Rise of the Exploit Kits

Is your computer running slow? Has it been invaded by popups? Exploit kits are likely to blame. The last two years have seen an increase in malware attacks aided by these kits. These bits of ninja code are even reeking havoc on Macs. No one is safe.

FreeImages.com/TJ Smith

2006 saw the first exploit kits in the wild. They have come a long way and are now changing the computer security industry. In the past, malware such as viruses, trojans, and the like, depended on you, the user, to click on a link. Basically, they needed you to open the door for them or at the very least, leave your door unlocked. This current form of malware just needs to catch you while you are standing in your yard. While you are distracted, it can help itself to your files or leave a hard-to-find back door open for their friends and clients.

So, what is an exploit kit and how does it work?

An exploit kit is a piece of code that acts as a channel for hackers to deliver malicious code to your computer. It scans your computer for vulnerabilities (outdated Adobe Flash or Java, etc...); then it manipulates those vulnerabilities to create a backdoor for its clients; it also delivers the malicious code directly to your system. Often, you never even notice what is happening.

Where do these exploit kits hide? There are three main sources:

  • spammed email
  • compromised websites
  • malvertisement

In spammed email, there is usually a social-style link that users are tricked into clicking. We've all seen the fake emails saying we are entitled to some reward points or we need to log into an account. There are also fake friend requests lurking on places like Facebook.

On innocent websites that have been hacked, malicious code hides in plain site. It is made to look like a part of the website or it is laying wait in a vulnerable add-on like Adobe Flash. These tar pits, when stumbled upon, redirect the user to a rogue website.

Malvertisement also serves as a redirect to the exploit landing page. This form of advanced attack makes any website that displays the ad, an infection vector. In 2015, prominent websites like The Weather Channel and The New York Times fell prey to this form of attack. In these cases you only needed to visit the site to have the ad-injected code delivered to your system.

Once a target has been acquired, the kit scans it for certain requirements (ie geolocation, security software, etc...) From there, the target is sold in underground markets.

The success of these drive-by downloads is determined by the local traffic. That is why we are seeing more high profile sites being hit. If a particular piece of malvertising can spend a day or two on a high traffic, trusted website like MSN, it can rake in many targets.

Recent exploit kits are showing the ability to detect installed anti-virus softwares. The malware will stop itself from running when it detects the anti-virus and sometimes it will even hide its processes in a type of encryption while the anti-virus runs its scan. This type of behavior helps the malware avoid detection by anti-virus software.

In our next article, we will cover the most effective ways of blocking these exploit kits.

Return to Security

Return to HOME