If you pay attention to computer security news, you’ve probably heard exploit kits mentioned; “exploit kit infects millions,” “exploit kit used to defraud browsers,” “Adobe Flash zero-day spotted in exploit kit” . . . there are many more. But what is an exploit kit? Where do they come from? And how can they be stopped?
The Basics of Exploit Kits
Put simply, exploit kits are pieces of software that run on servers and look for vulnerabilities on the computers of people who visit the server. They’re designed to detect holes in the security of browsers, as well as plugins like Flash and Java. And they’re designed to be very easy to use—even a novice hacker wouldn’t have much of a problem getting one set up and running.
Once the exploit kit detects a vulnerability, it will take advantage of it to deliver a piece of malware; it could be a bot, spyware, a backdoor, or any other type of malware—this isn’t actually dependent on the exploit kit. So even if you hear about an exploit kit infecting a lot of computers, you still don’t know exactly what you might be dealing with.
There are a lot of exploit kits out there, but a handful of popular ones account for most of the activity: Angler is by far the most popular, with Nuclear a distant second, according to the Sophos blog. Fiesta, Magnitude, FlashPack, and Neutrino were also popular until recently, when Angler started dominating the top spot.
The same report found that ransomware was the most common type of malware distributed by Angler, that Internet Explorer and Flash were the only two targets, and that they were attacked in almost equal measure.
Where Do Exploit Kits Come From?
Exploit kits are part of the cybercriminal world, a shadowy nether realm of the Internet generally familiar only to cybercriminals and security researchers. But the developers of these kits are increasingly coming out into the open; in July, Brian Krebs pointed out that Styx, an exploit kit, was being marketed on a public domain, and that they were even operating a 24-hour virtual help desk for paying customers. How much do these customers pay? $3,000 for the kit.
That’s a huge amount of money, but the creators of the kits are providing a huge service for their customers: these kits, if placed on the right servers, could easily infect hundreds of thousands of users, allowing a single person to run a worldwide malware operation with little effort. They even come with user interface panels—dashboards that make it easy to configure the software and get statistics for tracking the success of the kit.
Interestingly, the creation and maintenance of an exploit kit requires a lot of cooperation between criminals. Paunch, the creator of the Blackhole and Cool exploit kits, reputedly had $100,000 set aside to purchase information on vulnerabilities in browsers and plug-ins, according to Krebs. That money pays other cybercriminals for their knowledge of new vulnerabilities.
So how do people find out about exploit kits? As with many things in the criminal underworld, a lot of marketing is done by word-of-mouth: criminal forums, darknet sites, and so forth (though it’s becoming increasingly easy to find this sort of information with a Google search). But some cybercrime organizations are remarkably advanced: the Russian Business Network, a large cybercrime organization, supposedly used affiliate marketing to get its malware around the world.
Protecting Against Exploit Kits
FBI assistant legal attaché Michael Driscoll recently stated during a panel discussion at InfoSec 2015 that taking down the top 200 creators of exploit kits is one of the most significant challenges facing law enforcement. It’s a safe bet that enforcement agencies around the world will be dedicating a lot of resources to meeting this challenge.
But it’s not easy to stop the proliferation of exploit kits. Because they’re easily bought, used by a wide range of people on all sorts of servers around the world, and deliver different malware payloads, they present a constantly shifting target for the FBI and other organizations to aim at.
Finding the creators of these kits isn’t easy—it’s not as if you can just call the customer support number on the exploit kit’s website. And with the current worldwide concern over the surveillance powers of governments, getting access to people who could be using the kits isn’t always easy, either.
There was a major arrest in 2013, in which Paunch, the creator of Blackhole and Cool, was taken into custody by Russian officials. That was the last major arrest related to an exploit kit, though. So taking your security into your own hands is your best bet.
How do you do that? The same way you protect against most malware. Run your updates often, as exploit kits usually target vulnerabilities for which patches have already been released. Don’t ignore requests for security and operating system updates. Install a comprehensive anti-virus suite. Block pop-ups and disable the automatic loading of plugins in your browser settings. Double-check to make sure the URL of the page you’re on is one you’re expecting to see.
These are the basics of keeping yourself safe online, and they apply to exploit kits like they do anything else.
Out of the Shadows
Though exploit kits are part of the shadowy world of cybercrime, they’re starting to come out into the open—for better and for worse. We hear more about them in the news, and we have a better idea of how to stay safe. But they’re also becoming easier to get hold of. Until law enforcement agencies find a reliable way of prosecuting the creators and distributors of exploit kits, we’ll have to do what we can to protect ourselves.
Stay careful out there, and use common sense when browsing the Internet. Don’t go to questionable sites, and do what you can to stay on top of online security news. Run your updates, and use anti-virus software. Do that, and you won’t have much to worry about!
Have you been affected by Angler or another exploit kit? What do you do to keep yourself safe from malware online? Share your thoughts below!