In February, we released our SonicWall Security 2016 Threat Report, and one of its highlights was a discussion of the latest techniques and trends in exploit kits (EKs).

EKs have become a key tool for cybercriminals to take over target machines (via an exploit) and then install malware of their choice.

For those who have some background in researching EKs, the stages will seem familiar. First, there is a redirection stage, which leads the user to the landing page of the EK (either directly or via an infected website). This redirection can be triggered by a URL in a spam email or a Twitter/Facebook feed, by an advertising banner redirection (malvertising), or simply by an IFRAME redirection from an infected website.

Next is the landing stage. Here, the target visits the actual web server where the EK software resides (i.e., the landing page) and the exploit is delivered.

During exploitation, carefully crafted scripts determine which software components are installed on the victim's machine (in order to select an appropriate exploit first). The selected exploit is then delivered and, if it succeeds, malware is installed on the target machine.

Some of the stages described above can be illustrated with the Spartan EK, discovered by the SonicWall Threat Research team last year.

As you may note in Spartan’s exploit kit delivery technique, the initial Flash file was encrypted, and the actual exploit code resided only in memory and was never written to disk (thus avoiding potential detection by AV software).

EK delivery mechanisms are evolving, and they require security vendors to keep pace with the latest evasion techniques in order to successfully detect and/or prevent the attacks. It is not uncommon for an EK to check for the presence of certain AV software or a virtualized environment during the exploit stage, and to abort its execution so that it is not exposed to security professionals (see example code below).

For example, last year we observed the Magnitude EK using steganography during the redirection stage to dynamically generate an IFRAME from an encrypted/encoded image file. Such techniques make it more difficult for the affected website owner to identify a potential website infection.

In addition, landing page URLs undergo periodic modifications to avoid detection by security vendors. We have observed landing page URL patterns change within 48 hours for certain EKs. The landing page's software component detection techniques have changed as well. Unlike in the past, we have observed EKs that can determine the browser and component versions running on target systems without using the JavaScript PluginDetect library.

What are some important conclusions security product designers can draw from the latest trends in EKs? For one, because both the exploit and the malware payload are increasingly obfuscated in the latest delivery techniques, it is now more important than ever to quickly and correctly identify access to an EK landing page, and to stop the exploit delivery immediately at that point, when the user first reaches the landing page. Thus, tracking EKs and their latest attack techniques is an important part of any threat research team's activity.
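The stage model above (redirection from a referring site, landing page, exploit object, then payload) can be turned into a retrospective hunt over web proxy logs, which is how a threat research team validates that its landing-page detection fires before the payload stage. This is an added example, not code from the post or from SonicWall; the log format, the content types treated as exploit carriers and payloads, and the 30-second window are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines (not real traffic). Fields: time client url status content-type referer
SAMPLE_LOG = """\
1000 10.0.0.5 http://news.example/article.html 200 text/html -
1001 10.0.0.5 http://cdn.example/style.css 200 text/css http://news.example/article.html
1002 10.0.0.5 http://x7k2.landing.test/qwe/rty 200 text/html http://news.example/article.html
1003 10.0.0.5 http://x7k2.landing.test/qwe/x.swf 200 application/x-shockwave-flash http://x7k2.landing.test/qwe/rty
1005 10.0.0.5 http://x7k2.landing.test/qwe/get 200 application/octet-stream http://x7k2.landing.test/qwe/rty
1010 10.0.0.7 http://news.example/article.html 200 text/html -
1011 10.0.0.7 http://video.example/player.swf 200 application/x-shockwave-flash http://news.example/article.html
"""

EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive"}   # assumed exploit carriers
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}       # assumed payload types
WINDOW = 30  # seconds allowed between landing page and payload; an assumed tuning value

def parse_log(text):
    """Parse the constructed log format into dicts with the request host and referrer host extracted."""
    events = []
    for line in text.splitlines():
        ts, client, url, status, ctype, ref = line.split()
        events.append({"ts": int(ts), "client": client, "url": url, "ctype": ctype,
                       "host": urlparse(url).hostname,
                       "ref_host": None if ref == "-" else urlparse(ref).hostname})
    return events

def find_landing_chains(events):
    """Flag, per client, an HTML page on host B reached from a page on host A that is followed
    within WINDOW by an exploit-type object and then a binary payload, both served from host B."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    hits = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["ctype"] != "text/html" or e["ref_host"] in (None, e["host"]):
                continue                                    # not a cross-site page load
            later = [x for x in evs[i + 1:] if x["host"] == e["host"] and x["ts"] - e["ts"] <= WINDOW]
            exploit_ts = next((x["ts"] for x in later if x["ctype"] in EXPLOIT_TYPES), None)
            payload_ts = next((x["ts"] for x in later if x["ctype"] in PAYLOAD_TYPES), None)
            if exploit_ts is not None and payload_ts is not None and exploit_ts <= payload_ts:
                hits.append({"client": client, "referrer": e["ref_host"], "landing": e["url"],
                             "chain": [e["url"]] + [x["url"] for x in later]})
    return hits

if __name__ == "__main__":
    for hit in find_landing_chains(parse_log(SAMPLE_LOG)):
        print(hit["client"], "->", " -> ".join(hit["chain"]))
```

The second client loads a Flash player from a different host without any payload following, so it is not flagged; the referrer recorded in each hit points back at the infected or malvertising site that did the redirection.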

Download the SonicWall Security Annual Threat Report today.


Alex Dubrovsky
Executive Director of Software Engineering and Threat Research | SonicWall
Alex is the architect and inventor of SonicWall's Reassembly-Free Deep Packet Inspection technology (RFDPI), the core differentiating technology for SonicWall Network Security products. He is also the author of the Reassembly-Free Deep Packet Inspection patents and the reassembly-free gateway file scanning patents, and in total holds over 30 patents granted by the USPTO in the network security and content security areas.

At SonicWall, Alex is Executive Director of Software Engineering & Threat Research, leading all threat prevention security services and functionality and all Deep Packet Inspection related software development, including Intrusion Prevention (IPS), Gateway Anti-Virus, Capture ATP (SonicOS), Application Intelligence & Control, SSL decryption (DPI-SSL) and SSH decryption (DPI-SSH), and he runs the entire SonicWall Capture Labs Threat Research team. Alex is also part of the threat research community and an active reporter for the WildList organization (a well-known malware threat intelligence sharing group). Alex has been with SonicWall for 15 years and has 17+ years of industry experience (in software R&D and threat research) in individual contributor and leadership roles. Alex holds a B.S. in Computer Science & Engineering and an M.S. in Computer Science, both from the University of California, Los Angeles (UCLA).
