2010-04-01
Abstract
In the first of a two-part series introducing exploit kits, Mark Davis outlines the basic details of the dime-a-dozen kits used in drive-by browser-based attacks.
Copyright © 2010 Virus Bulletin
Exploit kits used in drive-by browser-based attacks are a dime a dozen these days, with a new kit emerging in the wild every few weeks. A multitude of kits, a.k.a. packs, now exist after several years of PHP/SQL kit development in the criminal underground. Some kits are developed for private use, while others are sold for amounts ranging from a few hundred to several thousand dollars, depending on sophistication and capabilities. Many kits appear to be Russian in origin, with Cyrillic characters appearing in comments, Russian login options, and in some cases references to known Russian cybercriminals.
This is the first article in a two-part series introducing exploit kits. The second part will look at exploit vectors, URL identification, and risk associated with exploit kit attack vectors.
Many have heard of exploit kits and/or understand the basic nature of a drive-by attack using such a kit, but fewer know them by name. Unlike malcode names, kit names are often assigned by the creator and used in logos, logon screens, comments within the kit, and advertisements in various underground forums. While not exhaustive, a fairly comprehensive list of exploit kits used in malcode attacks in the wild is as follows:
Adpack
Adrenalin
Armitage
Crimepack
Eleonore
Fiesta
Firepack
Fragus
FSPack
G-pack
Icepack
JustExploit
Liberty
Luckysploit
Max$ Sploit System
mPack
Multisploit
Mypolysploit
Napoleon Sploit Kit
Neon
Neosploit
Nuc Pack (Nuclear)
Nuke
Papka Pack
Pheonix
SEO Sploit Pack
Shamans Dream Pack
Siberian Exploit Pack
Smartpack
Sploit25
Tornado
Unique Pack
Webattacker
YES!
This list does not include other types of web-based C&Cs used to manage DDoS attacks, botnets, or other frameworks and is limited to actual exploit kits used in drive-by attacks. Some of the most recent kits to emerge include the Siberian Exploit Pack, Shaman’s Dream Pack, and Papka Pack, while the older packs in the wild include Webattacker, mPack and Neosploit. Yes!, Fragus, Eleonore, Fiesta, Unique Pack, Liberty, Luckysploit and Neosploit are some of the more commonly used (and effective) kits in the wild in 2010. The kits commonly include authentication for administrative login in Russian, English, and/or other languages.
After logging into an exploit kit, statistics on infections and/or zombie reports are typically presented to the admin.
Since the emergence of exploit kits there has been a notable change in browser use. In the beginning, Internet Explorer was the primary vector, but now Firefox and Opera are commonly included, as is Safari in some cases, as seen in the Fragus statistics shown in Figure 2. Information on the operating systems in use is also collected to aid developers in targeting specific browsers and operating systems of interest. Geographic location is of great importance for several reasons, including possible counter-intelligence against researchers, monetization needs (such as money mules in specific countries), proxy needs (tunnelling through a specific geographic region or country), affiliate financial rewards for compromises within a specific country or geographic region, and others.
Figure 3. Liberty details traffic to an exploit kit site by browser, showing Firefox as the main browser.
Exploit kits also allow a remote file to be uploaded as part of payload management when exploitation is successful.
Options such as ‘Add file’ by Fragus help kit developers to protect their own intellectual material. Rather than deliver raw files to clients they can configure a server or compromised computer with an exploit kit. Some developers will do this as part of a service offering for operating and/or maintaining an exploit kit purchased by a client. As a result, clients need only use a web-based interface to upload and/or manage an attack rather than configure and set up a server for PHP/SQL exploit kit capabilities, and without the need to manage back-end files.
Referrals are often included in kits as a way to track where attackers get the best traffic for exploitation. For example, if ten sites are compromised and configured for iFrame redirection to an exploit kit site, a referral page can be consulted to see the top referrals and areas of success. Such metrics enable attackers to manage iFrame and server compromise efforts for maximum success.
Figure 5. The Liberty ‘Referers’ [sic] page reveals that x0r.su is responsible for 83% of traffic to the exploit kit.
Note that words like ‘referral’ and ‘referrers’ are frequently misspelled by the developers of exploit kits.
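As an added defender-side example (not code from the article), the following Python checks HTML served by a site for the hidden-iframe redirection described above: frames that a visitor would never see (0x0 or 1x1, hidden, or positioned off-screen) and that load from a host other than the site's own. The sample HTML and host names are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag names
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _px(value):
    """Parse '0', '1px' or ' 1 ' to an int; None when not numeric."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None

def is_hidden(attrs):
    """True for an iframe a visitor would never see on the rendered page."""
    w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True  # 0x0 or 1x1 frame
    style = attrs.get("style", "").lower().replace(" ", "")
    return any(s in style for s in
               ("display:none", "visibility:hidden", "left:-", "top:-"))

def find_suspicious_iframes(html, site_host):
    """Return the src of every hidden iframe that loads from another host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src = own host
        if host != site_host and is_hidden(attrs):
            hits.append(src)
    return hits

# Constructed sample: a legitimate help frame plus one injected redirect.
SAMPLE = """<html><body><h1>Shop</h1>
<iframe src="/help.html" width="600" height="400"></iframe>
<iframe src="http://kit.example.test/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(find_suspicious_iframes(SAMPLE, "shop.example.test"))
```

Run against the pages of a site whose access logs show it as a top referrer to an unknown domain, a hit here is the injected redirect an exploit kit's referrals page is counting.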
Demonstration kits are frequently distributed via online forums and file-sharing sites. Such demonstration kits have limited functionality and do not include core exploit files. Most kits look very similar, with about a dozen different PHP pages for managing core functionality, reporting and management of payloads, along with a few standard exploits used in the kit (but rarely a comprehensive set of exploits).
The next article will detail the functionality of common PHP and SQL elements of such kits. In addition, we will look at interesting metrics around the exploits used in kits and their success in the wild, and give an overview of mitigation elements such as unique URI elements and exploit characteristics.