- written by Bart P
This article is also mirrored at Pastebin.
Picture of a botnet with the Command & Control server and botnet herder
Botnet kits. Crimeware kits. Exploit kits. Who hasn't heard these words nowadays? Sold in underground forums, they are becoming more popular due to a drop in prices and the fact you do not need to be a technological wonder to use them.
But what are these kits exactly? Which features does it have? Who develops them? How do they get used? More importantly, how can we stop the spreading of these kits and how can users protect themselves against the dangers they pose?
In today's article (which will be a Q&A, a question & answer), I hope to be able to clear up the mystery behind these kits. I have been able to interview experts in the anti-malware world. They will each give their opinion on this particular subject.
I will pose my question and place the answer of each expert right beneath it, for your convenience.
Included is a link to their website, and a link to their Twitter page. If you have Twitter, I strongly advise you to follow them if you aren't already. The experts are the following:
Iftach Ian Amit - Security Art VP Business Development - @iiamit
Luis Corrons - PandaLabs Technical Director - @Luis_Corrons
David Harley - Eset Anti-malware researcher/author - @DavidHarleyBlog
Mikko H. Hypponen - F-Secure Chief Research Officer - @mikko
Paolo Milani - isecLAB Malware/Threat researcher - @paolo_milani
David Sancho - Trend Micro Senior Malware Researcher - @dsancho66
Steve Santorelli - Team Cymru Malware/Threat Researcher - @teamcymru
Lenny Zeltser - Savvis Security Consultant & Malware/Threat Researcher - @lennyzeltser
Note: Mr. Harley did not have much time as he was travelling, but succeeded in providing me answers anyway. Thanks !
Iftach Ian Amit provides us with the difference between an exploit kit and a crimeware kit:
The exploit kits are usually focused on serving the attack vector of drive-by downloads and browser exploitations where criminals "reach out" to get their victims abused. An example for an exploit kit is Mpack, IcePack, Neosploit, etc…
The crimeware kits (or more specifically the Trojan kits) serve the more persistent part of the attack and are the ones being deployed after the exploit kit managed to gain access to the victim's system. Trojan kit examples are Limbo, ZeuS, SpyEye, Sinowal, etc…
Now, time to fire off those questions ! Each expert will give their opinion and elaborate.
a) Let us start with a basic question. What is, in your opinion, an exploit kit ? Which features does it have and which risks pose they?
Iftach Ian Amit:An exploit kit specifically is an aggregation of "weaponized" exploits geared towards ease of use in deployment. These usually have a basic installation script (DB backed), and a management interface. Some exploit kits include multiple-user support and a granular permission system to allow users from different "groups" to manage their own data. The exploit kit does NOT contain a payload (usually a Trojan, Spyware, or a rootkit), but allows the manager to set one up to be used on PCs it successfully exploits.
The risk that exploit kits pose is from an ease-of-use perspective, as they enable even the most non-technical criminal to start utilizing the internet as a venue for their fraud.
Luis Corrons:It is a “kit for infecting computers for dummies.” Pretty popular nowadays, we are just talking about a software package very easy to use, that enables anyone to create their infection spread platform. They come with a number of exploits for different software, they usually include tech support & updates (if you pay for it), statistics, etc. You can even decide which users you want to infect (per country, language, etc.) and some also include a module to infect websites injecting iframes which will point to the exploit kit server, where the software is installed and where the exploits are launched from.
David Harley:I’d actually favour quite a lax definition: some “exploit kits” are not much more than Proof of Concept code that illustrates a vulnerability. Not that information about a vulnerability is a trivial issue. In fact we had to be rather careful in our research into Stuxnet not to make too much information available about currently unpatched vulnerabilities that we’ve turned up during our analysis work, though it’s difficult to strike a balance between releasing enough generally useful information and too much info for comfort. The prompt take-up of the CVE-2010-2568 vulnerability originally found in Stuxnet by other malware families illustrates the problem.
The risks here are generally indirect as far as the user is concerned: they depend on the ability of criminals to turn a specific kit to their advantage: however glamorous the bug, it can still be the quality of the social engineering that makes it successful.
