An exploit kit is a tool used for automatically managing and deploying exploits against a target computer. Exploit kits allow attackers to deliver malware without having advanced knowledge of the exploits being used. Browser exploits are typically used, although they may also include exploits targeting common software, such as Adobe Reader, or the operating system itself. Most kits are written in PHP. [1]
Exploit kits are often sold on the black market, both as standalone kits, and as a service.
Some of the first exploit kits were WebAttacker and MPack, both created in 2006. They were sold on black markets, enabling attackers to use exploits without advanced knowledge of computer security. [2] [3]
The Blackhole exploit kit was released in 2010, and could either be purchased outright, or rented for a fee. [4] Malwarebytes stated that Blackhole was the primary method of delivering malware in 2012 and much of 2013. [5] After the arrest of the authors in late 2013, use of the kit sharply declined. [5] [6] [7]
Neutrino was first detected in 2012, [8] and was used in a number of ransomware campaigns. It exploited vulnerabilities in Adobe Reader, the Java Runtime Environment, and Adobe Flash. [9] Following a joint operation between Cisco Talos and GoDaddy to disrupt a Neutrino malvertising campaign, [10] the authors stopped selling the kit, deciding to only provide support and updates to previous clients. Despite this, development of the kit continued, and new exploits were added. [11] As of April 2017, Neutrino activity ceased. [12] On June 15, 2017, F-Secure tweeted "R.I.P. Neutrino exploit kit. We'll miss you (not)." with a graph showing the complete decline of Neutrino detections. [13]
From 2017 onwards, the usage of exploit kits has dwindled. There are a number of factors which may have caused this, including arrests of cybercriminals, improvements in security making exploitation harder, and cybercriminals turning to other methods of malware delivery, such as Microsoft Office macros and social engineering. [14]
There are many systems that work to protect against attacks from exploit kits. These include gateway anti-virus, intrusion prevention, and anti-spyware. Such protections are also offered as subscription services with continuous updates, which helps subscribers defend themselves against newly added exploits. [15]
The general process of exploitation by an exploit kit is as follows:
Exploit kits employ a variety of evasion techniques to avoid detection. Some of these techniques include obfuscating the code, [17] and using fingerprinting to ensure malicious content is only delivered to likely targets. [18] [1]
Modern exploit kits include features such as web interfaces and statistics, tracking the number of visitors and victims. [1]
Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.
This timeline of computer viruses and worms presents, in chronological order, noteworthy computer viruses, computer worms, Trojan horses, similar malware, and related research and events.
Cybercrime encompasses a wide range of criminal activities that are carried out using digital devices and/or networks. These crimes involve the use of technology to commit fraud, identity theft, data breaches, computer viruses, scams, and other malicious acts. Cybercriminals exploit vulnerabilities in computer systems and networks to gain unauthorized access, steal sensitive information, disrupt services, and cause financial or reputational harm to individuals, organizations, and governments.
Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.
ESET, s.r.o., is a software company specializing in cybersecurity. ESET's security products are made in Europe and provide security software in over 200 countries and territories worldwide. Its software is localized into more than 30 languages.
Ransomware is a type of cryptovirological malware that permanently blocks access to the victim's personal data unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
Malwarebytes is anti-malware software for Microsoft Windows, macOS, ChromeOS, Android, and iOS that finds and removes malware. Made by Malwarebytes Corporation, it was first released in January 2006. It is available in a free version, which scans for and removes malware when started manually, and a paid version, which additionally provides scheduled scans, real-time protection and a flash-memory scanner.
Malwarebytes Inc. is an American Internet security company that specializes in protecting home computers, smartphones, and companies from malware and other threats. It has offices in Santa Clara, California; Clearwater, Florida; Tallinn, Estonia; Bastia Umbra, Italy; and Cork, Ireland.
Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and Alexey De-Monderik. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.
Bleeping Computer is a website covering technology news and offering free computer help via its forums that was created by Lawrence Abrams in 2004. It publishes news focusing heavily on cybersecurity, but also covers other topics including computer software, computer hardware, operating systems and general technology.
Malvertising is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like. Malvertising is "attractive to attackers because they 'can be easily spread across a large number of legitimate websites without directly compromising those websites'."
The Blackhole exploit kit was, as of 2012, the most prevalent web threat, where 29% of all web threats detected by Sophos and 91% by AVG are due to this exploit kit. Its purpose is to deliver a malicious payload to a victim's computer. According to Trend Micro the majority of infections due to this exploit kit were done in a series of high volume spam runs. The kit incorporates tracking mechanisms so that people maintaining the kit know considerable information about the victims arriving at the kit's landing page. The information tracked includes the victim's country, operating system, browser and which piece of software on the victim's computer was exploited. These details are shown in the kit's user interface.
HackingTeam was a Milan-based information technology company that sold offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations. Its "Remote Control Systems" enable governments and corporations to monitor the communications of internet users, decipher their encrypted files and emails, record Skype and other Voice over IP communications, and remotely activate microphones and cameras on target computers. The company has been criticized for providing these capabilities to governments with poor human rights records, though HackingTeam states that they have the ability to disable their software if it is used unethically. The Italian government has restricted their licence to do business with countries outside Europe.
Marcin Kleczynski is the chief executive officer (CEO) and co-founder of American Internet security company, Malwarebytes. After a period working as a computer repair technician and being involved in forums in the mid-2000s, Kleczynski co-founded Malwarebytes with Bruce Harrison in January 2008. By 2014, Malwarebytes had treated over 250 million computers worldwide, with a range of popular products including Malwarebytes Anti-Malware, Malwarebytes Anti-Exploit, and more recently, advanced anti-ransomware package Endpoint Security. Kleczynski was named one of Forbes Magazine's "30 Under 30" Rising Stars of Enterprise Technology in 2015.
DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017. The tool infected more than 200,000 Microsoft Windows computers in only a few weeks, and was used alongside EternalBlue in the May 2017 WannaCry ransomware attack. A variant of DoublePulsar was first seen in the wild in March 2016, as discovered by Symantec.
ZeuS Panda, Panda Banker, or Panda is a variant of the original Zeus under the banking Trojan category. It was discovered in 2016 in Brazil around the time of the Olympic Games. The majority of the code is derived from the original Zeus trojan, and maintains the coding to carry out man-in-the-browser, keystroke logging, and form grabbing attacks. ZeuS Panda launches attack campaigns with a variety of exploit kits and loaders by way of drive-by downloads and phishing emails, as well as by hooking internet search results to infected pages. Stealth capabilities make not only detecting but also analyzing the malware difficult.
Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian or Ukrainian, who target organizations rather than individual consumers.
Clop is a cybercriminal organization known for its multilevel extortion techniques and global malware distribution. It has extorted more than $500 million in ransom payments, targeting major organizations worldwide. Clop gained notoriety in 2019 and has since conducted high-profile attacks, using large-scale phishing campaigns and sophisticated malware to infiltrate networks and demand ransom, threatening to expose data if demands are not met.
BlackCat, also known as ALPHV and Noberus, is a ransomware family written in Rust. It made its first appearance in November 2021. By extension, it is also the name of the threat actor(s) who deploy it.