DOCSLIB.ORG

Examining the Creation, Distribution, and Function of Malware On-Line

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Examining the Creation, Distribution, and Function of Malware On-Line The author(s) shown below used Federal funds provided by the U.S. Department of Justice and prepared the following final report: Document Title: Examining the Creation, Distribution, and Function of Malware On-Line Author: Bill Chu, Ph.D., Thomas J. Holt, Ph.D., Gail Joon Ahn, Ph.D. Document No.: 230111 Date Received: March 2010 Award Number: 2007-IJ-CX-0018 This report has not been published by the U.S. Department of Justice. To provide better customer service, NCJRS has made this Federally- funded grant final report available electronically in addition to traditional paper copies. Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice. This document is a research report submitted to the U.S. Department of Justice. This report has not been published by the Department. Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice. Examining the Creation, Distribution, and Function of Malware On-Line Award Number: 2007-IJ-CX-0018 Bill Chu, Ph. D. The University of North Carolina at Charlotte Thomas J. Holt, Ph. D. Michigan State University Gail Joon Ahn, Ph. D. Arizona State University This document is a research report submitted to the U. S. Department of Justice. Opinions or points of view expressed are those of the authors and do not reflect the official position or policies of the U. S. Department of Justice. 1 This document is a research report submitted to the U.S. Department of Justice. This report has not been published by the Department. Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice. Abstract The global adoption of the Internet and World Wide Web has engendered the growth of significant threats from computer criminals around the world. Computer crimes are costly, and many appear to be perpetrated by computer hackers in foreign countries, particularly Russia and Eastern Europe. These attackers often use malicious software, or malware, to automate attacks and enable multiple forms of cybercrime. Recently, a great deal of attention has been given to a new form of malware used by computer hackers called bots. This malware essentially takes over an infected computer, allowing it to receive commands remotely. Bots are also bought and sold in virtual markets operating out of Russia. Researchers have, however, only begun to explore the prevalence and origins of this form of malware and its potential as an attack tool. Thus, this study examined the social and technical aspects surrounding the creation, distribution, and use of bots through both a criminological and computer science examination of bots and malware. Specifically, 13 bots were captured in the wild and analyzed using honeynet technologies to determine their utility and function in a simulated computing environment. The findings suggest that these bots had a significant impact on system functionality by changing system protocols, including adding and removing files. The bots also attempted to connect to command and control IRC servers around the world, though the majority appeared to reside in the United States. Five of the bots were able to connect to a command and control channel and received commands to scan other systems online, participate in Denial of Service Attacks, infect another system, and open communication sessions with other computers. The creation and sale of bots and malware in the on-line black market were also examined using a sample of 909 threads collected from 10 publicly accessible web-forums in Eastern Europe and Russia. The findings suggest that a service economy has developed around 2 This document is a research report submitted to the U.S. Department of Justice. This report has not been published by the Department. Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice. the spread of bots, including distributed denial of service attack providers, spam distribution, and bulletproof web hosting. Malware is also available through these forums, such as trojan horse programs, encryption tools, and iframe malware uploading and downloading services. Credit card and identity documents were also readily available, along with hijacked ICQ numbers. In order to better understand the social dynamics of this market, the normative orders of this community were explored using grounded theory methodology. The results suggest that three interrelated norms shape the relationships between buyers and sellers: price, customer service, and trust. Price is critical as the cost of goods affect the likelihood that an individual would be able to compete in the market. Customer service reflects the quality of products available, discounts for volume purchases, and real time support to their customers. Finally, trust refers to the lack of regulation within the markets, increasing the risk of engaging in a purchase with a vendor. Individuals who demonstrate that they were trustworthy could gain clients, while those who attempt to cheat other actors were publicly derided. As a whole, this study demonstrates the key role that bots and other malicious software play in the facilitation of cybercrime across the globe. Bots have various utility in the wild, and receive commands from IRC channels around the globe. Though malicious software takes some skill to create, the forums examined demonstrate that bot masters generate a profit from their infrastructure by selling access to attack services that enables hackers of any skill to participate in attacks ranging from Distributed Denial of Service attacks to spam. Thus, there is a significant need to disrupt botnets and the markets that facilitate the distribution of malware and hack tools. 