Exploits are codes or commands that take advantage of the weakness in a program, forcing it to behave in a certain way. In simpler words, it is a collection of exploits. It is a storehouse of multiple exploits that can be used by amateurs as well who don’t have advanced technical knowledge. Also, users can add their versions of the exploits in the kit.
First publicly released exploit kit was the Mpack, which was developed by Russain hackers in 2006. It consisted of PHP scripts that targeted programs commonly used by the public. The latest one is the Lord EK exploit kit, which uses compromised websites to spread malware. Some more examples are Angler, Nuclear, Fiesta, Rig, Neutrino, Sweet orange, Magnitude, among others.
Exploit kits are emerging as a popular tool for hacking. The kits contain utilities like web interfaces, regular updates, and a support period. A hacker can buy the kits from any criminal underground market where each kit’s cost can vary from
How does the exploit kit work?
Compromising a legitimate website
This is the first step of the attack where the vulnerabilities of the website are used to insert malicious codes. The following vulnerabilities that can be exploited in a website.
- Outdated Content management systems (CMS)
- Poor user access control
- Weak forum software
Apart from that, the attacker can use SEO techniques like keyword stuffing to improve the website’s ranking. Another technique is Malvertising, where the hackers obtain accounts with advertising providers and then embed the malicious code in the advertisement.
Insertion of malicious code
Once the website has been compromised, the hackers insert malicious codes using the iframe. An iframe (inline frame) is a piece of HTML code that allows developers to open up a new web page. This code will redirect the browser to the landing page, where the user profiling takes place. Moreover, the iframes are invisible on the main web page and can evade detection by matching the height and width of the original webpage.
Attackers can also use the ‘302 found’ HTTP response code to redirect to the landing page. A 302 found response means that the resource has been shifted to a new location. Hackers redirect the browser to several proxy domains before finally directing it to the landing page.
Attackers can also use code obfuscators to hide the iframes. Code obfuscators can range from PNG image to a QR code. When the browser executes the page, it reads the codes embedded in the obfuscators and then reconstructs the iframe.
Landing page creation
A landing page can be the attacker’s site, which consists of codes to profile the user’s browser. Security researchers use the landing pages to detect and counter the exploit kit. So, to protect the exploit kit, hackers obfuscate the codes.
Profiling involves the following.
- Checking the browser and OS vulnerabilities.
- Checking whether the user has installed additional security products.
- Ensuring that the target browser is not running on a Virtual machine(VM).
- Checking the OS version and make so that the kit can deliver the exact payload, and
- Checking for the vulnerabilities in the browser plugins, as plugins offer the easiest way for malware entry.
Delivering the payload
This is the last and the final step of the attack. Attackers can deliver a host of malware and other malicious codes, which are as follows.
Recent examples include the njRAT and ERIS ransomware which use Lord exploit kit to spread.
How to counter exploit kits?
Exploit kits are hard to detect as they can be obfuscated easily. Moreover, the kits are modifiable and additional exploits can be added, making it a most widely used tool to threaten the security networks. However, users can adapt the following methods to counter the threats from exploit kits.
- Regularly patching the web browsers, including the plugins. Patching reduces the threat considerably.
- Using an updated anti-virus software.
- Applying network browsing restrictions such as blocking dynamic DNS domains and denying HTTP requests over non-standard ports.
- Removing the unused plugins.
- Disabling the automatic play or download option in the browser.
- Installing security plugins such as NoScript or AdBlock Plus.
- Whitelisting applications so that only the user approved applications run on the device.
- Lastly, informing self about the risks and possible mitigation techniques.
Exploits kit are dangerous and can compromise the security and privacy of the user. So, a user should take the utmost precautions to protect oneself.