Thursday, May 5, 2011

Whitepaper: A Criminal Perspective on Exploit Packs


Criminals refer to it as a “BEP”. As the name suggests, the entire computer exploit process begins with a web browser. The web browser’s ubiquitous use in daily life has made the Browser Exploit Pack the infection vehicle darling of the Underground.

There are multiple Internet channels available for pushing malware to a victim, such as email, P2P file sharing, instant messenger, and social media. A live exploit pack only requires a victim “drive-by”: a trivial website visit, followed by a quiet push of the payload once the pack has probed the application layer (layer 7, the browser and its plugins) for vulnerabilities.

We installed and configured over 40 exploit packs in order to better understand each family's value in criminal use scenarios. In this paper we chronicle the exploit pack genesis and historical evolution. We discuss the spectrum of technical acumen required to successfully install and use different exploit pack families. Finally, we detail the monetization and code protection mechanisms currently in place, as well as the overall effectiveness of these different exploit pack families.

For optimal exploration we created dedicated networks for exploit pack installation. The client machine acting as the drive-by victim was running Windows XP SP2, and we excluded all further patches. To give these exploit packs every chance of exploitation success, we installed old versions of Internet Explorer, Firefox, Opera, Adobe Reader, Flash, the Java Virtual Machine, Windows Media Player and other applications. Generally, each application version was matched to a release from late 2004 or early 2005, since that was the approximate time frame in which the first exploit packs were released.