3 This document is a research report submitted to the U.S. Department of Justice. This report has not been published by the Department. Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice. Table of Contents Executive Summary p. 5 I. Introduction p. 14 Bot Functionality and Use p. 17 Malicious Software and Stolen Data Markets p. 21 Rationale for Research p. 24 II. Methods p. 25 Bot Analyses p. 25 Qualitative Research p. 30 III. Results p. 35 Bot Analyses p. 35 Qualitative Analyses p. 40 IV. Conclusions p. 124 Discussion of Findings p. 124 Implications for Policy and Practice p. 127 Implications for Further Research p. 135 V. References p. 138 Appendix 1 p. 146 4 This document is a research report submitted to the U.S. Department of Justice. This report has not been published by the Department. Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice. Executive Summary The Internet and World Wide Web have dramatically changed the way people communicate and do business around the world. These changes have far reaching consequences, affecting business, banks, government, and home computer users. As a result of the growth and penetration of computer technology, the threat posed by computer criminals has become increasingly significant. Computer crimes are costly, and many appear to be perpetrated by computer hackers in foreign countries, particularly Russia and Eastern Europe. These attackers often use malicious software programs, or malware, that automate a variety of attacks and enable different criminal acts. Recently, a great deal of attention has been given to a new form of malicious code used by computer hackers and attackers called bots. Technical analyses of bots indicate that they operate around the world and can be used to facilitate all manner of computer and cybercrime. Thus, they pose a serious threat to government, businesses, and computer users around the globe. Furthermore, a small body of research suggests that bots and services generated from bots can be purchased in open markets operating on Internet Relay Chat channels in Russia and Eastern Europe. Researchers have, however, only begun to explore the prevalence and origins of this form of malware and its potential as an attack tool. In addition, few studies have considered how web forums may facilitate the sale and trade of bots and other malware. This study examined the social and technical aspects surrounding the creation, distribution, and use of bots through a criminological and computer science examination of multiple data sets. Specifically, 13 bots were collected in the wild using a tool called MWCollect that can capture the binary of the malware. Once obtained, each program was analyzed using honeynet technologies to determine their functionality and activity in a simulated computing environment. 5 This document is a research report submitted to the U.S. Department of Justice. This report has not been published by the Department. Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice. The findings suggest that these bots had significant impacts on the system by changing system protocols, including adding and removing files, dlls, and registry information. Two of these bots also attempted to download other executable programs hosted on other websites, including a compromised server hosting a legitimate business website in the United States. All of the bots attempted to connect to Internet Relay Chat (IRC) command and control servers around the world, including Hungary, Malaysia, and China. The majority of command and control servers, however, operated in the United States.
Load more

Recommended publications
  • (U//Fouo) Assessment of Anonymous Threat to Control Systems
    UNCLASSIFIED//FOR OFFICIAL USE ONLY A‐0020‐NCCIC / ICS‐CERT –120020110916 DISTRIBUTION NOTICE (A): THIS PRODUCT IS INTENDED FOR MISION PARTNERS AT THE “FOR OFFICIAL USE ONLY” LEVEL, ACROSS THE CYBERSECURITY, CRITICAL INFRASTRUCTURE AND / OR KEY RESOURCES COMMUNITY AT LARGE. (U//FOUO) ASSESSMENT OF ANONYMOUS THREAT TO CONTROL SYSTEMS EXECUTIVE SUMMARY (U) The loosely organized hacking collective known as Anonymous has recently expressed an interest in targeting inDustrial control systems (ICS). This proDuct characterizes Anonymous’ capabilities and intent in this area, based on expert input from DHS’s Control Systems Security Program/Industrial Control Systems Cyber Emergency Response Team (ICS‐CERT) in coordination with the other NCCIC components. (U//FOUO) While Anonymous recently expressed intent to target ICS, they have not Demonstrated a capability to inflict Damage to these systems, instead choosing to harass and embarrass their targets using rudimentary attack methoDs, readily available to the research community. Anonymous does have the ability to impact aspects of critical infrastructure that run on common, internet accessible systems (such as web‐based applications and windows systems) by employing tactics such as denial of service. Anonymous’ increased interest may indicate intent to Develop an offensive ICS capability in the future. ICS‐CERT assesses that the publically available information regarding exploitation of ICS coulD be leveraged to reDuce the amount of time to develop offensive ICS capabilities. However, the lack of centralized leadership/coordination anD specific expertise may pose challenges to this effort. DISCUSSION (U//FOUO) Several racist, homophobic, hateful, and otherwise maliciously intolerant cyber and physical inciDents throughout the past Decadea have been attributeD to Anonymous, though recently, their targets and apparent motivations have evolved to what appears to be a hacktivist1 agenda.
