Getting to the root of exploit kits

Hadi Jaafarawi, managing director, Qualys ME, demystifies this old but still potent cyber threat

Jaafarawi: "The accessibility and user friendliness of root kits is an area of concern."

By Hadi Jaafarawi. Published September 21, 2016

Exploit kits have been in existence for close to 10 years now, yet many people still do not fully understand how they function.

At its core, an exploit kit is a tool that cyber criminals use to take advantage of flaws in your system and infect it with malware. It works in three stages: first it scans the victim's system for vulnerabilities, second it downloads suspect code, and finally it executes and installs the malware. Such kits typically target web browsers and popular programs such as Adobe Reader, the Java Runtime Environment and Adobe Flash Player. Once a system has been penetrated, root kits can force it to behave abnormally and disrupt activity in the software, hardware and all other electronic components.

The accessibility and user friendliness of exploit kits is also an area of concern, since hackers can easily buy or rent them to attack the computers of users who land on their rogue websites via phishing campaigns, malicious ads or compromised web pages. Once in command of compromised devices, hackers steal data for identity theft, hijack online accounts, demand money to decrypt files (ransomware), and so on.

For these reasons we have seen the popularity of exploit kits explode recently amongst attackers, and their technical sophistication skyrocket, to the dismay of CISOs. The names of the notorious ones are well documented: Angler, BlackHole, Neutrino. They have victimised millions of individuals and organisations over the years. Unfortunately the exploit kit threat is intensifying: their convenience and effectiveness make them one of hackers' preferred weapons, because they let criminals automate the exploitation of vulnerabilities and carry out malware infection attacks on a massive scale.

In 2015's fourth quarter, the number of visits to exploit kit-related URLs that were blocked by Trend Micro products surged, doubling year-on-year. With exploit kits becoming more destructive, it is critical that organisations fix their IT assets' vulnerabilities. Remediating vulnerabilities offers the best protection against cyber-attacks, especially those leveraging exploit kits. Here is why: when deciding which vulnerabilities to address immediately, IT departments must crunch and correlate mounds of internal and external threat data and weigh multiple risk criteria. One element that should uniformly affect this prioritisation calculation is whether a vulnerability is included in a known exploit kit.
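To make the prioritisation calculation concrete, the following added example (not code from the article or from Qualys) ranks a constructed vulnerability inventory by a weighted risk score in which CVSS is the base, internet exposure and spread across assets are modifiers, and membership in a known exploit kit is a strong multiplier. The kit names, CVE identifiers and scores are all constructed placeholders; in practice the exploit-kit mapping would come from an external threat-intelligence feed.

```python
"""Rank vulnerabilities for remediation, boosting those bundled in exploit kits.

Added illustration for the article above, not Qualys code. Every CVE id,
score, asset name and kit name here is constructed sample data.
"""
from dataclasses import dataclass

# Constructed mapping of (hypothetical) exploit kits to the CVEs they bundle.
# A real deployment would load this from a threat-intelligence feed.
EXPLOIT_KIT_CVES = {
    "KitA": {"CVE-0000-1001", "CVE-0000-1003"},
    "KitB": {"CVE-0000-1003"},
}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float          # CVSS base score, 0.0 to 10.0
    asset: str
    internet_facing: bool
    asset_count: int     # how many hosts share this finding


def kits_using(cve):
    """Return the sorted names of kits known to weaponise this CVE."""
    return sorted(kit for kit, cves in EXPLOIT_KIT_CVES.items() if cve in cves)


def risk_score(finding):
    """Weighted risk: CVSS base, then exposure and spread modifiers, then a
    2x boost for exploit-kit inclusion (plus 0.5x per additional kit)."""
    score = finding.cvss
    if finding.internet_facing:
        score *= 1.5
    # Up to 2x for findings spread across many hosts (capped at 50 hosts).
    score *= 1 + min(finding.asset_count, 50) / 50
    kits = kits_using(finding.cve)
    if kits:
        score *= 2 + 0.5 * (len(kits) - 1)
    return round(score, 2)


def prioritise(findings):
    """Highest risk first; ties broken by CVE id for a stable report."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.cve))


# Constructed inventory: note that the 9.8 CVSS finding is NOT in any kit.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-1001", 6.5, "workstation-pool", False, 10),
    Finding("CVE-0000-1002", 9.8, "web-01", True, 1),
    Finding("CVE-0000-1003", 7.5, "vpn-gw", True, 3),
    Finding("CVE-0000-1004", 4.3, "print-server", False, 1),
]


def remediation_report(findings=SAMPLE_FINDINGS):
    """Return (cve, score, kits) tuples in remediation order."""
    return [(f.cve, risk_score(f), kits_using(f.cve)) for f in prioritise(findings)]


if __name__ == "__main__":
    for cve, score, kits in remediation_report():
        print(f"{cve}  risk={score:6.2f}  kits={','.join(kits) or '-'}")
```

Run as a script, the report puts the two kit-bundled CVEs ahead of the CVSS 9.8 finding, which is the point of the weighting: a vulnerability an attacker can exploit at scale with a rented kit is a more urgent fix than a higher-scored one that nobody is currently exploiting.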

While the task may sound daunting, there are a number of steps security teams can take to help protect their networks against exploits. One of the most effective is taking a preventative approach rather than a reactive one. This means having a robust vulnerability management solution in place that constantly detects and thwarts attacks whenever and wherever they appear. Paying close attention to suspicious activity is also necessary: although rootkits do not actively signal that you are compromised, there are ways to tell. If you have received reports from various sources that you are sending out spam, the chances are high that your system has been infected by a botnet, which is a direct result of a rootkit.

An additional simple, yet tried and true method is turning your machine off after it has been infected. In doing so, you can prevent the malware from spreading and causing further damage. This gives you adequate time to assess the next best course of action. For those who are more technically inclined, memory dumping is also an option. You can force a memory dump of the infected system that will capture any running rootkit. The dump can then be examined with a debugging tool. During this offline analysis the rootkit cannot conceal its actions and will be identified, enabling you to take the necessary steps to remove the malicious program completely.

In short, when prioritising IT asset remediation work, all information security team members must stay informed about what is going on in the Internet's sinister corners where these software packs sprout. While it is difficult to completely avoid exploit kit attacks, one of the most effective ways of thwarting them is remediating the vulnerabilities they try to leverage, neutralising risks before they spiral out of control.
