of exploit kits. I recommend reading the full Q&A if you’re interested in the topic. (The article is mirrored on Bart’s blog.)

Below is an excerpt of my contribution to the discussion.

Defining an Exploit Kit

An exploit kit, sometimes called an exploit pack, is a toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser. Common exploit targets have been vulnerabilities in Adobe Reader, Java Runtime Environment and Adobe Flash Player.

It’s interesting to see that different specialists define an exploit kit/pack a bit differently, while agreeing on the general characteristics of this type of malware.

Characteristics of Exploit Kits

A key characteristic of an exploit kit is the ease with which it can be used even by attackers who are not IT or security experts. The attacker doesn’t need to know how to create exploits to benefit from infecting systems. Further, an exploit pack typically provides a user-friendly web interface that helps the attacker track the infection campaign.

Some exploit kits offer capabilities for remotely controlling the exploited system, allowing the attacker to create an Internet crimeware platform for further malicious activities.

For an overview of the key characteristics of common exploit kits, see Mila’s Overview of Exploit Packs, which includes a spreadsheet of exploit kit features.

Competing for Customers and Victims

An exploit kit is a launching platform used to deliver a payload, which may be a bot, a backdoor, spyware or another type of malware. In this market, exploit kit authors and distributors compete for customers.

The ease of use and affordability of exploit packs make it possible even for people with low technical skills to become a “hacker,” be it for profit, politics or other reasons. The user friendliness of the exploit kit’s control interface might be a market differentiator, helping it stand out from the competition.

Overall, it’s not uncommon for criminals of all shapes and sizes to battle one another for control. I’m not surprised we’re seeing such battles in the Internet world as well. Though there are a lot of potential targets for competing attackers to infect, it’s natural for the attacker to wish to assert full control over a newly compromised system. If the host is already infected, the new attacker will need to remove the presence of the competing entity. It’s a variation of a children’s game called King of the Hill, though obviously with more severe repercussions.

Exploit Kits and Geographic Boundaries

Some exploit kits are developed and marketed in a specific country and, therefore, will be used more widely by attackers who speak that country’s language or who frequent its forums. However, the “beauty” of exploit kits is that they can be developed in Country A, sold in Country B, and used in Country C to attack Country D by using systems hosted in Country E. As a result, it’s hard to attribute malicious activity to actors located in a particular country by simply looking at the IP addresses observed during the immediate attack.

Resisting Exploit Kit Attacks

Though some exploit packs target zero-day vulnerabilities, a large number of exploits go after vulnerabilities for which patches already exist. End-users and organizations should look closely at how they keep up with security patches on the desktop. End-users at home can rely on the auto-update mechanisms of the targeted applications or on specialized tools such as Secunia PSI. Enterprise environments should use automated tools to identify vulnerable systems, install the relevant patches and validate that the patches are actually installed. It’s also important to lock down the environment so that when an individual system is compromised, the attack is contained and discovered quickly.
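The validation step above is where patch programs most often go wrong in practice: an inventory says a product is present, but nobody checks whether the installed version is at or above the fixed one, and naive string comparison reports 9.10.0 as “older” than 9.4.0. The script below is an added example written for this page, not code from the original post or from any vendor tool. The product names follow the post; the minimum-version baseline and the inventory lines are constructed for illustration and do not correspond to real vendor advisories.

```python
"""Patch-level audit: flag client software whose version is below a baseline.

Added example, not from the original post. MIN_PATCHED and INVENTORY are
constructed for illustration; they are not real advisories or real hosts.
"""
import re
from typing import Dict, List, Tuple

# Hypothetical "minimum patched" version per targeted product (constructed).
MIN_PATCHED: Dict[str, str] = {
    "Adobe Reader": "9.4.0",
    "Java Runtime Environment": "1.6.0_22",
    "Adobe Flash Player": "10.1.85.3",
}

# Constructed inventory export in the form host,product,version.
INVENTORY = """\
ws-001,Adobe Reader,9.3.4
ws-001,Adobe Flash Player,10.1.85.3
ws-002,Java Runtime Environment,1.6.0_7
ws-002,Adobe Reader,9.10.0
ws-003,Adobe Flash Player,10.0.45.2
ws-003,Java Runtime Environment,1.6.0_22
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.10.0' or '1.6.0_22' into an integer tuple.

    Comparing version strings lexically gets '9.10.0' < '9.3.4' wrong and
    would mark a patched host as vulnerable (or the reverse). Every run of
    digits becomes one component, so Java's '_22' update suffix is handled
    the same way as a dotted component.
    """
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_outdated(installed: str, minimum: str) -> bool:
    """True when installed < minimum, padding short versions with zeros so
    that '9.4' compares equal to '9.4.0' rather than below it."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(inventory: str, baseline: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, installed, minimum) for each outdated entry.

    Products absent from the baseline are skipped. A malformed line raises
    instead of being skipped, so a broken export cannot look like a clean
    audit result.
    """
    findings: List[Tuple[str, str, str, str]] = []
    for lineno, line in enumerate(inventory.splitlines(), 1):
        if not line.strip():
            continue
        try:
            host, product, version = (f.strip() for f in line.split(",", 2))
        except ValueError:
            raise ValueError(f"inventory line {lineno} is malformed: {line!r}")
        minimum = baseline.get(product)
        if minimum is None:
            continue
        if is_outdated(version, minimum):
            findings.append((host, product, version, minimum))
    return findings


def hosts_needing_attention(findings: List[Tuple[str, str, str, str]]) -> List[str]:
    """Distinct hosts with at least one outdated product, sorted."""
    return sorted({host for host, _, _, _ in findings})


if __name__ == "__main__":
    results = audit(INVENTORY, MIN_PATCHED)
    for host, product, installed, minimum in results:
        print(f"{host}: {product} {installed} is below {minimum}")
    print("hosts to remediate:", ", ".join(hosts_needing_attention(results)))
```

On the constructed inventory this flags ws-001 (Adobe Reader), ws-002 (Java) and ws-003 (Flash), and correctly leaves ws-002’s Reader 9.10.0 alone, which a string comparison against 9.4.0 would not. In a real deployment the baseline would come from the vendor’s advisory and the inventory from the patch-management or asset tool, and the findings would feed back into the same automation that installs the patches.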

Lenny Zeltser

Posted 26 October, 2010