    [Show full text]
  • Maldet: How to Detect the Malware?
    International Journal of Computer Applications (0975 – 8887) Volume 123 – No.6, August 2015 MalDet: How to Detect the Malware? Samridhi Sharma Shabnam Parveen Department of CSE, Assistant Professor, Department of CSE, Seth Jai Parkash Mukand Lal Institute of Seth Jai Parkash Mukand Lal Institute of Engineering and Technology, Engineering and Technology, Harayana, India. Harayana, India. ABSTRACT to violate the privacy and security of a system. According to Malware is malicious software. This software used to the Symantec Internet Threat Report 499,811 new malware interrupt computer functionality. Protecting the internet is samples were received in the second half of 2007 detection. probably a enormous task that the contemporary epoch of So it becomes necessary to detect the malware. computers have seen. Day by day the threat levels large thus This paper is organized as follows: Section two has covered making the network susceptible to attacks. Many novel the recent state of the malware security. Section three strategies are brought into the field of cyber security to guard discusses about the malware classification, section four websites from attacks. But still malware has remained a grave presents the malware dectector. Section five studies reason of anxiety to web developers and server administrators. mechanism of malware detection, and finally section six With this war takes place amid the security community and explains malware normalization process. malicious software developers, the security specialists use all possible techniques, methods and strategies to discontinue and 2. RELATED WORK eliminate the threats while the malware developers utilize new Technology has turn out to be an building block in recent types of malwares that avoid implemented security features.
    [Show full text]
  • Identity Theft Literature Review
    The author(s) shown below used Federal funds provided by the U.S. Department of Justice and prepared the following final report: Document Title: Identity Theft Literature Review Author(s): Graeme R. Newman, Megan M. McNally Document No.: 210459 Date Received: July 2005 Award Number: 2005-TO-008 This report has not been published by the U.S. Department of Justice. To provide better customer service, NCJRS has made this Federally- funded grant final report available electronically in addition to traditional paper copies. Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice. This document is a research report submitted to the U.S. Department of Justice. This report has not been published by the Department. Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice. IDENTITY THEFT LITERATURE REVIEW Prepared for presentation and discussion at the National Institute of Justice Focus Group Meeting to develop a research agenda to identify the most effective avenues of research that will impact on prevention, harm reduction and enforcement January 27-28, 2005 Graeme R. Newman School of Criminal Justice, University at Albany Megan M. McNally School of Criminal Justice, Rutgers University, Newark This project was supported by Contract #2005-TO-008 awarded by the National Institute of Justice, Office of Justice Programs, U.S. Department of Justice. Points of view in this document are those of the author and do not necessarily represent the official position or policies of the U.S.
    [Show full text]
  • DETECTING BOTS in INTERNET CHAT by SRITI KUMAR Under The
    DETECTING BOTS IN INTERNET CHAT by SRITI KUMAR (Under the Direction of Kang Li) ABSTRACT Internet chat is a real-time communication tool that allows on-line users to communicate via text in virtual spaces, called chat rooms or channels. The abuse of Internet chat by bots also known as chat bots/chatterbots poses a serious threat to the users and quality of service. Chat bots target popular chat networks to distribute spam and malware. We first collect data from a large commercial chat network and then conduct a series of analysis. While analyzing the data, different patterns were detected which represented different bot behaviors. Based on the analysis on the dataset, we proposed a classification system with three main components (1) content- based classifiers (2) machine learning classifier (3) communicator. All three components of the system complement each other in detecting bots. Evaluation of the system has shown some measured success in detecting bots in both log-based dataset and in live chat rooms. INDEX WORDS: Yahoo! Chat room, Chat Bots, ChatterBots, SPAM, YMSG DETECTING BOTS IN INTERNET CHAT by SRITI KUMAR B.E., Visveswariah Technological University, India, 2006 A Thesis Submitted to the Graduate Faculty of The University of Georgia in Partial Fulfillment of the Requirements for the Degree MASTER OF SCIENCE ATHENS, GEORGIA 2010 © 2010 Sriti Kumar All Rights Reserved DETECTING BOTS IN INTERNET CHAT by SRITI KUMAR Major Professor: Kang Li Committee: Lakshmish Ramaxwamy Prashant Doshi Electronic Version Approved: Maureen Grasso Dean of the Graduate School The University of Georgia December 2010 DEDICATION I would like to dedicate my work to my mother to be patient with me, my father for never questioning me, my brother for his constant guidance and above all for their unconditional love.
