A problem of exploits

Exploits are a subset of malware, but they are not always detectable by security software if it doesn’t employ behavior analysis. In fact, it’s the only good way to beat exploits. Malware programs may be plentiful and varied, but most of them have similar behavioral patterns.

Security vendors often mention exploits in their publications as one of the most serious problems with data and systems safety, although it’s not always clear what the difference is between exploits and the malware in general. We’ll try to explain and elaborate here.

What is an exploit?

Exploits are malware, or, rather, a subset of such. Exploits are (malicious) programs that contain data or executable code, which is able to take advantage of one or more vulnerabilities in the software running on a local or remote computer.

Simply put: You have a browser and there is a vulnerability in it that allow “an arbitrary code” to run – i.e. install and launch some malicious program – on your system without your knowledge, or cause some other kind of unintended and unanticipated behavior of the system. Most often it is all about allowing privilege escalation for the attackers so they can do anything within the attacked system.

Browsers, along with Flash, Java, and Microsoft Office, are among the most targeted software categories. Being ubiquitous, they are actively explored by security experts and hackers alike, and vendors regularly have to release patches to fix vulnerabilities. It’s best if these patches are applied at once, but unfortunately that is not always the case.

A particular problem is, of course, exploits for the unknown vulnerabilities, discovered and abused by blackhats: so-called zero-days. It may take awhile before the vendors know they have a problem and work it over.

Infection routes

The next part is rather technical, so feel free to bypass it unless you’re truly curious of how these things work. Keep in mind, though, that cybercriminals often prefer exploits over other infection methods, since unlike social engineering – which can be hit or miss – the use of vulnerabilities continues to produce the desired results.

There are two ways users can be “fed” exploits. First, by visiting a site that contains malicious exploit code. Second, by opening a seemingly legitimate file with hidden malicious code. As one may easily guess, it’s most likely spam or a phishing email that will bring the exploit in.

As Securelist’s article has it, exploits are designed to strike specific versions of software that contain vulnerabilities. So, if the user has that version of the software to open the malicious object, or if a website is using that software to operate, the exploit is triggered.

Once it gains access through the vulnerability, the exploit then loads additional malware from the criminals’ server which performs malicious activity such as stealing personal data, using the computer as part of a botnet to distribute spam or carry out DDoS attacks, etc.

Exploits pose a threat even for the aware and diligent users who keep their software updated. The reason is a time gap between the discovery of a vulnerability and a release of the patch to fix it.

During that time, exploits are able to function freely and threaten the security of nearly all Internet users – unless there are automatic tools to prevent exploit attacks installed.

Exploits run in packs

Exploits are often packed together so that an attacked system is checked against a wide range of vulnerabilities; once one or more are detected, the appropriate exploits enter. Exploit kits also widely use code obfuscation to avoid detection and encrypt URL paths to prevent researchers from unrooting them.

Among the best known are:

Angler – one of the most sophisticated kits on the underground market, this one changed the game after it had begun detecting antivirus and virtual machines (often used by security researchers as honeypots), and deploying encrypted dropper files. It is one of the fastest kits to incorporate newly released zero-days and its malware runs from memory, without having to write to the hard drives of its victims. Technical description of the pack is available here.

Nuclear Pack – hits its victims with Java and Adobe PDF explots, as well as dropping Caphaw – a notorious banking Trojan. More data on it is available here.

Neutrino – a Russian-made kit containing a few Java exploits, made headlines last year due to the fact that its owner has put it on sale for a very modest price – $34,000. Most likely it was done following the arrest of a certain Paunch, creator of…

Blackhole Kit – the most prevalent web threat of 2012, it targets vulnerabilities in old versions of browsers such as Firefox, Google Chrome, Internet Explorer, and Safari as well as many popular plugins like Adobe Flash, Adobe Acrobat, and Java. After a victim is lured or redirectd to a landing page, an obfuscated JavaScript determines what is on the victim’s computers and loads all exploits to which this computer is vulnerable and sometimes a Java applet tag that loads a Java Trojan horse. If there is an exploit that is usable, the exploit loads and executes a payload on the victim’s computer and informs the Blackhole exploit kit server which exploit was used to load the payload.

It has polymorphic code, so prevention requires a good host-based intrusion prevention system or automatic exploit prevention technology to counter its attacks. Signature-based detection won’t work.

Blackhole, unlike most of the others, has a dedicated entry in Wikipedia, although after Paunch’s arrest the kit itself has almost died out.

Conclusion

As said before, exploits are a subset of malware, but they are not always detectable by security software if it doesn’t employ behavior analysis – in fact, it’s the only good way to beat exploits. Malware programs may be plentiful and varied, but most of them have similar behavioral patterns.

Kaspersky Lab’s Automatic Exploit Prevention uses the information about the most typical behavior of the known exploits. The characteristic behavior of such malicious programs helps to prevent infection even in the case of a previously unknown zero-day vulnerability exploit.

Exploits quite often preload files prior to directly contaminating the system. Automatic Exploit Prevention monitors programs appealing to the network and analyzes the source files.

More information on Automatic Exploit Prevention technology is available here.

Tips