Exploit Kits are a mess

Published: 2012-05-13
Last Updated: 2012-05-14 00:43:26 UTC
by Joel Esler (Version: 1)
7 comment(s)

As many Internet Storm Center readers know, my full-time job is at Sourcefire, the makers of Snort, ClamAV, Razorback, Daemonlogger, and all of our commercial products.  I work in the Vulnerability Research Team (VRT), where my job is to write detection for the above tools: Snort rules, ClamAV signatures, and so on.  I often write about Snort-related things here, since I know the SANS audience uses Snort heavily, and it is even taught in the 503 course.

One of the areas I've been looking at and following even more intently recently is exploit kits.  I mean things like Incognito, Blackhole, Crimepack, and many more.

Let me give you a couple of external references to go read in case you have no idea what I am talking about:

Brian Krebs has blog posts here and here about updates to the Blackhole kit.  For a basic explanation of how the Blackhole kit exploits you, the end user, I suggest this PDF.

The Blackhole exploit kit in particular is very actively developed and changes rapidly in response to anything that blocks its exploit methods.  Trust me.  As a person who follows all the particular versions of these exploit kits, I see them change just about weekly.

You can be exploited by these kits simply by visiting a website where injected code sits on the page (you'll never see it; this is what we call a "drive-by"), by receiving spam (LinkedIn, USPS, UPS, I've even seen fake pizza delivery emails delivering things like the Phoenix exploit kit) that redirects you to a "landing page", or by receiving spam with an HTML/HTM attachment.  The possibilities for how you can wind up on an exploit kit landing page are essentially endless.

Once you are on the landing page, the kit has lots of different ways to take over your computer, but the basic question the landing page asks is "which piece of software didn't this user patch?".  It typically fingerprints the browser and its plugins, then serves whatever fits: an exploit for a browser vulnerability, one for an old Java runtime, or a malicious PDF aimed at a vulnerable version of Adobe Reader.

These kits are all over the place, and most likely you are going to run into one of them (if you haven't already).

I basically have three pieces of advice for you.

1) Don't open spam or click on links inside of it, and generally be careful about the sites you go to.  If you are reading this webpage, you know there is a 'wild west' to the Internet.  Be careful.

2) Patch.  Everything.  Java, browsers, OS, Adobe Reader, etc.  Everything.  I cannot stress the importance of this enough.

3) Run AV, and if you are on a corporate network, run an IPS.

This is an evolving threat.  Nothing is going to protect you 100% of the time; however, the more layers you have, the more insulated you hopefully are against the threat, and the better you can protect yourself and your users.

Good Luck!

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler




Joel: What's your view on using NoScript?
Most importantly for end users, how can they detect and remove such kits?
I second Great_info's request. There are numerous sources telling us to be careful; it's getting old listening to it, I'm paranoid to begin with! There are few if any telling us how to detect these stealth monsters and clean up afterwards. Of course we also know that one can never be sure anything is clean other than by reformatting and doing a fresh OS install.
My advice is laid out in the three points above.

If you are compromised, wipe and reload.

Any page that says "Loading, Please Wait" or similar shouldn't be trusted.
I second that: Nuke the site from orbit, it's the only way to be sure. IMHO, it's a matter of time economics. I can wipe and reload the OS and important software packages in far less time than it takes for a malware scan to complete its first pass.
One thing we are finding difficult to patch: Java. There are so many applications that rely on specific versions of Java that rolling out patches and testing on an enterprise level is very difficult.
Don't forget to monitor compromised websites (usually WP 3.x) for suspicious obfuscated JavaScript. They usually redirect to exploit kit websites.
These scripts have patterns (e.g. for loops, long arrays) that allow you to create IPS rules with a pretty low false-positive rate.
Depending on the amount of browsing your company does, you will be surprised by the number of compromised websites.
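The pattern-based detection the last comment describes (for loops and long arrays in obfuscated JavaScript injected into compromised sites), and the diary's advice to run an IPS, as an added example. This is not code from the diary, from Sourcefire or from Snort; the heuristics, their weights, the threshold and the three sample pages are constructed assumptions for illustration, and a real deployment would tune them against the traffic the commenter mentions.

```python
"""Heuristic scan of a fetched web page for exploit-kit style injected JavaScript.

Added example (not code from the diary, Sourcefire or Snort): the weights,
threshold and sample pages below are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)


# Each heuristic is (name, weight, regex). The regexes mirror the structures an
# IPS content/pcre rule would key on: a long array of small integers, a for-loop
# that decodes it with String.fromCharCode, dynamic code execution, long runs of
# hex/percent escapes, and a 1x1 or hidden iframe pointing at a landing page.
# Weights are illustrative assumptions, not tuned values.
HEURISTICS = [
    ("long_numeric_array", 3,
     re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){40,}\d{1,3}\s*\]")),
    ("decode_loop", 3,
     re.compile(r"for\s*\([^)]*\)\s*\{?[^}]{0,200}?String\.fromCharCode", re.S)),
    ("dynamic_eval", 2,
     re.compile(r"\b(?:eval|unescape|setTimeout)\s*\(")),
    ("escaped_blob", 2,
     re.compile(r"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){20,}")),
    ("hidden_iframe", 5,
     re.compile(r"<iframe[^>]*(?:width\s*=\s*[\"']?[01]\b|visibility\s*:\s*hidden"
                r"|display\s*:\s*none)", re.I)),
]

SUSPICIOUS_THRESHOLD = 5  # assumption: one strong hit, or two weaker ones together


def score_html(html: str) -> Verdict:
    """Return the summed heuristic score and the names of the heuristics that fired."""
    verdict = Verdict(score=0)
    for name, weight, pattern in HEURISTICS:
        if pattern.search(html):
            verdict.score += weight
            verdict.hits.append(name)
    return verdict


def is_suspicious(html: str) -> bool:
    return score_html(html).score >= SUSPICIOUS_THRESHOLD


# --- Constructed sample pages (not captured from any real site) ---------------

BENIGN_PAGE = """<html><body><p id="total"></p>
<script>
var items = [1, 2, 3];
var total = 0;
for (var i = 0; i < items.length; i++) { total += items[i]; }
document.getElementById('total').textContent = total;
</script></body></html>"""

# Mimics the shape of an injected loader: char-code array, decode loop, eval.
# The "payload" is a harmless comment, so the decoded code does nothing.
_HARMLESS_PAYLOAD = "/* constructed sample: a real kit would emit a redirect here */"
OBFUSCATED_LOADER_PAGE = (
    "<html><body><p>Welcome</p>\n<script>"
    "var a=[" + ",".join(str(ord(c)) for c in _HARMLESS_PAYLOAD) + "];"
    "var s='';for(var i=0;i<a.length;i++){s+=String.fromCharCode(a[i]);}"
    "eval(s);"
    "</script></body></html>"
)

# A plain hidden-iframe redirector; example.invalid is a reserved, non-routable name.
HIDDEN_IFRAME_PAGE = (
    '<html><body><p>Welcome</p>'
    '<iframe src="http://example.invalid/landing" width="1" height="1" '
    'style="visibility:hidden"></iframe></body></html>'
)


if __name__ == "__main__":
    for label, page in [("benign", BENIGN_PAGE),
                        ("obfuscated loader", OBFUSCATED_LOADER_PAGE),
                        ("hidden iframe", HIDDEN_IFRAME_PAGE)]:
        v = score_html(page)
        print(f"{label:18s} score={v.score:2d} suspicious={is_suspicious(page)} hits={v.hits}")
```

Scoring rather than alerting on any single pattern is what keeps the false-positive rate low: plenty of legitimate pages call eval or setTimeout, so a lone weak hit stays under the threshold, while the char-code array plus its decode loop, or a 1x1 hidden iframe, crosses it on their own. The same regexes can be carried over into the pcre option of a Snort rule once they have been checked against your own traffic.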
