{"id":9448,"date":"2015-07-31T11:55:19","date_gmt":"2015-07-31T15:55:19","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=9448"},"modified":"2020-02-27T03:58:20","modified_gmt":"2020-02-26T16:58:20","slug":"exploits-problem-explanation","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/exploits-problem-explanation\/9448\/","title":{"rendered":"What are exploits and why they are so scary?"},"content":{"rendered":"<p>Security experts often mention exploits as one of the most serious problems with data and systems safety, although it\u2019s not always clear what the difference is between exploits and malware in general. We\u2019ll try to explain here.<\/p>\n<h3>What is an exploit?<\/h3>\n<p>Exploits are a subset of malware. These malicious programs contain data or executable code which is able to take advantage of one or more vulnerabilities in the software running on a local or remote computer.<\/p>\n<p><i>Put simply:<\/i> You have a browser and there is a vulnerability in it that allows \u201carbitrary code\u201d to run (i.e. install and launch some malicious program) on your system without your knowledge. 
Most often the attackers\u2019 first step is privilege escalation, so that they can do anything within the attacked system.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">HP\u2019s Zero Day Initiative has released four new <a href=\"https:\/\/twitter.com\/hashtag\/zeroday?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#zeroday<\/a> in <a href=\"https:\/\/twitter.com\/hashtag\/IE?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#IE<\/a> <a href=\"https:\/\/t.co\/3MvmBKikdU\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/3MvmBKikdU<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"http:\/\/t.co\/fVuPQY4cxw\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/fVuPQY4cxw<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/624229438000091136?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">July 23, 2015<\/a><\/p><\/blockquote>\n<p>Browsers, along with Flash, Java, and Microsoft Office, are among the most targeted software categories. Being ubiquitous, they are actively explored by security experts and hackers alike, and developers regularly have to release patches to fix vulnerabilities. It\u2019s best if these patches are applied at once, but unfortunately that is not always the case. For instance, you may have to close all browser tabs or documents to perform an update.<\/p>\n<p>Another problem is exploits for as yet unknown vulnerabilities, discovered and abused by blackhats: so-called <strong>zero-days or 0days<\/strong>. 
It may take a while before the vendors learn they have a problem and fix it.<\/p>\n<h3>Infection routes<\/h3>\n<p>Cybercriminals often prefer exploits over other infection methods such as social engineering, which can be hit or miss: the use of vulnerabilities continues to produce the desired results.<\/p>\n<p>There are two ways users can be \u201cfed\u201d exploits. First, by visiting a site that contains malicious exploit code. Second, by opening a seemingly legitimate file with hidden malicious code. As one may easily guess, it\u2019s most likely spam or <a href=\"https:\/\/www.kaspersky.com.au\/blog\/how-to-avoid-phishing\/\" target=\"_blank\" rel=\"noopener\">a phishing email<\/a> that will bring the exploit in.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Why <a href=\"https:\/\/twitter.com\/hashtag\/phishing?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#phishing<\/a> works and how to avoid it \u2013  <a href=\"https:\/\/t.co\/ksAYI9g2Jm\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/ksAYI9g2Jm<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/security?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#security<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/cybercrime?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#cybercrime<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/517329359859118080?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 1, 2014<\/a><\/p><\/blockquote>\n<p>As noted in Securelist, exploits are designed to strike specific versions of software that contain vulnerabilities. 
If the user opens the malicious object with that version of the software, or if a website is using that software to operate, the exploit is triggered.<\/p>\n<p>Once it gains access through the vulnerability, the exploit then loads additional malware from the criminals\u2019 server, which performs malicious activity such as stealing personal data, using the computer as part of a botnet to distribute spam or carry out DDoS attacks, or whatever else the culprits behind it intend to do.<\/p>\n<p>Exploits pose a threat even to aware and diligent users who keep their software updated. The reason is the time gap between the discovery of a vulnerability and the release of the patch that fixes it. During that time, exploits are able to function freely and threaten the security of nearly all Internet users \u2013 unless automatic tools to prevent exploit attacks are installed.<\/p>\n<p>And don\u2019t forget about the above-mentioned \u2018open tabs syndrome\u2019: there\u2019s a price to be paid for an update, and not every user is ready to pay it right away when a patch is available.<\/p>\n<h3>Exploits run in packs<\/h3>\n<p>Exploits are often packed together so that an attacked system is checked against a wide range of vulnerabilities; once one or more are detected, the appropriate exploits are deployed. Exploit kits also widely use code obfuscation to avoid detection and encrypt URL paths to prevent researchers from rooting them out.<\/p>\n<p>Among the best known are:<\/p>\n<p><strong>Angler<\/strong> \u2013 one of the most sophisticated kits on the underground market. This one changed the game when it began detecting antivirus software and virtual machines (often used by security researchers as honeypots) and deploying encrypted dropper files. It is one of the fastest kits to incorporate newly released zero-days, and its malware runs from memory, without having to write to the hard drives of its victims. 
