An exploit kit is simply a collection of exploits, which is a simple one-in-all tool for managing a variety of exploits altogether. Exploit kits act as a kind of repository, and make it easy for users without much technical knowledge to use exploits. Users can add their own exploits to it and use them simultaneously apart from the pre-installed ones.
One of the earlier kits was MPack, in 2006. Exploit kits are often designed to be modular and easy to use, enabling the addition of new vulnerabilities and the removal of existing ones. Exploit kits also provide a user interface for the person who controls them, which typically includes information on success rates and other types of statistics, as well as the ability to control their settings. A typical kit is a collection of PHP scripts that target security holes in commonly used programs such as Apple Quicktime or Mozilla Firefox. Widely used software such as Oracle Java and Adobe Systems products are targeted particularly often.
Exploit kits come packed with a variety of tools ranging from hunting vulnerabilities to further automated exploitation of the security loopholes which it has discovered. Basically it follows a simple hierarchy of the five steps of hacking.
The exploit kit gathers information on the victim machine, finds vulnerabilities and determines the appropriate exploit, and delivers the exploit, which typically silently drive-by downloads and executes malware, and further running post-exploitation modules to maintain further remote access to the compromised system. Lastly as a measure to cover up tracks, it uses special techniques like erasing logs to avoid detection.
As days pass by exploit kits are becoming ever more sophisticated. They tend to be neatly packaged, and do not require any understanding of exploits, and very little computer proficiency. Kits may have a Web interface showing active victims and statistics. They may have a support period and updates like commercial software.
Exploit kits are sold in cybercriminal circles, often with vulnerabilities already loaded onto them.
A study by Solutionary's Security Engineering Research Team (SERT) found about 70% of exploit kits released in Q4 2012 come from Russia, followed by China and Brazil, with 20% not attributed. A typical, relatively unsophisticated kit may cost US$500 per month. Licenses for advanced kits have been reported to cost as much as $10,000 per month. Exploit kits are often encoded, instead of in plain PHP, to prevent unlicensed use and complicate anti-malware analysis.
Further Research from Recorded Future's Threat Intelligence Team revealed that Adobe Flash Player provided six of the top 10 vulnerabilities used by exploit kits in 2016. Flash Player's popularity with cyber criminals remains even after increased Adobe security issue mitigation efforts.
This article needs additional citations for verification. (December 2016) (Learn how and when to remove this template message)
Kits continue to include exploitation of vulnerabilities that were patched years back, as there continues to be a significant population of unpatched machines.
Exploit kits tend to be deployed covertly on legitimate Web sites that have been hacked, unknown to the site operators and visitors.
- Joshua Cannell (11 February 2013). "Tools of the Trade: Exploit Kits". Https:. Retrieved 16 March 2016.
- "New Kit, Same Player: Top 10 Vulnerabilities Used by Exploit Kits in 2016". Recorded Future. 2016-12-06. Retrieved 2017-01-20.
- Jérôme Segura (15 March 2016). "Large Angler Malvertising Campaign Hits Top Publishers". malwarebytes. Retrieved 16 March 2016.