Mikko H. Hypponen:An exploit kit is a collection of multiple exploits, targeting various different vulnerabilities. Most of these focus on drive-by-attacks, targeting web surfers.
Paolo Milani:I think an exploit kit can be all sorts of different things, and will become yet more varied as time goes by. Cybercrime is developing into a service economy, with many specialized actors with completely different levels of technical sophistication, and different levels of involvement into illegal activities, who provide services to one another. So some people develop and sell 0-days, others operate and rent botnets, and others provide software tools for different parts of this ecosystem, from ready-to-use bot code to tools for drive-by download exploits or blackhat search engine optimization. Any of these software tools can in the wider sense be called "exploit kits".
David Sancho:Exploit kits are web front-ends whose main objective is to infect the users when they access the page. In order to do this, they identify the user's browser and send the right exploits to make sure they get infected. In addition to this, modern exploits have logging capabilities that crunch the numbers so that the owner can see how many users have been infected, what country they were coming from, what vulnerabilities are the most successful ones and other similar items.
Exploit kits ultimately mean that a criminal can put up a malicious web site to infect users. They can do this with a minimal programming effort, with low cost and with good reporting stats that will allow them to tweak their attacks to maximize the number of infections.
These are similar to botnet kits, which allow the criminals to create botnets. Botnet kits have both server and client side and can be customized so that the information they steal from the victim's pc is automatically reported to the command and control console so that the botnet's owner can access it. Botnet kits have automated botnet creation and maintenance in such a way that it has impulsed malware growth enormously. Proliferation of malware is in part due to the ease which criminals have access to automated tools to infect new victims.
Steve Santorelli:A package that contains everything needed to infect and leverage those infected machines without needing to know much coding, if any. One of the major problems is that this enables a far broader base of criminals to adopt and use these kits as a lack of technical knowledge is no longer a barrier. There is also often centralized, highly reactive and highly experienced development and technical support available to the exploit kit users. Advertising, pricing and reputation all come into play here, just as with any other type of sales 'in real life'.
Lenny Zeltser:An exploit kit is a toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser. Common exploit targets have been vulnerabilities in Adobe Reader, Java Runtime Environment and Adobe Flash Player.
A key characteristic of an exploit kit is the ease with which it can be used even by attackers who are not IT or security experts. The attacker doesn’t need to know how to create exploits to benefit from infecting systems. Further, an exploit kit typically provides a user-friendly web interface that helps the attacker track the infection campaign.
Some exploit kits offer capabilities for remotely controlling the exploited system, allowing the attacker to create an Internet crimeware platform for further malicious activities.
b) Do you suspect that the phenomena of an exploit kit disabling one another, will appear more? In other words, do you think the authors of these kits will more and more start to target each other to infect more users or to steal each other's botnets?
Iftach Ian Amit:I'm assuming here you either refer to Trojan-builders or auto-pawn tools (which infect legitimate websites with the malicious code from exploit kits). These two tool categories have shown over the last few years (at least 3-4 years from my personal experience) that the competition is fierce in the online criminal world, as they have been added with features to disable/uninstall "competing" tools.
I'm definitely expecting the competition in the Trojan market to step up in terms of gaining more marketshare - especially if it’s affecting a competing botnet.
Luis Corrons:We have seen malware disabling other malware since a long time ago. Some of you may remember the fight that the Netsky and Bagle authors had 6 years ago, they were at that time creating some variants that were disabling or uninstalling each other’s malware. The exploits kits are used to install malware, so from a criminal point of view it is useful to remove other malware that is present there and could interfere with their business.
David Harley:I don’t know if it will increase, but it’s not unlikely: piggybacking and botnet theft have long been prevalent at the malicious application level, and it makes sense that such targeting is seen as a selling point for exploit kits too.
Mikko H. Hypponen:Exploit kits are often commercial in the sense that they are being sold in the underground between hackers. This means that there's concrete competition between these criminals. As a result we do see cases where particular attacks will try to disable previous attacks from a machine in order to gain control of them.
