Attackers who want to infect systems with malware usually need a vehicle to reach as many infections as possible. These days, that vehicle is most often an exploit kit. In this post, we take a closer look at exploit kits, where they fit in the cybercrime industry, what’s inside a typical toolkit, and most importantly, how they work.
A peek into the exploit kit industry
Before we talk about what an exploit kit (EK) is and how it works, let’s first discuss the financial incentive for developing these kits. What drives people to create exploit kits?
Contrary to what most people think, not everyone who commits cyber crime has the technical skills to “hack into a system”. There are those who carry out cyber attacks by simply relying on ready-made tools they purchased in black hat marketplaces on the dark web.
Let’s say that Joe reads this article and learns that ransomware campaigns can be quite lucrative. Being morally flexible, Joe decides to launch a ransomware campaign. Joe then realizes that ransom malware by itself is not enough. He still needs to deliver the malware onto a victim’s system. One way to do that is by taking advantage of certain vulnerabilities in the system. Luckily, people have already written programs for doing just that.
These tiny programs or pieces of code are called ‘exploits’ and can be purchased through black hat hacking forums. The prices of these exploits vary, with zero-day exploits generally priced higher. So if an attacker like Joe gets a hold of an exploit, is he good to go? Not quite yet.
One exploit typically can only target one vulnerability. It’s hard to predict what vulnerabilities are present in a system. So if Joe only targets one vulnerability, chances are he would only be able to compromise a few systems, while ignoring other systems that have other vulnerabilities. If Joe wants to infect those systems too, he needs to acquire exploits for those vulnerabilities as well.
It gets even more complicated because different exploits might be written by different authors. That means, he would have to communicate with several parties. It would be so much easier if he could only deal with one vendor. That’s where exploits kits come in.
An exploit toolkit or kit is a tool, usually written in PHP, that already comes with a collection of exploits. The people who develop exploit kits purchase exploits from exploit authors and package them into one tool. They (the exploit kit developers) then sell their kits to people like Joe.
Some exploit kit licenses have validity periods. Once the license subscription expires, you would need to purchase a new subscription to continue using it. Other exploit kits are offered as a subscription service. The rates typically range from a few hundred dollars per month to a couple thousand dollars per month. This typically includes tech support and updates or patches. For example, there may be patches that introduce new evasion techniques, new exploits, or support for certain malware.
Some of the most notorious exploit kits in recent history include:
- Sweet Orange
Inside an exploit toolkit
When an attacker purchases an exploit kit, he’ll be provided with a management console. Here he’ll see various information and statistics pertinent to his exploit campaign. This is to help him monitor how the overall campaign and the individual exploits are performing.
In addition to the number of times each exploit type was delivered, the attacker will also see where those exploits actually landed. Mostly, he’ll see the countries that were targeted. Cyber attackers normally want to target specific countries (US is the usual favorite), so they want to verify whether the campaign was actually successful in that geographical region. Toolkits can focus on specific areas through geolocation based on the victim’s IP address.
Another key piece of information is the victim’s Operating System and web browser. Certain malware only works on certain operating systems (e.g. Windows), so it’s important for the payloads to be dropped in those systems.
Here’s a screen grab from a Youtube video showing Black Hole EK’s management console:
Lastly, a toolkit would typically include a module for uploading or selecting the desired payload. The attacker can either pick from a selection of payloads bundled with the kit or upload his own payload. Some of the most commonly used payloads include:
- Click-fraud bots (e.g. Bedep)
- Ransomware (e.g. CryptXXX, TelsaCrypt)
- Spambots (e.g. Tofsee)
- Banking Trojans (e.g. Zeus, Panda Banker)
- Worms (e.g. Qbot)
- Botnets (e.g. Andromeda/Gamarue)
- And many others
How exploit kits work
There are different kinds of exploit kits, but the most popular are those designed to exploit vulnerabilities in web browsers and browser plugins like Flash, Silverlight, Java, and ActiveX.
Below is a simplified diagram illustrating a web-based exploit kit. The actual set ups are often far more sophisticated than this and can also involve other processes, but this should give you an idea of the basic structure.
1. Victim lands on a compromised website
The first stage of an exploit kit attack begins when a victim visits a compromised website. These are usually popular, legitimate websites, including blogs, news sites, and social networking sites. Examples of high-traffic sites that have already been hijacked by exploit kit attackers in the past include: BBC, Yahoo, MSN, AOL, MySpace, Forbes, and New York Times, to mention a few.
The way attackers do this varies. Some attackers target vulnerabilities in CMS (content management system) plugins or in the CMS themselves. Others, like those that carry out domain shadowing, take advantage of weak login credentials. There are also those who perform cross-site scripting, SQL-injection, or FTP compromise. Perhaps the most popular method, though, is malvertising.
In a malvertising campaign, attackers target ad networks. This then allows them to reach a wide range of legitimate (and often high-traffic) websites without having to hack into the websites themselves.
2. Victim is redirected to the exploit kit’s landing page
Once the victim visits a compromised site or one that serves malvertising-infected ads, the victim’s browser will then be redirected to the exploit kit’s landing page. This redirection is carried out through an HTML iframe, 302 cushioning or some surreptitious code that the attacker previously injected into the legitimate website or malicious ad.
This article about the Stegano exploit kit offers a nice example of how a typical malvertising campaign and the use of a banner ad laced with a malicious script works.
As soon as the victim gets redirected to the landing page, the profiling process begins. Here, pertinent information regarding the victim’s browser and its plugins is collected. What the exploit kit will want to know is the kind of vulnerabilities that are present on either the web browser or the browser’s plugins. Because each browser or plugin version will have already been associated with a set of known vulnerabilities, it’s usually enough to just determine the version numbers.
3. Exploits are served
Once the version numbers (and consequently, the corresponding vulnerabilities) have been identified, the exploit kit will know which exploits to deliver. In most cases, the landing page is only used for profiling. The exploits and the payloads are usually hosted on a separate server. In fact, in many cases, these two (exploits and payloads) are likewise separated as well.
The first thing that gets delivered to the victim’s browser are the exploits. As you have already learned, these exploits will take advantage of the vulnerabilities that have been previously identified. If the exploit or exploits are successful, the exploit kit then delivers the final blow.
4. Malicious payload is delivered
At this final stage, the exploit kit drops whatever payload it was configured for. As mentioned earlier, the payload can be ransomware, a keylogger, a banking trojan, or just about any type of malware.
How exploit kit attacks succeed
The main reason that these kits are so effective is that the malicious payloads are usually delivered without the victim having to click or intentionally download anything. All the victim has to do is visit a compromised site, and the payload will be downloaded automatically in the background.
Known as a drive-by-download, this covert method is a staple in many exploit kits and is one of the primary reasons they succeed in delivering various forms of malware. Since the victim doesn’t notice anything alarming or suspicious, they are less likely to think anything is amiss.
Another major reason why these kits succeed is because a lot of people don’t patch their software. Patches typically include security updates that fix known vulnerabilities. So, if people don’t patch, the vulnerabilities will remain. In fact, some exploit kit exploits have been found to target vulnerabilities that have already been known for years. Until we have a better solution for handling updates or remove the incentive to launch these attacks, there will be a busy trade in exploit kits.