Investigating exploit kits: Clear and present danger
Nick Biasini is the Outreach Engineer at Cisco Talos. He has researched a wide range of topics including exploit kits and various malware campaigns being distributed through email.
In this interview he discusses the challenges involved in the investigation of new exploit kits, talks about surprising details he uncovered during his research, and offers insight into what we might see in the future.
What are the main technical challenges involved in the investigation of new exploit kits?
One of the biggest challenges from a security researcher perspective is the rapid adoption of malicious ads to distribute exploit kits. By either paying for legitimate ads or compromising the advertising servers, exploit kit users have become increasingly effective at delivering the gate into the exploit kit via malvertising.
The challenge this presents is replication. It’s common to find users being infected by exploit kits, but challenges are introduced when trying to chase down the campaign specifically. Logically, when using ads, the sites that they appear on are random and don’t necessarily repeat on the same site very often. For example, you find a user being compromised at site A through ad vendor B. Now you find the same Angler server being connected through site C and ad vendor D. When trying to replicate the infection you connect to both sites A & C, but the malicious ad is not served. This is one of the biggest challenges with exploit kits.
What are some of the most surprising details you’ve uncovered while examining an exploit kit?
For me, one of the most surprising details is the sophistication and organization associated with these kits. This is a big business with millions of dollars in revenue and it has definitely been reflected in the sophistication of these kits.
Take the Angler report we recently released. What we found was largely an enterprise service for compromise. They were using proxied connections, remote logging, and sophisticated health monitoring. These are things I would expect to see in an enterprise environment, not in an organization delivering ransomware to random people on the internet. The other surprising thing is scope. Going in I didn’t expect to see as many users as we did communicating with exploit kits. You may not realize it, but you are likely interacting with exploit kits when you are browsing the internet.
The exploit kit authors have become extremely effective in not wasting exploits, so most users aren’t delivered any malicious content. But it’s likely that in the background your browser is at least interacting with an exploit kit landing page. Whether it’s your favorite large web page that has ads, or a local restaurant around the corner that has had their wordpress/droopl/joomla site compromised, exploit kits are everywhere.
How do exploit kit authors adapt after their work has been discovered?
The biggest thing we see is changes in tactic or software updates. Commonly, we will see adversaries pivot from a hosting perspective. We have seen Angler shift largely outside of the United States for hosting and move primarily into Europe. We still occasionally see instances hosted within the United States, but after we were able to work with a provider in the US the bad guys stayed away.
A more recent example would be a new gate that we saw and wrote about. It was initially using a large contiguous string of text in the URL structure. However, a week after the publishing of our report, it changed and started using multiple sub folders to break up the large string to help ensure it wasn’t easily detected.
What are today’s most dangerous exploit kits? Why? How do you expect them to evolve?
All exploit kits are dangerous because they are focused on compromising users that are browsing the web. It is this indiscriminate compromise that makes these kits so dangerous. As a researcher I am fascinated with Angler. They consistently innovate and deliver new techniques. They are always evolving, changing and getting users compromised.
Just look at how their innovation has led the other exploit kits. It started with Domain Shadowing, which is the use of compromised registrant accounts to host exploit kit activity. Angler was the first exploit kit to start making use of it and it has now moved to every major exploit kit. They also pioneered things like 302 cushioning and encrypted payloads. All of these techniques are adopted by the other kits, another indication of their superiority.
Finally, there is the speed associated with exploit development. Angler is commonly the first kit to make use of breaking vulnerabilities. They are always on the cutting edge of vulnerabilities that are available today. For all these reasons I think that Angler is the most sophisticated and dangerous exploit kit. But all exploit kits are threats to the average user.