An exploit kit is a tool used for automatically managing and deploying exploits against a target computer. Exploit kits allow attackers to deliver

malware Malware (a portmanteau of ''malicious software'')Tahir, R. (2018)A study on malware and malware detection techniques . ''International Journal of Education and Management Engineering'', ''8''(2), 20. is any software intentionally designed to caus ...

without having advanced knowledge of the exploits being used.

Browser exploit Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site s ...

s are typically used, although they may also include exploits targeting common software, such as

Adobe Reader Adobe Acrobat is a family of application software and web services developed by Adobe Inc. to view, create, manipulate, print and manage Portable Document Format (PDF) files. The family comprises Acrobat Reader (formerly Reader), Acrobat (former ...

, or the

operating system An operating system (OS) is system software that manages computer hardware and software resources, and provides common daemon (computing), services for computer programs. Time-sharing operating systems scheduler (computing), schedule tasks for ...

itself. Most kits are written in

PHP PHP is a general-purpose scripting language geared towards web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995. The PHP reference implementation is now produced by the PHP Group. ...

. Exploit kits are often sold on the

black market A black market is a Secrecy, clandestine Market (economics), market or series of transactions that has some aspect of illegality, or is not compliant with an institutional set of rules. If the rule defines the set of goods and services who ...

, both as standalone kits, and as a

service Service may refer to: Activities * Administrative service, a required part of the workload of university faculty * Civil service, the body of employees of a government * Community service, volunteer service for the benefit of a community or a ...

History

Some of the first exploit kits were WebAttacker and MPack, both created in 2006. They were sold on black markets, enabling attackers to use exploits without advanced knowledge of

computer security Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...

. The Blackhole exploit kit was released in 2010, and could either be purchased outright, or rented for a fee. Malwarebytes stated that Blackhole was the primary method of delivering malware in 2012 and much of 2013. After the arrest of the authors in late 2013, use of the kit sharply declined. Neutrino was first detected in 2012, and was used in a number of

ransomware Ransomware is a type of malware that Encryption, encrypts the victim's personal data until a ransom is paid. Difficult-to-trace Digital currency, digital currencies such as paysafecard or Bitcoin and other cryptocurrency, cryptocurrencies are com ...

campaigns. It exploited vulnerabilities in

, the

Java Runtime Environment Java is a set of computer software and specifications that provides a software platform for developing application software and deploying it in a cross-platform computing environment. Java is used in a wide variety of computing platforms ...

, and

Adobe Flash Adobe Flash (formerly Macromedia Flash and FutureSplash) is a mostly discontinuedAlthough it is discontinued by Adobe Inc., for the Chinese market it is developed by Zhongcheng and for the international enterprise market it is developed by Ha ...

. Following a joint-operation between

Cisco Talos Cisco Talos, or Cisco Talos Intelligence Group, is a cybersecurity technology and information security company based in Fulton, Maryland. It is a part of Cisco Systems Inc. Talos' threat intelligence powers Cisco Secure products and services, in ...

and

GoDaddy GoDaddy Inc. is an American publicly traded Internet Domain name registry, domain registry, Domain name registrar, domain registrar and web hosting company headquartered in Tempe, Arizona, and incorporated in Delaware. GoDaddy is the world's fif ...

to disrupt a Neutrino

malvertising Malvertising (a portmanteau of "malicious software (malware) advertising") is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks ...

campaign, the authors stopped selling the kit, deciding to only provide support and updates to previous clients. Despite this, development of the kit continued, and new exploits were added. As of April 2017, Neutrino activity ceased. On June 15, 2017,

F-Secure F-Secure Corporation is a global cyber security and privacy company, which has its headquarters in Helsinki, Finland. The company has offices in Denmark, Finland, France, Germany, India, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Swed ...

tweeted "R.I.P. Neutrino exploit kit. We'll miss you (not)." with a graph showing the complete decline of Neutrino detections. From 2017 onwards, the usage of exploit kits has dwindled. There are a number of factors which may have caused this, including arrests of cybercriminals, improvements in security making exploitation harder, and cybercriminals turning to other method of malware delivery, such as

Microsoft Office Microsoft Office, MS Office, or simply Office, is an office suite and family of client software, server software, and services developed by Microsoft. The first version of the Office suite, announced by Bill Gates on August 1, 1988, at CO ...

macros and social engineering. There are many systems that work to protect against attacks from exploit kits. These include gateway anti-virus, intrusion prevention, and anti-spyware. There are also ways for subscribers to receive these prevention systems on a continuous basis, which helps them to better defend themselves against attacks.

Overview

Exploitation process

The general process of exploitation by an exploit kit is as follows: # The victim navigates to a website infected by an exploit kit. Links to infected pages can be spread via

spam Spam most often refers to: * Spam (food), a consumer brand product of canned processed pork of the Hormel Foods Corporation * Spamming, unsolicited or undesired electronic messages ** Email spam, unsolicited, undesired, or illegal email messages ...

, or by compromising legitimate sites. # The victim is redirected to the landing page of the exploit kit. # The exploit kit determines which vulnerabilities are present, and which exploit to deploy against the target. # The exploit is deployed. If successful, a payload of the attacker's choosing (i.e. malware) can then be deployed on the target.

Features

Exploit kits employ a variety of evasion techniques to avoid detection. Some of these techniques include obfuscating the code, and using

fingerprinting A fingerprint is an impression left by the friction ridges of a human finger. The recovery of partial fingerprints from a crime scene is an important method of forensic science. Moisture and grease on a finger result in fingerprints on surfa ...

to ensure malicious content is only delivered to likely targets. Modern exploit kits include features such as

web interfaces In the industrial design field of human–computer interaction, a user interface (UI) is the space where interactions between humans and machines occur. The goal of this interaction is to allow effective operation and control of the machine fro ...

and statistics, tracking the number of visitors and victims.

References

{{reflist Malware toolkits Spyware Computer security exploits

History

Overview

Exploitation process

Features

See also

References