Exploit kits attack vector – mid-year update

It is very interesting to see how short the lifespan of an exploit kit is. Some kits that were once popular and infected thousands of users are no longer being used. Even more interesting is the fact that some old kits make a comeback rearmed with fresh new exploits and reach the top of the rankings in serving malware.

However, the most interesting area of study is how current exploits are used and their targets.

2010

In order to get some perspective, let?s start by analyzing the situation in 2010. The most common exploit kits last year were:

1. Phoenix
2. Eleonore
3. Neosploit
4. YESExploitKit
5. SEOSploitPack

However, by the end of 2010 there was a rapid decline in the use of Phoenix and an increase in the number of malicious servers serving NeoSploit.

By analyzing the vulnerabilities targeted by these exploit kits, we can infer the main attack vector:

The main point here is not the static picture but the dynamic one. In this case, Java vulnerabilities managed to climb to 3rd place in just one year. 40% of all new exploits used by the top five kits in 2010 targeted Java. According to my colleague Dan Guido, 11 out of the 15 top kits included at least one Java exploit and seven out of the top 15 kits included more than one.

Let?s contrast this information with some more data. According to Microsoft Malware protection center, last year there was a peak in Java exploitation attempts:

Source: arstechnica.com/business/news

Our own records point to a similar situation. Here you can see the creation of Java-related signatures in response to these detected threats:

These exploitation attempts were detected in our customer base as well:

The question is: why Java? I have been pondering this for some time, but the answer came after attending Dino Dai Zovi?s keynote presentation at SOURCE Conference. It was so obvious! The answer is that Java exploits are the easiest way to bypass OS security countermeasures. An image is worth a thousand words in this case:

2011

What is the situation so far this year? Has anything changed? Some things have, namely the top exploit kits for the first half of the year:

Two new players have emerged: BlackHole and Incognito. Let?s see what they target.

BlackHole:

• CVE-2010-1885 HCP
• CVE-2010-1423 Java Deployment Toolkit insufficient argument validation
• CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
• CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
• CVE-2010-0840 Java trusted Methods Chaining Remote Code Execution Vulnerability
• CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
• CVE-2009-0927 Adobe Reader Collab GetIcon
• CVE-2008-2992 Adobe Reader util.printf
• CVE-2007-5659 Adobe Reader CollectEmailInfo
• CVE-2006-0003 IE MDAC

Basically, we have here the usual things that almost all kits include, the only difference being the first two vulnerabilities – CVE-2010-1885 and CVE-2010-1423. The latter of these two targets Java.

What about Incognito? Here is the corresponding list:

• CVE-2010-1885 HCP
• CVE-2010-1423 Java Deployment Toolkit insufficient argument validation
• CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
• CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
• CVE-2009-0927 Adobe Reader Collab GetIcon
• CVE-2008-2992 Adobe Reader util.printf
• CVE-2007-5659/2008-0655 Adobe Reader CollectEmailInfo
• CVE-2006-4704 Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability
• CVE-2004-0549 ShowModalDialog method and modifying the location to execute code

Apart from the last two (CVE-2006-4704 and CVE-2004-0549), this list is exactly the same as the one for BlackHole.

So, what is the verdict? These two kits are not adding anything new to the landscape and are still using the same exploits and targeting Java.

After this review, there are a few conclusions we can reach:

• The reason that Java is becoming the most targeted platform is because it is the easiest way to avoid the main OS protection mechanisms.
• The changes in the Top 5 most widespread exploit kits are not related to the exploits being used.
• There is no need to use valuable zero-days while older vulnerabilities continue to be exploited on unpatched machines.

Cybercriminals are showing once again how much they care about their return on investment and go just as far as they need to stay one step ahead of protection mechanisms. In this case, another well known claim can be applied: security is as strong as the weakest link – Java is the weakest link in this case.

Here at Kaspersky Lab, we will continue to study the landscape for the rest of the year and will closely follow any interesting changes to the attack vectors.