Exploit Kits

A quick guide to exploit kits - what they are, how they attack a vulnerable device, and how you can protect your device against them.

Firstly, what is an exploit?

Before we talk about exploit kits, let's start with exploits. In computer security, an exploit is an object that causes a program to behave in an unexpected manner. The object is usually something that the program is unable to deal with – for example, a string of characters that does not fit an expected pattern, or a series of commands that the program is unable to correctly execute.

When an exploit forces the program to behave unexpectedly, an attacker can take advantage of the disruption to perform other, usually malicious, actions that would not normally be permitted. For example, an attacker might exploit one program on a computer in such a way that a second program is silently installed without authorization from the user – an action that would normally be detected and blocked by the operating system.

When a program is unable to deal with an exploit because of an underlying flaw or loophole in its coding or implementation, the flaw is known as a vulnerability. Vulnerabilities can be found in any type of software, from simple macro scripts that run within a computer program, to the program itself, to the operating system that runs it, and even in the 'firmware' that controls the physical components of a user's computer or mobile device.

For an exploit to be a danger however, an attacker must have some way to deliver it to the vulnerable program. For some vulnerabilities, this requires the attacker to have physical access to the targeted computer or mobile device, which obviously limits an attacker's opportunities. Far more dangerous is when an attacker can leverage a vulnerability from a distance, most commonly over the Internet – and that's where exploit kits come in.

So what is an exploit kit?

An exploit kit is basically a utility program or toolkit that can deliver an exploit to its corresponding target program. If the exploit is successful, the kit can then deliver a malicious payload to the compromised computer or mobile device. If you think of a single exploit as being an 'arrow' that can only hit one particular 'sweet spot' on a target, then an exploit kit is the 'bow' that can launch an entire quiverful of arrows at any target that happens to be within range.

In order to get targets to attack, exploit kit operators will typically host their kits on websites, which may be either maliciously crafted websites, or legitimate ones that have been compromised. The kits can then silently probe the computers or mobile devices of any visitors to the site. In some cases, attackers may increase the flow of potential victims to the exploit kit by using some form of web traffic hijacking to redirect more visitors to the poisoned website. For example, websites might be hacked in order to quietly redirect users to the site hosting the exploit kit.

If a visitor's machine is found to be vulnerable to the exploit, the kit then downloads a payload onto the victim's machine (essentially, a drive-by download attack). The payload can be tailored according to the exploit kit operator's wishes, but typically includes malware such as ransomware, botnet-related components and banking trojans.
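As an added, defender-side illustration of the visit, silent redirect, payload download flow described above (this is not code from the original article), the Python below walks constructed web proxy log lines and flags executable downloads that a client reached only through a chain of referrals from another site. The log format, hostnames and list of payload content types are assumptions.

```python
"""Flag drive-by style redirect chains in constructed web proxy logs.
A binary download is suspicious when it comes from a host the client never
visited directly and was reached only through a referrer chain (visit,
silent redirect, payload download, as described above)."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines (not real traffic): time client url referrer type
SAMPLE_LOG = """\
10:00:01 10.0.0.5 http://news.example/article - text/html
10:00:02 10.0.0.5 http://ads.example/tag.js http://news.example/article application/javascript
10:00:03 10.0.0.5 http://landing.example/index.php http://ads.example/tag.js text/html
10:00:04 10.0.0.5 http://landing.example/get.php?id=7 http://landing.example/index.php application/x-msdownload
10:01:00 10.0.0.6 http://vendor.example/downloads - text/html
10:01:01 10.0.0.6 http://vendor.example/update.exe http://vendor.example/downloads application/x-msdownload
"""
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream"}  # assumed binary types

def parse(log):
    """Yield (client, url, referrer-or-None, content_type) per log line."""
    for line in log.splitlines():
        _ts, client, url, ref, ctype = line.split()
        yield client, url, (None if ref == "-" else ref), ctype

def host(url):
    return urlparse(url).netloc

def find_driveby_chains(log, min_hops=2):
    """Return [(client, [host, ...])] for each payload download reached
    only via a referrer chain of at least min_hops distinct hosts."""
    by_client = defaultdict(list)
    for rec in parse(log):
        by_client[rec[0]].append(rec)
    hits = []
    for client, recs in by_client.items():
        referrer_of = {url: ref for _, url, ref, _ in recs}
        direct = {host(url) for _, url, ref, _ in recs if ref is None}
        for _, url, ref, ctype in recs:
            if ctype not in PAYLOAD_TYPES or host(url) in direct:
                continue  # not a binary, or the user went to that site on purpose
            chain, cur = [host(url)], ref  # walk referrers back to the first visit
            while cur is not None and cur in referrer_of:
                chain.append(host(cur))
                cur = referrer_of[cur]
            distinct = list(dict.fromkeys(chain))[::-1]  # first visit -> payload host
            if len(distinct) >= min_hops:
                hits.append((client, distinct))
    return hits
```

The vendor download on the second client is not flagged because the user visited that site directly, which is the distinction that separates a normal download from a drive-by.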

Overview of an exploit kit attack

Most exploit kits can also be updated by their creators or controllers (not always the same party) to add new exploits, allowing them to target any new vulnerabilities found without much fuss. For example, when the Hacking Team data breach occurred in early 2015, exploit code that was detailed in the exposed data was quickly added to various exploit kits.

Why are exploit kits a concern?

Exploit kits have become one of the more prevalent threats online today because they are essentially crimeware - specialized utility programs that are offered for sale (or rent) by their creators to interested third parties in various crime-oriented forums. On the modern Internet, they are actively being used by less technically-savvy attackers as a relatively easy way to attack and infect a large number of users.

Unlike previous forms of malware, which tended to be operated by only a small number of attackers (or even just by their creators), crimeware can be used by anyone who is able to purchase the 'product', making the potential pool of attackers much larger. Since new exploits can simply be added to an exploit kit's arsenal, attackers can also keep using the same tool (with the appropriate updates) over a longer period, in comparison to single-purpose malware, which tends to have a shorter shelf life.

There are multiple exploit kits in the wild, though what vulnerabilities they target and how prevalent they are is quite variable. Today, some of the more well-known exploit kits include Angler, Magnitude, Nuclear and Neutrino (though this may not be true for long as fortunes change quite quickly in the exploit kit underworld, as can be seen when the Blackhole kit went from dominant to negligible after its operator was arrested).

How do I protect my device against exploit kits?

A successful exploit-based attack allows an attacker to gain a toehold on a computer or device, which they can then use to launch a longer chain of further intrusion and mischief. Intercepting an exploit before it completes is therefore an efficient way to stop a wider-scale attack before it can really get underway.

Since exploits are most commonly delivered by exploit kits today, we'll concentrate on what users can do to evade or block attacks launched from an exploit kit. An exploit kit's attack can only proceed if it has two consecutive opportunities to attack your computer or device:

  • Opportunity 1: You visit (or are redirected to) a website hosting an exploit kit
  • Opportunity 2: The vulnerabilities its exploits leverage are unpatched and undefended

Both opportunities must be present for an attack from an exploit kit to succeed: a vulnerable machine that never encounters the exploit kit can't be attacked, any more than one that is exposed to a kit but doesn't have any vulnerable programs installed. So to evade attacks from exploit kits, a user would need to avoid providing at least one (and preferably both) of these 'openings' for attack.

There are various steps you can take when surfing online to avoid encountering exploit kits. For example, website security rating services help users avoid known malicious or compromised websites, while script blocking software and antivirus programs prevent malware from redirecting the browser to an unsolicited site.

More concretely, users can render exploits pointless by removing their intended target and closing the flaw in a vulnerable program with a security patch issued by the program's vendor. Users are strongly urged to install security patches for any software installed on their computers or devices as soon as they are released. For reference, the Vulnerability Protection page lists the latest patches released by the vendors of popular programs.

Even if a security patch is not yet available, an attack launched against a vulnerable program can be deflected by up-to-date security software, such as F-Secure SAFE. Most antivirus programs today will detect and intercept the exploits themselves as they attempt to leverage a vulnerability, preventing the attack from completing.