Cybercriminals have many different tactics to attempt to gain control of your computer or steal your personal information. One way is through exploit kits (EKs). Attackers write EKs to run on web applications to exploit specific vulnerabilities in software that can allow them to compromise your system. An EK can hide within a website’s code. To the visitor, it is invisible.

Whether a vulnerability has been around for months or it is a zero-day exploit, the attacker is counting on you to put off updating that vulnerable web browser or plugin. They’re counting on you clicking “remind me later,” every time you’re prompted to install an update.

Although it causes all sorts of security problems, “remind me later” really is a necessity. You don’t always want to update to the latest software version. Updating one software version sometimes breaks another piece of crucial software. So, you defer and continue pushing off the update until everything is compatible. Then there’s the inconvenience. Wait for an installation and then a reboot in the middle of a work day? Never. Gonna. Happen.

The attackers know these systems are out there, unpatched against the latest vulnerabilities. How do attackers find a computer to exploit? Spam and phishing are a common strategy. You know when you receive that email with all of the empty promises of a bad infomercial?

“Click here for singles in your area that want to meet you!”

“Click here to lose weight instantly. The new mouse clicking exercise routine awaits!”

Once you click a link from a phishing email, your browser is likely directed to a compromised website hosting an EK, ready to take advantage of your out-of-date browser or plugins. One of the most widely used EKs at the moment is Angler. Throughout 2015, Angler was seen to exploit mainly Flash, Internet Explorer, and Silverlight-based Common Vulnerabilities and Exposures (CVEs) [1].

Phishing sites aren’t the only sources for exploit kits. It could be a seemingly innocuous website that you visit regularly, like your banking site. One technique used on compromised websites is to modify the website’s HTML code to load a malicious Flash file from yet another compromised site. The Flash file then issues an HTTP POST request, and the response to that POST redirects the visitor to another website.

When the landing page for the EK is reached, it decides which exploit it can deploy based on browser and plugin information gathered from the visitor. The goal here is a drive-by download. If the computer can be exploited, the payload (malware) is downloaded. The payload is executed, and post-infection communication with command and control (C&C) servers begins.
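
The redirect chain described above leaves a recognizable pattern in web proxy logs. The following is an added example, not code from the original post: a small detector that flags a Flash file loaded from a different site than the page embedding it, followed by a POST referred by that Flash file and redirected to a third host. The log format, field order, and domain names are constructed for illustration, and it assumes the proxy records the SWF URL as the Referer of the Flash-issued POST.

```python
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic). Assumed field order:
# client method url status content_type referer location
SAMPLE_LOG = """\
10.0.0.5 GET http://bank.example/index.html 200 text/html - -
10.0.0.5 GET http://cdn.blog.example/banner.swf 200 application/x-shockwave-flash http://bank.example/index.html -
10.0.0.5 POST http://cdn.blog.example/gate.php 302 text/html http://cdn.blog.example/banner.swf http://landing.test/topic/index.php
10.0.0.5 GET http://landing.test/topic/index.php 200 text/html http://cdn.blog.example/gate.php -
10.0.0.9 GET http://video.example/player.swf 200 application/x-shockwave-flash http://video.example/watch -
10.0.0.9 POST http://video.example/stats 200 application/json http://video.example/player.swf -
"""

FLASH_MIME = "application/x-shockwave-flash"


def host(url):
    """Hostname of a URL, or an empty string if it has none."""
    return urlsplit(url).hostname or ""


def find_flash_redirect_chains(log_text):
    """Return one finding per cross-site SWF load followed by a
    Flash-referred POST that is redirected to a third host."""
    cross_site_swf = {}  # (client, swf_url) -> page that embedded it
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip malformed lines rather than guess
        client, method, url, status, ctype, referer, location = fields
        if method == "GET" and ctype == FLASH_MIME and referer != "-":
            # Step 1: a page pulls a Flash object from another site.
            if host(referer) != host(url):
                cross_site_swf[(client, url)] = referer
        elif method == "POST" and status.startswith("3") and location != "-":
            # Step 2: that Flash object POSTs and is redirected elsewhere.
            page = cross_site_swf.get((client, referer))
            if page and host(location) not in (host(page), host(url)):
                findings.append({"client": client, "page": page,
                                 "swf": referer, "post": url,
                                 "redirect_to": location})
    return findings


if __name__ == "__main__":
    for finding in find_flash_redirect_chains(SAMPLE_LOG):
        print(finding)
```

The same-site player on `video.example` is not flagged, because its Flash file is served by the embedding site and its POST is not redirected.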

Payloads vary, the most prevalent being ransomware variants and infostealers. Ransomware, such as TeslaCrypt [2], encrypts specific file types on your computer so that you are no longer able to access them and offers to decrypt them for you after receiving payment.

TeslaCrypt callback traffic; compromised domains.

A Trojan infostealer, such as Dridex [3], is able to collect screenshots while you use your computer, grab information entered into forms from specific sites you visit, and redirect to false banking sites.

Dridex XML configuration, showing which URLs to use to capture form submissions.

Of course, the goal of exploitation isn’t always to steal your personal information. The aim could be to keep infecting more computers, leaving a backdoor for remote access communication and enlisting computers into a zombie botnet. A botnet is a group of computers that can be issued commands from a C&C server and are used for spamming or DDoS attacks.

Let’s not forget the vigilantes. There are rumors of vigilante white/gray hats taking over the Dridex botnet to send out payloads of popular antivirus software. The AV cleans the machine of all known malware in its definitions and then releases control. The anti-malware-malware.

To keep up to date on the latest CVEs, sign up with US-CERT to receive alerts on exploits and zero-days. Another good resource is the Offensive Security Exploit Database. Give the database a search before you add that new plugin to your WordPress site. Speaking of WordPress, the Exploit Database currently has 857 archived exploits regarding the publishing application. If you’re running WordPress, it’s imperative that you keep it up to date. The majority of the EKs that researchers find are hosted on compromised WordPress sites [4].

Be sure to always update your OS, web browsers, and plugins with the latest patches. You can use Umbrella, OpenDNS’s flagship enterprise security product, and have access to a dashboard that provides centralized visibility and control over all of your organization’s offices and users, no matter where they operate. And with Investigate, you’re able to pivot through an attacker’s infrastructure to detect or respond to threats.

[domain that OpenDNS has blocked for being associated with TeslaCrypt]


Of course, you could always keep hoping for some of that anti-malware-malware to drop on your systems.

