Very often we come across reports about exploit kits and the vulnerabilities they have been exploiting. Each exploited vulnerability is tagged with a unique number (a CVE identifier) and is also reported to the software vendor concerned. As and when the vendor makes patches available to the general public, it is the responsibility of the end-user to apply or deploy them.
However, depending on the critical nature of the vulnerability, the vendor may choose to provide an out-of-band update or workaround to mitigate the threat. Under normal circumstances, patches arrive on a routine schedule that may range from bi-monthly to quarterly.
The period between the public disclosure of a vulnerability and the availability of a patch or workaround is the most crucial, as users are most exposed during this window and cyber-criminals are working round the clock to exploit these very vulnerabilities for their nefarious purposes.
Exploit Kits / Exploit Packs typically serve malware via the drive-by-download method. Normally, an executable needs user intervention in order to run; in a drive-by download, however, malicious binaries are executed without the user's consent and without their knowledge. Executing a binary in this way is accomplished by exploiting a particular vulnerability that allows code execution, and such vulnerabilities are the prime focus of any exploit kit or pack.
The threat perception of a kit is determined by its number of features, its ease of deployment and its usability, i.e. its target audience (read: victims). No other exploit kit ever came close to the Blackhole kit.
Exploit kits are always associated with CVEs. The first known exploit kit was MPack, which targeted the vulnerabilities listed below; a few of them are briefly explained:

CVE-2006-0003
Exploit Details: https://www.exploit-db.com/exploits/16561/
Affected: Internet Explorer 6 / Microsoft Data Access Components (MDAC) remote code execution

CVE-2006-0005
Exploit Details: https://www.exploit-db.com/exploits/1504/
Affected: Windows Media Player plug-in vulnerability for Firefox and Opera

CVE-2006-3643
Exploit Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3643
Affected: Microsoft Management Console (MMC) redirect cross-site scripting (XSS) vulnerability (IE)

CVE-2006-3730
Exploit Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3730
Affected: WebViewFolderIcon (IE)

CVE-2006-6884
Exploit Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6884
Affected: WinZip FileView ActiveX (IE)

CVE-2007-0015
Exploit Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015
Affected: Apple QuickTime RTSP URL (IE)
From this table it is quite evident that, in order to gain access to a system via the browser, criminals have from day one resorted to exploiting vulnerabilities in widely used software, e.g. Internet Explorer, Apple QuickTime and, very often, Java.
Evolution is an inherent part of life and the same holds true for exploit kits: for numerous reasons, newer exploit kits keep appearing while others become obsolete. Exploit kits are here to stay, however, as long as there are programmers with malicious intent and criminals who are willing to pay a decent price for them.
The next series of blogs will concentrate on the CVEs used by various Exploit Kits/ Packs, beginning with GongDa / GonDad Exploit Kit and eScan’s fight against them.
Interestingly, GongDa exploits the CVEs listed below:
CVE-2011-3544, CVE-2012-0003, CVE-2012-0507, CVE-2012-1723, CVE-2012-1889, CVE-2012-4681, CVE-2012-4792, CVE-2012-4969, CVE-2012-5076, CVE-2013-0422, CVE-2013-0634, CVE-2013-1493, CVE-2013-2465, CVE-2013-3897, CVE-2013-0634.
Till then stay tuned and stay safe.