Understanding crimeware exploit kits, fighting Angler
By Wana Tun October 29, 2015
- Exploit kits infect users in a process that can occur completely invisibly
- Enterprises can adopt a multi-pronged approach to protect themselves
The exploit kit business is a malware redistribution network that involves developing exploits, packaging them to work reliably, bringing in traffic, throwing out malware, measuring what’s working, marketing the ‘service,’ and getting paid on results.
In the last few years, exploit kits have been widely adopted by criminals looking to infect users with malware in a process known as a drive-by download, which invisibly directs a user’s browser to a malicious website that hosts an exploit kit.
These exploit kits are packaged with exploit codes and target commonly installed software such as Adobe Flash, Java and Internet Explorer. The kits exploit security vulnerabilities in the installed software to infect the user with malware, and the entire process can occur completely invisibly.
The kits and malicious codes have paved the way for a business model called Crimeware-as-a-Service (CaaS), which provides malware-on-demand to the infected host.
As CaaS can mutate remotely via a command over HTTP, these malicious codes can successfully evade antivirus engines, and they can shield cybercriminals from the law, as the operators may not necessarily conduct direct criminal activities related to the data that is being compromised.
Today, the ‘Angler’ exploit kit is the market leader. Angler has a serious impact on anyone browsing the Web today, and it is extremely prevalent.
First appearing in late 2013, it has significantly grown in popularity in the cyber-underworld. In May 2015, Sophos Labs uncovered thousands of new webpages booby-trapped with Angler landing pages, every day.
Angler has risen above its competitors. In the last eight months, it has had an exponential growth in market share from 25% to 83% and has accounted for more than 75% of malware infections caused by exploit kits.
This could be down to many factors: Higher traffic to Angler-infected pages; exploits with a better hit-rate in delivering malware; slicker marketing amongst the criminal fraternity; and more attractive pricing.
In other words, good returns for the criminals who are buying ‘pay-per-install’ malware services from the team behind Angler.
Anatomy of an Angler attack
Entry point: A user accesses a hijacked website and the malware downloads silently. The user does not know his or her computer is being infected, especially as 82% of malicious sites are legitimate sites that have been hacked.
Distribution: The booby-trapped website sends users to a webpage where a range of different exploits attack the user based on his or her software combination – for example, Windows + Internet Explorer + Safari and Flash.
Exploit: Angler will then attempt to leverage vulnerabilities in the operating system, browser, Java, Flash, PDF reader, media player and other plugins.
Infection: The malware downloads a malicious payload such as Vawtrak, a zombie malware that steals financial data, or ransomware such as CryptoWall or TeslaCrypt to extort money from the user.
Execution: Vawtrak calls the user’s home with sensitive data like credentials, banking or credit card information; ransomware encrypts files and demands a payment for the encryption key.
Why is it difficult to detect Angler?
Angler ensures it remains a moving target, by rapidly switching the hostnames and IP (Internet Protocol) numbers it uses. It trades on (and ruins in the process) the online reputation of legitimate companies by piggybacking on their DNS (Domain Name System) servers.
The crimeware mutates its attack components for each potential victim using a variety of encoding and encryption techniques that bypass naive content filters.
It also hinders security researchers who are tracking it, through tricks such as obfuscation and anti-sandboxing.
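The two evasion traits described above (hostnames whose resolved IP changes rapidly, and legitimate domains whose DNS is abused to spawn throwaway subdomains) leave a footprint in an organisation's own resolver logs. The following is an added example, not code from the article or from Sophos, of a simple heuristic detector over such logs. The log layout (`<ISO timestamp> <queried name> <answer IP>`), the sample lines, the "known hosts" baseline and the thresholds are all constructed for illustration.

```python
"""Heuristic detector for two DNS-level evasion traits: rapid IP churn for one
hostname, and a burst of previously unseen subdomains under a legitimate
registered domain. Input is a constructed resolver log; the field layout is
an assumption for this example, not any vendor's format."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic): "<ISO timestamp> <qname> <answer-ip>"
SAMPLE_LOG = """\
2015-10-29T09:00:01 www.example-news.com 203.0.113.10
2015-10-29T09:00:05 www.example-news.com 203.0.113.10
2015-10-29T09:01:10 a7f3.example-news.com 198.51.100.21
2015-10-29T09:01:12 k9q2.example-news.com 198.51.100.22
2015-10-29T09:01:15 zz81.example-news.com 198.51.100.23
2015-10-29T09:01:20 m4e0.example-news.com 198.51.100.24
2015-10-29T09:02:00 cdn.example-static.net 192.0.2.5
2015-10-29T09:02:30 cdn.example-static.net 192.0.2.6
2015-10-29T09:03:00 cdn.example-static.net 192.0.2.7
2015-10-29T09:03:30 cdn.example-static.net 192.0.2.8
2015-10-29T09:10:00 mail.example-corp.org 203.0.113.40
"""

# Hostnames the organisation has already seen (constructed baseline; in practice
# this would be built from historical logs).
KNOWN_HOSTS = {"www.example-news.com", "cdn.example-static.net", "mail.example-corp.org"}


def parse_dns_log(text):
    """Parse log text into (timestamp, qname, ip) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((ts, parts[1].lower().rstrip("."), parts[2]))
    return records


def registered_domain(qname):
    """Naive registered-domain extraction (last two labels). A real deployment
    would consult the Public Suffix List instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def _burst(events, window_seconds, min_distinct):
    """Return the sorted set of distinct values seen within any window_seconds
    span of (timestamp, value) events, or None if no span reaches min_distinct."""
    events = sorted(events)
    for i, (start, _) in enumerate(events):
        values = {v for ts, v in events[i:] if (ts - start).total_seconds() <= window_seconds}
        if len(values) >= min_distinct:
            return sorted(values)
    return None


def ip_churn(records, window_seconds=600, min_distinct_ips=3):
    """Flag hostnames that resolved to at least min_distinct_ips different
    addresses within window_seconds (the 'moving target' trait)."""
    by_host = defaultdict(list)
    for ts, qname, ip in records:
        by_host[qname].append((ts, ip))
    flagged = {}
    for host, events in by_host.items():
        hit = _burst(events, window_seconds, min_distinct_ips)
        if hit:
            flagged[host] = hit
    return flagged


def subdomain_burst(records, baseline, window_seconds=600, min_new_subdomains=4):
    """Flag registered domains under which at least min_new_subdomains hostnames
    absent from the baseline are queried within window_seconds (the trait of
    piggybacking on a legitimate company's DNS)."""
    by_domain = defaultdict(list)
    for ts, qname, _ in records:
        if qname in baseline or qname == registered_domain(qname):
            continue
        by_domain[registered_domain(qname)].append((ts, qname))
    flagged = {}
    for domain, events in by_domain.items():
        hit = _burst(events, window_seconds, min_new_subdomains)
        if hit:
            flagged[domain] = hit
    return flagged


def analyse(text, baseline=KNOWN_HOSTS):
    """Run both heuristics over raw log text and return the findings."""
    records = parse_dns_log(text)
    return {"ip_churn": ip_churn(records), "subdomain_burst": subdomain_burst(records, baseline)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for key, detail in hits.items():
            print(f"[{kind}] {key}: {detail}")
```

On the constructed sample, the CDN hostname trips the churn heuristic (four addresses in ninety seconds) and the news domain trips the subdomain heuristic (four random-looking labels in ten seconds). Both heuristics also fire on benign infrastructure such as round-robin CDNs and cloud auto-scaling, so in practice they serve as triage signals to be correlated with proxy logs and endpoint telemetry, not as block rules on their own.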
How to safeguard
Enterprises can adopt a multi-pronged approach with these recommended steps:
- Implement a comprehensive security solution with strong protection against exploitation on web applications and vulnerabilities such as cross-site-scripting and cookie tampering.
- Seek multi-layered proven protection that offers the flexibility to choose the level of protection, making it possible to add specifics such as wireless, webserver and endpoint protection, as your needs evolve.
- Choose an endpoint security solution that has host intrusion prevention system (HIPS) technology built in, as this can stop malware by monitoring the behaviour of code. A layered HIPS can detect over 85% of unknown threats and is capable of intercepting threats that could not be detected before execution.
- Configure antivirus software to automatically scan all email and file attachments. It is critical to exercise extra caution when opening attachments and ensure that attachments are not set to open automatically.
- Look for a vendor with a global threat analysis operation that constantly monitors the web for the latest threats, to provide users with instant updates to emerging threats. It is vital to seek a solution that not only provides effective protection, but which is simple to deploy and manage.
Wana Tun is regional technical evangelist at Sophos.