An exploit kit is a toolkit designed to facilitate the exploitation of client-side vulnerabilities most commonly found in browsers and their plugins in order to deliver malware on end users’ machines.
The first documented case of an exploit kit was found in Russian underground forums in late 2006 and called MPack.
From the beginning, authors of exploit kits made sure to build their program as a commercial package, often including support and providing regular updates.
By 2010, the market for such exploitation tools had blossomed and one of the most popular and revered exploit kits entered the scene with the infamous Blackhole EK.
EK writers started introducing new vulnerabilities at a faster pace and focused on the most deployed and unpatched applications like Java or Adobe Reader.
After the arrest of Blackhole’s creator (Paunch) in late 2013, there was uncertainty in the underground market but activity picked up again not very long after.
By 2015, a newer exploit kit called Angler was dominating and using zero-day vulnerabilities instead of already patched ones. A zero-day attack happens when no patch is available from the software manufacturer and yet an exploit already exists and may even be used on a large scale already.
Common infection method
The primary infection method with an exploit kit is a drive-by download attack. This term is used to describe a process where one or several pieces of software get exploited while the user is browsing a site.
Such attacks occur silently within seconds and most notably they do not require any user interaction. The simple fact of viewing a webpage is enough to trigger an attack.
Websites that have poor security often get hacked and injected with malicious code within their pages, for example iframes, which are HTML tags that allow the loading of an external site directly within the same page.
Other times, well-known and trusted websites are caught redirecting visitors to exploit kits via malicious advertisements, also known as malvertising.
From there, the browser loads the exploit kit landing page which is stuffed with code that fingerprints the victim’s machine for the type of software installed and the corresponding vulnerabilities. In other cases, such as with zero-days, the exploit is fired right away knowing that since there is no patch available, it will most likely succeed in its task.
Once the exploit has opened the door to the target computer, it can load the final piece, which is the malware itself.
For this reason, exploit kits are a means for malicious actors to distribute their malware without the user’s consent on tens of thousands of machines within minutes.
The top exploit kits as of 2015 are:
- Angler EK
- Nuclear EK
- Neutrino EK
- RIG EK
- Magnitude EK
- Hanjuan EK
As mentioned earlier, exploit kits are a means to infect your computer and their code is hosted on remote servers, often housed with bullet-proof hosting providers. For this reason, one cannot remove the exploit kit itself, but rather focus on the payload that was dropped by it. This could be ransomware, a banking Trojan, or a spam bot just to name a few.
Once infected by an exploit kit, you will need to check your computer for the presence of malware using antivirus and anti-malware tools.
Of course, it is also important to identify the cause of the infection (i.e. an out-of-date Flash Player) in order to prevent future ones.
The best way to protect against exploit kits is to first and foremost keep your computer up-to-date but also remove any pieces of software that you no longer need in order to reduce the attack surface you are allowing the bad guys to exploit.
Since zero-days are becoming more and more prevalent, regular patching is no longer sufficient. A layered defense starting with anti-exploit and other mitigation tools is a must.