Introduction to Exploit Kits

The exploitation of software is nothing new; it has been used for decades to spread various types of viruses. Ransomware is the most popular type of malware these days. Cybercriminals have understood that launching attacks on personal and corporate users can really pay off. Victims eagerly pay the ransom to recover data encrypted on their computers or to reactivate applications frozen by the malware. Exploit kits are among the top ways to infect devices with ransomware.

Exploit kits help less-experienced cybercriminals launch successful attacks and make a lot of money. This situation appears to be business as usual in the cybercrime world, opening the door for more skillful hackers to simply create and sell exploit kits without taking the risks of distributing malware themselves. Developers make instant money, while buyers target unsuspecting computer users all around the world.

What is an exploit kit?

An exploit is essentially an application that aims to find a software vulnerability and take advantage of a system's weak points. Its purpose is to launch an attack and trigger unintended behavior in the system. A vulnerability is a hole in your computer through which malware can penetrate and wreak havoc on the entire system. A successful attack means the vulnerability has been exploited, hence the name. Exploits are often the first stage of larger attacks: these malicious applications scan for security holes which can be exploited.

An exploit kit is a collection of exploits. It is like an all-in-one suite that enables hackers to launch and manage multiple attacks on a single system simultaneously. Many exploit kits are designed to be easy to use, making them practical for less-knowledgeable hackers. Besides, many exploit kits allow customization in the sense that hackers can change, add, and remove specific exploits depending on the type of target.

One of the first publicly recorded exploit kits was MPack, released in 2006 by programmers based in Russia. Just like its more modern successors, this exploit kit was a collection of PHP scripts targeting vulnerabilities in commonly used applications such as Mozilla Firefox and Apple QuickTime. Shortly after MPack had been made available, it was found on more than 10,000 websites.

More than a decade has passed since the first publicly known exploit kit was discovered. Despite being essentially the same kind of tool as their predecessors, today's exploit kits are more effective and more neatly configured.

As already said, there is a division of labor in the cybercriminal world. Some hackers only write exploits and build exploit kits. Other hackers purchase these kits and launch attacks; they do not need excellent skills to build their own exploits. They also do not need to know how to distribute exploit kits, as they can contact other hackers who specialize in malware distribution. This last group may, for example, offer botnet services that involve spam email campaigns.

Furthermore, modern exploit kits come with an intuitive web interface where attackers can monitor progress and view related statistics. Modern exploit kits are treated just like any regular application: buyers receive periodic updates from sellers. As soon as vulnerabilities in specific software are fixed with security patches, cybercriminals find new holes and add exploits for them to their kits. Many exploit kits are actually licensed directly from the creator, just like any other software product.

Acquiring an exploit kit can be a difficult process due to the illicit nature of the malicious application. Most exploit kits are only sold on black-hat forums. Hacker forums are located on the dark web, meaning regular search engines do not index them; you cannot find such forums just by entering a relevant search query into Google. It is almost impossible to access the dark web without digging first. Even if you happen to stumble across these communities, purchasing an exploit kit still involves considerable effort. Hackers do not allow just anyone to buy their products; you need to be referred by another hacker.

How do exploit kits penetrate devices?

Exploits are often the first wave of malware in a series of attacks. Hackers look for vulnerabilities, most commonly found in outdated software like Java, Adobe Flash Player, Internet Explorer, and others. Exploits may include shellcode, a small malware payload that activates and downloads more malicious software.

Once deployed, it does not take long for the malware to execute automated commands, making the computer download additional malware from hacker-controlled servers. The newly downloaded malware helps hackers penetrate deeper into the computer system.

One of the most common methods of distributing exploit kits is through infected websites. Users are subjected to attacks whenever they visit websites laced with malware. Some legitimate websites may unwillingly and unknowingly host exploit kits in ads or user-contributed content.

Here is a simple diagram describing how an exploit kit penetrates a computer system:

[Diagram: how an exploit kit penetrates a computer system (image not reproduced here)]

An attack starts when a user visits a compromised website. Most compromised websites divert traffic to another page, and users do not notice the redirection sequence. The malicious "landing page" scans the victim's system for available vulnerabilities and chooses the matching exploit.

If all your software and your system are up to date and all the latest security patches are installed, exploit kits will not be able to infect you. But if you have even one hole, hackers will most probably find and exploit it. It is good to have an antivirus that helps detect exploit kits. At the same time, to avoid detection, sophisticated exploit kits send their payload in encrypted form, which is then decrypted once it reaches the user's computer.
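The redirection sequence described above, from a compromised site through one or more intermediate pages to a landing page that serves a plugin exploit, is something a defender can look for in web proxy logs. The following Python is an added example and not part of the original article: it rebuilds each client's Referer chain from constructed log lines (a simplified, assumed field layout) and flags a chain that crosses several domains and ends in a Flash or Java download, the plugin content the article names.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic). Assumed field layout:
# time client method url referer content-type status
LOG = """\
10:00:01 10.0.0.5 GET http://news.example/article.html - text/html 200
10:00:02 10.0.0.5 GET http://ads.example/show?id=1 http://news.example/article.html text/html 200
10:00:02 10.0.0.5 GET http://tds.example/go.php http://ads.example/show?id=1 text/html 302
10:00:03 10.0.0.5 GET http://landing.example/index.php http://tds.example/go.php text/html 200
10:00:04 10.0.0.5 GET http://landing.example/ex.swf http://landing.example/index.php application/x-shockwave-flash 200
10:00:10 10.0.0.9 GET http://news.example/article.html - text/html 200
10:00:11 10.0.0.9 GET http://news.example/player.swf http://news.example/article.html application/x-shockwave-flash 200
"""

# Content types of the browser plugins exploit kits typically target (Flash, Java).
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                "application/x-java-applet"}

def parse_line(line):
    """Split one log line into a dict; '-' means no Referer header was sent."""
    ts, client, method, url, referer, ctype, status = line.split()
    return {"ts": ts, "client": client, "url": url,
            "referer": None if referer == "-" else referer, "ctype": ctype}

def referer_chain(url, referer, seen):
    """Walk Referer links backwards through this client's earlier requests.
    Returns the chain from the first page visited to the current request."""
    chain = [url]
    while referer is not None and referer in seen and len(chain) < 20:  # cap guards against loops
        chain.append(referer)
        referer = seen[referer]
    return list(reversed(chain))

def find_suspicious_chains(log_text, min_hosts=3):
    """Flag plugin downloads reached through a chain spanning min_hosts or more domains.
    A site serving its own .swf (one host) is not flagged; a multi-hop redirect is."""
    seen = defaultdict(dict)          # client -> {url: referer}
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        chain = referer_chain(ev["url"], ev["referer"], seen[ev["client"]])
        seen[ev["client"]][ev["url"]] = ev["referer"]
        hosts = {urlsplit(u).hostname for u in chain}
        if ev["ctype"] in PLUGIN_TYPES and len(hosts) >= min_hosts:
            alerts.append((ev["client"], chain))
    return alerts

if __name__ == "__main__":
    for client, chain in find_suspicious_chains(LOG):
        print(client, " -> ".join(chain))
```

Real proxy logs vary in layout and browsers do not always send a Referer, so in practice the chain is usually stitched together from timing and the client's session as well.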

Protection

Despite hackers' relentless attempts to spread malicious software, users can minimize the risk by following general security precautions: keeping their software updated, installing the latest security patches for all applications and the operating system, and using reputable antivirus software with regular updates. It is also good to develop cybersecurity habits and avoid clicking suspicious web links and email attachments. To protect data in transit, experts from Cooltechzone advise using a VPN.

About the Author

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
