This Trend Micro white paper on exploit kits was a good read. It gives an easy-to-understand explanation of how exploit kits currently work. Here are some highlights I took from the paper.
Exploit kits appear to be the script-kiddie method of infecting victims with malware at mass scale. They require no skill or expertise; it's simply pay-to-play software as a service. The newbie bad guy wants to distribute malware to unsuspecting users, but he doesn't know how, or doesn't have the resources to get the job done. So he goes to the underground and purchases an exploit kit. With that purchase he gets an online management console where he can choose which vulnerable software to attack (Windows, Flash, etc.), which victims to target (a certain country, certain types of sites, etc.), and the malware payload to distribute.
All the while there is only one, or a handful of, actually skilled bad guys sitting in the background, writing the code for the exploit kit and keeping this software-as-a-service operation running by adding new vulnerabilities, new add-ons, etc. to the kit.
Now how does an exploit kit work?
1.) The Newbie Bad Guy purchases the exploit kit and is given a URL by the smart bad guy
2.) The Newbie Bad Guy finds ways to get people to browse to that URL (spam, malvertisements, hacking a legitimate website)
3.) The smart guy's URL applies the rules the Newbie Bad Guy set up on the management console to decide whether each visitor should be infected or not
4.) If the visitor should be infected, the smart guy's URL redirects the victim's browser to the actual exploit
5.) The smart guy's code determines which exploit to use based on the victim's browser, OS and installed plugins, and fires it
6.) The smart guy's exploit determines which payload/malware to deliver based on the Newbie Bad Guy's choices on the management console, and delivers it
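The six steps above, modelled as code. This is an added example and not code from the Trend Micro paper or from any real kit: it only simulates the two decisions the landing URL makes (should this visitor be served at all, and if so which exploit and payload), using hypothetical campaign rules, user-agent filters, plugin version thresholds and exploit/payload names. No exploit is implemented; a "served" visitor simply gets a record saying which hypothetical exploit and payload would have been chosen.

```python
"""Toy model of the decision flow behind an exploit-kit landing URL.

Added example, not code from the Trend Micro paper or from any real kit. It
models the two decisions the steps above describe: (1) the gate decides
whether this visitor should be served at all, using the rules the buyer set
in the management console, and (2) if so, which exploit and payload to serve
based on the visitor's browser plugins. Country lists, user-agent filters,
plugin version thresholds and exploit/payload names are all hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class Visitor:
    ip: str
    country: str
    user_agent: str
    referer: str          # "" when the visitor typed the URL directly
    plugins: dict         # plugin name -> installed version, e.g. {"flash": "11.2.202.235"}


@dataclass
class Campaign:
    """What the buyer configured in the console (hypothetical fields)."""
    target_countries: set
    # ordered by preference: (exploit name, plugin, highest vulnerable version, payload)
    exploits: list
    served_ips: set = field(default_factory=set)


# Hypothetical markers for clients the kit would rather not show the exploit to
AUTOMATED_UA_MARKERS = ("bot", "crawler", "spider", "curl", "wget", "python-requests")


def parse_version(version):
    """'1.7.0_17' -> (1, 7, 0, 17) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.replace("_", ".").split("."))


def gate_decision(visitor, campaign):
    """Decision 1: should this visitor get the exploit at all? Returns (serve, reason)."""
    if visitor.ip in campaign.served_ips:
        return False, "ip already served once"     # one shot per IP hampers replay by analysts
    if visitor.country not in campaign.target_countries:
        return False, "country not targeted"
    ua = visitor.user_agent.lower()
    if any(marker in ua for marker in AUTOMATED_UA_MARKERS):
        return False, "automated client"
    if not visitor.referer:
        return False, "no referer (did not arrive via the traffic source)"
    return True, "ok"


def select_exploit(visitor, campaign):
    """Decision 2: first exploit whose target plugin is installed at a vulnerable version."""
    for name, plugin, max_vulnerable, payload in campaign.exploits:
        installed = visitor.plugins.get(plugin)
        if installed and parse_version(installed) <= parse_version(max_vulnerable):
            return name, payload
    return None


def route(visitor, campaign):
    """Full flow for one visitor: gate, exploit choice, payload choice."""
    serve, reason = gate_decision(visitor, campaign)
    if not serve:
        return {"action": "benign_redirect", "reason": reason}
    choice = select_exploit(visitor, campaign)
    if choice is None:
        return {"action": "benign_redirect", "reason": "no vulnerable plugin found"}
    campaign.served_ips.add(visitor.ip)
    exploit, payload = choice
    return {"action": "serve_exploit", "exploit": exploit, "payload": payload}


def demo():
    """Run three constructed visitors (plus one repeat visit) through one hypothetical campaign."""
    campaign = Campaign(
        target_countries={"US", "GB"},
        exploits=[
            ("flash_exploit_a", "flash", "11.2.202.235", "ransomware_loader.exe"),
            ("java_exploit_b", "java", "1.7.0.17", "banking_trojan.exe"),
        ],
    )
    ie_user = Visitor("203.0.113.5", "US", "Mozilla/5.0 (Windows NT 6.1; Trident/7.0)",
                      "http://hacked-site.example/", {"flash": "11.2.202.200", "java": "1.7.0_25"})
    crawler = Visitor("198.51.100.9", "US", "Mozilla/5.0 (compatible; Googlebot/2.1)",
                      "http://hacked-site.example/", {"flash": "11.2.202.200"})
    patched = Visitor("203.0.113.7", "GB", "Mozilla/5.0 (Windows NT 6.1; Trident/7.0)",
                      "http://hacked-site.example/", {"flash": "18.0.0.209", "java": "1.8.0.45"})
    return [route(ie_user, campaign), route(crawler, campaign),
            route(patched, campaign), route(ie_user, campaign)]   # last one: same IP again


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point of the model is the defender-side consequence: a visitor who fails the gate (wrong country, a crawler user agent, no referer, or an IP that already got served once) is handed a benign redirect, which is exactly why fetching a kit URL a second time from an analysis box so often returns nothing interesting.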
Why do they work?
1.) People (especially slow-moving enterprises) don't patch fast enough, so known exploits keep working for quite a while
2.) The smart bad guy is constantly adding new exploits (including 0-days and bugs that haven't been patched yet)
3.) The smart bad guy incorporates many exploit types and targets (Internet Explorer, Flash, Silverlight, Adobe Reader, Java, ActiveX), so if one doesn't work another might
4.) The smart bad guy adds evasion techniques, such as auto-disabling the exploit if it detects anti-virus software
5.) The smart bad guy is constantly updating and changing the URLs and exploit behavior so that old detection signatures no longer match
6.) The smart bad guy heavily obfuscates the payloads (encrypted, compressed, etc.) so that they are very difficult to detect
7.) There are plenty of Newbie Bad Guys forking over money to the smart bad guy, making it worthwhile for him to keep his evil operation going
How can it be stopped?
- It seems the smart bad guy will always have the upper hand in terms of evading static signatures and developing new obfuscation techniques. So to me it seems that defense will rely heavily on behavior-based solutions for the near future. Behavior-based solutions need to understand what is normal and abnormal and be able to alert on that without actually knowing anything about the specific malware or attack.
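One concrete form such a behavior-based check can take, as an added example that is not from the Trend Micro paper or from any product: instead of matching a URL pattern or a file hash (both of which the kit operator rotates), look at the sequence of events a single client produces in the web proxy log. The redirect-to-a-fresh-domain, plugin-content, executable-download sequence is what the kit's flow looks like regardless of how the URLs or payloads are obfuscated. The log format, hosts, timing window and the "referer" rule used to tell an exploit-driven download from a user-clicked one are all constructed for this example, and "never visited before" is approximated by first appearance in the log.

```python
"""Behaviour-based detection of an exploit-kit redirect chain in web proxy logs.

Added example; not code from the Trend Micro paper or any product. Rather than
matching a URL pattern or file hash (which the kit operator rotates), it watches
the sequence of events one client produces, which the kit cannot easily change:
  1. the client reaches a host it has never visited via a cross-site referer
     (the redirect from the hacked site / malvertisement to the landing page),
  2. that host serves browser-plugin content (Flash, Java, PDF, Silverlight),
  3. within a short window the same client fetches a Windows executable that is
     either referer-less or referred by the landing host (i.e. not a page click).
Log format, field order, hosts and the window length are constructed for the
example; "never visited" is approximated by first appearance in the log.
"""
from collections import defaultdict
from datetime import datetime

PLUGIN_TYPES = {
    "application/x-shockwave-flash", "application/java-archive",
    "application/pdf", "application/x-silverlight-app",
}
EXE_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}
WINDOW_SECONDS = 120   # assumption: exploit-to-payload happens within two minutes

# Constructed sample log: timestamp, client, host, status, content-type, referer (tab-separated).
# Client 10.0.0.5 walks through a kit; client 10.0.0.6 watches a Flash video and
# then clicks a normal download link on another site.
SAMPLE_LOG = """\
2015-06-01T10:00:00\t10.0.0.5\tnews.example.com\t200\ttext/html\t-
2015-06-01T10:00:01\t10.0.0.5\tads.example.net\t302\ttext/html\thttp://news.example.com/story
2015-06-01T10:00:02\t10.0.0.5\tzq3k.example.org\t200\ttext/html\thttp://news.example.com/story
2015-06-01T10:00:03\t10.0.0.5\tzq3k.example.org\t200\tapplication/x-shockwave-flash\thttp://zq3k.example.org/index.php
2015-06-01T10:00:05\t10.0.0.5\tzq3k.example.org\t200\tapplication/octet-stream\t-
2015-06-01T10:00:00\t10.0.0.6\tnews.example.com\t200\ttext/html\t-
2015-06-01T10:00:01\t10.0.0.6\tcdn.example.com\t200\tapplication/x-shockwave-flash\thttp://news.example.com/video
2015-06-01T10:00:09\t10.0.0.6\tdownload.example.com\t200\tapplication/octet-stream\thttp://news.example.com/tools
"""


def parse_line(line):
    """Parse one constructed proxy log line into a dict."""
    ts, client, host, status, ctype, referer = line.split("\t")
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": host,
            "status": int(status), "ctype": ctype, "referer": referer}


def referer_host(referer):
    """Hostname part of a referer URL, or None when the proxy logged '-'."""
    if referer == "-":
        return None
    return referer.split("/")[2]


def detect_chains(log_text):
    """Return one alert per client showing the redirect -> plugin -> executable sequence."""
    per_client = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            event = parse_line(raw)
            per_client[event["client"]].append(event)

    alerts = []
    for client, events in per_client.items():
        events.sort(key=lambda e: e["ts"])
        seen_hosts = set()
        chain = None   # the candidate landing host we are currently tracking
        for e in events:
            host, rh = e["host"], referer_host(e["referer"])
            if chain and (e["ts"] - chain["start"]).total_seconds() > WINDOW_SECONDS:
                chain = None   # too slow to be the kit's automated flow
            # step 3: executable fetched with no page referer, or referred by the landing host
            if chain and chain["plugin"] and e["ctype"] in EXE_TYPES and rh in (None, chain["landing"]):
                alerts.append({"client": client, "entry_site": chain["entry"],
                               "landing_host": chain["landing"], "payload_host": host,
                               "seconds": (e["ts"] - chain["start"]).total_seconds()})
                chain = None
            # step 1: first contact with a host, reached from a different site
            elif host not in seen_hosts and rh and rh != host:
                chain = {"entry": rh, "landing": host, "start": e["ts"], "plugin": False}
            # step 2: the landing host serves plugin content
            if chain and host == chain["landing"] and e["ctype"] in PLUGIN_TYPES:
                chain["plugin"] = True
            seen_hosts.add(host)
    return alerts


if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_LOG):
        print(alert)
```

Nothing in the rule names a domain, a URL pattern or a hash, so rotating any of them does not help the operator; what the kit would have to change is the shape of its own flow. The cost is tuning: the referer rule and the window are what keep the second client's ordinary Flash-then-download browsing from alerting, and in a real deployment the "never visited" check should use a longer history than a single log file.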
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.