Managed Security Services

Six months after Blackhole: Passing the exploit kit torch 

04-07-2014 10:18 AM

While news of the downfall of the Blackhole Exploit Kit (often referred to as “BHEK”) isn’t new, its rise and subsequent collapse is the stuff of internet crime legend. Originally appearing in late 2010, the Blackhole Exploit Kit rose to popularity due to its ease of use and overall effectiveness. Version 1 of BHEK quickly became the de facto standard among exploit kits, wreaking havoc throughout 2011 and spawning a subsequent version 2 in late 2012. After the alleged creator of BHEK, a Russian man known by the handle “Paunch”, was arrested by Russian authorities in October of 2013, Symantec MSS observed a marked downturn in BHEK activity. A second, lesser-known exploit kit named “Cool EK”, supposedly authored by Paunch as well, suffered a similar fate. Both kits had all but disappeared from widespread use on the internet by the end of 2013, with only a small number of holdouts (existing campaigns or old infrastructure) still employing them. This post is meant to highlight the last year of the most successful exploit kit we’ve ever witnessed, and to detail the newcomers filling the void left by the notorious Blackhole.



This graph illustrates the last 12 months of Symantec MSS validated incidents of successful BHEK exposure, exploitation, and resulting infection. This graph does not represent spam, exposure, failed exploitation, or partially successful BHEK events. Theories about the pre-arrest downturn in BHEK (May 2013) include a focus shift to Cool EK, potential Paunch cooperation with law enforcement, or Paunch’s possible knowledge of an ongoing investigation into his actions.



This graph demonstrates the downturn in unique computer exposures to Blackhole and Cool exploit kit landing pages as reported by Symantec endpoint products. The distinct drop in activity from September to October 2013 is clear. (Provided by Symantec Security Response)


How do exploit kits work?

Exploit kits are designed and used by criminals for a single purpose: to compromise computers and install malware. The resulting infections are motivated by the usual ends: financial gain, botnet creation, or identity theft perpetrated by the attacker.

By redirecting users to a website running an exploit kit, attackers expose endpoint machines to a quick and dirty assessment followed by one or more exploitation attempts. These kits exploit a continuously updated series of client-side vulnerabilities, targeting common operating systems and popular applications. The repeatedly beleaguered client-side software includes popular web browsers (ex. Internet Explorer, Chrome, Firefox), Adobe Flash, Adobe Acrobat/Reader, Oracle Java, and more. Depending on the patch level, configuration, and security systems in place on the victim machine, exploit attempts by BHEK often result in successful infection.

Most exploit kits are offered for “rent” or outright sale on underground crime forums. More successful kits are constantly updated as new vulnerabilities are discovered and often come with customer support direct from the kit’s creators. Profits from the sale of these kits are regularly used to improve the quality or exclusivity of kit functionality and exploit variety. New 0-days are often employed by authors of these exploit kits to gain extra effectiveness and maintain a competitive edge in the underground market. High-dollar payments for new exploits were a well-known facet of the Blackhole and, eventually, Cool exploit kits.

Due to the portable and configurable nature of exploit kits, their widespread use and resulting infections are greatly varied. Such kits are oftentimes employed to spearhead the exploitation and delivery of malware associated with numerous malicious campaigns. Initial exposure to Blackhole and other kits usually stems from redirections found in everything from spam email to malicious ads and watering hole attacks.

The process usually plays out like this…

  1. An attacker sets up a website hosting an exploit kit (landing page + backend exploit engine).
  2. An endpoint user is exposed to the exploit kit landing page via malicious advertisement, redirection, spam link, etc.
  3. The exploit kit begins by “profiling” the victim via PluginDetect or similar, looking for vulnerable versions of popular operating systems, browsers, or plugins.
  4. If a vulnerable application or plugin version is detected, the exploit kit will deliver an appropriate exploit file (ex. JAR, PDF, SWF, crafted webpage).
  5. If the exploit was successful, a malicious payload will be dropped and executed on the victim host. This will vary greatly depending on the attacker’s preference, but usually involves some flavor of trojan, rootkit, or bot.
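
The chain above leaves a recognizable trail in web proxy logs. The following is an added example, not code from Symantec MSS or from the original post: a heuristic that flags a client reaching a page from another site (step 2), then fetching a JAR, PDF, or SWF from the same host (step 4), then an executable (step 5). The log format, content-type lists, 60-second window, and host names are assumptions; step 3 (profiling) is not visible at this level and is not modeled.

```python
from datetime import datetime, timedelta

# Content types for the exploit file formats named in step 4.
EXPLOIT_TYPES = {"application/java-archive": "JAR", "application/pdf": "PDF",
                 "application/x-shockwave-flash": "SWF"}
# Content types often used for executable downloads (assumed list).
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream"}
WINDOW = timedelta(seconds=60)  # assumed maximum gap between chain steps

# Constructed sample log: time, client, host, content type, referer host.
SAMPLE_LOG = """\
2014-04-01T10:00:00 10.0.0.5 news.example text/html -
2014-04-01T10:00:02 10.0.0.5 kit.example text/html news.example
2014-04-01T10:00:05 10.0.0.5 kit.example application/java-archive kit.example
2014-04-01T10:00:09 10.0.0.5 kit.example application/x-msdownload -
2014-04-01T10:01:00 10.0.0.7 docs.example text/html -
2014-04-01T10:01:03 10.0.0.7 docs.example application/pdf docs.example
"""


def parse(log):
    """Yield (time, client, host, content_type, referer) per log line."""
    for line in log.splitlines():
        ts, client, host, ctype, referer = line.split()
        yield datetime.fromisoformat(ts), client, host, ctype, referer


def find_chains(log, window=WINDOW):
    """Return sorted (client, host, exploit_kind, furthest_stage) tuples."""
    state = {}   # (client, host) -> (stage, time of last step, exploit kind)
    alerts = {}  # (client, host) -> (exploit kind, furthest stage)
    for ts, client, host, ctype, referer in parse(log):
        key = (client, host)
        stage, last, kind = state.get(key, (None, ts, None))
        if ts - last > window:
            stage, kind = None, None  # chain went stale, start over
        if ctype == "text/html" and referer not in ("-", host):
            stage = "landing"  # step 2: page reached from another site
        elif stage == "landing" and ctype in EXPLOIT_TYPES:
            stage, kind = "exploit", EXPLOIT_TYPES[ctype]  # step 4
        elif stage == "exploit" and ctype in PAYLOAD_TYPES:
            stage = "payload"  # step 5: executable follows the exploit file
        else:
            continue  # unrelated request, leave the chain state alone
        state[key] = (stage, ts, kind)
        if stage != "landing":
            alerts[key] = (kind, stage)
    return sorted((c, h, k, s) for (c, h), (k, s) in alerts.items())
```

In the sample, the direct visit to docs.example followed by a PDF is not flagged because no cross-site arrival precedes it; a result whose stage is "exploit" rather than "payload" means the file was delivered but no executable followed within the window.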


Beyond Blackhole

The resulting vacuum created by the evaporation of Blackhole and Cool exploit kits has seen a rise in new players. While none have climbed to the level of BHEK at its height, there is a very active crop of new and existing kits available. In the realm of Symantec MSS and its customers, several of the dozens of active kits stand out in recent months.

As seen below, the DotkaChef, Neutrino, and Sweet Orange exploit kits were the immediate “winners” after BHEK fell off the radar. In recent months, RedKit and relative newcomers Magnitude and Fiesta kits have played significant parts in the threat landscape.



This graph shows the breakdown of the heaviest hitting non-Blackhole/Cool exploit kits in the 6 months immediately after the arrest of “Paunch”. These numbers represent ALL activity observed (successful and otherwise) in MSS customer environments, from initial exposure to payload requests and infections. While Blackhole still played a lingering part in the exploit kit field, it was quickly outpaced by almost all of the newcomers listed above.


Exploit kits and Symantec MSS

Exploit kits have been a continuous threat to businesses and individuals across the Managed Security Services customer landscape. Such kits, when paired with effective delivery methods, have been responsible for countless malware outbreaks.

Due to the prevalence of these kits as exploitation and delivery mechanisms for malware, MSS and Symantec as a whole take detection and alerting very seriously. We’ve got a myriad of detection methods for not only the kits themselves, but the resulting malware and infrastructure used in the accompanying campaigns. A combination of signatures and heuristics is employed by both in-house mechanisms and MSS-supported third-party vendor devices at customer sites (Sourcefire, Emerging Threats, Palo Alto, FireEye, McAfee, ISS, and more).


More reading



Here’s a quick list of the 10 most current and abused vulnerabilities targeted by modern exploit kits. Along with each is the CVE number as well as any vendor-specific vulnerability designations. Links to vendor, patch, and general information are also included. While this is not an exhaustive list of all vulnerabilities being targeted by today’s exploit kits, it’s a snapshot of the more recent and commonly abused ones. (A more expansive list without 2014 CVEs can be found here!)


CVE-2014-0322 (MS14-012)

CVE-2014-0497 (APSB14-04)

CVE-2013-2551 (MS13-037)

CVE-2013-0634 (APSB13-04)

This post was brought to you by Andrew Larson (research and wordsmithing) and Eric Gonzalez (research).
