Tuesday, August 11, 2015

Exploit Kits in August 2015

People, including students and security professionals, often ask me about exploit kits (EKs). EKs play a fundamental role in today's malware propagation because they are built to deliver content through vulnerabilities. The aim of an EK is to exploit a target client machine through well known, or sometimes "less known", vulnerabilities, which usually target browsers, the Java Runtime Environment, Adobe products and commonly used applications including (but not limited to) media players, visualisation utilities, Microsoft Office documents and so on. A key characteristic of an exploit kit is the ease with which it can be used even by attackers who are not IT or security experts. The attacker doesn't need to know how to create exploits to benefit from infecting systems. Further, an exploit pack typically provides a user-friendly web interface that helps the attacker track the infection campaign. Some exploit kits offer capabilities for remotely controlling the exploited system, allowing the attacker to build an Internet crimeware platform for further malicious activities.

The following table (from contagiodump) keeps track of most of the known exploit kits out there, together with the vulnerabilities each of them exploits.

Exploit kit table, credits to Contagio Data

As you can see from Sally's work, many vulnerabilities are covered by most of the exploit kits, but not all of them, so depending on the administration console (which almost every EK gives to attackers) and, most important, on the target system, the attacker can choose between several EKs. While several exploit kits are available nowadays, only a subset of them is widely used. As described in this post from MalwareBytes, the most used EKs are shown in the following picture.


Exploit Kits from MalwareBytes analysis.

You are probably wondering how the EK infection process works. A nice piece of work by TrendMicro explains the 4-stage infection chain in a simple view.


4 stage EKs infection chain by TrendMicro

Contact is the beginning of the infection, where an attacker attempts to make people access the link of an exploit kit server. Contact is often made through spammed email, where recipients are tricked into clicking a link through social engineering lures.

Traffic redirection refers to the capability of the exploit kit operator to screen victims based on certain condition sets. This is done through a traffic direction system (TDS), such as SutraTDS or KeitaroTDS, which aggregates and filters the redirected traffic before it reaches the exploit kit server.

Once users have been tricked into clicking the link to an exploit kit server in the contact stage and have passed the filtering of the redirect stage, they are directed to the exploit kit's landing page. The landing page is responsible for profiling the client environment and for determining which vulnerabilities should be used in the ensuing attack.
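The three stages above leave a trace in web proxy logs: a chain of cross-domain redirects (contact site, TDS, landing page) ending in a request for plugin content such as Flash or Java. The following script is an added defender-side example, not code from the original post or from TrendMicro: it reconstructs referer chains per client from constructed sample log lines and flags the ones whose shape matches the infection chain. The log format, the hostnames and the list of plugin content types are assumptions for this example.

```python
"""Reconstruct cross-domain redirect chains from proxy logs and flag
Contact -> TDS -> landing page -> plugin content sequences.

Hypothetical example for this post; the log format and hostnames below
are constructed, not taken from any real campaign.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional
from urllib.parse import urlsplit

# Plugin content types that an EK landing page typically pulls in after
# profiling the client (assumed list for this example).
EXPLOIT_CONTENT_TYPES = {
    "application/x-shockwave-flash",
    "application/java-archive",
    "application/x-silverlight-app",
}

# Constructed sample log, one request per line:
# "<timestamp> <client-ip> <url> <referer-or-dash> <content-type>"
SAMPLE_LOG = """\
2015-08-11T10:00:01 10.0.0.5 http://news.example/article - text/html
2015-08-11T10:00:02 10.0.0.5 http://ads.example/click?id=7 http://news.example/article text/html
2015-08-11T10:00:03 10.0.0.5 http://tds.example/go.php http://ads.example/click?id=7 text/html
2015-08-11T10:00:04 10.0.0.5 http://landing.example/index.php http://tds.example/go.php text/html
2015-08-11T10:00:05 10.0.0.5 http://landing.example/flash.swf http://landing.example/index.php application/x-shockwave-flash
2015-08-11T10:00:06 10.0.0.9 http://intranet.example/home - text/html
2015-08-11T10:00:07 10.0.0.9 http://cdn.example/app.js http://intranet.example/home application/javascript
"""


@dataclass
class Request:
    ts: datetime
    client: str
    url: str
    referer: Optional[str]
    ctype: str


def parse_log(text: str) -> List[Request]:
    """Parse the simplified log format above into Request records."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer, ctype = line.split()
        requests.append(Request(datetime.fromisoformat(ts), client, url,
                                None if referer == "-" else referer, ctype))
    return requests


def build_chains(requests: List[Request], window_seconds: int = 60) -> List[List[Request]]:
    """For every request, return the chain of requests leading to it.

    A request is linked to the most recent earlier request by the same
    client whose URL equals its Referer, provided it happened within
    `window_seconds`; otherwise it starts a new chain.
    """
    by_client = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.ts):
        by_client[r.client].append(r)

    chains = {}  # id(request) -> chain from the root request to it
    for reqs in by_client.values():
        latest_by_url = {}
        for r in reqs:
            parent = latest_by_url.get(r.referer) if r.referer else None
            if parent is not None and (r.ts - parent.ts).total_seconds() <= window_seconds:
                chains[id(r)] = chains[id(parent)] + [r]
            else:
                chains[id(r)] = [r]
            latest_by_url[r.url] = r
    return list(chains.values())


def flag_chains(chains: List[List[Request]], min_hosts: int = 3):
    """Return (client, host sequence) for chains that cross at least
    `min_hosts` distinct hosts and end in a plugin content download."""
    flagged = []
    for chain in chains:
        hosts = []
        for r in chain:
            host = urlsplit(r.url).hostname
            if not hosts or hosts[-1] != host:  # collapse same-host hops
                hosts.append(host)
        if len(hosts) >= min_hosts and chain[-1].ctype in EXPLOIT_CONTENT_TYPES:
            flagged.append((chain[-1].client, hosts))
    return flagged


def analyse(text: str = SAMPLE_LOG):
    return flag_chains(build_chains(parse_log(text)))


if __name__ == "__main__":
    for client, hosts in analyse():
        print(client, " -> ".join(hosts))
```

The host count threshold and the time window are the two knobs worth tuning: legitimate ad networks also produce multi-hop redirects, so in practice the flagged chains are a triage queue to enrich with reputation data rather than an alert on their own.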

In line with the TrendMicro research (except for SweetOrange), I observe the following EKs in almost the same ranking in my current cyber attack detections.

Most used Exploit Kits
Like malware, exploit kits are in continuous development, and day by day we observe new variants, improved evasion techniques and newly integrated exploits. Be aware that those kits make malware propagation really simple (well, I didn't say easy), so watch out for your apps!