Cyber crime: Exploit kits in the enterprise

Cyber crime is big business and exploit kits represent one of the most critical security challenges facing the enterprise today...

Exploit kits are particularly prevalent at the moment in the UK. They are largely responsible for the 600 per cent increase in the use of malicious web links as an attack vector, according to recent research by security vendor Websense.

The growing adoption of exploit kits within the cyber criminal fraternity is impacting upon the enterprise in terms of the probability that data will be stolen and productivity will be lost. "Combining exploit kits, custom encryption to evade AV detection with the acceleration of new attack techniques, emerging zero-day vulnerabilities and the fact that exploit kits are underground (consumer based products designed to support rapid updates), it is likely that even perfect patch management will still leave windows of exposure with some of the advantage going to cybercrime," according to Elad Sharf, lead senior security researcher at Websense.

But why, then, are exploit kits so popular? That's a simple one to answer: they make hacking easy. "It's the difference between having to understand Internet Protocol and code used to put up a website back in the early 1990's compared with pointing and clicking to post to Facebook today," Kevin O'Reilly, lead security consultant with the assurance team at Context Information Security, puts it.

"The posting of exploit kits on the Internet is like handing out grenade launchers to vandals" O'Reilly explains, adding "criminals with minimal technical skills can buy a point-and-click kit to create takeover software." This can then be uploaded to an automatically cloned copy of a legitimate website and even handle the emailing of the malicious links to targeted victims in your enterprise.

Exploit kits unplugged

An exploit kit is simply a cyber crime tool that is sold as an off-the-shelf product bundle usable without the kind of technical hacking skills required in days past. But what does this bundle actually contain? IT Pro asked Wolfgang Kandek, CTO at on-demand vulnerability management and policy compliance solution provider Qualys, for the component breakdown of a typical exploit kit:

1. Coded exploits for vulnerabilities in browsers and plug-ins.

2. A web admin console, showing results such as how many machines are infected, in what countries, using what browsers and detailing the best exploits and campaigns in terms of breach success.

3. A database to store all relevant data.  

4. The include' of files to be hosted on a web server which can then be implemented by the sites that will be used to infect their visitors.

5. The sites that will be used to infect visitors, either setup specifically for that purpose to attract traffic by convincing search engines to link to them (using Search Engine Poisoning techniques) or more commonly sites that were hacked by the attacker. A current example is the site iphonedevsdk.com which was involved in the attacks on Apple, Facebook and Twitter. It notes: "A single administrator account was compromised. The hackers used this account to modify our theme and inject JavaScript into our site". The JavaScript inject' mentioned by iphonedevsdk is one of the include' files provided by the exploit pack.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
New malware uses search engine ads to target pirate gamers
malware

New malware uses search engine ads to target pirate gamers

21 Jul 2021
Cyber attacks on manufacturing up 300% in a year
Security

Cyber attacks on manufacturing up 300% in a year

11 May 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021
What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021