EVOLUTION OF EXPLOIT KITS
Research Paper
© 2015 Trend Micro Incorporated


CONTENTS

Introduction ........................................ ii
Exploit Kit Attack Scenario .......................... 1
    Contact .......................................... 1
    Redirect ......................................... 1
    Exploit and Infect ............................... 1
Exploit Kit Evolution ................................ 2
    Early Versions ................................... 2
    Evolution ........................................ 3
Current Trends in Exploit Kits ....................... 3
    Top Exploit Kits ................................. 3
    Top Targets ...................................... 4
    Used Exploits .................................... 4
    Evasion Techniques: Antivirus/Virtualization Product Detection ... 5
    Evasion Techniques: File Obfuscation ............. 6
Exploit Kits in 2015 ................................. 8
Solutions for Exploit Kits ........................... 8
Appendix ............................................. iii
References ........................................... v

TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.

Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.

Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.


INTRODUCTION

An exploit kit, or exploit pack, is a type of hack toolkit that cybercriminals have favored in the last few years for Web-based attacks that distribute malware. Several kits have been developed and then sold or rented out like commercial products in underground markets. The earliest hack toolkit on record in the crimeware market was seen sometime in 2006. [1]

A typical exploit kit provides a management console, exploits for a set of vulnerabilities in different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack.

The rise of exploit kits in underground markets pushes exploit kit developers to improve the stealth and efficiency of their product. Currently, there are 70 different exploit kits in the wild that take advantage of more than a hundred vulnerabilities. In this paper, we discuss what an exploit kit is, how it works, and how it has changed over time.


Once the vulnerable applications are identified, the page sends requests to the exploit kit server to download the exploit files that attack the targeted applications. Vulnerabilities in Web browsers, Java, Adobe® Flash® Player, and Adobe Acrobat® and Reader® are the ones most targeted by exploit kits.

After successfully exploiting a vulnerability, the attacker can download and execute malware in the victim's environment. We have seen various types of malware downloaded in exploit kit attacks, the most notable being online banking malware and ransomware. [6–7]

EXPLOIT KIT EVOLUTION

Early Versions

The first recorded exploit kit attack can be traced back to 2006 and used the WebAttacker kit. This was the first exploit kit found in the Russian underground market. It came with technical support and was sold for US$20. The redirect link of WebAttacker was distributed via spam and compromised websites. It targeted multiple vulnerabilities in Microsoft Windows®, Mozilla Firefox®, and Java to distribute malware in the wild.

The second exploit kit, Mpack, was developed by three Russian programmers in the middle of 2006. The first complete version was released in December that same year and was sold for US$1,000. Compared to WebAttacker, the control panel of Mpack provided more detailed statistics on its victims, such as their location. More than 3,000 compromised websites carried the redirect links of Mpack. Several other exploit kits were also released in underground markets in 2007, namely NeoSploit, Phoenix, Tornado, and Armitage, but Mpack was seen as one of the most serious exploit kit threats that year. [8–9] Fiesta, AdPack, and FirePack emerged in 2008, and the infamous Blackhole Exploit Kit surfaced in 2010. The success of these early kits led to the creation and release of other kits that have been hitting legitimate businesses hard.

[Figure 2: Timeline record of exploit kits. Series: Number of Active Exploit Kits; Number of Newly Released Exploit Kits. Years: 2006 to 2014]

Figure 2 shows the number of active exploit kits found in the wild and the number of new ones seen each year since 2006. The threat was on an upward trend from 2006 to 2013, with 2011 […] new ones identified in 2012 alone. This slowly dropped in 2013 and sharply declined in 2014. The number of active exploit kits also decreased in 2014. The arrest of Paunch, the author of Blackhole Exploit Kit, in October 2013 may have sent a strong message to underground cyber markets, given the radical change in exploit kit statistics. Note that Blackhole was the most widely used exploit kit in 2012 and 2013, posing a major threat to users.

Evolution

Despite the decrease in activity, the threat exploit kits pose to users has not changed. Several exploit kits were still in use in 2014, among them Fiesta, Nuclear, SweetOrange, Styx, FlashPack, Neutrino, Magnitude, Angler, and Rig. [10–12]

Fiesta is the newer version of NeoSploit, identified in 2013. Nuclear was identified in 2010 but was upgraded to version 3 with new exploits in 2013. SweetOrange, Styx, and FlashPack were first used in attacks in 2012. Neutrino, Magnitude, and Angler were identified in 2013; Rig was first seen in April 2014.

CURRENT TRENDS IN EXPLOIT KITS

Top Exploit Kits

One can say that Blackhole Exploit Kit took a back seat in underground markets when its creator, Paunch, was arrested. Several exploit kits then emerged and took its place in the spotlight, so to speak. Figure 3 shows the distribution of exploit kit attacks seen in 2014.

[Figure 3: Distribution of exploit kit attacks in 2014]


Figure 3 shows the distribution of exploit kit attacks we identified in 2014. SweetOrange, used in malvertisement attacks that distributed ransomware, took more than a third of the exploit kit share. The Angler Exploit Kit was also widely used and remains one of the most active to date.

Top Targets

In terms of impact, the U.S. was the most affected country: it was the target of almost 60% of attacks that used exploit kits, as shown below.

[Figure: Distribution of top 10 countries attacked in 2014]

Used Exploits

The effectiveness of an exploit kit depends on the exploits it uses. An exploit for a new vulnerability can lead to more malware infections because, most likely, the vulnerability has not yet been patched by the user. This means that to keep an exploit kit's infection rate high, its owners need to continuously update its exploits. The infection rate matters to exploit kit developers because it serves as a key selling feature: developers use it to showcase the effectiveness of their product in underground markets, which eventually leads to more business.


Vulnerabilities Used in 2014 Exploit Kit Attacks

Exploit kits surveyed: Nuclear, SweetOrange, FlashPack, Rig, Angler, Magnitude, Fiesta, Styx, HanJuan

Internet Explorer:      CVE-2013-2551, CVE-2014-0322, CVE-2014-6332, CVE-2013-3918
Microsoft Silverlight:  CVE-2013-0074
Adobe Flash Player:     CVE-2014-0515, CVE-2014-0569, CVE-2014-8439, CVE-2015-0311, CVE-2013-0634, CVE-2014-0497, CVE-2015-0313
Adobe Acrobat/Reader:   CVE-2010-0188
Oracle Java:            CVE-2012-0507, CVE-2013-2460, CVE-2013-2471, CVE-2013-2465, CVE-2014-2465
XMLDOM ActiveX:         CVE-2013-7331

More than a hundred vulnerabilities, in more than 10 different applications, have been integrated into exploit kits since 2006.

Adobe Reader and Java exploits were popular in 2008; Java was the application most targeted by exploit kits in 2013. However, we found that PDF Reader and Java vulnerabilities were no longer updated in exploit kits from 2014 on. By contrast, five exploit kits used Microsoft Silverlight from the end of 2013 through 2014, making it the top target of exploit kits.

Internet Explorer® exploits were also a primary attack vector. Things changed, however, after Microsoft released a major Security Bulletin that included a significant improvement for mitigating use-after-free (UAF) vulnerabilities. [13] After that, only one Internet Explorer exploit was added to exploit kits, CVE-2014-6332, which Microsoft immediately patched. This change seems to have driven attackers toward Adobe Flash Player. It soon became the main targeted application, and the following Flash exploits were found in exploit kits within a short period: CVE-2014-0497, CVE-2014-0515, CVE-2014-0569, CVE-2014-8439, CVE-2015-0311, and CVE-2015-0313.

EVASION TECHNIQUES: ANTIVIRUS/VIRTUALIZATION PRODUCT DETECTION

A new feature we saw added to exploit kits is the ability to detect installed security software: if certain security products are installed, the exploit kit stops itself from running. The security products in question include both antivirus products and virtual machine software.
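As an added example (not code from the paper), the following Python triage routine flags a fetched landing-page script that shows the security-product fingerprinting pattern this section describes: instantiation of the Microsoft.XMLDOM ActiveX control together with res:// URIs naming local files, which is how the Internet Explorer vulnerability CVE-2013-7331 is used to test for installed products. The vendor markers are taken from the paper's evasion table; the two sample scripts, the regular expressions and the high/medium/low scoring tiers are constructed assumptions for the demonstration.

```python
# Added example, not code from the paper: triage a landing-page script for the
# XMLDOM res:// file-probing pattern associated with CVE-2013-7331.
import re

# Security and virtualization products named in the paper's evasion table.
VENDOR_MARKERS = ["kaspersky", "trend micro", "eset", "vmware", "virtualbox", "parallels"]

XMLDOM_RE = re.compile(r'ActiveXObject\s*\(\s*["\']Microsoft\.XMLDOM["\']\s*\)', re.I)
RES_URI_RE = re.compile(r'res://([^"\'<>]+)', re.I)   # stop at the closing quote
PARSE_ERR_RE = re.compile(r'\.parseError\b')

# Constructed fragment resembling a fingerprinting script; the probe loop is omitted.
SAMPLE_SCRIPT = r'''
var dom = new ActiveXObject("Microsoft.XMLDOM");
var probes = [
  "res://C:\\Program Files\\Kaspersky Lab\\example.dll",
  "res://C:\\Program Files\\Trend Micro\\example.dll",
  "res://C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\example.dll"
];
// ... each probe is loaded and dom.parseError is inspected (omitted) ...
'''

# Constructed benign script for comparison.
BENIGN_SCRIPT = '''
var xhr = new XMLHttpRequest();
xhr.open("GET", "/api/articles", true);
xhr.send();
'''


def scan_script(js):
    """Return the indicators found in one script body and an overall verdict."""
    uses_xmldom = bool(XMLDOM_RE.search(js))
    reads_parse_error = bool(PARSE_ERR_RE.search(js))
    # JavaScript string literals escape backslashes; collapse them before matching.
    targets = [t.replace("\\\\", "\\") for t in RES_URI_RE.findall(js)]
    vendor_hits = sorted({v for t in targets for v in VENDOR_MARKERS if v in t.lower()})
    if uses_xmldom and vendor_hits:
        verdict = "high"      # XMLDOM plus res:// paths naming security products
    elif uses_xmldom and targets:
        verdict = "medium"    # XMLDOM plus res:// probing of other local files
    elif targets:
        verdict = "low"       # res:// alone is unusual in web content but not conclusive
    else:
        verdict = "none"
    return {
        "uses_xmldom": uses_xmldom,
        "reads_parse_error": reads_parse_error,
        "res_targets": targets,
        "vendor_hits": vendor_hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, scan_script(script))
```

The check is deliberately cheap enough to run on every HTML or script response at a proxy or in a sandbox: a page that has no business instantiating XMLDOM and enumerating res:// paths under Program Files is a strong candidate for the evasion logic described above, and the vendor list can be extended with whatever products an organization actually runs.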


Antivirus Products Detected in Exploit Kits

Exploit Kit                       Angler              Nuclear        Rig            Styx
Evasion target (antivirus or      Kaspersky           Kaspersky      Kaspersky      Kaspersky
virtualization software)          Trend Micro         Trend Micro    Trend Micro    ESET
                                  VMware
                                  VirtualBox
                                  Parallels Desktop

This behavior is implemented through a vulnerability in Internet Explorer (CVE-2013-7331). The vulnerability allows an attacker to check for the presence of files and folders on an affected system. It was first reported to Microsoft in February 2014 but was only patched in September that same year as part of MS14-052. Below is an example of antivirus product checking:

[Figure: Sample code of CVE-2013-7331 in detecting antivirus software]

EVASION TECHNIQUES: FILE OBFUSCATION

Obfuscation is a technique commonly used in several kinds of attacks to prevent detection of the malicious payload. Through obfuscation, the payload is given a different appearance when examined statically but is recovered during execution. Exploit kits regularly use various techniques to obfuscate their exploit files.

In 2014, some exploit kits changed to use new obfuscation techniques. In the cases we have seen, attackers used legitimate tools to obfuscate their files. For example, Angler Exploit Kit now uses the Pack200 format to obfuscate Java exploits. Pack200 is the archive format developed by Sun (Java's original developer) to compress JAR files significantly. The tool to decompress these obfuscated files is part of the original Java Development Kit. However, not all security products fully support this format, so detection can be missed.

Another example is the technique used by the FlashPack and Magnitude exploit kits for Flash Player exploits. It involves a commercially available tool called DoSWF to hide their files. The tool allows developers to hide the ActionScript contents of their Flash files from people who would copy or pirate them. Unfortunately, it also works against detection by security software.

Aside from landing page and exploit file obfuscation, most exploit kits now have the ability to obfuscate their payload/malware: the payload is transferred over the Internet as an encrypted stream. The exploit kit can therefore deliver its payload/malware to the victim's machine without being detected, since it


doesn't look like an executable file in network traffic. There is no "MZ" magic code at the start of the payload as seen on the wire, and it is not a valid PE file. The exploit kit decrypts the payload in memory, using shellcode, only after it has been downloaded to the victim's machine.

[Figure 6: Payload encryption and decryption]

Figure 6 shows the appearance of the payload in network traffic and the payload after decryption. The encryption alone can prevent detection by most signature-based IDS/IPS systems. After decryption, some exploit kits still drop the payload to disk. Angler and HanJuan, however, do not write their payload to disk but run it directly in memory, avoiding antivirus scans of the file system. This technique is now commonly referred to as fileless infection. The
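As an added example serving both the file-obfuscation discussion (Pack200-wrapped Java archives, obfuscated Flash files) and the encrypted-payload discussion above (no "MZ" header on the wire, decrypted in memory), the following Python code identifies a downloaded object by its real header rather than its declared content type and flags the two cases a scanner most easily misses. It is not code from the paper; the sample objects, the content-type mapping and the entropy threshold are constructed assumptions. The Pack200 magic number, the FWS/CWS/ZWS SWF signatures and the MZ/PE layout are the published formats.

```python
# Added example, not code from the paper: identify downloaded objects by their
# real header and flag Pack200-wrapped archives and headerless encrypted blobs.
import gzip, hashlib, io, math, struct, zipfile, zlib

ENTROPY_THRESHOLD = 7.2   # assumed cut-off; encrypted/random data sits near 8.0
SWF_KINDS = {b"FWS": "swf-uncompressed", b"CWS": "swf-zlib", b"ZWS": "swf-lzma"}
# Declared content type -> header types that legitimately carry it (assumption).
EXPECTED = {
    "application/java-archive": {"zip/jar"},
    "application/x-shockwave-flash": set(SWF_KINDS.values()),
    "application/pdf": {"pdf"},
    "application/x-msdownload": {"pe"},
}


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identify(data):
    """Classify by magic bytes; a gzip wrapper is unwrapped and reported."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        return "pe" if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" else "mz-stub"
    if data[:4] == b"PK\x03\x04":
        return "zip/jar"
    if data[:4] == b"\xca\xfe\xd0\x0d":      # Pack200 magic number (JSR 200)
        return "pack200"
    if data[:2] == b"\x1f\x8b":              # gzip; Pack200 usually ships as .pack.gz
        try:
            return "gzip(" + identify(gzip.decompress(data)) + ")"
        except (OSError, EOFError, zlib.error):
            return "gzip(corrupt)"
    if data[:3] in SWF_KINDS:
        return SWF_KINDS[data[:3]]
    if data[:4] == b"%PDF":
        return "pdf"
    return "unknown"


def assess(data, declared_type):
    """Compare the real header with the declared type and say what a scanner should do."""
    ident, entropy, findings = identify(data), shannon_entropy(data), []
    expected = EXPECTED.get(declared_type)
    if expected is not None and ident not in expected:
        findings.append("declared %s but content identifies as %s" % (declared_type, ident))
    if "pack200" in ident:
        findings.append("pack200-packed Java archive: unpack (unpack200) before inspecting classes")
    if ident == "unknown" and entropy > ENTROPY_THRESHOLD:
        findings.append("no recognizable header and entropy %.2f: likely an encrypted payload "
                        "that shellcode decrypts in memory" % entropy)
    return {"identified": ident, "entropy": entropy, "findings": findings}


# Constructed samples (no real files involved).
def _keystream(n, seed=b"constructed"):
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def _fake_pe():
    hdr = bytearray(0x60)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew points at "PE\0\0"
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def _fake_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


_swf_body = bytes(32)
SAMPLES = {
    "pe": _fake_pe(),
    "jar": _fake_jar(),
    "pack200_gz": gzip.compress(b"\xca\xfe\xd0\x0d" + bytes(60)),
    "swf_zlib": b"CWS\x0a" + struct.pack("<I", 8 + len(_swf_body)) + zlib.compress(_swf_body),
    # Leading zero byte keeps the pseudo-random blob from accidentally matching a magic.
    "blob": b"\x00" + _keystream(4095),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, assess(data, "application/octet-stream"))
```

Two points follow from running this over exploit kit traffic. A Java archive declared as application/java-archive but identified as gzip(pack200) is exactly the Angler case: a scanner that only knows ZIP-based JARs never sees the classes unless it unpacks Pack200 first. And an octet-stream with no recognizable header and near-maximal entropy is what the encrypted payload of Figure 6 looks like on the wire; the right place to catch it is the sandbox or the endpoint, where the decrypted image exists in memory, not a signature on the network capture.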


table below shows which exploit kits use payload encryption and fileless infection.

Payload Evasion Summary (rows: Payload (PE) Encryption; Fileless Infection. Exploit kits: FlashPack, Rig, Magnitude, Nuclear, Fiesta, Angler, SweetOrange, GongDa, Styx, HanJuan)

EXPLOIT KITS IN 2015

An exploit kit is now one of the most popular types of Web attack toolkit in underground markets, and we can expect more activity related to them in 2015. Barely two months into the year, we have already seen two Adobe Flash Player zero-day vulnerabilities (CVE-2015-0311 and CVE-2015-0313) exploited in the wild and delivered via exploit kits. [14–15] It is not rare for exploit kits to include zero-day exploits, and we think this is a trend we will see more of in 2015. The inclusion of zero-day exploits makes exploit kits a much more dangerous threat because it automates delivery and can affect a larger set of users in a shorter amount of time.

SOLUTIONS FOR EXPLOIT KITS

Exploit kits pose a multicomponent threat that requires a multicomponent solution. Users need security strategies that provide protection against all threat components:

Behavior-based solutions that trace the routines found in exploits and block them proactively can serve as the primary defense against exploit kits, especially those that include zero-day exploits in their arsenal. An example of this is the Sandbox with Script Analyzer engine, which is part of Trend Micro Deep Discovery.

Web-based detection, through a Web-based solution like the Browser Exploit Prevention feature in our endpoint products such as Trend Micro Security, Trend Micro OfficeScan, and Trend Micro Worry-Free Business Security, blocks the exploit once the user accesses the URL it is hosted on. A Web reputation service adds another layer of security, making sure that redirection chains are blocked even before the malicious payload is downloaded to the system.

File-based detection ensures that any payload successfully downloaded to the system cannot execute its routines.
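As an added example (not code from the paper or from any Trend Micro product), the following Python script applies the layered idea above to Web-proxy logs: per client and per host it reconstructs the contact/redirect/exploit/infect sequence described earlier in this paper (an HTML landing page reached from another site, followed within a short window by exploit objects such as Java, Flash, Silverlight or PDF files, followed by an opaque binary download) and raises one alert per completed chain. The log format, hostnames, content-type lists and the 120-second window are constructed assumptions.

```python
# Added example, not code from the paper: reconstruct exploit-kit infection
# chains (landing page -> exploit object -> payload) from web-proxy logs.
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed log lines: time,client,method,url,status,content_type,referer
SAMPLE_LOG = """\
2015-02-24T10:00:01Z,10.0.0.5,GET,http://news.example.com/story.html,200,text/html,-
2015-02-24T10:00:02Z,10.0.0.5,GET,http://ads.example.net/serve?id=42,302,text/html,http://news.example.com/story.html
2015-02-24T10:00:03Z,10.0.0.5,GET,http://landing.example.org/index.php?a=1,200,text/html,http://ads.example.net/serve?id=42
2015-02-24T10:00:04Z,10.0.0.5,GET,http://landing.example.org/app.xap,200,application/x-silverlight-app,http://landing.example.org/index.php?a=1
2015-02-24T10:00:05Z,10.0.0.5,GET,http://landing.example.org/movie.swf,200,application/x-shockwave-flash,http://landing.example.org/index.php?a=1
2015-02-24T10:00:07Z,10.0.0.5,GET,http://landing.example.org/load.php?e=3,200,application/octet-stream,-
2015-02-24T10:01:00Z,10.0.0.9,GET,http://video.example.com/watch,200,text/html,-
2015-02-24T10:01:01Z,10.0.0.9,GET,http://cdn.example.com/player.swf,200,application/x-shockwave-flash,http://video.example.com/watch
"""

# Content types carrying the exploit targets the paper names (Java, Flash, Silverlight, PDF).
EXPLOIT_TYPES = {"application/java-archive", "application/x-shockwave-flash",
                 "application/x-silverlight-app", "application/pdf"}
# Opaque binaries: a real PE, or an encrypted payload that is decrypted in memory.
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}
WINDOW = timedelta(seconds=120)   # assumed maximum gap from landing page to payload


def parse_log(text):
    """Turn the constructed CSV-style log into dicts with parsed time and host."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype, referer = line.split(",", 6)
        rows.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "url": url,
            "host": urlparse(url).hostname,
            "status": int(status),
            "ctype": ctype.split(";")[0].strip().lower(),
            "referer": None if referer == "-" else referer,
        })
    return rows


def detect_chains(text):
    """Return one alert per (client, host) that completes landing -> exploit -> payload."""
    groups = defaultdict(list)
    for r in parse_log(text):
        groups[(r["client"], r["host"])].append(r)
    alerts = []
    for (client, host), reqs in groups.items():
        reqs.sort(key=lambda r: r["time"])
        landing, exploits = None, []
        for r in reqs:
            if r["ctype"] == "text/html" and r["status"] == 200:
                ref_host = urlparse(r["referer"]).hostname if r["referer"] else None
                if ref_host != host:      # entered this host from elsewhere: candidate landing page
                    landing, exploits = r, []
                continue
            if landing is None or r["time"] - landing["time"] > WINDOW:
                continue
            if r["ctype"] in EXPLOIT_TYPES:
                exploits.append(r["url"])
            elif r["ctype"] in PAYLOAD_TYPES and exploits:
                alerts.append({
                    "client": client,
                    "host": host,
                    "entered_from": landing["referer"],
                    "landing": landing["url"],
                    "exploit_objects": list(exploits),
                    "payload": r["url"],
                })
                landing, exploits = None, []
    return alerts


if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_LOG):
        print(alert)
```

The second client in the sample, which loads a Flash player from a CDN while watching a video, produces no alert because the CDN host never served a landing page or a binary; only the full three-stage sequence on one host fires. The alert carries the referer the landing page was entered from, which is the redirect hop a Web reputation service would want to block for everyone else.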


APPENDIX

Identified Exploit Kit List

2006
    Old exploit kits: (none)
    New exploit kits: MPack, WebAttacker Kit

2007
    Old exploit kits: MPack
    New exploit kits: Armitage Exploit Pack, IcePack Exploit Kit, NeoSploit Exploit Kit 1.0, Phoenix Exploit Kit, Tornado Exploit Kit

2008
    Old exploit kits: IcePack Exploit Kit, NeoSploit Exploit Kit 2.0/3.0, Phoenix Exploit Kit, Tornado Exploit Kit
    New exploit kits: AdPack, Fiesta Exploit Kit, FirePack Exploit Kit

2009
    Old exploit kits: Phoenix Exploit Kit 2.0, Tornado Exploit Kit
    New exploit kits: CrimePack 1.0, Eleonore Exploit Kit, Fragus Exploit Kit, Just Exploit Kit, Liberty Exploit Kit, Lucky Sploit, MyPoly Sploit, Neon Exploit System, SPack, Siberia Exploit Pack, Unique Sploits Exploit Pack, Yes Exploit Kit 1.0/2.0

2010
    Old exploit kits: CrimePack 2.0/3.0, Eleonore Exploit Kit, Phoenix Exploit Kit 2.0, Siberia Pack, Yes Exploit Kit 3.0
    New exploit kits: Blackhole Exploit Kit 1.0, Bleeding Life Exploit Kit 1.0/2.0, Dragon Pack, Nuclear Exploit Kit 1.0, Papka Exploit Pack, SEO Sploit Pack

2011
    Old exploit kits: Blackhole Exploit Kit 1.1/1.2, Bleeding Life Exploit Kit 3.0, Eleonore Exploit Kit, NeoSploit Exploit Kit 4.0, Nuclear Exploit Kit 1.0, Phoenix Exploit Kit 2.0, SEO Sploit Pack, Siberia Pack
    New exploit kits: Best Pack, G01Pack Exploit Kit, Katrin Exploit Pack, OpenSource Exploit Kit, Sava Exploit Kit

2012
    Old exploit kits: Blackhole Exploit Kit 2.0, G01Pack Exploit Kit, Hierarchy/Eleonore Exploit Kit, NeoSploit Exploit Kit 4.0, Nuclear Exploit Kit 2.0, Phoenix Exploit Kit 3.0
    New exploit kits: Alpha Pack, CK Exploit Kit, Cool Exploit Kit, CrimeBoss Exploit Kit, CritXPack, GrandSoft Exploit Kit, Impact Exploit Kit, KaiXin Exploit Pack, Kein Exploit Pack, NucSoft Exploit Pack, ProPack, RedKit Exploit Kit, Sakura Exploit Kit, Serenity Exploit Pack, Sibhost/Glazunov Exploit Kit, Styx Exploit Kit 2.0, SweetOrange Exploit Kit, Techno XPack, Yang Pack, ZhiZhu Exploit Kit

2013
    Old exploit kits: Blackhole Exploit Kit 2.0, CK Exploit Kit, CrimeBoss Exploit Kit, Fiesta/NeoSploit Exploit Kit, FlashPack Exploit Kit, G01Pack Exploit Kit, GrandSoft, Nuclear Exploit Kit 3.0, Phoenix Exploit Kit 3.0, RedKit/Goon Exploit Kit, Sakura Exploit Kit, Sibhost/Glazunov Exploit Kit, Styx Exploit Kit, SweetOrange Exploit Kit
    New exploit kits: Angler Exploit Kit, Anonymous Exploit Kit, DotkaChef Exploit Kit, GongDa Exploit Kit, Hello/LightsOut Exploit Kit, HiMan Exploit Kit, Magnitude/PopAds Exploit Kit, Neutrino Exploit Kit, Private Exploit Pack, Red Dot Exploit Kit, Safe Pack, White Lotus Exploit Kit, WhiteHole Exploit Kit, Zuponcic Exploit Kit

2014
    Old exploit kits: Angler Exploit Kit, DotkaChef Exploit Kit, Fiesta/NeoSploit Exploit Kit, FlashPack Exploit Kit, GongDa Exploit Kit, Hello/LightsOut Exploit Kit, RedKit/Infinity Exploit Kit, Magnitude Exploit Kit, Neutrino Exploit Kit, Nuclear Exploit Kit 3.0, Styx Exploit Kit, SweetOrange Exploit Kit, Zuponcic Exploit Kit
    New exploit kits: CottonCastle/Niteris Exploit Kit, Rig Exploit Kit, HanJuan Exploit Kit


REFERENCES

[1] Trend Micro Incorporated. (September 20, 2006). TrendLabs Security Intelligence Blog. "IE Zero Day + Web Attacker Kit." Last accessed February 24, 2015, http://blog.trendmicro.com/trendlabs-security-intelligence/ie-zero-day-2b-web-attacker-kit/.

[2] Jon Oliver, Sandra Cheng, Lala Manly, Joey Zhu, Roland Dela Paz, Sabrina Sioting, and Jonathan Leopando. (2012). Trend Micro. "Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs." Last accessed February 24, 2015, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_blackhole-exploit-kit.pdf.

[3] Brooks Li. (October 4, 2011). TrendLabs Security Intelligence Blog. "Facebook Malvertisement Leads to Exploits." Last accessed February 24, 2015, http://blog.trendmicro.com/trendlabs-security-intelligence/facebook-malvertisement-leads-to-exploits/.

[4] Joseph C. Chen. (October 14, 2014). TrendLabs Security Intelligence Blog. "YouTube Ads Lead to Exploit Kits, Hit US Victims." Last accessed February 24, 2015, http://blog.trendmicro.com/trendlabs-security-intelligence/youtube-ads-lead-to-exploit-kits-hit-us-victims/.

[5] Maxim Goncharov. (October 2011). Trend Micro. "Traffic Direction Systems as Malware Distribution Tools." Last accessed February 24, 2015, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_malware-distribution-tools.pdf.

[6] Joseph C. Chen. (August 21, 2014). TrendLabs Security Intelligence Blog. "Website Add-on Targets Japanese Users, Leads to Exploit Kit." Last accessed February 24, 2015, http://blog.trendmicro.com/trendlabs-security-intelligence/website-add-on-targets-japanese-users-leads-to-exploit-kit/.

[7] Jay Yaneza. (November 17, 2014). TrendLabs Security Intelligence Blog. "Flashpack Exploit Kit Used in Free Ads, Leads to Malware Delivery Mechanism." Last accessed February 24, 2015, http://blog.trendmicro.com/trendlabs-security-intelligence/flashpack-exploit-kit-used-in-free-ads-leads-to-malware-delivery-mechanism/.

[8] Carolyn Guevarra. (June 18, 2007). TrendLabs Security Intelligence Blog. "Another Malware Pulls an Italian Job." Last accessed February 24, 2015, http://blog.trendmicro.com/trendlabs-security-intelligence/another-malware-pulls-an-italian-job/.

[9] Jovi Umawing. (April 2, 2008). TrendLabs Security Intelligence Blog. "Old, Known Bugs Exploited by Neosploit." Last accessed February 24, 2015, http://blog.trendmicro.com/trendlabs-security-intelligence/old-known-bugs-exploited-by-neosploit/.

[10] Michael Du. (November 24, 2014). TrendLabs Security Intelligence Blog. "Obfuscated Flash Files Make Their Mark in Exploit Kits." Last accessed February 24, 2015, http://blog.trendmicro.com/trendlabs-security-intelligence/malicious-flash-files-gain-the-upper-hand-with-new-obfuscation-techniques/.

[11] Yuki Chen. (November 25, 2013). TrendLabs Security Intelligence Blog. "A Look at a Silverlight Exploit." Last accessed February 24, 2015, http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-a-silverlight-exploit/.

[12] Brooks Li. (September 23, 2014). TrendLabs Security Intelligence Blog. "Nuclear Exploit Kit Evolves, Includes Silverlight Exploit." Last accessed February 24, 2015, http://blog.trendmicro.com/trendlabs-security-intelligence/nuclear-exploit-kit-evolves-includes-silverlight-exploit/.

[13] Jack Tang. (July 1, 2014). TrendLabs Security Intelligence Blog. "Isolated Heap for Internet Explorer Helps Mitigate UAF Exploits." Last accessed February 24, 2015, http://blog.trendmicro.com/trendlabs-security-intelligence/isolated-heap-for-internet-explorer-helps-mitigate-uaf-exploits/.

[14] Weimin Wu. (January 22, 2015). TrendLabs Security Intelligence Blog. "Flash Greets 2015 with New Zero-day." Last accessed February 24, 2015, http://blog.trendmicro.com/trendlabs-security-intelligence/flash-greets-2015-with-new-zero-day/.

[15] Peter Pi. (February 2, 2015). TrendLabs Security Intelligence Blog. "Trend Micro Discovers New Adobe Flash Zero-day Exploit Used in Malvertisements." Last accessed February 24, 2015, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-new-adobe-flash-zero-day-exploit-used-in-malvertisements/.


Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro Smart Protection Network, and are supported by over 1,200 threat experts around the globe. For more information, visit www.trendmicro.com.

© 2015 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

225 E. John Carpenter Freeway
Suite 1500
Irving, Texas 75062 U.S.A.
Phone: +1.817.569.8900
