Exploit kits – the silent assassin

Exploit kits are automated malware-distribution toolkits sold or rented to criminals. They are built to exploit client-side vulnerabilities in order to infect computers with malware. Typically the exploits target the browser and the software that runs inside it, such as the Java Runtime Environment, Adobe Reader and Adobe Flash Player, and the malware is delivered as a drive-by download: the victim only has to load a web page. This week, for example, the NBC website was found serving the RedKit exploit kit, which downloaded the Citadel malware onto the computers of visitors to the NBC homepage and the Jay Leno page. Exploit kits are also used in Advanced Persistent Threats (APTs), a key cyber threat today.

Blackhole is currently the most notorious exploit kit, responsible for about two-thirds of all successful exploit-kit infections over the past year. It has been planted on hundreds of thousands of legitimate websites, from which it silently downloads malware onto the computers of visitors. The infection typically escapes detection by anti-virus software, and the user visiting the infected site sees nothing unusual. Blackhole, a Russian-coded exploit kit, has the following characteristics:

1. It targets a variety of client-side vulnerabilities in Adobe Reader, Adobe Flash Player and the Java Runtime Environment. The kit's landing page fingerprints the browser and its plugins on any computer navigating to the infected site and serves whichever exploit matches the versions it finds.

2. Auto-update. As new exploits become available they are added to the kit, so that they are instantly served from already-infected websites. The payload can also be updated, changing the malware downloaded onto the victim computer. Typical payloads include Citadel, Fake AV, Zeus, ZeroAccess and ransomware. The kit's landing pages and payloads are regenerated frequently, so signatures written against one sample quickly go stale.

3. A website can be made to serve an exploit kit through an advertising or affiliate scheme. Website owners often add third-party advertisements to their pages in return for payment. If an advertising network serves an advertisement carrying the kit's redirector (malvertising), every page that displays that advertisement delivers the exploit, even though the host site itself has not been hacked.

4. The code of Blackhole is obfuscated and encrypted. This makes analysis of the code by security organisations more difficult, and also prevents other exploit-kit writers from copying its methods.

5. Management console. This gives the criminal summaries of successful infections by exploit, by operating system, by country and by affiliate partner. The console also works on tablets.

6. AV scanning. The payload delivered through the exploit can be pre-tested against popular antivirus scanners, so that it escapes detection at the time it is served.
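The drive-by infection described above leaves two typical artefacts in the HTML of a compromised or malvertised page: a hidden iframe that pulls in the kit's landing page, and an obfuscated inline script that writes such an iframe at run time. The following Python scanner, an added example and not code from this post, from Sophos or from any exploit kit, applies those two heuristics to fetched HTML. The sample pages, the landing-page domain (`landing.example.invalid`) and the size and obfuscation thresholds are all constructed for illustration, not published signatures.

```python
"""Heuristic scan of fetched HTML for drive-by download injections.

Added example: looks for a hidden iframe pointing at an exploit-kit landing
page and for inline scripts that decode themselves at run time. Thresholds,
patterns and the sample pages are assumptions chosen for this illustration.
"""
import re
from html.parser import HTMLParser

# Constructed sample: a page into which a redirector has been injected
# (eval(unescape(...)) writes an iframe; a second iframe is hidden outright).
INJECTED_PAGE = """<html><head><title>News</title>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%27%29'));</script>
</head><body>
<h1>Tonight's show</h1>
<iframe src="http://landing.example.invalid/main.php?page=abc123" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""

# Constructed sample: an ordinary page with a visible embedded player.
CLEAN_PAGE = """<html><head><title>News</title></head><body><h1>Tonight's show</h1>
<iframe src="https://player.example.invalid/embed" width="640" height="360"></iframe>
</body></html>"""

# Run-time decoding constructs commonly used by injected redirectors.
OBFUSCATION_PATTERNS = [
    (r"eval\s*\(\s*unescape\s*\(", "eval(unescape(...))"),
    (r"String\.fromCharCode\s*\(", "String.fromCharCode"),
    (r"(?:%[0-9a-fA-F]{2}){20,}", "long percent-encoded string"),
    (r"(?:\\x[0-9a-fA-F]{2}){20,}", "long \\x-escaped string"),
]


def _to_int(value):
    """Parse an attribute such as '0' or '640px'; None if not numeric."""
    try:
        return int(value.strip().rstrip("px"))
    except (ValueError, AttributeError):
        return None


class DriveByScanner(HTMLParser):
    """Collects hidden iframes and obfuscated inline scripts as findings."""

    def __init__(self):
        super().__init__()
        self.findings = []          # list of (kind, detail, evidence)
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)      # HTMLParser lower-cases attribute names
        if tag == "iframe":
            self._check_iframe(attr_map)
        elif tag == "script":
            self._in_script = True
            self._script_text = []

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._check_script("".join(self._script_text))

    def _check_iframe(self, attr_map):
        src = attr_map.get("src", "")
        style = attr_map.get("style", "").replace(" ", "").lower()
        reasons = []
        for dim in ("width", "height"):
            size = _to_int(attr_map.get(dim, ""))
            if size is not None and size <= 1:      # 0x0 or 1x1 frame
                reasons.append(f"{dim}={size}")
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append(("hidden_iframe", src, ", ".join(reasons)))

    def _check_script(self, text):
        for pattern, label in OBFUSCATION_PATTERNS:
            if re.search(pattern, text):
                self.findings.append(("obfuscated_script", label, text[:60]))
                break                               # one finding per script


def scan_html(html):
    """Return findings as (kind, detail, evidence) tuples; empty means clean."""
    scanner = DriveByScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page))
```

These are heuristics, not proof: legitimate pages use tiny tracking iframes and minified scripts too, so in practice a hit is a trigger for fetching and sandboxing the iframe target rather than a verdict, and the iframe `src` is the indicator worth sharing with proxy and DNS logs.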

Blackhole is rented to criminals who want to infect computers and carry out cyber crime. It does the hard work for them, delivering the malware payload to its destination, the victim's computer. Other customers are intent on cyber espionage. Licences are sold for 1 year, 6 months or 3 months, and updates to the code are provided free during the rental period. Spam campaigns are used to drive traffic to websites infected with the exploit kit.

More detail on Blackhole is in this excellent Sophos document.

Exploit kits, along with Advanced Persistent Threats (APTs), Advanced Volatile Threats (AVTs), drive-by downloads, key logging, spear phishing, and botnets, are central characteristics of the IT security threat landscape today.
