Since 2006, when the earliest exploit kit (WebAttacker) was made available in the crimeware market, these hack toolkits have become one of the preferred ways for cybercrooks to deliver malware to unsuspecting users.
At the moment, over 70 different exploit kits taking advantage of more than a hundred vulnerabilities are actively used by attackers. The top five list of most used ones goes like this: Sweet Orange, Angler, Magnitude, Rig, and Nuclear.
The effectiveness of exploit kits depends on the exploits they utilize. Throughout the year, exploit kit developers changed their focus a number of times, choosing to implement exploits for vulnerabilities depending on software popularity and on how quick the company behind it is to patch the holes.
In 2014, the flaws exploited were prevalently those in Adobe Flash Player and Acrobat/Reader; Microsoft Internet Explorer, Silverlight and ActiveX; and Oracle’s Java (click on the screenshot to enlarge it):
Exploit kits have also become more adept at detecting security and virtualization software in order to stop themselves from running and avoid being spotted and analyzed. New obfuscation techniques have also been implemented by some of the authors.
So what can we expect from exploit kits in 2015? Judging by what happened at the beginning of the year, Trend Micro researchers believe that they will include more exploits for zero-day flaws.
Another emerging tendency is the increasing use of exploit kits in malvertising.
“In particular, zero-day exploits (usually seen first in targeted attacks) are now being deployed in malicious ads right away, instead of first being used in targeted attacks against enterprises or other large organizations,” noted Trend Micro threat analysts Brooks Li and Joseph Chen. “This is a worrying trend, as it means that more users could be affected by these threats before a patch becomes available.”
An obvious way for users to keep themselves as secure from exploit kits as they can be is to make an effort to keep all their software up-to-date, especially the solutions mentioned earlier as they are the most targeted. This won’t protect them against active zero-day exploits, but most of the flaws probed by exploit kits are usually already patched.
While not clicking on links contained in spammed messages and emails might help them stay away from landing on sites hosting exploit kits, malvertising is not that easily avoided. This is where security software can step in and detect malicious behavior, as well as block access to exploit sites and the running of malicious files.
For more information about the evolution, modus operandi and prevalence of exploit kits, check out the easy-to-follow paper.