What is an Exploit Kit?

An exploit kit is a malicious toolkit that automates the exploitation of client-side vulnerabilities, usually targeting browsers and programs that a website can invoke through the browser. Common exploit targets have included vulnerabilities in Adobe Acrobat Reader, Java Runtime Environment and Adobe Flash Player. Security professionals might not agree on the exact definition of an exploit kit, as evidenced by Blaze's Botnet Wars Q&A, but they agree on the general characteristics of this type of malware. Here's my perspective on the nature of such attack tools.

Characteristics of Exploit Kits

A key characteristic of an exploit kit is the ease with which it can be used even by attackers who are not IT or security experts. The attacker doesn't need to know how to create exploits to attack systems by purchasing or otherwise obtaining an exploit kit from a third party. Furthermore, an exploit pack typically provides a user-friendly web interface that helps the attacker track the infection campaign.

The functionality of an exploit kit tends to focus on compromising systems to run malicious payload of the attacker's choice on the victim's computer. For example, malware that an exploit kit delivers might have the ability to remotely control exploited systems, creating a botnet for further malicious activities. For an overview of the key characteristics of some exploit kits, see Mila's Overview of Exploit Packs, which includes a spreadsheet of historical exploit kit features.

To increase the duration for which the exploits and the websites hosting exploit kits remain unknown to security researchers, exploit kit developers often incorporate analysis evasion tactics into their creations. For instance, malicious JavaScript running inside a browser can probe certain aspects of its runtime environment, looking for artifacts associated with malware analysis tools. Such exploit kits will not attack if they get "spooked" by the presence of such tools, as discussed in Minerva Lab's report on this topic.

Some of exploit kits are developed and marketed in a specific country and, therefore, will be used more widely by attackers who speak that language or who hang out in those forums. However, the "beauty" of exploit kits is that they can be developed in Country A, sold in Country B, and used in Country C to attack Country D by using systems hosted in Country E. As the result, is that it's hard to attribute malicious activity to actors located in a particular country by simply looking at IP addresses observed during the immediate attack.

Competing for Customers

Exploit kits are often developed by financially-motivated criminal organizations. These groups compete for customers based on several attributes, such as the frequency with which exploits are updates and how easy it is to set up and conduct attack campaigns. Commercial exploit kit developers even provide customer service to their clients. In some cases, miscreants specialize on using exploit kits to infect systems, earning money for every compromise.

The ease of use and affordability of exploit packs makes it possible even for people with low technical skills to become a "hacker," be it for profit, politics or other reasons. The user friendliness of the control interface of the exploit kit might be one a market differentiator, helping it stand out from the competition.

It's not uncommon for criminals of all shapes and sizes to battle one another for control. Though there are a lot of potential targets for competing attackers to infect, it's natural for the attacker to wish to assert full control over newly-compromised system. If the host is already infected, the new attacker will need to remove the presence of a competing entity. It's a variation of a children's game called King of the Hill, though obviously with more severe repercussions.

Resisting Exploit Kit Attacks

Though some exploit packs target zero-day vulnerabilities, a large number of exploits go after vulnerabilities for which patches exist. For some examples of the vulnerabilities exploited by exploit kits, take a look at the Malware Don't Need Coffee blog.

End-users and organizations should look closely at how they keep up with security patches on the desktop. End-users at home should use auto-update mechanisms of the targeted applications as well as enable auto-update capabilities built into the OS, such as Windows Update and macOS App Store.

Enterprise environments should use automated tools to identify vulnerable systems, install relevant patches and validate that the patches are installed. It's also important to lock down the environment so that when an individual system is affected, the attack is contained and discovered quickly. Countermeasures should also include exploit mitigation measures built into the OS and antivirus tools. (The product for which I'm responsible at Minerva Labs, our Anti-Evasion Platform, is effective at repelling evasive exploit kit attacks, among others.)


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more