Exploit kit explosion - part one

2010-04-01

Mark Davis

Editor: Helen Martin

Abstract

In the first of a two-part series introducing exploit kits, Mark Davis outlines the basic details of the dime-a-dozen kits used in drive-by browser-based attacks.


Table of contents

Exploit kits used in drive-by browser-based attacks are a dime a dozen these days, with a new kit emerging in the wild every few weeks. A multitude of kits, a.k.a. packs, now exist after several years of PHP/SQL kit development in the criminal underground. Some kits are developed for private use, while others are sold for amounts ranging from a few hundred to several thousand dollars dependent upon sophistication and capabilities. Many kits appear to be Russian in origin, with Cyrillic characters appearing in comments, Russian login options, and reference in some cases to known Russian cybercriminals.

This is the first article in a two-part series introducing exploit kits. The second part will look at exploit vectors, URL identification, and risk associated with exploit kit attack vectors.

Basics

Many have heard of exploit kits and/or understand the basic nature of a drive-by attack using such a kit, but fewer know them by name. Names for kits, unlike malcode, are often assigned by the creator, used in logos, logon screens, in comments within kits and advertisements online in various underground forums. While not exhaustive, a fairly comprehensive list of exploit kits used in malcode attacks in the wild is as follows:

  • Adpack

  • Adrenalin

  • Armitage

  • Crimepack

  • Eleonore

  • Fiesta

  • Firepack

  • Fragus

  • FSPack

  • G-pack

  • Icepack

  • JustExploit

  • Liberty

  • Luckysploit

  • Max$ Sploit System

  • mPack

  • Multisploit

  • Mypolysploit

  • Napoleon Sploit Kit

  • Neon

  • Neosploit

  • Nuc Pack (Nuclear)

  • Nuke

  • Papka Pack

  • Pheonix

  • SEO Sploit Pack

  • Shamans Dream Pack

  • Siberian Exploit Pack

  • Smartpack

  • Sploit25

  • Tornado

  • Unique Pack

  • Webattacker

  • YES!

This list does not include other types of web-based C&Cs used to manage DDoS attacks, botnets, or other frameworks and is limited to actual exploit kits used in drive-by attacks. Some of the most recent kits to emerge include the Siberian Exploit Pack, Shaman’s Dream Pack, and Papka Pack, while the older packs in the wild include Webattacker, mPack and Neosploit. Yes!, Fragus, Eleonore, Fiesta, Unique Pack, Liberty, Luckysploit and Neosploit are some of the more commonly used (and effective) kits in the wild in 2010. The kits commonly include authentication for administrative login in Russian, English, and/or other languages.

Fragus supports English and Russian login options.

Figure 1. Fragus supports English and Russian login options.

After logging into an exploit kit, statistics on infections and/or zombie reports are typically presented to the admin.

Since the emergence of exploit kits there has been a notable change in browser use. In the beginning, Internet Explorer was the primary vector but now Firefox and Opera are commonly included, as is Safari in some cases, as seen in the Fragus statistics shown in Figure 2. Information on the operating systems in use is also collected to aid developers in targeting specific browsers and operating systems of interest. Geographic location is of great importance for several reasons including possible counter-intelligence against researchers, monetization needs (such as money mules in specific countries), proxy needs (tunnel through a specific geographic region or country), affiliate financial rewards for compromises within a specific country or geographic region, and/or others.

Fragus statistics include bar graphs and core data for exploit metrics.

Figure 2. Fragus statistics include bar graphs and core data for exploit metrics.

Liberty details traffic to an exploit kit site by browser, showing Firefox as the main browser.

Figure 3. Liberty details traffic to an exploit kit site by browser, showing Firefox as the main browser.

Exploit kits also allow a remote file to be uploaded as part of payload management when exploitation is successful.

Options such as ‘Add file’ by Fragus help kit developers to protect their own intellectual material. Rather than deliver raw files to clients they can configure a server or compromised computer with an exploit kit. Some developers will do this as part of a service offering for operating and/or maintaining an exploit kit purchased by a client. As a result, clients need only use a web-based interface to upload and/or manage an attack rather than configure and set up a server for PHP/SQL exploit kit capabilities, and without the need to manage back-end files.

Fragus ‘Add file’ allows a file to be uploaded for use with the kit.

Figure 4. Fragus ‘Add file’ allows a file to be uploaded for use with the kit.

Referrals are often included in kits as a way to track where attackers get the best traffic for exploitation. For example, if ten sites are compromised and configured for iFrame redirection to an exploit kit site, a referral page can be consulted to see the top referrals and areas of success. Such metrics enable attackers to manage iFrame and server compromise efforts for maximum success.

The Liberty ‘Referers’ [sic] page reveals that x0r.su is responsible for 83% of traffic to the exploit kit.

Figure 5. The Liberty ‘Referers’ [sic] page reveals that x0r.su is responsible for 83% of traffic to the exploit kit.

Note that words like ‘referral’ and ‘referrers’ are frequently misspelled by the developers of exploit kits.

Demonstration kits are frequently distributed via online forums and file-sharing sites. Such demonstration kits have limited functionality and do not include core exploit files. Most kits look very similar, with about a dozen different PHP pages for managing core functionality, reporting and management of payloads, along with a few standard exploits used in the kit (but rarely a comprehensive set of exploits).

Figure 6. 

The next article will detail the functionality of common PHP and SQL elements of such kits. In addition, we will look at interesting metrics around exploits used in kits, the success of exploits in the wild, and mitigation elements such as unique URI elements and exploit characteristics will be overviewed.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

Aditya Sood & Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited to compromise the C&C panel in order to gather threat intelligence, and present a model of mobile AppInjects.

Cryptojacking on the fly: TeamTNT using NVIDIA drivers to mine cryptocurrency

TeamTNT is known for attacking insecure and vulnerable Kubernetes deployments in order to infiltrate organizations’ dedicated environments and transform them into attack launchpads. In this article Aditya Sood presents a new module introduced by…

Collector-stealer: a Russian origin credential and information extractor

Collector-stealer, a piece of malware of Russian origin, is heavily used on the Internet to exfiltrate sensitive data from end-user systems and store it in its C&C panels. In this article, researchers Aditya K Sood and Rohit Chaturvedi present a 360…

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.