This Is How They Hack You: The Murky World of Exploit Kits

Dann Albright 18-08-2015

If you pay attention to computer security news, you’ve probably heard exploit kits mentioned; “exploit kit infects millions,” “exploit kit used to defraud browsers,” “Adobe Flash zero-day spotted in exploit kit” . . . there are many more. But what is an exploit kit? Where do they come from? And how can they be stopped?


The Basics of Exploit Kits

Put simply, exploit kits are pieces of software that run on servers and look for vulnerabilities on the computers of people who visit the server. They’re designed to detect holes in the security of browsers, as well as plugins like Flash and Java. And they’re designed to be very easy to use—even a novice hacker wouldn’t have much of a problem getting one set up and running.

Once the exploit kit detects a vulnerability, it will take advantage of it to deliver a piece of malware; it could be a bot, spyware, a backdoor, or any other type of malware—this isn’t actually dependent on the exploit kit. So even if you hear about an exploit kit infecting a lot of computers, you still don’t know exactly what you might be dealing with.


There are a lot of exploit kits out there, but the most popular ones make up a very large portion of their use: Angler is by far the most popular, with Nuclear a distant second, according to the Sophos blog. Fiesta, Magnitude, FlashPack, and Neutrino were also popular until recently, when Angler started dominating the top spot.

The same report found that ransomware was the most common type of malware distributed by Angler, that Internet Explorer and Flash were the only two targets, and that they were attacked in almost equal measure.


Where Do Exploit Kits Come From?

Exploit kits are part of the cybercriminal world, a shadowy nether realm of the Internet generally familiar only to cybercriminals and security researchers. But the developers of these kits are increasingly coming out into the open; in July, Brian Krebs pointed out that Styx, an exploit kit, was being marketed on a public domain, and that they were even operating a 24-hour virtual help desk for paying customers. How much do these customers pay? $3,000 for the kit.

That’s a huge amount of money, but the creators of the kits are providing a huge service for their customers: these kits, if placed on the right servers, could easily infect hundreds of thousands of users, allowing a single person to run a worldwide malware operation with little effort. They even come with user interface panels—dashboards that make it easy to configure the software and get statistics for tracking the success of the kit.


Interestingly, the creation and maintenance of an exploit kit requires a lot of cooperation between criminals. Paunch, the creator of the Blackhole and Cool exploit kits, reputedly had $100,000 set aside to purchase information on vulnerabilities in browsers and plug-ins, according to Krebs. That money pays other cybercriminals for their knowledge of new vulnerabilities.


So how do people find out about exploit kits? As with many things in the criminal underworld, a lot of marketing is done by word-of-mouth: criminal forums, darknet sites, and so forth (though it’s becoming increasingly easy to find this sort of information with a Google search). But some cybercrime organizations are remarkably advanced: the Russian Business Network, a large cybercrime organization, supposedly used affiliate marketing to get its malware around the world.

Protecting Against Exploit Kits

FBI assistant legal attaché Michael Driscoll recently stated during a panel discussion at InfoSec 2015 that taking down the top 200 creators of exploit kits is one of the most significant challenges facing law enforcement. It’s a safe bet that enforcement agencies around the world will be dedicating a lot of resources to meeting this challenge.


But it’s not easy to stop the proliferation of exploit kits. Because they’re easily bought, used by a wide range of people on all sorts of servers around the world, and deliver different malware payloads, they present a constantly shifting target for the FBI and other organizations.


Finding the creators of these kits isn’t easy—it’s not as if you can just call the customer support number on the exploit kit’s website. And with the current worldwide concern over the surveillance powers of governments, getting access to people who could be using the kits isn’t always easy, either.

There was a major arrest in 2013, in which Paunch, the creator of Blackhole and Cool, was taken into custody by Russian officials. That was the last major arrest related to an exploit kit, though. So taking your security into your own hands is your best bet.


How do you do that? The same way you protect against most malware. Run your updates often, as exploit kits usually target vulnerabilities for which patches have already been released. Don’t ignore requests for security and operating system updates. Install a comprehensive anti-virus suite. Block pop-ups and disable the automatic loading of plugins in your browser settings. Double-check to make sure the URL of the page you’re on is one you’re expecting to see.


These are the basics of keeping yourself safe online, and they apply to exploit kits like they do anything else.
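The article makes two points that a defender can turn into a routine check: an exploit kit's server fingerprints the visiting browser from the request it sends, and it usually goes after versions for which a patch already exists. The script below is an added example (not from the article or from any product it mentions) that runs the same kind of fingerprinting over a few constructed proxy log lines to find clients still running an old browser. The log format, the User-Agent strings and the version floors are all constructed placeholders; real floors would come from your own patch baseline.

```python
"""Spot outdated browsers in web proxy logs by fingerprinting User-Agent
strings, the same signal an exploit kit's landing page uses to pick a
target. Added example with constructed data; not advisory data."""
import re
from typing import Dict, Optional, Tuple

# Constructed log lines in a simplified proxy format:
#   <client-ip> <url> "<user-agent>"
SAMPLE_LOG = """\
10.0.0.5 http://example.test/landing "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.6 http://example.test/ "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
10.0.0.7 http://example.test/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36"
10.0.0.8 http://example.test/ "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
"""

# Placeholder minimum versions (constructed, not taken from any advisory):
# a client below its floor is treated as "old enough to deserve a look".
VERSION_FLOOR = {"ie": (11,), "chrome": (44,)}

LOG_RE = re.compile(r'^(\S+)\s+(\S+)\s+"([^"]*)"$')


def fingerprint(ua: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Extract (browser, version tuple) from a User-Agent string.

    Handles both Internet Explorer forms ("MSIE x.y" and the
    "Trident/...; rv:11.0" form that IE 11 uses) and Chrome. Anything
    else returns None and is left alone by the caller.
    """
    m = re.search(r"MSIE (\d+)\.(\d+)", ua)
    if m:
        return "ie", (int(m.group(1)), int(m.group(2)))
    m = re.search(r"Trident/.*rv:(\d+)\.(\d+)", ua)
    if m:
        return "ie", (int(m.group(1)), int(m.group(2)))
    m = re.search(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)", ua)
    if m:
        return "chrome", tuple(int(g) for g in m.groups())
    return None


def outdated_clients(log_text: str) -> Dict[str, str]:
    """Map client IP -> 'browser version' for every client below its floor."""
    flagged: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ip, _url, ua = m.groups()
        fp = fingerprint(ua)
        if fp is None:
            continue  # browser we do not track
        browser, version = fp
        # Tuple comparison: (8, 0) < (11,) is True, (11, 0) < (11,) is False.
        if version < VERSION_FLOOR[browser]:
            flagged[ip] = f"{browser} {'.'.join(map(str, version))}"
    return flagged


if __name__ == "__main__":
    for ip, what in outdated_clients(SAMPLE_LOG).items():
        print(f"{ip}: {what} is below the patch floor")
```

On the constructed sample this flags 10.0.0.5 (IE 8) and 10.0.0.8 (Chrome 39) and leaves the two patched clients alone. The same loop works on plugin tokens such as a Flash or Java version if your proxy records them; the point is that anything the server can read from the request to choose an exploit, you can read from your own logs to find the machines that need updating first.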

Out of the Shadows

Though exploit kits are part of the shadowy world of cybercrime, they’re starting to come out into the open—for better and for worse. We hear more about them in the news, and we have a better idea of how to stay safe. But they’re also becoming easier to get a hold of. Until law enforcement agencies find a reliable way of prosecuting the creators and distributors of exploit kits, we’ll have to do what we can to protect ourselves.

Stay careful out there, and use common sense when browsing the Internet. Don’t go to questionable sites, and do what you can to stay on top of online security news. Run your updates, and use anti-virus software. Do that, and you won’t have much to worry about!

Have you been affected by Angler or another exploit kit? What do you do to keep yourself safe from malware online? Share your thoughts below!


  1. Sjeldon
    December 23, 2016 at 3:10 pm

    I have a Mac, and recently downloaded the free trial of Clam.xav, which came up with two instances (in f_02ddbf and f_02e7f6) of HTML.exploit.CVE_7288_1. Clam.xav offers no way to delete these two things. I discovered that these exploits are aimed at Microsoft Edge, which confuses me because the only Microsoft product I have is Microsoft Office 2011 and Silverlight. I use Chrome and Safari only. Can you explain what's going on and perhaps offer suggestions on what I should do about this? Thank you.

    • Dann Albright
      December 28, 2016 at 7:42 pm

      That's pretty weird; I'd download another antivirus app and run it to see what happens. I've heard conflicting things about Clam.xav, so try something else (I like Avira) and see what it tells you.

  2. Anonymous
    August 19, 2015 at 5:04 pm

    Good! :-)

    This is the part I like the most:

    "Stay careful out there, and use common sense when browsing the Internet. Don’t go to questionable sites, and do what you can to stay on top of online security news. Run your updates, and use anti-virus software. Do that, and you won’t have much to worry about!"

    Been teaching that for some 20 years now :-)

    • Dann Albright
      August 20, 2015 at 10:37 pm

      Yeah, that solves most problems that people have with malware. :-) I'd like to think that it's common sense, but it appears that it's just not. Keep teaching and maybe it will be!

  3. Anonymous
    August 18, 2015 at 1:24 pm

    Good informative article. Thank you :).

    • Dann Albright
      August 20, 2015 at 10:37 pm

      Very glad you liked it. Thanks for reading!

  4. Mihir Patkar
    August 18, 2015 at 1:16 pm

    This is my favorite article on MakeUseOf this month. What a wonderful, simple explanation of a complex concept. Thank you for writing this, Dann.

    • Dann Albright
      August 20, 2015 at 10:37 pm

      That's very high praise coming from you, Mihir! I'm really glad you liked it. I learned a lot researching this article . . . the black market hacking world is a new one to me. Fascinating place!