The Rise of Exploit Kits According to Solutionary SERT

Monday, January 28, 2013

Pierluigi Paganini


(Translated from the original Italian)

Today I want to discuss a very interesting study by Solutionary's Security Engineering Research Team (SERT), which shares the results of an analysis of malware and exploit kit diffusion observed through its ActiveGuard service platform.

The platform collects and analyzes malicious events that hit the company's clients globally, and the data were provided to SERT to paint the overall threat landscape. The study revealed that, despite a 15% drop in event volume in the categories of Authentication Security, Distributed Denial of Service (DDoS) and Reconnaissance, the threat represented by exploit kits is increasing in incidence.

The report revealed the surprising effectiveness of well-known vulnerabilities included in the popular exploit kits sold in the underground: around 60% of them are more than two years old, and 70% of the 26 exploit kits analyzed were released or created in Russia.

Figure: exploit kits per country of origin

The figure is meaningful when one considers that second place is occupied by China with 7.7%. The most popular and pervasive exploit kit is BlackHole 2.0, which exploits fewer vulnerabilities than other kits do, while the most versatile is the Phoenix exploit kit, which supports 16% of all vulnerabilities being exploited. Over 18% of the malware instances detected were directly attributed to the BlackHole exploit kit, a web application that exploits known vulnerabilities in the most popular applications, frameworks and browsers, such as Adobe Reader, Adobe Flash and Java.

Figure: targeted vulnerabilities per exploit kit

The data highlight the inadequacy of the patch management processes of private businesses that don't update their systems promptly; in many cases entire infrastructures go without updates for a long time, which is why they are still vulnerable to old exploit code dating back to 2004.

The phenomenon is really worrying. Cyber security is crucial to the existence of any company and of all its business partners, yet we are facing a lack of security culture: security is still perceived as a cost, and the global crisis is aggravating the situation.

The report states:

“SERT continuously performs batch analysis of malware variants received through various means, with much of the intense examination being left for particularly serious threats. As indicated by the accompanying chart, a majority (67%) of malware is not detected by anti-virus or anti-malware software. Although specific insights require close examination, trending from batch analysis can often provide a high-level perspective that is critical for strategic enterprise security planning.”

The use of exploit kits is also demonstrated by the data on the number of instances detected: 30% of the samples analyzed were traced back to JavaScript malware variants used for redirection, obfuscation and encryption, all functionality provided by the popular malicious kits.

The figures are very worrying. New vulnerabilities are discovered with impressive frequency, and the trend observed in recent months demonstrates a very active and prolific market for the commercialization of 0-day vulnerabilities; in many cases dedicated exploit kits are sold directly in the underground market, and once again the Russian underground is the most active in this sense.

“With a large concentration of exploit kits focusing on client-side exploitation (targeting desktop and end-user applications), organizations must pay close attention to patch management and endpoint security controls. Although these controls alone will not stop all attacks, they will significantly decrease the attack surface and reduce the overall likelihood of compromise.”

As the report correctly notes, there is a large concentration of exploit kits focusing on client-side exploitation (targeting browsers, desktop and end-user applications); for this reason organizations, but also end users, must pay close attention to keeping their systems protected by antivirus and up to date.

Cross-posted from Security Affairs
