Exploit Kit

Exploit kits or exploit packs refer to a type of hacking toolkit that cybercriminals use to take advantage of vulnerabilities in systems/devices so they can distribute malware or do other malicious activities. They normally target popular software such as AdobeFlash ^®, Java^™, Microsoft Silverlight^® .

A typical exploit kit usually provides a management console, a bunch of vulnerabilities for different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack.

Figure 1: Exploit kit infection chain

• Step 1: Contact
  A n attacker convinces people to click the link to a site that serves an exploit kit often through spam and effective social engineering lures.
• Step 2: Redirect
  The exploit kit finds vulnerabilities in software installed on the systems/devices used to access the link.
• Step 3: Exploit
  An exploit that takes advantage of the vulnerability found is executed on the system/device.
• Step 4: Infect
  A payload (a piece of malware) is dropped and executed on the system/device.

The Exploit Kit-Ransomware Tandem

Exploit kits have proven efficient means to deliver all sorts of threats to vulnerable systems/devices. In 2015, then most active and popular exploit kit, Angler, started the wave of delivering ransomware to victims’ systems/devices.


Figure 2: Exploits included in specific kits in the first half of 2016

Angler: 1H 2016’s Most Notorious Exploit Kit

The Angler Exploit Kit accounted for 60% of the overall activity in 2015. It was used in a massive malvertising campaign that preyed on top-tier news, entertainment, and political commentary sites in March 2016, too.

Angler was constantly updated to include new exploits, including those that were part of the Hacking Team leak and used in Pawn Storm, until the arrest of 50 people accused of using it for malware distribution, allowing them to amass US$25 million.

Figure 4: Number of times exploit-kit-hosting URLs were accessed in the first half of 2016

Vulnerabilities Most Exploited by Exploits Integrated into Kits

Exploit kits typically integrate exploits for vulnerabilities in the most commonly used applications that many users leave unpatched. We identified five of the vulnerabilities most exploited by exploit kits from 2010 to the first half of 2016 below.

• CVE-2013-2551

  Affected software: Microsoft Internet Explorer^® 6–10

  Description: A use-after-free vulnerability that lets attackers remotely execute arbitrary code via a specially crafted site that triggers access to a deleted object

  Latest story: Windows 10 Sharpens Browser Security with Microsoft Edge

• CVE-2015-0311

  Affected software: Adobe Flash Player 13.0.0.262, 14.x, 15.x, and 16.x–16.0.0.287 on Microsoft Windows® and 11.2.202.438 on Linux

  Description: An Adobe Flash Player buffer overflow vulnerability that allows attackers to remotely execute arbitrary code via unknown vectors

  Latest story: Exploit Kits in 2015: Flash Bugs, Compromised Sites, Malvertising Dominate

• CVE-2015-0359
  

  Affected software: Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux

  Description: An Adobe Flash Player memory corruption vulnerability that allows attackers to execute arbitrary code when the application is used; failed exploitation attempts likely result in denial of service (DoS)

  Latest story: Exploit Kits in 2015: Flash Bugs, Compromised Sites, Malvertising Dominate

• CVE-2014-0515
  

  Affected software: Adobe Flash Player before 11.7.700.279 and 11.8.x–13.0.x before 13.0.0.206 on Microsoft Windows and Mac® OS X® and before 11.2.202.356 on Linux

  Description: An Adobe Flash Player buffer overflow vulnerability that occurs when parsing a compiled shader in a Flash object, which allows attackers to run some processes and run arbitrary shellcode

  Latest story: Flash Greets 2015 with New Zero Day

• CVE-2014-0569
  

  Affected software: Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and before 11.2.202.411 on Linux

  Description: An Adobe Flash Player remote integer overflow vulnerability that lets attackers execute arbitrary code via unspecified vectors

  Latest story: Latest Microsoft Patch Prevents Browser History Snooping
  

Adobe Flash remains the most exploited software since 2010. Cybercriminals are clearly aware of the millions of developers that use it to create content for mobile and desktop consumption. Adobe Flash runs on more than 1 billion connected devices/systems to date.

Exploit Kits Over Time

Exploit kits, the closest thing to a Swiss Army knife, remain a steadfast threat because of their track record. From fake antivirus to malvertisements and now ransomware, exploit kits have proven effective, enough to be constantly updated for more inventive and malicious uses.

Figure 5: Comparison of active and new exploit kits from 2006 to the first half of 2016

 

Active and new exploit kits

 

