Exploit kits are now responsible for the majority of malware infections across the world, representing a serious threat to computing systems and data.
An exploit kit is simply an off-the-shelf cyber crime bundle that can be used by people without expert technical hacking skills to identify software vulnerabilities and mount attacks. This typically involves executing malicious code on the target system with various objectives in mind, but revenue generation and information theft are the principal motivators.
In short, exploit kits make hacking easy. It is the difference between having to understand internet protocols and the code needed to put up a website back in the early 1990s, compared with pointing and clicking to post to Facebook today.
The most recent infamous example of an exploit kit put to widespread and damaging use was Blackhole, which heads a list that also includes Crimepack, Eleonore, Neosploit and Phoenix. An advertisement for the latest version of Blackhole was posted on an underground forum, and some kits even offer technical support.
Exploit kits represent the commoditisation of hacking for malicious intent with minimal visibility and traceability. The posting of exploit kits on the internet is like handing out grenade launchers to criminals with minimal technical skills.
Typically, exploit kits rely on web browsers as their principal vector of attack. A browser may be directed to a web server hosting an exploit kit via spammed emails containing links, or via hijacked legitimate web servers that redirect the browser on to the server hosting the kit.
Once the browser reaches the malicious server and requests a page – which may be via a chain of further intermediary servers to obscure the final location – the process of target identification is performed by the exploit kit.
This is a crucial step, as software components and their versions running on the target system can be identified for cross-referencing against packaged exploits held by the server. The operating system and browser, along with the presence of installed plug-ins such as Java, Adobe Reader or Adobe Flash, are identified and this information is used to determine which exploit has the highest chance of success.
If the exploit is successful, the targeted software component will then proceed to download the malicious executable and launch it, infecting the system with the malware of choice. The technical mechanism used by the exploit depends on the software component under attack and the nature of the vulnerability.
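The infection chain described above (a redirect through one or more intermediary hosts to a landing page, a plug-in payload such as a Java archive, PDF or Flash file, then an executable download) is the pattern a defender can look for in web proxy logs. The following is an added example, not code from the article or from Context; it reconstructs per-client request chains by following referer headers over a constructed, simplified log format and flags chains that match that pattern. The log layout, host names and MIME types are assumptions made for the example.

```python
# Added example (not from the article): flag exploit-kit style infection chains in
# constructed proxy log lines. Format per line (assumed, space separated):
#   time client requested_url referer_url_or_dash mime_type
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log. Client 10.1.1.5 is redirected from a legitimate news site,
# via an ad host, to a landing page that serves a Java archive and then an executable.
# Client 10.1.1.9 downloads a PDF and an installer with no redirect chain behind them.
SAMPLE_LOG = """\
10:00:01 10.1.1.5 http://news.example.org/story.html - text/html
10:00:02 10.1.1.5 http://ads.example.net/r.php?id=7 http://news.example.org/story.html text/html
10:00:03 10.1.1.5 http://landing.example.biz/index.php http://ads.example.net/r.php?id=7 text/html
10:00:04 10.1.1.5 http://landing.example.biz/pay.jar http://landing.example.biz/index.php application/java-archive
10:00:05 10.1.1.5 http://landing.example.biz/load.php?e=1 http://landing.example.biz/pay.jar application/x-msdownload
10:00:07 10.1.1.9 http://docs.example.org/manual.pdf http://docs.example.org/index.html application/pdf
10:00:08 10.1.1.9 http://update.example.org/setup.exe http://docs.example.org/download.html application/x-msdownload
"""

PLUGIN_TYPES = {"application/java-archive", "application/pdf", "application/x-shockwave-flash"}
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream"}

def parse_log(text):
    """Parse the assumed log format into a list of request dicts."""
    rows = []
    for line in text.splitlines():
        ts, client, url, referer, mime = line.split()
        rows.append({"ts": ts, "client": client, "url": url,
                     "referer": None if referer == "-" else referer, "mime": mime})
    return rows

def find_exploit_chains(rows):
    """Return {client: [distinct hosts in order]} for chains matching the kit pattern:
    at least two distinct hosts before the download, a plug-in payload in between,
    and an executable at the end."""
    by_client = defaultdict(dict)          # client -> {url: request}
    for r in rows:
        by_client[r["client"]][r["url"]] = r
    hits = {}
    for client, requests in by_client.items():
        for r in requests.values():
            if r["mime"] not in EXEC_TYPES:
                continue
            chain, cur, seen = [], r, set()  # walk referers back from the download
            while cur and cur["url"] not in seen:
                seen.add(cur["url"])
                chain.append(cur)
                cur = requests.get(cur["referer"]) if cur["referer"] else None
            chain.reverse()
            hosts = [urlsplit(c["url"]).netloc for c in chain]
            plugin_seen = any(c["mime"] in PLUGIN_TYPES for c in chain[:-1])
            if plugin_seen and len(set(hosts[:-1])) >= 2:
                hits[client] = list(dict.fromkeys(hosts))
    return hits

if __name__ == "__main__":
    print(find_exploit_chains(parse_log(SAMPLE_LOG)))
```

The benign client is not flagged because its PDF and installer requests are not linked by referer into a redirect chain that passes through a plug-in payload.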
Notably, the majority of recent successful exploitations have been through Java browser plug-ins; but exploit vectors are in continuous flux and depend on the speed with which discovered vulnerabilities are fixed by the vendor and patched on end-user systems.
The growth in the use of exploit kits is largely down to their ability to target software vulnerabilities on a large scale and their ease of use among a non-technical audience. It is also due in part to their widespread availability on the black market for a small cost, or even for free on file sharing networks.
As long as vendors continue to ship vulnerable software and are slow to patch and update systems, the use of exploit kits will remain a fundamental problem and will continue to evolve.
Thus, mitigation advice is the same as ever. End-users and system administrators should update vulnerable software components as soon as patches are made available by vendors. A system should be in place to automate this, and an approach of defence in depth should be adopted.
Yet the source of the problem is ultimately in the insecure coding practices and insufficient testing procedures of software vendors in the first place. So, perhaps the key to cracking this problem lies more in incentivising them to change and improve their practices.
Kevin O'Reilly is lead consultant at Context Information Security