Check Point Threat Alert: Exploit Kits

An exploit kit is a malicious toolkit whose purpose is to identify vulnerabilities in client machines. These vulnerabilities are then exploited in order to upload and execute malicious code on the client. Exploit kits also provide a user interface for an attacker to gain information on success rates and other statistics, as well control the client’s settings. According to Check Point’s analysis and reports, there was a notable spike in exploit kit usage as of January 14th 2016.

Description

Exploit kits are a type of malicious toolkit used to exploit security holes in software applications and spread malware. These kits come with pre-written exploit code and target users whose computers are running insecure or outdated software applications. This is a typical sequence of events:

1. A certain web server was hacked by cybercriminals.
2. A user visits a compromised website whose web server was hacked or where malicious ads are displayed.
3. The compromised web server performs a redirection to an exploit kit URL.
4. The victim visits an exploit kit page.
5. The exploit kit gathers information on the victim and determines which exploit to deliver.
6. The exploit is delivered.
7. If the exploit succeeds, a malicious payload is downloaded to the victim’s computer and executed. This is known as a drive-by download as it happens without the victim’s knowledge or consent. An example of a ransomware payload was recently published by Check Point’s intelligence analyst in this blog post.

Exploit kits try to exploit zero-day vulnerabilities while Check Point IPS protections are blocking these attacks as published in this blog post. Angler is the most popular exploit kit nowadays, deployed in 30% of all compromised websites. Angler is also the most technically advanced: it provides support for a more diverse infection spectrum and employs various techniques to evade antivirus protections.

Check Point IPS Protections

• Check Point IPS blade protects against many different exploit kits.
• This includes coverage of 20 different exploit kits and more than 40 relevant protections for the stages mentioned in the above infection chain. A full list can be found in Appendix A.
• Additional research can be found in the following blog articles and papers:
  • http://blog.checkpoint.com/2015/08/18/javascript-hooking-malicious-website-research-tool/
  • http://blog.checkpoint.com/2015/07/26/current-wave-of-ransomware/
  • http://blog.checkpoint.com/wp-content/uploads/2015/07/sb-ransomware-threat-research.pdf
  • https://www.checkpoint.com/downloads/partners/TCC-Silverlight-Jan2015.pdf

References

• Exploit Kits:
  • https://blog.malwarebytes.org/intelligence/2013/02/tools-of-the-trade-exploit-kits/
• In the News:
  • http://news.softpedia.com/news/exploit-kit-usage-explodes-at-the-start-of-2016-498825.shtml
  • http://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/exploit-kits-past-present-and-future

Appendix A – Exploit Kits Covered by Check Point IPS

• Check Point IPS protections cover the following exploit kits:
  Angler
  Archie
  Astrum
  Beta (Sundown)
  BlackHole
  Fiesta
  g01pack
  Gondad
  HanJuan
  Hunter
  Infinity
  LightsOut/Hello
  Magnitude
  Neutrino
  Nuclear
  NullHole
  RIG
  Spartan
  Sweet Orange