YEAR	EXISTING	NEWLY RELEASED
2006		Mpack
		WebAttacker Kit
2007	MPack	Armitage Exploit Pack
		IcePack Exploit Kit
		NeoSploit Exploit Kit 1.0
		Phoenix Exploit Kit
		Tornado Exploit Kit
2008	IcePack Exploit Kit	AdPack
	NeoSploit Exploit Kit 2.0/3.0	Fiesta Exploit Kit
	Phoenix Exploit Kit	FirePack Exploit Kit
	Tornado Exploit Kit
2009	Phoenix Exploit Kit 2.0	CrimePack 1.0
	Tornado Exploit Kit	Eleonore Exploit Kit
		Fragus Exploit Kit
		Just Exploit Kit
		Liberty Exploit Kit
		Lucky Sploit
		MyPoly Sploit
		Neon Exploit System
		Spack
		Siberia Exploit Pack
		Unique Sploits Exploit Pack
		Yes Exploit Kit 1.0/2.0
2010	CrimePack 2.0/3.0	Blackhole Exploit Kit 1.0
	Eleonore Exploit Kit	Bleeding Life Exploit Kit 1.0/2.0
	Phoenix Exploit Kit 2.0	Dragon Pack
	Siberia Pack	Nuclear Exploit Kit 1.0
	Yes Exploit Kit 3.0	Papka Exploit Pack
		SEO Sploit Pack
2011	Blackhole Exploit Kit 1.1/1.2	Best Pack
	Bleeding Life Exploit Kit 3.0	G01Pack Exploit Kit
	Eleonore Exploit Kit	Katrin Exploit Pack
	NeoSploit Exploit Kit 4.0	OpenSource Exploit Kit
	Nuclear Exploit Kit 1.0	Sava Exploit Kit
	Phoenix Exploit Kit 2.0
	SEO Sploit Pack
	Siberia Pack
2012	Blackhole Exploit Kit 2.0	Alpha Pack
	G01Pack Exploit Kit	CK Exploit Kit
	Hierarachy/Eleonore Exploit Kit	Cool Exploit Kit
	NeoSploit Exploit Kit 4.0	CrimeBoss Exploit Kit
	Nuclear Exploit Kit 2.0	CritXPack
	Phoenix Exploit Kit 3.0	GrandSoft Exploit Kit
		Impact Exploit Kit
		KaiXin Exploit Pack
		Kein Exploit Pack
		NucSoft Exploit Pack
		ProPack
		RedKit Exploit Kit
		Sakura Exploit Kit
		Serenity Exploit Pack
		Sibhost/Glazunov Exploit Kit
		Styx Exploit Kit 2.0
		SweetOrange Exploit Kit
		Techno Xpack
		Yang Pack
		ZhiZhu Exploit Kit
2013	Blackhole Exploit Kit 2.0	Angler Exploit Kit
	CK Exploit Kit	Anonymous Exploit Kit
	CrimeBoss Exploit Kit	DotkaChef Exploit Kit
	Fiesta/NeoSploit Exploit Kit	GongDa Exploit Kit
	FlackPack Exploit Kit	Hello/LightsOut Exploit Kit
	G01Pack Exploit Kit	HiMan Exploit Kit
	GrandSoft	Magnitude/PopAds Exploit Kit
	Nuclear Exploit Kit 3.0	Neutrino Exploit Kit
	Phoenix Exploit Kit 3.0	Private Exploit Pack
	RedKit/Goon Exploit Kit	Red Dot Exploit Kit
	Sakura Exploit Kit	Safe Pack
	Sibhost/Glazunov Exploit Kit	WhiteHole Exploit Kit
	Styx Exploit Kit	White Lotus Exploit Kit
	SweetOrange Exploit Kit	Zuponcic Exploit Kit
2014	Angler Exploit Kit	CottonCastle/Niteris Exploit Kit
	DotkaChef Exploit Kit	HanJuan Exploit Kit
	Fiesta/NeoSploit Exploit Kit	Rig Exploit Kit
	FlackPack Exploit Kit
	GongDa Exploit Kit
	Hello/LightsOut Exploit Kit
	RedKit/Infinity Exploit Kit
	Magnitude Exploit Kit
	Neutrino Exploit Kit
	Nuclear Exploit Kit 3.0
	Styx Exploit Kit
	SweetOrange Exploit Kit
	Zuponcic Exploit Kit
2015	Angler Exploit Kit	Hunter Exploit Kit
	Fiesta/NeoSploit Exploit Kit	Sundown Exploit Kit
	HanJuan Exploit Kit
	Magnitude Exploit Kit
	Neutrino Exploit Kit
	Nuclear Exploit Kit 3.0
	Rig Exploit Kit
	SweetOrange Exploit Kit
2016	Angler Exploit Kit
	Rig Exploit Kit
	Magnitude Exploit Kit
	Nuclear Exploit Kit
	Neutrino Exploit Kit
	Sundown Exploit Kit
	Hunter Exploit Kit

Table 2: Detailed list of active and new exploit kits from 2006 to the first half of 2016

Protect Your Organization from Exploit Kits

Shield your endpoints temporarily, until you can deploy patches, or indefinitely for out-of-support or unpatchable systems. We’ll help you prevent vulnerability exploitation (e.g., ransomware exploiting vulnerabilities) with easy- and fast-to-deploy intrusion prevention system (IPS) filters. So you get full protection until you can deploy vendor patches when it makes the most sense for your business. Vulnerability protection is part of the Trend Micro Smart Protection Suites.

Trend Micro™ Deep Security™, meanwhile, powers Trend Micro’s Hybrid Cloud Security solution, providing market-leading security capabilities for physical, virtual, and cloud servers from a single integrated platform.

Add to those TippingPoint Network Security Solutions that provide real-time network protection, visibility, and centralized management and analytics that are easy to use, configure, and install.

All of these solutions contribute to the interconnected, multilayered security defense strategy that Trend Micro provides to protect your users and their data from vulnerability exploitation, regardless of device or location.

To mitigate vulnerability exploitation, follow these best practices:

• Promptly patch all endpoints to block known exploits.
• Deploy a vulnerability shielding solution that proactively shields systems/devices from even unknown vulnerabilities via behavior monitoring.
• Update browsers and plug-ins to the latest versions and use a browser exploit prevention solution that secures against zero-day browser exploits.

---

Related papers

• Monitoring Vulnerabilities: Are your Servers Exploit-Proof?
• Virtual Patching in Mixed Environments: How It Works To Protect You

Related Infographics

• Shellshock Vulnerability: The Basics of the “Bash Bug”
• Stop threats dead in their tracks/Blackhole Exploit Kit
• Dodging a Compromise: A Peek at Exposure Gaps
• The Internet of Everything: Layers, Protocols and Possible Attacks