During his Black Hat briefing, Jason Jones, the Team Lead for ASI (Advanced Security Intelligence) at HP DVLabs, presents an extensive professional analysis of present-day web exploit kits.
I’m going to be talking about the state of web exploit toolkits, which is a lot of what I’ve been doing on my job. I’m the Lead for the Advanced Security Intelligence Team at HP DVLabs. A lot of what my job is – is to deal with malware, analyze it, try to figure out ways to determine reputation. We do a lot of malicious content harvesting. And web exploit toolkits are becoming more popular, more prevalent in the wild – it’s something that popped up on my radar and became a very interesting topic for me to continue researching.

If you’re not familiar with them, web exploit toolkits are pre-packaged software that generally consists of an installer; a lot of them are PHP-based and they have a database backend, which is normally MySQL. They include a large number of exploits, and most of these exploits actually target known vulnerabilities that are already patched and are rarely 0-day. There is one instance of a 0-day vulnerability being in these things.
Another interesting and important thing is we can actually get some of these PHP files in raw form, but they are actually using the ionCube PHP Encoder which encrypts a PHP file so that it’s difficult to recover. There are services out there that claim to be able to decrypt this encoding but we never found any that actually really work.
A lot of these also have fancy control panels where you can go through and they’ll show statistics about what countries your visitors are coming from, what browsers they are using, and what exploits have been launched and been successful. So, you can get quite a bit of information from that. And then also you can configure which exploits you want to use and which payloads you actually want to launch. So, it ends up being very similar to a normal web application. Where they differ is that their whole goal is to install a malicious payload, some piece of malware. They have been used a lot to build up botnets, Trojans, fake AV, ransomware type of stuff. At the end of the day, it’s just a way for any cyber criminal to easily build something up and make money.

A lot of these kits can cost thousands of dollars; some of them are free but some of them are very expensive. You can also do rentals: daily, weekly, monthly type of stuff. And they actually do a similar model of maybe a day costing $100, but a week costing $500; so they’ll offer you a discount to try to get you to go up. They also do bullet-proof hosting, which is hosting on their own servers where you are not going to get taken down, because it’s hosted by cyber criminals, so they are not going to obey law enforcement’s request to remove it.
And a lot of times they’ll contain agreements like EULAs stating that you have permission to do this with their kit, you cannot resell it, you cannot disclose what’s in it – it’s like what you would expect to see with normal software. And that’s where it becomes really interesting, because the economy is built up like a legitimate software business, but in the underground. It gets really interesting because there’s also marketing and competitiveness between kits, where one kit will say: “We’re better than this kit because we have exploits A, B and C”, and the other kit will say: “Well, they stole those from us”. So it’s just like this whole back and forth between these guys.