    [Show full text]
  • Data-Driven Grasp Synthesis - a Survey Jeannette Bohg, Member, IEEE, Antonio Morales, Member, IEEE, Tamim Asfour, Member, IEEE, Danica Kragic Member, IEEE
    TRANSACTIONS ON ROBOTICS 1 Data-Driven Grasp Synthesis - A Survey Jeannette Bohg, Member, IEEE, Antonio Morales, Member, IEEE, Tamim Asfour, Member, IEEE, Danica Kragic Member, IEEE specific metric. This process is usually based on some existing Abstract—We review the work on data-driven grasp synthesis grasp experience that can be a heuristic or is generated in and the methodologies for sampling and ranking candidate simulation or on a real robot. Kamon et al. [5] refer to this grasps. We divide the approaches into three groups based on whether they synthesize grasps for known, familiar or unknown as the comparative and Shimoga [2] as the knowledge-based objects. This structure allows us to identify common object rep- approach. Here, a grasp is commonly parameterized by [6, 7]: resentations and perceptual processes that facilitate the employed • the grasping point on the object with which the tool center data-driven grasp synthesis technique. In the case of known point (TCP) should be aligned, objects, we concentrate on the approaches that are based on • the approach vector which describes the 3D angle that object recognition and pose estimation. In the case of familiar objects, the techniques use some form of a similarity matching the robot hand approaches the grasping point with, to a set of previously encountered objects. Finally, for the • the wrist orientation of the robotic hand and approaches dealing with unknown objects, the core part is the • an initial finger configuration extraction of specific features that are indicative of good grasps. Data-driven approaches differ in how the set of grasp candi- Our survey provides an overview of the different methodologies dates is sampled, how the grasp quality is estimated and how and discusses open problems in the area of robot grasping.
    [Show full text]
  • Are the Current Computer Crime Laws Sufficient Or Should the Writing of Virus Code Be Prohibited?
    Fordham Intellectual Property, Media and Entertainment Law Journal Volume 18 Volume XVIII Number 3 Volume XVIII Book 3 Article 8 2008 Are the Current Computer Crime Laws Sufficient or Should the Writing of Virus Code Be Prohibited? Robert J. Kroczynski Fordham University School of Law Follow this and additional works at: https://ir.lawnet.fordham.edu/iplj Part of the Entertainment, Arts, and Sports Law Commons, and the Intellectual Property Law Commons Recommended Citation Robert J. Kroczynski, Are the Current Computer Crime Laws Sufficient or Should theriting W of Virus Code Be Prohibited?, 18 Fordham Intell. Prop. Media & Ent. L.J. 817 (2008). Available at: https://ir.lawnet.fordham.edu/iplj/vol18/iss3/8 This Note is brought to you for free and open access by FLASH: The Fordham Law Archive of Scholarship and History. It has been accepted for inclusion in Fordham Intellectual Property, Media and Entertainment Law Journal by an authorized editor of FLASH: The Fordham Law Archive of Scholarship and History. For more information, please contact [email protected]. Are the Current Computer Crime Laws Sufficient or Should theriting W of Virus Code Be Prohibited? Cover Page Footnote Alexander Southwell, Shari Sckolnick This note is available in Fordham Intellectual Property, Media and Entertainment Law Journal: https://ir.lawnet.fordham.edu/iplj/vol18/iss3/8 KROCZYNSKI_022508_FINAL 2/25/2008 7:20:52 PM Are the Current Computer Crime Laws Sufficient or Should the Writing of Virus Code Be Prohibited? Robert J. Kroczynski* INTRODUCTION .............................................................................818 I. BACKGROUND OF CYBERCRIME AND VIRUSES........................820 A. DEFINITION OF VIRUSES AND TECHNICAL DESCRIPTIONS ....822 1.
