Exploit Kits

A quick guide to exploit kits - what they are, how they attack a vulnerable device, and how you can protect your device against them.

An exploit kit is a utility program that attackers use to launch exploits against vulnerable programs.

An exploit is an object - such as a piece of code or string of commands- that takes advantage of a vulnerability in a program to force it to behave unexpectedly.

An exploit kit is simply a program for collecting and managing multiple exploits. They act as a kind of repository, and make it easy for users without much technical knowledge to use exploits.

Overview of an exploit kit attack

Exposed online

Exploits are designed to target specific vulnerabilities, causing unexpected behaviors that an attacker can take advantage of to perform other harmful actions.

For an exploit to work however, the attacker must have some way to launching it against the vulnerable program. For some vulnerabilities, this requires physical access to the computer or mobile device, which obviously limits an attacker's opportunities. But it's much easier for an attacker to target a vulnerable program if it is on a device that is connected to the Internet – and that's where exploit kits come in.

In order to get targets to attack, exploit kit operators will host their kits on websites. The sites may be legitimate one that were hacked, or specially crafted sites. Attackers may also drive more potential victims to the exploit kit by redirecting or hijacking web traffic to the page hosting it.

Infecting devices

Once the page hosting the exploit kit is opened on a site visitors' computer or mobile device, the kit runs and silently probes the device for a vulnerability it can exploit. If it finds one, the kit launches the appropriate exploit.

If the exploit is successful, the kit can then launch the separate payload or attack intended by its operator. The most common payloads involve downloading and running other harmful programs on the compromised device, such as:

The exploit kit is essentially used to gain a foothold on a device, which an attacker can then use to cause greater damage. Foiling an exploit-based attack can therefore halt a wider-scale attack before it really gets underway.

A popular tool for attackers

Exploit kits have become much more common today because they are essentially crimeware - specialized utility programs that are offered for sale (or rent) by their creators to buyers on crime-oriented forums. This 'crimeware as a service' model means that the kits can be used even by attackers with little technical skill, making the potential pool of attackers much larger.

Many exploit kits are designed to be modular, so that new exploits can easily be added and old ones removed. This allows the kit operators to quickly start using new exploits when they become available. For example, when the Hacking Team data breach occurred in early 2015, exploit code that was detailed in the exposed data was added to various exploit kits within days.

Popular kits

There are many exploit kits currently active online, though what vulnerabilities they target and how prevalent they are in each country is quite variable. Some of the more well-known exploit kits of the moment include Angler, Magnitude, Nuclear and Neutrino.

Fortunes can change quickly in the crimeware underworld however, which can affect how prevalent some exploit kits are online. For example, the Blackhole kit went from being the dominant threat to almost totally negligible very quickly after its operator was arrested.

Foiling exploit kit attacks

An attack by a website-hosted exploit kit can only work if it is has two consecutive opportunities, or exposures, to attack your device:

  • Exposure 1: You open a page hosting an exploit kit
  • Exposure 2: Your device has an unpatched vulnerability that the kit can leverage

A vulnerable device that doesn't encounter the exploit kit can't be compromised, any more than one that is exposed to a kit but doesn't have any vulnerable programs installed.

To foil attacks from exploit kits, you can take a couple simple but effective steps:

  • Browse safely
    Use a reputable antimalware product with a website scanning feature to make sure the web page is not silently hosting a harmful component. They can also prevent scripts from redirecting the browser to an unsolicited site.
  • Patch all programs regularly
    Ensure your device and all installed programs are using the latest versions and any applicable security fixes. For reference, the Vulnerability Protection page lists the latest patches released by the vendors of popular programs.
Intercepting exploits

In many cases, many modern antimalware programs (such as F-Secure SAFE) will detect and intercept the exploits themselves as they are attempting to leverage a vulnerability, preventing it from successfully completing the attack.