< Back to Blog


September 25, 2017

Exploit-Kits in a Nutshell

When thinking about internet based attacks, most users tend to think they are on the safe side as long as they don’t open unknown files on their machine. However, most users aren’t aware that many other types of attacks exists online, some of which don’t even require user interaction.

One type of these attacks, referred to as Exploit-kit is a whole operation that we won’t go into details about in this blog post, but here’s a quick overview of the attack.

A user lands on a website which redirects him/her to the Exploit-kit gate. This first site in the chain is usually a hacked site, referred to as a compromised site. Its whole purpose is to redirect the victim to the exploit-kit gate, which is where things become interesting.

The gate is a server that scans the victim’s machine looking for vulnerabilities that it can exploit. If found, the gate will redirect the victim to the next server in the chain, which may be another gate but usually it’s the exploit server. If not, the gate will redirect the victim to a benign site, and with that, end the attack.

The exploit server contains the specific exploits a user is vulnerable to and it is when landing on this server that the user is exploited and the infection chain starts.

Due to the fact that the user is using a web browser to access these servers, the gate and exploit server can only access the browser and its plugins (such as Adobe flash player) to look for vulnerabilities and then exploit them. This means, that if the user is using a browser with no vulnerabilities which uses plugins with no vulnerabilities, the user would be protected from these kind of attacks.

The Decline of Exploit-kits

As Exploit-kits (EKs) grow more sophisticated, users who have visited a compromised website or page displaying malicious advertisements can find themselves infected with malware delivered by one of several high-profile exploit kits. By May of 2016, however, the activity of EKs had dropped 94% since January of the same year.

The most effective exploits are zero-day vulnerabilities, infecting a great number of victims in the days before patches become available, as well as in the period shortly thereafter, before patches have become widely applied by potential victims. And, these zero-days don’t come cheap; if an exploit-kit author wishes to incorporate them into his venture, it will cost a good sum of money, knowing they’ll be patched soon and not remaining profitable forever.

Additionally, as more websites refrain from using vulnerable media platforms like Flash, Silverlight, and Java, alongside browser and operating system vendors issuing patches at a faster rate, malicious actors will have to invest much more time and effort in finding and exploiting these vulnerabilities. For these reasons and more, we will see a steady decline in the market of exploit-kits, meaning that these malicious actors will have to gradually decrease their use of exploit-kits and move on to other attack methods.

Where will attackers turn now?

Considering the above, it’s no surprise that cyber-criminals are leaving exploit-kits and looking for the next lucrative attack. While exploit-kits won’t disappear completely any time soon, we can already see changes in places where exploit-kits used to be. So, we have to now ask ourselves, where will they go to next? In an effort to stay ahead of cyber criminals and keep organizations and users protected, it’s important that we prepare.

However, as it turns out nothing beats the good old attacks of yesterday. It’s not by chance that spam mail– with malicious attachments including documents,images, or archives– is still around after all these years, and the reason this is, is because it works. And requires only a small investment, allowing malicious actors are to form an attack that is able to evade security solutions and fool users into infecting their machine.

While this may not be a fact, we strongly believe that spam attacks with malicious attachments are here to stay– and it’s likely that these types of attacks will continue to grow in numbers.

What can be done to prevent these types of attacks?

With Votiro’s Advanced CDR technology, instead of tracking down problems and retroactively solving them, Advanced CDR puts the onus on files to “prove” their code is proper– without that proof, CDR will simply dismiss the file, without giving it the opportunity to cause mayhem – or potential mayhem, as in the case listed here.

CDR or the Content Disarm and Reconstruction approach, as designed by Votiro, is the solution to this and many other security holes that hackers take advantage of. CDR involves disarming potential exploits by dissecting files (like RTFs) and performing thorough analysis. The system is able to determine the implications of modifications, whether they are written to specifications, and whether they need to be patched, etc. Once analyzed and vetted for proper form and safety – the file is reconstructed and passed on to the system keeping all functionality intact, while disarming any malicious, suspicious or potentially harmful objects.