Understanding exploit kits and dealing against them

Wana Tun, Regional Technical Evangelist, Sophos

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.


In recent years, exploit kits have become widely adopted by criminals looking to infect users with malware. These exploit kits bundle exploit code and target commonly installed software such as Adobe Flash, Java and Internet Explorer.

In a process known as a drive-by download, a user's browser is invisibly directed to a malicious website that hosts an exploit kit, which then proceeds to exploit security holes, also known as vulnerabilities, to infect the user with malware. The entire process can occur invisibly, without any action required from the user.

These exploit kits and malicious codes have paved the way for a model called Crimeware-as-a-Service (CaaS), which provides malware on demand to the infected host. Because CaaS malware can be mutated remotely by a command sent over HTTP, it can successfully evade antivirus engines.

Moreover, cybercriminals are getting better at protecting themselves from the law by using crimeware services, especially since they may not necessarily conduct the criminal activities related to the data that is being compromised. So, how can crimeware attacks be tracked and prevented?

According to recent research by SophosLabs, the most prevalent exploit kit at present is Angler. In the last eight months it has risen above its competitors, growing its market share exponentially from a quarter to 83 per cent, and has accounted for more than three-quarters of malware infections caused by exploit kits.

Website surfing to infection in just 0.5 seconds
The five stages of an Angler attack are:

  • Entry Point — A user accesses a hijacked website and malware downloads silently. The user does not notice his/her computer is being infected, especially because 82 per cent of malicious sites are in fact legitimate sites that have been hacked.
  • Distribution — The initial booby-trapped website sends users to a webpage where a range of different exploits attack the user based on his/her software combination, for example Windows + Internet Explorer + Safari and Flash.
  • Exploit — Angler will attempt to leverage vulnerabilities in the operating system, browser, Java, Flash, PDF reader, media player and other plugins.
  • Infection — The malware downloads a malicious payload such as Vawtrak, a zombie malware that steals financial data, or ransomware such as CryptoWall or TeslaCrypt to extort money from the user.
  • Execution — Vawtrak calls home with the user's sensitive data, such as credentials, banking or credit card information; ransomware encrypts files and demands payment for the key needed to decrypt them.

Why is it difficult to detect Angler?
Angler makes itself a moving target by rapidly switching the hostnames and IP addresses it uses. It trades on (and ruins in the process) the online reputation of legitimate companies by piggybacking on their DNS servers.
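The two behaviours just described (hostnames whose answers rotate through several IP addresses within minutes, and legitimate domains that suddenly sprout a burst of never-before-seen subdomains) are both visible in a defender's own DNS resolution logs. The script below is an added example, written for this article and not code from Sophos or SophosLabs; the log line format, the hostnames, the IP addresses, the baseline of known hosts and the thresholds are all constructed assumptions.

```python
"""Flag hosts that rotate resolved IPs quickly and registered domains under
which many previously unseen subdomains appear in a short window.

Added example for this article, not Sophos code.  The log format
"<ISO timestamp> <queried hostname> <answer IP>", the sample data, the
baseline of known hosts and the thresholds are all assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log.  example-corp.test stands in for a legitimate domain
# whose DNS is being abused; the short random-looking subdomains and the
# documentation-range IPs are invented.
SAMPLE_LOG = """\
2015-09-01T10:00:01 www.example-corp.test 203.0.113.10
2015-09-01T10:00:05 mail.example-corp.test 203.0.113.11
2015-09-01T10:01:10 q8zk.example-corp.test 198.51.100.23
2015-09-01T10:01:40 q8zk.example-corp.test 198.51.100.77
2015-09-01T10:02:05 q8zk.example-corp.test 192.0.2.140
2015-09-01T10:02:30 x71p.example-corp.test 198.51.100.23
2015-09-01T10:02:55 m3ta.example-corp.test 192.0.2.141
2015-09-01T10:03:20 k0vd.example-corp.test 192.0.2.142
2015-09-01T10:04:00 www.example-corp.test 203.0.113.10
2015-09-01T10:05:00 cdn.other-site.test 203.0.113.50
"""

# Constructed baseline: hostnames already seen before this log window.
KNOWN_HOSTS = {"www.example-corp.test", "mail.example-corp.test",
               "cdn.other-site.test"}


def registered_domain(host: str) -> str:
    """Naive registrable-domain cut (last two labels).  A real deployment
    would consult the Public Suffix List instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse(log_text: str):
    """Yield (timestamp, hostname, ip) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1].lower(), parts[2]


def find_rotating_hosts(log_text, window=timedelta(minutes=5), min_ips=3):
    """Return {host: sorted IPs} for hosts whose answers covered at least
    min_ips distinct addresses inside a single window."""
    events = defaultdict(list)            # host -> [(ts, ip)]
    for ts, host, ip in parse(log_text):
        events[host].append((ts, ip))
    flagged = {}
    for host, seen in events.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            ips = {ip for ts, ip in seen[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged[host] = sorted(ips)
                break
    return flagged


def find_subdomain_bursts(log_text, known=frozenset(),
                          window=timedelta(minutes=5), min_new=3):
    """Return {registered domain: [new hosts]} for domains under which at
    least min_new hostnames absent from the known baseline first appear
    inside a single window (the footprint of a shadowed domain)."""
    first_seen = {}
    for ts, host, _ in parse(log_text):
        if host not in known:
            first_seen.setdefault(host, ts)
    by_domain = defaultdict(list)         # domain -> [(first ts, host)]
    for host, ts in first_seen.items():
        by_domain[registered_domain(host)].append((ts, host))
    flagged = {}
    for domain, firsts in by_domain.items():
        firsts.sort()
        for i, (start, _) in enumerate(firsts):
            burst = [h for ts, h in firsts[i:] if ts - start <= window]
            if len(burst) >= min_new:
                flagged[domain] = burst
                break
    return flagged


if __name__ == "__main__":
    print("rotating hosts:", find_rotating_hosts(SAMPLE_LOG))
    print("subdomain bursts:", find_subdomain_bursts(SAMPLE_LOG, KNOWN_HOSTS))
```

Run against the constructed log, the first check flags q8zk.example-corp.test for answering from three addresses inside two minutes, and the second flags example-corp.test because four hostnames that were not in the baseline appeared under it within a few minutes, while the established www and mail records stay silent. The baseline matters: without one, every hostname in a fresh log looks new, so in practice the known set should be built from a longer observation period before the window being judged.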
