Security Report Lays Out How Exploit Kits Work

A new free report by a security vendor explains in plain language how exploit kits are sold, deployed, and used to generate money for their buyers through malware installation. Marketed with feature lists and screenshots and sold like other software programs, an exploit kit is a Web application that allows the user to take advantage of known exploits in popular applications, such as Microsoft's Internet Explorer, Adobe Acrobat, and Adobe Flash Player.

In M86 Security's "Web Exploits--There's an App for That," the company said it has counted more than a dozen new attack kits being launched in just the last six months. The report was released at the same time the company announced a new version of its Web security gateway and e-mail security product.

Most of the new exploit kit releases are written in Russian, though they are often translated into English, and they sell for $400 to $1,000 apiece. They promise buyers the "highest rates for the lowest price," as one package proclaims. Once installed--through basic commands such as Unix's cp for copying a file and chmod for modifying file permissions--the kit helps the user set up exploit pages. The applications also provide a Web interface for measuring the effectiveness of any given exploit. The user then drives traffic to the exploit page, where the unwitting visitor clicks on a link that installs malware on his or her system.

The exploit kit user generates revenue through several means, according to the report. These include stealing private information from the victim to be resold, and installing other malware such as fake anti-virus "scareware" under pay-per-install arrangements, in which the affiliate is paid for each successful installation.

The report shows a screenshot of one exploit kit administrator console displaying 5,032 successful installs for the day. "Assuming a pay-per-install model where the affiliate is earning a modest $100 USD per 1,000 installs, this would result in revenue of about $500 USD for the day," the writers state.

"Exploit kits have changed the cybercrime industry in a very short period of time," said Bradley Anstis, M86 vice president of technology strategy. "People can launch attacks without even knowing a line of code, and the infrastructure now exists to pay the attacker per exploit achieved. With an attack kit there is literally 'an app for that' and it is driving the explosive growth in Internet-borne threats such as spam and zero-day attacks with new kits popping up every day. This latest research report details the anatomy of these kits, providing insight into the evolution and the skyrocketing increase in the number of attacks."

A complete copy of the report can be downloaded here.

M86 recently updated its security product, M86 WebMarshal 6.5.6, to include support for Windows 7 as well as usability improvements. WebMarshal is intended to protect organizations from Internet threats, including malware, viruses, blended attacks, and attempted fraud.

The new release works with Windows 7, Windows Server 2008 R2, and Windows Small Business Server 2008, as well as older editions of the operating systems. It also includes a new default policy rule-set for easier management of rules, improved content filtering, and enhanced reporting on user activities. The upgrade is optimized to handle processing of streaming media and large files and provides a number of smaller improvements, such as more granular filtering and monitoring, right-click functionality, and improved quota options for cached files.

The company's newest release of its e-mail product, M86 MailMarshal SMTP 6.8, is compatible with Microsoft Windows 7 and Microsoft Windows Server 2008 R2. It includes a new quarantining feature for blended threats. A blended threat embeds a URL link in a legitimate-looking e-mail that leads to a Web site which can then execute "automated, drive-by downloads," the company said in a statement, infecting users and exposing them to vulnerability exploits. With the new version, suspicious messages can be held in a queue while a "blended threat module" performs analysis on any contained URLs.

The new quarantine feature can also be applied to anti-virus rules. For example, if a user's anti-virus signature engine is out-of-date, e-mails with suspicious or unexpected attachments can be held back until they can be scanned with an up-to-date engine.
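The two hold-and-analyze behaviours described above (queueing a message while its URLs are analysed, and holding messages with suspicious attachments while the anti-virus signature engine is out of date) can be sketched as a single mail-gateway triage policy. The following Python is an added illustration written for this article; it is not code from M86 or from MailMarshal, and the host lists, attachment extensions, signature-age limit and sample messages are all constructed assumptions. Unlike the product, it models the blended-threat analysis as a simple lookup that returns "bad", "good" or "unknown" for each URL host.

```python
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample data for this example (not from the report or product).
KNOWN_BAD_HOSTS = {"exploit-landing.example"}      # assumed reputation feed: known exploit pages
KNOWN_GOOD_HOSTS = {"www.example.org"}              # assumed allow list
SUSPICIOUS_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".zip", ".pdf", ".swf"}
MAX_SIGNATURE_AGE = timedelta(hours=24)             # assumed "engine is out of date" threshold

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)  # attachment file names only


@dataclass
class Verdict:
    action: str   # "deliver", "hold" (queued for later analysis) or "block"
    reason: str


def extract_urls(body: str) -> list:
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(body)


def classify_host(host: str) -> str:
    """Stand-in for the blended-threat analysis: reputation lookup on the URL host."""
    if host in KNOWN_BAD_HOSTS:
        return "bad"
    if host in KNOWN_GOOD_HOSTS:
        return "good"
    return "unknown"


def signature_engine_stale(last_update: datetime, now: datetime) -> bool:
    """True when the AV signature engine has not been updated within MAX_SIGNATURE_AGE."""
    return now - last_update > MAX_SIGNATURE_AGE


def triage(msg: Message, av_last_update: datetime, now: datetime) -> Verdict:
    """Decide whether a message is delivered, held in the queue, or blocked."""
    # Blended-threat rule: look at every URL before deciding, so a known-bad
    # host blocks the message even if other hosts are merely unknown.
    hosts = {(urlparse(u).hostname or "").lower() for u in extract_urls(msg.body)}
    verdicts = {h: classify_host(h) for h in hosts}
    bad = sorted(h for h, v in verdicts.items() if v == "bad")
    if bad:
        return Verdict("block", "URL points at known exploit host: " + ", ".join(bad))
    unknown = sorted(h for h, v in verdicts.items() if v == "unknown")
    if unknown:
        # Held, not dropped: released once analysis classifies the hosts.
        return Verdict("hold", "awaiting URL analysis for: " + ", ".join(unknown))

    # Anti-virus rule: suspicious attachments wait for an up-to-date engine.
    if signature_engine_stale(av_last_update, now):
        for name in msg.attachments:
            if os.path.splitext(name)[1].lower() in SUSPICIOUS_EXTENSIONS:
                return Verdict("hold", f"attachment {name} held until signatures are refreshed")

    return Verdict("deliver", "no unresolved URL or attachment risk")


def run_demo() -> list:
    """Triage a few constructed messages; returns the list of actions taken."""
    now = datetime(2010, 1, 1, 12, 0)
    fresh_engine = now - timedelta(hours=1)
    stale_engine = now - timedelta(days=3)
    samples = [
        (Message("a@example.net", "Invoice", "See http://exploit-landing.example/in.php"), fresh_engine),
        (Message("b@example.net", "Hi", "Photos at http://newhost.example/album"), fresh_engine),
        (Message("c@example.net", "Minutes", "Notes: https://www.example.org/minutes"), fresh_engine),
        (Message("d@example.net", "Report", "Attached.", ["report.pdf"]), stale_engine),
        (Message("e@example.net", "Report", "Attached.", ["report.pdf"]), fresh_engine),
    ]
    return [triage(m, av_update, now).action for m, av_update in samples]


if __name__ == "__main__":
    for action in run_demo():
        print(action)
```

The point of the "hold" state is that it separates messages the gateway cannot yet judge from those it has condemned: a held message is released or blocked once the URL analysis or a refreshed signature engine produces an answer, rather than being delivered on the strength of an incomplete scan.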

Among other changes, the e-mail security product upgrade also provides a way for users to select which message digests they wish to receive and the ability to add senders to a white list from the message digest e-mail, without the need to visit the company's Spam Quarantine Manager Web site.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
