A short history of the exploit kit

Dick O'Brien
Published in Threat Intel
5 min read · Sep 21, 2017

Threat Intel’s ‘History of…’ series will look at the origins and evolution of notable developments in cyber security.

There are many ways that malware and other unwelcome pests can get on to your computer but, in the past few years, the two biggest means of entry favored by cyber criminals have been email and exploit kits.

Email-borne threats are widely understood and most people now know that something nasty could be lurking in an email attachment. Exploit kits are probably not as widely understood.

Exploit kit operators create their own websites or attempt to hijack third-party websites to deliver their malware

So, what’s an exploit kit?

Exploit kits work by exploiting vulnerabilities in software in order to install malware. Exploit kit operators use self-created or hijacked third-party websites to deliver their wares, injecting malicious code into their pages. This code directs browsers to the servers hosting the exploit kit itself.

What happens then? The landing page will usually host code that “fingerprints” the visitor, attempting to identify what operating system, web browser and other software they are using, such as browser plugins. Based on that information, it will redirect the visitor to another page, hosting the most appropriate exploit for the victim’s computer. This exploit will then be used to attempt to deliver malware to their computer.

Exploit kit operators often compromise legitimate websites and redirect visitors to their servers

Generally speaking, an exploit kit will incorporate a range of different exploits, most of which will target vulnerabilities in commonly used operating systems, web browsers, or browser plugins, such as Adobe Flash. The most successful exploit kits will regularly shuffle their deck of exploits, swapping out exploits of older vulnerabilities in favor of newer ones. Exploit kit operators will inevitably favor recently patched vulnerabilities, relying on the fact that a good proportion of potential victims may not have kept their software up-to-date (don’t say you weren’t warned!). On some occasions, exploit kits will even run exploits of zero-day vulnerabilities, that is, previously unknown vulnerabilities that have yet to be patched by the software vendor.
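The infection chain described above (compromised legitimate site, then a landing page on a previously unseen host, then plugin content such as Flash, then a binary payload) leaves a recognisable sequence in web proxy logs. The following is an added defensive example, not code from the original article or from Symantec, that reconstructs that sequence per client from constructed sample log lines; the log format, host names and allow-list are assumptions for illustration.

```python
"""Flag exploit-kit style redirect chains in (constructed) web proxy logs."""
from collections import defaultdict

# Constructed sample log lines: client_ip referrer_host url content_type
SAMPLE_LOG = """\
10.0.0.5 - http://news.example.org/index.html text/html
10.0.0.5 news.example.org http://cdn-stats.example.net/land.php text/html
10.0.0.5 cdn-stats.example.net http://cdn-stats.example.net/fl.swf application/x-shockwave-flash
10.0.0.5 cdn-stats.example.net http://cdn-stats.example.net/get.php?id=3 application/octet-stream
10.0.0.7 - http://news.example.org/index.html text/html
10.0.0.7 news.example.org http://cdn.example.org/style.css text/css
"""

# Content types that typically indicate a plugin exploit stage and a payload stage
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/java-archive", "application/pdf"}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}


def parse(log):
    """Yield (client_ip, referrer_host, request_host, content_type) per log line."""
    for line in log.splitlines():
        ip, ref, url, ctype = line.split()
        yield ip, ref, url.split("/")[2], ctype


def find_chains(log, known_hosts):
    """Return {client_ip: [referring_host, landing_host]} for clients whose
    session moves from a known site to an unknown host (landing page) that
    then serves plugin content followed by a binary payload."""
    sessions = defaultdict(list)
    for ip, ref, host, ctype in parse(log):
        sessions[ip].append((ref, host, ctype))
    suspicious = {}
    for ip, events in sessions.items():
        stage, chain = 0, []  # 0 none, 1 landed, 2 plugin content, 3 payload
        for ref, host, ctype in events:
            if stage == 0 and ref in known_hosts and host not in known_hosts and ctype == "text/html":
                stage, chain = 1, [ref, host]
            elif stage == 1 and host == chain[-1] and ctype in PLUGIN_TYPES:
                stage = 2
            elif stage == 2 and host == chain[-1] and ctype in PAYLOAD_TYPES:
                stage = 3
                break
        if stage == 3:
            suspicious[ip] = chain
    return suspicious


if __name__ == "__main__":
    print(find_chains(SAMPLE_LOG, {"news.example.org", "cdn.example.org"}))
```

A real deployment would replace the constructed allow-list with an organisation's own reputation or popularity data, and would alert on stage 1 or 2 as well, since the payload request may be blocked or served over HTTPS.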

Exploit kits first appeared just over 10 years ago, with groups such as Webattacker and MPack creating the template that was later perfected by a swarm of successors. At the time, web-based exploits were not a new thing. What was original was the way exploit kit creators packaged them together and sold them as a service to other cyber criminals, in some cases even offering technical support to customers.

The emergence of the exploit kit is a good example of how the cyber crime underground has evolved into specialist operations. Many attackers now don’t try to spread their wares themselves and instead pay a specialist to do it for them.

Rotating cast of shadowy characters

The exploit kit marketplace is best described as volatile, and features a constantly shifting cast of characters. Exploit kits with a dominant market share can disappear overnight, while new players can emerge to quickly fill the gap.

What’s the reason for this volatility? An effective exploit kit is a hot property on the cyber crime underground. Since you own one of the most potent malware distribution channels around, you’re effectively a gatekeeper for cyber criminals and can sell your services to the highest bidder. This has made some exploit kit operators incredibly wealthy, but has also put a big target on their backs for law enforcement agencies. A successful takedown would not only remove a cyber crime big fish, but would also disrupt anyone relying on the exploit kit for distribution.

A classic case in point is Paunch (or Dmitry Fedotov, as he was known to his family and friends). Paunch was the mastermind behind the Blackhole exploit kit, which first appeared in 2010. By the time he was arrested in 2013, he had more than 1,000 customers and was estimated to be earning around $50,000 per month from his activities, enough for him to drive a Porsche Cayenne.

According to an investigation by Russian security firm Group-IB, which assisted Russian police in arresting him, Paunch was earning so much from his business that he was able to reinvest some of the profits by buying new zero-day vulnerabilities from a broker, who in turn was offering up to $200,000 for anyone wishing to sell them. By 2012, Paunch had branched out and launched a second product: the Cool exploit kit, which was marketed as a “premium” product and cost more, but came with more effective vulnerabilities.

“Paunch” was earning up to $50,000 per month from the Blackhole exploit kit. Image via Group-IB

Three years after his arrest, Paunch was sentenced to seven years in a Russian penal colony. The Russian Interior Ministry estimated that he and his associates earned more than $2.3 million from their activities. How much their customers made is unknown, but likely multiples of this figure.

One of the most recent examples of an exploit kit suddenly going offline was Angler, which disappeared in June 2016. For a time, it was one of the exploit kits most widely used by malware groups, such as the ransomware families TeslaCrypt and CryptXXX, and the financial Trojan Snifula. What happened to Angler remains a mystery, but it might be related to the arrest of 50 people in Russia accused of involvement in the Lurk banking fraud group. Immediately afterwards, Angler and several cyber crime operations, including Dridex and Locky, went offline. While Dridex and Locky reappeared, Angler has not been seen since.

The most recent major operator to go dark was Neutrino, which was for a short while one of the most widely used exploit kits, before it disappeared completely in April 2017.

Brief ebb or permanent decline?

The number of exploit kits going offline over the past year or two has had a material impact on overall trends. During 2016, Symantec saw a 60 percent decrease in exploit kit detections and we did wonder if they were beginning to go out of fashion, with many attackers seeming to favor email as their main distribution channel.

On the evidence of recent months, we’re not so sure. Overall web attack activity (which includes exploit kits) began to rise again from May onward, and a number of exploit kits have been highly active, most notably the RIG exploit kit. It’s fair to say that the exploit kit can’t be written off just yet.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.
