An exploit kit is a tool used for automatically managing and deploying exploits against a target computer. Exploit kits allow attackers to deliver malware without having advanced knowledge of the exploits being used. Browser exploits are typically used, although they may also include exploits targeting common software, such as Adobe Reader, or the operating system itself. Most kits are written in PHP.
Exploit kits are often sold on the black market, both as standalone kits and as a service.
History
Some of the first exploit kits were WebAttacker and MPack, both created in 2006. They were sold on black markets, enabling attackers to use exploits without advanced knowledge of computer security.
The Blackhole exploit kit was released in 2010, and could either be purchased outright or rented for a fee. Malwarebytes stated that Blackhole was the primary method of delivering malware in 2012 and much of 2013. After the arrest of the authors in late 2013, use of the kit sharply declined.
Neutrino was first detected in 2012, and was used in a number of ransomware campaigns. It exploited vulnerabilities in Adobe Reader, the Java Runtime Environment, and Adobe Flash.
Following a joint operation between Cisco Talos and GoDaddy to disrupt a Neutrino malvertising campaign, the authors stopped selling the kit, deciding to only provide support and updates to previous clients. Despite this, development of the kit continued, and new exploits were added. As of April 2017, Neutrino activity ceased. On June 15, 2017, F-Secure tweeted "R.I.P. Neutrino exploit kit. We'll miss you (not)." with a graph showing the complete decline of Neutrino detections.
From 2017 onwards, the usage of exploit kits has dwindled. There are a number of factors which may have caused this, including arrests of cybercriminals, improvements in security making exploitation harder, and cybercriminals turning to other methods of malware delivery, such as Microsoft Office macros and social engineering.
Overview
Exploitation process
The general process of exploitation by an exploit kit is as follows:
# The victim navigates to a website infected by an exploit kit. Links to infected pages can be spread via spam, malvertising, or by compromising legitimate sites.
# The victim is redirected to the landing page of the exploit kit.
# The exploit kit determines which vulnerabilities are present, and which exploit to deploy against the target.
# The exploit is deployed. If successful, a payload of the attacker's choosing (i.e. malware) can then be deployed on the target.
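The four-stage chain above (compromised site, redirect to a landing page, plugin exploit, payload download) is something a defender can look for in web proxy logs. The following Python detector is an added example, not part of the original article; the log format, the hostnames and the content-type lists are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log (not real traffic): ts client method url status content_type referrer
LOG = """\
1 10.0.0.5 GET http://news.example.org/story 200 text/html -
2 10.0.0.5 GET http://cdn-ads.example.net/ad.js 302 text/html http://news.example.org/story
3 10.0.0.5 GET http://land.example.biz/index.php 200 text/html http://cdn-ads.example.net/ad.js
4 10.0.0.5 GET http://land.example.biz/f.swf 200 application/x-shockwave-flash http://land.example.biz/index.php
5 10.0.0.5 GET http://land.example.biz/payload.exe 200 application/octet-stream http://land.example.biz/index.php
6 10.0.0.7 GET http://news.example.org/story 200 text/html -
7 10.0.0.7 GET http://static.example.org/logo.swf 200 application/x-shockwave-flash http://news.example.org/story
"""

# Content served to the plugins the article names (Flash, Java, Adobe Reader) and typical payload types.
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive", "application/pdf"}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}

def parse_line(line):
    ts, client, _method, url, status, ctype, referrer = line.split()
    return {"ts": int(ts), "client": client, "url": url, "status": int(status),
            "ctype": ctype, "referrer": referrer}

def host(url):
    return urlparse(url).netloc if url != "-" else ""

def find_exploit_kit_chains(log_text):
    """Return [(client, landing_host)] for clients that were redirected cross-site to a host
    which then served plugin content and an executable download from the same host."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            by_client[e["client"]].append(e)
    hits = []
    for client, events in by_client.items():
        # URLs that answered with a 3xx: the redirect hop in stage 2 of the chain.
        redirectors = {e["url"] for e in events if 300 <= e["status"] < 400}
        stages = defaultdict(set)  # landing host -> set of stages observed
        for e in events:
            h, ref_host = host(e["url"]), host(e["referrer"])
            if e["referrer"] in redirectors and ref_host and ref_host != h:
                stages[h].add("landing")          # arrived via a redirect from another domain
            if e["ctype"] in EXPLOIT_TYPES and ref_host == h:
                stages[h].add("exploit")          # plugin content served by the landing host
            if e["ctype"] in PAYLOAD_TYPES and ref_host == h:
                stages[h].add("payload")          # executable fetched from the landing host
        hits += [(client, h) for h, s in stages.items() if s >= {"landing", "exploit", "payload"}]
    return hits
```

The second client fetches a Flash file directly from a first-party site without a redirect hop, so it is not flagged; only the full chain produces a hit.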
Features
Exploit kits employ a variety of evasion techniques to avoid detection. Some of these techniques include obfuscating the code, and using fingerprinting to ensure malicious content is only delivered to likely targets.
Modern exploit kits include features such as web interfaces and statistics, tracking the number of visitors and victims.