Mind the Gap! Taking Advantage of Software Loopholes

10 Feb 2011
Virus News

Kaspersky Lab announces the publication of an article titled 'Exploit Kits – A Different View' co-authored by Marco Preuss, Head of the company's Global Research & Analysis Team in Germany, and Senior Malware Analyst, Vicente Diaz. The article lifts the lid on the murky world of exploit kits, the vulnerabilities they target and how they are copied and adapted to ensure their authors make a profit.

Exploit kits, as their name implies, make use of the numerous vulnerabilities that are constantly being discovered in popular software. The kits contain packs of malicious programs and are mainly used to carry out automated 'drive-by' attacks in order to spread malware such as Trojans. The kits described in the article are sold on the black market and fetch anywhere from several hundred to over a thousand dollars apiece. The most notorious of these kits are Phoenix, Eleonore and Neosploit.

According to the article, Internet Explorer, PDF and Java vulnerabilities together represent 66% of the attack vectors used by the most popular exploit kits. Most of the vulnerabilities exploited are old, and patches are already available for them. However, they continue to be used successfully because some users fail to update their systems.

Analysis of more recent exploits such as Crimepack and SEO Sploit Pack shows that their creators are highly knowledgeable about the most widespread vulnerabilities and create new malware specifically designed to exploit them. At the same time, the majority of exploits share common roots. The Phoenix Exploit Kit, for example, uses code from the older Fire-Pack and ICE-Pack kits.

"If an exploit kit becomes very popular, its creator earns more money through higher sales volumes. There is one thing an exploit kit must offer to gain popularity in this strongly competitive market: a high infection rate. Newcomers to the creation of exploit packs therefore often use existing, proven methods, and this may well explain the amount of similarities between packs," the authors of the article conclude.

The full version of the article 'Exploit Kits – A Different View' can be viewed at http://www.securelist.com