Paolo Milani:That's quite possible, we've seen this back in the day of network worms that were scanning for each other's backdoors. Also, security researchers have been known to take over botnets that do not use strong authentication for bot commands. However, in the future I expect increasing professionalism and sophistication on the part of the bot masters, who I think will more and more use standard cryptography or other sound technical means to ensure they maintain control of their bots.
David Sancho:Botnet kits have had a tendency lately of disabling each other. This is possibly a sign of rivalry between the programmers of each kit. Stealing other botnet's clients is definitely a possibility and if they haven't thought of it, they will pretty soon. I actually think this will become commonplace because once a bot takes over a victim machine, if it was previously infected, that bot belongs to both botnets. Checking this eventuality and preventing it purely denies competing botnets access to their own resources.
Steve Santorelli:SpyEye has had a 'Kill Zeus' option for a while now. Most evolution of tools and techniques in the Underground Economy is driven by business/economic need and a desire to maintain a low risk and high reward ratio. As such if you approach a position where the majority of infect-able machines are already infected, it's logical to assume that miscreants will start to fight over the pool of available machines: they are making good money so they won't stop just because it's becoming slightly harder to do business.
They will adapt and overcome: we see this constantly in the Underground Economy.
Lenny Zeltser:I may be defining an exploit kit more narrowly than how you use the term. In my mind, the exploit kit is the launching platform used to deliver other payload, which may include a bot, a backdoor, spyware or another type of malware. In this context, exploit kit authors and distributors compete for customers.
Overall, it’s not uncommon for criminals of all shapes and sizes to battle one another for control. I’m not surprised we’re seeing such battles in the Internet world as well. Though there are a lot of potential targets for competing attackers to infect, it’s natural for the attacker to wish to assert full control over newly-compromised system. If the host is already infected, the new attacker will need to remove the presence of a competing entity. It’s a variation of a children’s game called King of the Hill, though obviously with more severe repercussions.
c) More and more exploit kits are sold in underground forums, which is increasing the use of these kits. Do you expect that the source of attacks will be more widespread, i.e. more countries getting involved instead of the traditional ones? (Russia, China, ..)
Iftach Ian Amit:Definitely - even the forums are opening up more and more to members that are not specifically from the "local" countries. We have been seeing that in the pricing models used for selling such tools (speaking Russian/Chinese usually means a lower price), as well as in the openness tosell to foreigners that identify themselves as such (whereas in the past you had to "prove" some locality to get the really tricked up kits).
This, in addition to more criminal venues finding the online market a major additional revenue source, and the limping economy which brings more people to try and find ways to make a quick buck, is a sure way to see continued growth in the popularity of exploit kits and Trojan creation/management kits.
Luis Corrons:This should makes us think a few things. It seems that if you are a good developer and you’re living in the US, Europe or Japan, you’d work any good IT company that will pay you really well. But if you are living in China or Russia, and you need food to eat, for you and your family, and you are a really good developer but with no choice to work for an IT company, what would you do? Those are the guys that can make a lot of money developing these kits and selling them, it’s an easy way to make a lot of money really fast.
So answering the question, even though these attacks happen everywhere, and from each and every country, I don’t think we’ll see anytime soon a major change in the actual situation where certain countries are the ones attacking the most. Explanation: Easy money + little risk + no other choices
David Harley:While certain kinds of attack are particularly and popularly associated with certain regions, I don’t actually think that regionalization has ever been such a hard and fast issue, and in a depressed economic climate the old differences between hobby malware and malware for profit have tended to dissipate, and I’d expect the trend to be upward.
Mikko H. Hypponen:We do expect most of these kits continue to be from the usual suspects. Russia, Ukraine, Belarus, China etc.
Paolo Milani:Hard to say. I think this type of patterns can also change dramatically with the legal and regulatory framework around the internet and internet crime in individual countries (like the recent change in the domain registration policies in china).
David Sancho:This is already happening. The Mariposa botnet surfaced in February 2010 in Spain, which is a country not normally tied to these kinds of attacks. There have been other instances of new botnets surfacing everywhere else and this is no doubt caused by the wide availability of botnet kits and other software designed to make criminals' lives easier.
