Exploit kits have been around for years and cybercriminals are constantly working to make them better and faster at taking advantage of security vulnerabilities so they can infiltrate computing devices to do all sorts of nasty things. The sophistication at which exploit kits now operate at is alarming. Today, we take a look at just what modern exploit kits are capable of and steps individuals and organisations can take to avoid falling victim to them.
Virus alert image from Shutterstock
Together, Dell and subsidiary SonicWall have around 1 million security sensors in over 200 countries and territories. It has combined the data collected from those sensors with shared threat intelligence from more than 50 industry collaboration groups and research organisations to compile the 2015 Dell Security Annual Report.
In 2015 alone, Dell and SonicWall blocked 2.17 trillion Intrusion prevention system (IPS) attacks and 8.19 billion malware. The pair saw a 73 per cent increase in unique malware samples compared to 2014.
One of the interesting things Dell and SonicWall observed was the efficiency of exploit kits, pre-packaged software that can be used to infiltrate computers and servers and take advantage of vulnerabilities automatically. Cybercriminals are spoilt for choice when it comes to exploit kits. There are countless kits available on the black market and they can even adapt themselves to exploit zero-day vulnerabilities. It’s a lucrative business; one exploit kit can earn its developer up to $50,000 per day and some have been created to be used as software-as-a-service (SaaS).
According to the report, the most popular exploit kits used in 2015 were:
- Angler: Easily used by attackers with little technical knowledge. A versatile kit that has been used to spread a wide range of malware, including ransomware.
- Nuclear: Can be deployed in a variety of ways and was known to be able to exploit a vulnerability in Adobe Flash Player
- Magnitude: Linked to attacks against PHP.net and Yahoo.
- Rig: Recently been implicated in the distribution of various ransomware including Cryptowall and other Cryptolocker variants
Dell and SonicWall identified a few trends that emerged in the exploit kit space and noticed that these software packages are becoming smarter, using anti-forensic and advanced methods to evade detection by security systems. For example, the Spartan exploit kit was able to avoid being detected by encrypting its initial code and generating its exploitative code in the RAM and never on the actual hard disk of a computer or server.
Nuclear used URL pattern changes to confuse antivirus software and firewalls.
“It was also common for kits to check for antivirus software or virtual environments, such as VMware or Virtual Box, and to modify their code accordingly for higher success rates”, Dell and SonicWall said in the report.
So how can you or your organisation protect yourselves against exploit kits? To answer this, you must understand that an exploit kit attack can only wreak havoc on your device under certain conditions: either you’ve visited or been redirected to a website that is hosting an exploit kit or if your device doesn’t have the latest patches that closes the vulnerabilities that can be exploited.
“So to evade attacks from exploit kits, a user would need to avoid providing at least one (and preferably both) of these ‘openings’ for attack,” according to a blog by security vendor F-Secure. “There are various steps you can take when surfing online to avoid encountering exploit kits. For example, website security rating services help users avoid known malicious or compromised websites, while script blocking software and antivirus programs prevent malware from redirecting the browser to an unsolicited site.
“More concretely, users can render exploits pointless by removing their intended target and closing the flaw in a vulnerable program with a security patch issued by the program’s vendor. Users are strongly urged to install security patches for any software installed on their computers or devices as soon as they are released.”