<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1018517621595528&amp;ev=PageView&amp;noscript=1">
Threats 101
Forrest Williams
Aug 2016

Understanding Exploit Kits: How They Work and How to Stop Them

If you or one of your users gets infected with ransomware or any other malware, there’s a good possibility an exploit kit was involved at some point along the way.

What are exploit kits?

An exploit kit is a tool criminals use to infect computers with malware by exploiting vulnerabilities in browsers, operating systems, and other programs (Adobe Flash and Java are common examples).

Why do criminals use them?

In many cases, in order for criminals to get malware onto a machine they have to trick the user into downloading and opening a file. While that certainly happens often enough (thanks in large part to criminals getting progressively better at crafting convincing phishing emails), it does still require users to initiate the infection process by actively taking the bait.

By using an exploit kit, on the other hand, criminals don’t have to rely on unsuspecting users downloading their payloads. Instead, they just need to lure them to an infected website and let the exploit kit take it from there.

How an exploit kit works

Once you visit an infected website* the exploit kit scans your browser and/or other software to see if the vulnerability it is designed to exploit is present (ex: it checks to see if you’re running an outdated version of Firefox that contains a particular flaw). If so, the exploit kit leverages that vulnerability to deliver its malware payload and infect your computer. This process is referred to as a drive-by-download.

how_exploit_kits_work_visual.jpg

* It’s important to note the use of exploit kits is not confined to malicious websites. All attackers need to do is embed a silent HTML tag into a legitimate web page or into an advertisement on that page and everyone who visits that site will be attacked. For example, in March, a flurry of malicious ads containing the Angler exploit kit appeared on such major mainstream websites as The New York Times, the BBC, AOL, and the MSN homepage.

What can exploit kits infect you with?

The short answer is, potentially any kind of malware. Downloaders, credential stealers, banking trojans, you name it. But as the chart below indicates, in the past 12 months a larger and larger percentage of exploit kits have been delivering ransomware payloads. Learn more about ransomware here.

exploit_payload_stats_may_2016.png

Malwarebytes

Anatomy of an exploit kit

An exploit kit has two primary parts:

  1. A control panel that allows attackers to easily generate their own custom web pages. It also provides criminals with real-time performance stats, so they can keep track of how many people are visiting infected web pages, and how many are being successfully infected.
  2. The web page component generated by the control panel, which contains the exploits and allows attackers to auto-infect visitors to the web page via vulnerabilities in their web browsers.

How criminals get access to exploit kits

Let’s say I want to launch a ransomware campaign. Either I need to get connected to someone active in the underground economy who can set me up, or I have to go to a Darknet website and buy one, myself. Exploit kits can range in cost anywhere from $500 to $10,000 a month. The majority come packaged as rental options, and some even offer free trials. Transactions are conducted with Bitcoin.

What I actually get when I purchase an exploit kit is the control panel software, which can look a lot like any other legitimate software. It allows me to generate malicious website files (.html; .js; .php; etc.) and upload them to any website I have access to. Anyone unlucky enough to view these sites will be attacked. If their browser or an application they’re running has a vulnerability that I’m targeting my exploit kit can take advantage of it to infect the visitor.

Different types of exploit kits

exploit_kit_activity_june_2016.jpg

Trend Micro

Neutrino, RIG, Sundown, Angler, and Nuclear (the latter two no longer active) — there are a variety of exploit kits out there, but when it comes down to it, there are really only two things that differentiate exploit kit brands from each other:

  1. The exploits they use
  2. The tricks they utilize to hide or make their malicious files appear benign to security software

For example, one exploit kit may have exclusive access to a new Adobe Flash zero day because they know the hacker who authored it and are doing a deal with him for exclusivity, to boost their sales. Another exploit kit may specialize in only Microsoft Word exploits, or targeting Google Chrome. Like any product developer, they have specialties and business partnerships, all in the interest of delivering the best and most profitable product to their customers.

To stay in business, exploit kits need to be constantly updated. Not only do they need a continuous flow of new exploits to stay ahead of the competition, they also need a programmer with an in-depth understanding of the way security software works to stay ahead of getting caught. That person needs to continuously tinker with their website generator algorithm to keep the files they produce undetected.

It’s an endless game of cat and mouse perpetuated by the fact that the traditional, signature-based approach to security (like antivirus) is reactive — by the time security companies start having success detecting or blocking any one exploit kit attackers are already deploying new ones.

How to stop exploit kits

Traditional security solutions are short-term and short-lived. That’s because they’re limited very specifically to existing versions of known exploit kits only. For example, in order for antivirus to block or flag an exploit kit, a researcher will have had to find a sample of the kit active in the wild and create a unique signature for the kit that the antivirus program can add to a blacklist.

Once that kit is modified, however, that signature is no longer going to match. The reason that’s a big problem is that attackers are constantly making modifications to their files.

The only way to actually shut an exploit kit operation down is to:

  1. Patch the exploits that they use, rendering them useless.
  2. Arrest the programmers and business people who create, maintain, and market them (it may not be coincidence that the arrest of 50 Russian hackers in June was followed by the disappearance of the Angler EK).
  3. Shut down the individual instances of the exploit kits whenever they are found or add them to a blacklist.

3 things you can do to protect yourself now

how_to_protect_against_exploit_kits.jpg

The best way to make security improvements is to focus on the things you can control. Let’s start off with the first option from the list above:

1) Patch management: Since exploit kits rely on users running outdated and/or vulnerable software, one of the best ways to reduce your risk is by adopting a system of keeping everything patched and up-to-date. How easy or complicated that is depends on the size of your organization, along with a host of additional factors.

A good way to get started, however, is to make sure you’ve installed patches for the top 10 exploited vulnerabilities as identified in this year’s Verizon DBIR:

CVE-2001-0876, CVE-2011-0877, CVE-2002-0953, CVE-2001-0680, CVE-2012-1054, CVE-2015-0204, CVE-2015-1637, CVE-2003-0818, CVE-2002-0126, CVE-1999-1058

These vulnerabilities accounted for 85% of all successful exploit traffic in 2015, even though six of them were over 10 years old (one of them even dates back to 1999). It just goes to show, “If it ain’t broke, don’t fix it” is a hacker’s motto, too. Patch these vulnerabilities first, then develop a (preferably automated) way of searching for and deploying patches moving forward. 2) Educate your users: Since even legitimate mainstream websites can be infected by exploit kit campaigns it’s not reasonable to expect users to recognize when they’re in danger. In many cases, by the time they realize something isn’t right, it might be too late. That said, you can help them reduce their exposure to infected websites by teaching them how to spot suspicious emails and double-check any email links before they click. 3) Add another layer of endpoint security on top of antivirus: Instead of relying solely on antivirus products that are constantly playing catch-up every time a new version of an exploit kit gets created, consider adopting a behavior-based endpoint security solution like the one we’ve developed here at Barkly. We’ve designed Barkly to stop any type of malware by blocking it as soon as it tries to do anything malicious. That means an exploit kit can drop a new piece of malware that's never been seen before and Barkly can still stop it by watching and immediately reacting to its attempted behavior. Learn more about how it works in the video below:

Forrest Williams

Forrest Williams

Forrest is a Malware Research at Barkly with 7 years of malware analysis experience. He helps strengthen Barkly's protection by analyzing the malware threat landscape and designing protection algorithms to block malicious behaviors.

blocks-attack-grey-circle.svg

2017 Cybersecurity Checklist

Are you focusing on the right things to protect your company against the latest threats? Find out now.

Get my checklist

Comments

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.