Steve Santorelli:We are already seeing it: miscreants from multiple countries and regions, all co-operating irrespective of any cultural, language or even religious differences that might separate them in real life: they are all primarily and overwhelmingly interested in making money whilst maintaining a low risk and high reward equation.
Lenny Zeltser:I haven’t researched geographic patterns associated with the usage of exploit kits. Certainly some of the toolkits are developed and marketed in a specific country and, therefore, will be used more widely by attackers who speak that language or who hang out in those forums. However, the “beauty” of exploit kits is that they can be developed in Country A, sold in Country B, and used in Country C to attack Country D by using systems hosted in Country E. My point is that it’s hard to attribute malicious activity to actors located in a particular country by simply looking at IP addresses observed during the immediate attack.
d) Additionally, the kits are getting cheaper and more options are available. Is it acceptable to presume that more and more users with low or no technical skills will use these kits for profit? For example look at the Mariposa case, where the botnet operators had little knowledge about technical subjects.
Iftach Ian Amit:Of course. In a lot of the cases that we have been seeing, the botnet herder wasn't really technically savvy. The kits are designed to focus on the "business" side of things and takes care of all the major technical aspects of running a successful botnet. As I mentioned before, criminal operations that seek to enter the online market find it very easy to just buy a kit, have a few henchmen run it, and if needed take the fall for it (see Mariposa again).
Luis Corrons:Yes, of course, these packages are point – and click, as I was saying it is for dummies, you don’t need to be an expert, not even an average user to learn how to use them.
David Harley:I’d agree with that, in general.
Mikko H. Hypponen:Yes, most of the exploit kit customers have limited technical skills and would be unable to create the exploits themselves.
Paolo Milani:Yes, I think this is part of the specialization of the industry. More technologically savvy actors develop malicious software, which in many countries is not in and of itself a crime. Other actors, who may not be as technically competent but are more willing to take risks, actually go out and use the software to commit crimes.
David Sancho:Exactly. I don't even think the cost is a factor anymore. Zeus is a very popular botnet kit that is not precisely cheap but a resourceful criminal can amortize the cost in no time. This is becoming such a bountiful market that a high license fee, say between $5,000 and $10,000, is a reasonable investment for cybercriminals.
Steve Santorelli:Yes, as answered in a), this is one of the major problems - it is a package that contains everything needed to infect and leverage those infected machines without needing to know much coding. This enables a far broader base of criminals to adopt and use these kits as a lack of technical knowledge is no longer a barrier.
Lenny Zeltser:Indeed, the ease of use and affordability of exploit kits makes it possible even for people with low technical skills to become a “hacker,” be it for profit, politics or other reasons.
e) And, last but not least, how can we prevent these exploit kits to spread and what are the best practices for users to protect themselves against mischief?
Iftach Ian Amit:Fortunately, most of the kits do not contain 0-day exploits. Unfortunately, most home (as well as business) users do not patch their systems and are left an easy prey for those kits. It's a combined effort from both software vendors to quickly patch (and test!) their software, as well as users to be more responsible in terms of making sure they are running the latest version of the software available to them. The numbers speak for themselves, and right now most kits have a good enough success rate without the true need for 0-days in them. If the status-quo will change and we will see more resilient software that updates itself quickly and seamlessly, as well as users that demand a secure operating environment, the exploit kits would have a hard time maintaining their reign over us.
Luis Corrons:Most of the exploit kits use known exploits that are not 0-day, so that means that there is a patch for each one. If people would patch, which means to update each and every piece of software installed in a computer, the kits would be useless.
David Harley:I don’t see this as (primarily) an area in which users can do much except to take the usual precautions (sound security software properly updated, patching, caution against social engineering and so on.) The most effective preventative measures are almost invisible to end users: anti-malware technology, of course, but also at the level of cooperation with law enforcement, ISPs and so forth at an international level, takedown of exploit resources, unobtrusive monitoring of new families and trends, etc.
Mikko H. Hypponen:Security companies must be very active in gaining access to the latest versions of various kits and then build generic detections against all the exploits they can generate. Alternatively, generic exploit-detection technologies help.