    [Show full text]
  • Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G
    Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Delft University of Technology https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/asghari This paper is included in the Proceedings of the 24th USENIX Security Symposium August 12–14, 2015 • Washington, D.C. ISBN 978-1-939133-11-3 Open access to the Proceedings of the 24th USENIX Security Symposium is sponsored by USENIX Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere and Michel J.G. van Eeten Delft University of Technology Abstract more sophisticated C&C mechanisms that are increas- ingly resilient against takeover attempts [30]. Research on botnet mitigation has focused predomi- In pale contrast to this wealth of work stands the lim- nantly on methods to technically disrupt the command- ited research into the other side of botnet mitigation: and-control infrastructure. Much less is known about the cleanup of the infected machines of end users. Af- effectiveness of large-scale efforts to clean up infected ter a botnet is successfully sinkholed, the bots or zom- machines. We analyze longitudinal data from the sink- bies basically remain waiting for the attackers to find hole of Conficker, one the largest botnets ever seen, to as- a way to reconnect to them, update their binaries and sess the impact of what has been emerging as a best prac- move the machines out of the sinkhole. This happens tice: national anti-botnet initiatives that support large- with some regularity. The recent sinkholing attempt of scale cleanup of end user machines.
    [Show full text]
  • A Honeypot for Arbitrary Malware on USB Storage Devices
    A Honeypot for Arbitrary Malware on USB Storage Devices Sebastian Poeplau Jan Gassen University of Bonn Elmar Gerhards-Padilla Institute of Computer Science 4 Fraunhofer FKIE Friedrich-Ebert-Allee 144 Cyber Defense research group 53113 Bonn Friedrich-Ebert-Allee 144 53113 Bonn Abstract—Malware is a serious threat for modern information be infected usually by pretending to be vulnerable computers technology. It is therefore vital to be able to detect and analyze or services. Most commonly, honeypots are run on dedicated such malicious software in order to develop contermeasures. systems, i. e. machines that are maintained exclusively for the Honeypots are a tool supporting that task—they collect malware samples for analysis. Unfortunately, existing honeypots concen- purpose of capturing malware. Honeypots enable researchers trate on malware that spreads over networks, thus missing any and anti-virus companies to analyze new types of malware and malware that does not use a network for propagation. to develop countermeasures, and they are vital in generating A popular network-independent technique for malware to signatures of previously unknown malware. Even though there spread is copying itself to USB flash drives. In this article we are various different honeypot concepts, they all face one basic present Ghost, a new kind of honeypot for such USB malware. problem: How to trick malware into infecting a honeypot It detects malware by simulating a removable device in software, thereby tricking malware into copying itself to the virtual device. machine? We explain the concept in detail and evaluate it using samples Many of the employed concepts make use of the fact that of wide-spread malware.
    [Show full text]
  • Underground Hacker Markets ANNUAL REPORT—APRIL 2016
    Underground Hacker Markets ANNUAL REPORT—APRIL 2016 1 Underground Hacker Markets | APRIL 2016 Contents 3 Introduction: Welcome Back to the Underground 4 Price List for Hacker Goods and Services 7 Russian Hackers Expand their Working Hours and Use Guarantors to Ensure Customers’ Happiness 9 Hacking Services for Hire 11 Business Dossiers for Companies in the Russian Federation Bank Account Credentials, Tax Identification Numbers (TINS), Articles of Incorporation, Phone Numbers, Lease Agreements 12 Hacker Goods for Sale Bank Accounts, Popular Online Payment Accounts, Airline Points Accounts, Credit Cards, Hacker Tutorials…You Name It 16 Is ATM Skimming Passé? Not on Your Life. 19 Security Measures for Protecting Against Cyber Threats 22 Conclusion 23 Glossary of Terms 2 Underground Hacker Markets | APRIL 2016 Introduction: Welcome Back to the Underground For our 3rd Annual Underground Hacker Markets Report, Dell SecureWorks engaged two of our top intelligence analysts from our CISO INTEL Team. The team members spend time tracking hackers on the numerous underground hacker forums and marketplaces all over the world. While much of the cybercrime hitting organizations throughout the world is the result of cooperation by hackers working outside the confines of publicly-accessible marketplaces, these underground forums provide a small window into the world cybercriminals occupy. In this report, we concentrated on marketplaces located on the Russian Underground and on English-speaking marketplaces between Q3 2015 and Q1 2016. Just as we did in the 2013 and 2014 Underground Hacker Reports, we wanted to see if any trends had emerged. For example, did prices for popular hacker goods such as stolen bank accounts, credit cards, and malware go up or down? What about services such as Distributed Denial of Service (DDoS) attacks or hacking company databases? Not only did we answer those questions, but we also found some intriguing new products for sale and some interesting new trends as well.
