There has recently been a rise in malware delivered by exploit kits (EKs). An exploit kit is a delivery mechanism: it infiltrates the victim's operating system by detecting and exploiting a flaw in the browser, a plug-in or the system itself, and then installs whatever cyber-crime software the operator has chosen. A notable example was the Angler EK campaign served through the Daily Mail website, which infected thousands of visitors with the CryptoWall ransomware.
These kits are now offered on a rental basis, allowing criminals with minimal technical knowledge to launch on-line attacks that facilitate data theft, bank fraud and various other crimes, depending on the payload. This year saw the multi-platform ransomware Ransom32 being franchised on the dark web (ransomware encrypts the victim's files and demands a ransom for their release). A would-be perpetrator can now rent or buy everything needed for the complete dirty job.
How Exploit Kits Operate
In general, EKs share the same three-tier architecture: a back end that provides the control interface and holds the payload (whatever malware is to be delivered); a middle tier that tunnels traffic to the back-end server; and a proxy layer that actually serves the exploit to the victim. The method of delivery is also fairly routine: the user is persuaded or tricked into visiting either a purpose-built site or a compromised one (as in the case of the Daily Mail hack), or is served a malicious advertisement on an otherwise legitimate site. The visitor is then redirected through a chain of intermediate servers to the one that hosts the EK (the landing page). The landing page fingerprints the visitor's browser, plug-ins and operating system, looking for a version with a known vulnerability. If one is found, the matching exploit is served; if it succeeds, the resulting code execution fetches the payload from the back end and runs it. Note that the kit itself is never installed on the victim: the exploit's code execution is the foothold, and the downloaded payload is what persists.
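The chain described above (referring site, redirector hops, landing page, exploit object, payload download) leaves a distinctive trail in web-proxy logs. The script below, added here as an example and not part of the original article or of any vendor's tooling, reconstructs per-client chains by following Referer headers and flags that pattern. The log format, host names, content-type lists and the minimum hop count are constructed assumptions for illustration, not data from any real campaign.

```python
"""Reconstruct per-client redirect chains from proxy logs and flag the
exploit-kit pattern: referring site -> redirector(s) -> landing page ->
exploit object -> executable payload.  Added example; the log format,
host names, content-type lists and thresholds below are assumptions
constructed for illustration, not data from any real campaign."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log, one request per line:
#   time client method url referer content-type status   ('-' = no Referer)
SAMPLE_LOG = """\
10:00:01 10.0.0.5 GET http://news.example.com/article.html - text/html 200
10:00:02 10.0.0.5 GET http://ads.example.net/serve?id=7 http://news.example.com/article.html text/html 302
10:00:02 10.0.0.5 GET http://cdn-track.example.org/r.php http://ads.example.net/serve?id=7 text/html 302
10:00:03 10.0.0.5 GET http://promo.shadowed.example/index.php?q=abc http://cdn-track.example.org/r.php text/html 200
10:00:04 10.0.0.5 GET http://promo.shadowed.example/x.swf http://promo.shadowed.example/index.php?q=abc application/x-shockwave-flash 200
10:00:06 10.0.0.5 GET http://promo.shadowed.example/get.php?k=1 http://promo.shadowed.example/x.swf application/octet-stream 200
10:00:07 10.0.0.9 GET http://news.example.com/article.html - text/html 200
10:00:08 10.0.0.9 GET http://static.example.com/app.js http://news.example.com/article.html application/javascript 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive"}


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip malformed lines rather than crash
        time, client, _method, url, referer, ctype, status = m.groups()
        records.append({"time": time, "client": client, "url": url,
                        "referer": None if referer == "-" else referer,
                        "ctype": ctype, "status": int(status)})
    return records


def host_of(url):
    return urlparse(url).hostname or ""


def build_chain(by_url, rec):
    """Walk Referer links backwards from rec; returns the chain oldest-first."""
    chain, seen = [rec], {rec["url"]}
    while chain[-1]["referer"] in by_url and chain[-1]["referer"] not in seen:
        prev = by_url[chain[-1]["referer"]]
        seen.add(prev["url"])             # guard against Referer loops
        chain.append(prev)
    chain.reverse()
    return chain


def find_ek_chains(records, min_hops=4):
    """Return one alert per executable download whose history shows the EK pattern."""
    per_client = defaultdict(dict)
    for r in records:
        per_client[r["client"]][r["url"]] = r   # last request to each URL wins
    alerts = []
    for client, by_url in per_client.items():
        for rec in by_url.values():
            if rec["ctype"] not in PAYLOAD_TYPES:
                continue                  # start only from executable downloads
            chain = build_chain(by_url, rec)
            has_exploit = any(c["ctype"] in EXPLOIT_TYPES for c in chain)
            has_redirect = any(300 <= c["status"] < 400 for c in chain)
            payload_host = host_of(rec["url"])
            crosses_hosts = host_of(chain[0]["url"]) != payload_host
            if len(chain) >= min_hops and has_exploit and has_redirect and crosses_hosts:
                # The landing page is the first HTML hop on the payload's host.
                landing = next((c["url"] for c in chain
                                if host_of(c["url"]) == payload_host
                                and c["ctype"] == "text/html"), None)
                alerts.append({"client": client, "landing": landing,
                               "chain": [c["url"] for c in chain]})
    return alerts


if __name__ == "__main__":
    for a in find_ek_chains(parse_log(SAMPLE_LOG)):
        print(f"{a['client']}: landing page {a['landing']}")
        for hop in a["chain"]:
            print("   ->", hop)
```

The rule deliberately starts from the executable download and works backwards, so a user who merely hits a redirector or a landing page that serves no exploit does not raise an alert; the second client in the sample, who loads the same news article and a normal script, is left alone. Referer chains can be broken by `Referrer-Policy` or stripped by some proxies, so in production the same walk should fall back to time-adjacency per client.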
Mobiles as Potential Targets for Malware
With the increase in smartphone use, these devices are becoming increasingly targeted. It is estimated, for example, that 60% of people in the U.S. own a smartphone, and this figure is predicted to rise to seventy per cent in the next few years. Considering what the devices are used for (on-line banking being just one example), it is no wonder that hackers are expanding their market. Mobile devices are usually reconfigured after sale with a multitude of free and third-party apps, which can leave them even more exposed to exploitation than a desktop system.
The Angler EK is one of the most sophisticated and popular kits, accounting for an estimated 60% of exploit-kit attacks. It is notorious for its security evasion and for domain shadowing: the operators use stolen registrar credentials to create large numbers of throwaway subdomains under legitimate, long-established domains, so that landing pages inherit the parent domain's good reputation and rotate faster than blocklists can follow. There have been several versions, with new releases appearing regularly to exploit newly discovered software flaws. Past versions have used, among others, Adobe Flash and Internet Explorer vulnerabilities for initial access.
An older kit is the RIG EK, which has recently returned to the malware market, accounting for 20% of the malware delivery business. This is an example of how older designs can return after an update. Monitoring during 2015 revealed that RIG now also uses domain shadowing to work around conventional blocking techniques.
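Domain shadowing, as attributed to both Angler and RIG above, shows up in DNS telemetry as a burst of never-before-seen subdomains under an established domain that resolve somewhere other than the parent's usual hosting. The script below, added here as an example and not part of the original article or of any vendor's tooling, runs that heuristic over constructed passive-DNS records. The record format, domain names, addresses, the list of "conventional" hostnames used to derive each domain's hosting baseline, and the burst thresholds are all assumptions for illustration.

```python
"""Spot domain shadowing in passive-DNS data: a burst of never-before-seen
subdomains under an established domain, all resolving to addresses outside
the parent's usual hosting range.  Added example; the record format,
domain names, addresses and thresholds are assumptions constructed for
illustration, not observations of Angler, RIG or any real campaign."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed passive-DNS sample: timestamp qname rtype rdata
SAMPLE_PDNS = """\
2015-06-01T09:00:00 www.legit-florist.example A 203.0.113.10
2015-06-01T09:00:01 mail.legit-florist.example A 203.0.113.11
2015-06-01T09:05:00 xk3q8f.legit-florist.example A 198.51.100.44
2015-06-01T09:06:00 w9zt2.legit-florist.example A 198.51.100.44
2015-06-01T09:07:00 qa71bm.legit-florist.example A 198.51.100.45
2015-06-01T09:08:00 pp0x9e.legit-florist.example A 198.51.100.45
2015-06-01T09:09:00 v2l8kd.legit-florist.example A 198.51.100.46
2015-06-01T09:00:00 www.bigshop.example A 192.0.2.20
2015-06-01T09:01:00 shop.bigshop.example A 192.0.2.21
2015-06-01T09:02:00 img.bigshop.example A 192.0.2.22
"""

# Labels assumed to sit on the owner's own infrastructure; their addresses
# define the hosting baseline for each registered domain.
CONVENTIONAL = {"www", "mail", "ftp", "ns1", "ns2", "shop", "img", "cdn", "blog"}


def registered_domain(qname):
    # Assumption: registered domain = last two labels.  A real deployment
    # should use the Public Suffix List so that e.g. 'co.uk' is handled.
    return ".".join(qname.split(".")[-2:])


def parse_pdns(text):
    """Parse the constructed record format; only A records are kept."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "A":
            continue
        ts, qname, _rtype, rdata = parts
        records.append((datetime.fromisoformat(ts),
                        qname.lower().rstrip("."), ip_address(rdata)))
    return records


def find_shadowed_domains(records, window=timedelta(minutes=30), min_new=3):
    """Return one alert per registered domain showing a shadowing burst."""
    by_domain = defaultdict(list)
    for ts, qname, ip in records:
        by_domain[registered_domain(qname)].append((ts, qname, ip))
    alerts = []
    for domain, rows in by_domain.items():
        # Baseline: the /24s that the domain's conventional hostnames live in.
        baseline = {ip_network(f"{ip}/24", strict=False)
                    for _, q, ip in rows
                    if q == domain or q.split(".")[0] in CONVENTIONAL}
        # First sighting of every other subdomain.
        first_seen = {}
        for ts, q, ip in sorted(rows):
            first_seen.setdefault(q, (ts, ip))
        # Suspects: unconventional labels resolving outside the baseline.
        suspects = sorted((ts, q, ip) for q, (ts, ip) in first_seen.items()
                          if q != domain and q.split(".")[0] not in CONVENTIONAL
                          and not any(ip in net for net in baseline))
        # Sliding window: enough new off-baseline subdomains close together?
        for ts, _, _ in suspects:
            burst = [s for s in suspects if ts <= s[0] <= ts + window]
            if len(burst) >= min_new:
                alerts.append({"domain": domain, "count": len(burst),
                               "subdomains": [s[1] for s in burst],
                               "ips": sorted({str(s[2]) for s in burst})})
                break
    return alerts


if __name__ == "__main__":
    for a in find_shadowed_domains(parse_pdns(SAMPLE_PDNS)):
        print(f"{a['domain']}: {a['count']} new subdomains -> {', '.join(a['ips'])}")
        for name in a["subdomains"]:
            print("   ", name)
```

Two caveats for anyone adapting this. A domain with no conventional hostnames in the data gets an empty baseline, so every subdomain counts as off-baseline and the rule degrades to a plain burst count; feed it a longer history or a WHOIS/ASN lookup for the apex instead. And legitimate CDN or SaaS onboarding also creates batches of subdomains pointing off-site, so treat a hit as a lead to check against the registrar's account activity rather than as proof of compromise.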
Exploit kits are an integral part of the ever-expanding underground technology threatening network infrastructures. Commerce must do more to monitor this threat. And if you are one of the six in ten people who use a smartphone for anything other than talking, harden your security now: EKs are the next big, bad thing!