Paolo Milani:I'm not sure we can prevent exploit kits from spreading. Insofar as they are traded on mostly open forums, security practitioners can do some amount of monitoring of what happens in these markets (see recent work at our lab: http://seclab.tuwien.ac.at/papers/underground_dimva.pdf).
Once the bad guys take the trading onto private channels, nothing short of police infiltration can really make a dent, and we know how hard that is across national jurisdiction boundaries.
David Sancho:Botnet kits and exploit kit sales happen in the underground so it's key that security companies keep an eye on what's happening there. Law enforcement agencies around the world are especially keen on apprehending the criminals so it's in their own interest that information flows. This is already happening and security professionals gather in private and public forums to exchange intelligence so that we can be on top of the attacks as soon as they happen.
From the user's perspective, if they don't want to become a victim they need to be aware of the tactics that the criminals use to infect and always be protected with an antivirus suite.
Steve Santorelli:Wow - this answer would take up a book. At a basic, user level, follow our tips here:
http://www.team-cymru.org/ReadingRoom/Tips/. At a network Administrator level, ping us at outreach[AT]cymru[DOT]com... We've got over 30 different community services that we offer at no cost that can help network admins protect their users but above all: DON'T PANIC and leverage the IT Security Community to help you. Some very smart folks (much smarter than me) have been working to combat these problems for years and they relish the opportunity to help anyone else who is willing to fight the good fight!
Lenny Zeltser:Though some exploit kits target zero-day vulnerabilities, a large number of exploits go after vulnerabilities for which patches exist. End-users and organizations should look closely at how they keep up with security patches on the desktop. End-users at home can use auto-update mechanisms of the targeted applications or specialized tools such as Secunia PSI. Enterprise environments should use automated tools to identify vulnerable systems, install relevant patches and validate that the patches are installed. It’s also important to lock down the environment so that when an individual system is affected, the attack is contained and discovered quickly.
I think we may come to the conclusion that Exploit Kits these days are easy-to-use and as one expert said; "it is a kit for infecting computers for dummies.” They usually exist of web front-ends to infect the user.
Will malware authors be targeting each other ? This is of course hard to predict, but it might be more common in the future.
A new development is however happening, as posted by Brian Krebs:
"Leading malware developers within the cyber crime community have conspired to terminate development of the infamous ZeuS banking Trojan and to merge its code base with that of the up-and-coming SpyEye Trojan, new evidence suggests."
Will the attacks be more wide spread ? Yes, most experts think it will. One expert noted:
"However, the “beauty” of exploit kits is that they can be developed in Country A, sold in Country B, and used in Country C to attack Country D by using systems hosted in Country E. "
Will more and more users with bad intentions use these kits for profit ?
Yes, as been said before, take a look at the Mariposa case. The botnet herders weren't exactly technical savvy - the ease of use "is part of the specialization of the industry." Also, "The kits are designed to focus on the "business" side of things and takes care of all the major technical aspects of running a successful botnet."
How can we protect ourselves and which countermeasures can we take against these kits ?
The answer is: PATCH PATCH PATCH. Keep your Operating System up-to-date and use an Antivirus with a strong Firewall.
"Security companies must be very active in gaining access to the latest versions of various kits and then build generic detections against all the exploits they can generate. Alternatively, generic exploit-detection technologies help."
"Law enforcement agencies around the world are especially keen on apprehending the criminals so it's in their own interest that information flows. This is already happening and security professionals gather in private and public forums to exchange intelligence so that we can be on top of the attacks as soon as they happen."
Security companies must work together, cooperate, unite even, against these kits and the authors/operators behind it:
"The most effective preventative measures are almost invisible to end users: anti-malware technology, of course, but also at the level of cooperation with law enforcement, ISPs and so forth at an international level, takedown of exploit resources, unobtrusive monitoring of new families and trends, etc."
I would like to thank the experts for their time and of course their professional insight on the subject.
I currently work at Panda Security as a Technical Support Engineer. Obviously, my main interest lies in Malware Research.
If you would like to learn more, don't hesitate to contact me on Twitter:
Thank you for reading and until next time.