EVOLUTION OF EXPLOIT KITS Exploring Past Trends and Current Improvements Joseph C. Chen Brooks Li CONTENTS Introduction ...............................................................................................ii Exploit Kit Attack Scenario ................................................................... 1 Contact ............................................................................................ 1 Redirect ........................................................................................... 1 Exploit and Infect ............................................................................. 1 Exploit Kit Evolution ............................................................................. 2 Early Versions .................................................................................. 2 Evolution .......................................................................................... 3 Current Trends in Exploit Kits .............................................................. 3 Top Exploit Kits ................................................................................ 3 TREND MICRO LEGAL DISCLAIMER The information provided herein is for general Top Targets ...................................................................................... 4 information and educational purposes only. It is not intended and should not be construed to constitute Used Exploits ................................................................................... 4 legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein Evasion Techniques: Antivirus/Virtualization Product Detection .. 5 should be relied on or acted upon without the benefit of legal advice based on the particular facts and Evasion Techniques: File Obfuscation ......................................... 6 circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the Exploit Kits in 2015 .............................................................................. 8 right to modify the contents of this document at any time without prior notice. Solutions for Exploit Kits ...................................................................... 8 Translations of any material into other languages are intended solely as a convenience. Translation Appendix..................................................................................................iii accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a References ...............................................................................................v translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an “as is” condition. INTRODUCTION An exploit kit, or exploit pack, is a type of hack toolkit that A typical exploit kit usually provides a management cybercriminals seem to have favored in the last few years console, a bunch of vulnerabilities targeted to different to perform Web-based attacks to distribute malware. applications, and several add-on functions that make it Several kits have since been developed then sold or rented easier for a cybercriminal to launch an attack. out like commercial products in underground markets. The rise of exploit kits in underground markets pushes The earliest hack toolkit made available in the crimeware exploit kit developers to improve the stealth and efficiency market on record was seen sometime in 2006. [1] of their product. Currently, there are 70 different exploit kits in the wild that take advantage of more than a hundred vulnerabilities. In this paper, we will discuss what an exploit kit is, how it works, and how it has changed over time. EVOLUTION OF EXPLOIT KITS Research Paper EXPLOIT KIT ATTACK CONTACT REDIRECT EXPLOIT INFECT SCENARIO Normal Malicious Ransomware One of the things that make an Website Advertisement exploit kit effective is that a lot of its routines are executed automatically. To better illustrate how an exploit Compromised Trac Direction Banking kit works, we deconstruct a typical Website System Exploit Trojan attack scenario and explain its Server Kit stages. Spammed Malware Contact Link Contact is the beginning of infection, Four stages of the exploit kit infection chain where an attacker attempts to make people access the link of an exploit kit server. Contact is often done through spammed email, wherein recipients are tricked into clicking a link through social engineering lures. [2] Aside from spammed emails, compromised websites are also widely used as a contact path. Attackers would inject malicious code that, in turn, will redirect website visitors to the exploit kit. Malvertisement is another form of advanced attack, wherein the Web advertisement redirects website visitors to the exploit kit server. [3–4] This technique makes any website that displays the malicious advertisement a possible infection vector. Redirect Traffic redirection system refers to the capacity with which the exploit kit operator can screen through victims based on certain condition sets. This is done through a traffic direct system, such as SutraTDS or KeitaroTDS, for aggregating and filtering redirect traffic before accessing the exploit kit server. [5] The source of traffic redirection isn’t always directly managed by the exploit kit operator but by the traffic provider who sells the traffic in underground markets. The traffic subscriber, who, in this case, is the exploit kit operator, can specify their target and filter out victims who don’t meet certain requirements. For example, an exploit kit operator can target a specific country by filtering client IP address by geolocation. Exploit and Infect Once users are successfully tricked into clicking the link of an exploit kit server in the contact stage and filtered in the redirect stage, they will be directed to the exploit kit’s landing page. The landing page is responsible for profiling client environment and in determining which vulnerabilities should be used in the ensuing attack. 1 | Page © 2015 Trend Micro Incorporated Once the vulnerable applications are identified, US$1,000. Compared to WebAttacker, the control the page will send requests to the exploit kit server panel of Mpack provided a more detailed statistics on to download the exploit files that would attack the its victim, such as their location. targeted applications. The vulnerabilities found in Web More than 3,000 compromised websites had the browsers, Java™, Adobe® Flash® Player, and Adobe redirect links of Mpack. Several exploit kits were also Acrobat® and Reader® are the ones most targeted by released in 2007 in underground markets, namely, exploit kits. NeoSploit, Phoenix, Tornado, and Armitage exploit After successfully exploiting a vulnerability, the kits, but Mpack was seen as one of the serious attacker can now download and execute the malware exploit kit threats that year. [8–9] Fiesta, AdPack, in the victim’s environment. We’ve seen various types and FirePack exploit kits emerged in 2008, and the of malware downloaded in exploit kit attacks, the infamous Blackhole Exploit Kit surfaced in 2010. most notable ones being online banking malware and The success of earlier-released exploit kits led to the ransomware. [6–7] subsequent creation and release of other kits that have been hitting legitimate businesses hard. The Timeline Record of Exploit Kits EXPLOIT KIT EVOLUTION 30 28 26 Early Versions 20 16 The first recorded exploit kit attack could be traced 15 13 13 back in 2006, which used the WebAttacker kit. 11 14 This was the first exploit kit found in the Russian 6 7 11 underground market. It came with technical 2 6 5 5 support and was sold for US$20. The redirect 2 3 3 0 link of WebAttacker was distributed via spam 2006 2007 2008 2009 2010 2011 2012 2013 2014 and compromised websites. It targeted multiple Number of Active Exploit Kit Number of New Released Exploit Kit vulnerabilities found in Microsoft™ Windows®, Mozilla Firefox®, and Java applications to distribute malware Timeline record of exploit kits in wild. The second exploit kit, Mpack, was developed Figure 2 shows the number of active exploit kits found by three Russian programmers sometime in the in the wild and the number of new ones seen each middle of 2006. The first complete version was year since 2006. It can be observed that this threat released December that same year and was sold for was on an upward trend from 2006 to 2013, with 20 2 | Page © 2015 Trend Micro
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages16 Page
-
File Size-