Around this time in 2013, the most commonly used exploit kit – the Blackhole Exploit Kit – was shut down after its creator, Paunch, was arrested by law enforcement. Since then, a variety of exploit kits has emerged and have been used by cybercriminals.
The emergence of so many replacements has also meant that there are now some key technical differences between these various exploit kits. In this post, we shall go over some of these differences.
Exploits targeting Internet Explorer, Silverlight, and Adobe Flash vulnerabilities were frequently used by exploit kits in the past year. The four vulnerabilities below were some of the most frequently targeted by exploit kits:
- CVE-2013-0074 (Silverlight)
- CVE-2014-0515 (Adobe Flash)
- CVE-2014-0569 (Adobe Flash)
- CVE-2014-2551 (Internet Explorer)
The most notable change in this list is the relative absence of Java vulnerabilities. Exploit kits have been removing Java because of the increasing use of click-to-play for Java applets, rendering Java a far less attractive target for exploits.
The tables below shows which exploits are in use by exploit kits:
Table 1. Exploits used by various exploit kits
(Click thumbnail to enlarge)
Almost all exploit kits run some sort of software that detect the browser platform a would-be victim is running in order to determine which exploit to send to the user.
The code necessary to do this varies from one exploit kit to another, and is actually fairly complex due to the number of permutations of browsers and plugins that are possible.
By contrast, most exploit kits write their own library to perform this task. This makes detection harder, but it also reduces the capabilities of the libraries. Many of these libraries, for example, will only function under Internet Explorer. The Magnitude exploit kit uses a third method – server-side code – to detect plugins.
The following table summarizes which libraries are used.
Table 2. Plug-in detection methods used
The following screenshot shows the PluginDetect library as used in exploit kits:
Figure 1. PluginDetect library in use
The following screenshot shows one of the custom libraries in use:
Figure 2. Custom library in use
A new feature that has been added to exploit kits is the ability to detect installed security software. If certain specific security products are installed, the exploit kit will stop itself from running. Both antivirus products and virtual machine software can be targeted in this manner.
This behavior is possible due to a vulnerability in Internet Explorer (CVE-2013-7331). This vulnerability allows an attacker to check for the presence of files and folders on an affected system. It was first reported to Microsoft in February 2014, but was only patched in September of the same year as part of MS14-052.
The following table summarizes the products that each exploit kit detects:
Table 3. Software products detected by exploit kits
Exploit kits regularly use various techniques to obfuscate their activity, but some exploit kits have added new techniques. In both of these cases, the attackers are using legitimate tools to obfuscate their files.
The Angler exploit kit now uses the Pack200 format to help avoid detection. Pack200 is a compactive archive format that was developed by Sun (Java’s original developers) to compress .JAR files significantly. Tools to uncompress these files are provided as part of the Java development kit, but many security products don’t support these formats (so they are unable to scan the said malicious file).
Figure 3. HTTP request and reply headers
When compressed, one can see that we do not encounter the “PK” header expected of standard Java files:
Figure 4. Binary examination of Java file
Meanwhile, Flash files are also being protected by the FlashPack and Magnitude exploit kits. These use a commercially available tool called DoSWF to hide their files. This tool was meant to allows developers to hide the ActionScript contents of their Flash file from people who would copy or pirate the contents. Unfortunately, this also works against security software, which are unable to decrypt the DoSWF encryption.
Figure 5. Code calling DoSWF in ActionScript
The chart below shows the monthly traffic (as measured in number of hits) we detected each month for various exploit kits. No one exploit kit dominated the market, with fierce competition leading to changes in the landscape. Magnitude, Angler, and Sweet Orange were the most frequently encountered kits throughout the entire year.
Figure 6. Traffic seen to various exploit kits
(Click thumbnail to enlarge)
Exploit kit developers have not been idle in the year since the collapse of the Blackhole exploit kit. They have made various improvements that help improve the capabilities of these tools.
The defenses against these tools on the part of users remains the same. We highly recommend that users implement all updates to their software as is practical, since many of the vulnerabilities targeted by attackers have long been fixed by software vendors.