    [Show full text]
  • The Botnet Chronicles a Journey to Infamy
    The Botnet Chronicles A Journey to Infamy Trend Micro, Incorporated Rik Ferguson Senior Security Advisor A Trend Micro White Paper I November 2010 The Botnet Chronicles A Journey to Infamy CONTENTS A Prelude to Evolution ....................................................................................................................4 The Botnet Saga Begins .................................................................................................................5 The Birth of Organized Crime .........................................................................................................7 The Security War Rages On ........................................................................................................... 8 Lost in the White Noise................................................................................................................. 10 Where Do We Go from Here? .......................................................................................................... 11 References ...................................................................................................................................... 12 2 WHITE PAPER I THE BOTNET CHRONICLES: A JOURNEY TO INFAMY The Botnet Chronicles A Journey to Infamy The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section. 3 WHITE
    [Show full text]
  • Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018
    Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018 By Kathleen Kuczma 2019-0319 This analysis focuses on an exploit kit, phishing attack, or remote access trojan co-occurrence with a vulnerability from January 1, 2018 to December 31, 2018. We analyzed thousands of sources, including code repositories, deep web forum postings, and dark web sites. This is a follow-up to our 2017 report, and the intended audience includes information security practitioners, especially those supporting vulnerability risk assessments. Executive Summary Many vulnerability management practitioners face the daunting task of prioritizing vulnerabilities without adequate insight into which vulnerabilities are actively exploited by cybercriminals. Here, we’ll attempt to shed light on this by determining the top 10 vulnerabilities from 2018. It is imperative that security professionals have insight into those vulnerabilities that impact a company’s technology stack and are included in exploit kits, used to distribute a remote access trojan (RAT), or are currently being used in phishing attacks. In 2018, we observed more exploits targeting Microsoft products than Adobe ones. Eight out of 10 vulnerabilities exploited via phishing attacks, exploit kits, or RATs targeted Microsoft products, and only one Adobe Flash vulnerability made the top 10, likely due to a combination of better patching and Flash Player’s impending demise in 2020. Like in past years, the development of new exploit kits has continued to drop amid the shift to more targeted attacks and less availability of zero-day vulnerabilities. Exploit kits in previous years took advantage of Adobe product vulnerabilities, which have continued to dwindle. Key Judgments • For the second year in a row, Microsoft was consistently targeted the most, with eight of the top 10 vulnerabilities impacting its products.
    [Show full text]
  • What Is Exploit Kit and How Does It Work? [1]Ade Kurniawan, [2]Ahmadfitriansyah [1][2]Department of Informatics Engineering, Universal University,Batam, Indonesia
    International Journal of Pure and Applied Mathematics Volume 118 No. 20 2018, 509-516 ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu Special Issue ijpam.eu What is Exploit Kit and How Does it Work? [1]Ade Kurniawan, [2]AhmadFitriansyah [1][2]Department of Informatics Engineering, Universal University,Batam, Indonesia Abstract— In the Year 2016 to mid-2017, the analysts have claimed those years as the years of Malware especially Ransomware. The number, spread, infection and impact of malware have caused many users, businesses, governments, and organizations to be anxious, one of the tools to spread it by using exploit kits. A popular method of mass distribution used the perpetrators of cyber criminals is using the exploit kit. Exploit kit has become more effective, cheaper and sophisticated tools to spread malware to their victims. Therefore, in this paper, we provide this research using the Network Forensic Method. The results which are done will explain the chain of events about what the exploit kit is and how the exploit kit works, including actors, campaigns, payload, and terminology involved in the spreading of malware Index Terms—Exploit Kit, Payload, Malware, Ransomware, and Chain of events. I. INTRODUCTION In our digital era, everything is connected and Network Forensics Method. Network forensics is a everyone is vulnerable. The development, part of Digital Forensic conducted with scientific dependability, and complexity of computer software methods to identify, analyse and reconstruct events have brought immediate implications for global based on digital evidence/logs from the network safety and security, especially physical objects such [14][15][16].
    [Show full text]