A technical description of the pack <a href=\"https:\/\/threatpost.com\/analyzing-angler-the-worlds-most-sophisticated-exploit-kit\/110904\" target=\"_blank\" rel=\"noopener nofollow\">is available here<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Angler Exploit Kit Exploiting New Adobe Vulnerability, Dropping Cryptowall 3.0 \u2013 <a href=\"http:\/\/t.co\/DFGhwiDeEa\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/DFGhwiDeEa<\/a> <a href=\"http:\/\/t.co\/IirQnTqxEO\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/IirQnTqxEO<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/604691335015243776?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">May 30, 2015<\/a><\/p><\/blockquote>\n<p><strong>Nuclear Pack<\/strong> \u2013 hits its victims with Java and Adobe PDF exploits, as well as dropping Caphaw \u2013 a notorious banking Trojan. <a href=\"https:\/\/threatpost.com\/askmen-site-compromised-by-nuclear-pack-exploit-kit\/106822\" target=\"_blank\" rel=\"noopener nofollow\">You can read more here<\/a>.<\/p>\n<p><strong>Neutrino<\/strong> \u2013 a Russian-made kit containing a few Java exploits, which <a href=\"http:\/\/news.softpedia.com\/news\/Neutrino-Exploit-Kit-Reportedly-Put-Up-for-Sale-by-Its-Author-430253.shtml\" target=\"_blank\" rel=\"noopener nofollow\">made headlines last year<\/a> because its owner put it up for sale for a very modest price \u2013 $34,000. 
Most likely this was done following the arrest of a certain Paunch, creator of the next exploit kit we\u2019re going to talk about.<\/p>\n<p><strong>Blackhole Kit<\/strong> \u2013 the most prevalent web threat of 2012, it targets vulnerabilities in old versions of browsers such as Firefox, Chrome, Internet Explorer, and Safari, as well as many popular plugins like Adobe Flash, Adobe Acrobat, and Java. After a victim is lured or redirected to a landing page, the kit determines what is on the victim\u2019s computer and loads all the exploits to which this computer is vulnerable.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">'Paunch' Arrest Puts Blackhole Hackers on Data Diet, Kaspersky's <a href=\"https:\/\/twitter.com\/k_sec?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@K_Sec<\/a> weighs in. <a href=\"http:\/\/t.co\/uao2eINlkZ\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/uao2eINlkZ<\/a> via <a href=\"https:\/\/twitter.com\/technewsworld?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@TechNewsWorld<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/390214721829601282?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 15, 2013<\/a><\/p><\/blockquote>\n<p>Blackhole, unlike most of the other kits, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Blackhole_exploit_kit\" target=\"_blank\" rel=\"noopener nofollow\">has a dedicated entry in Wikipedia<\/a>, although after Paunch\u2019s arrest the <a href=\"https:\/\/threatpost.com\/blackhole-and-cool-exploit-kits-nearly-extinct\/103034\" target=\"_blank\" rel=\"noopener nofollow\">kit itself has almost died out<\/a>.<\/p>\n<h3>Conclusion<\/h3>\n<p>Exploits are not always detectable by security software. 
To detect exploits successfully, security software should employ behavior analysis; it\u2019s the only good way to beat exploits. Malware programs may be plentiful and varied, but most of them have similar behavioral patterns.<\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/advert\/multi-device-security?redef=1&amp;THRU&amp;reseller=gl_KDpost_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Internet Security<\/a>, as well as Kaspersky Lab\u2019s other flagship products, employs a technology called <strong>Automatic Exploit Prevention<\/strong>, which uses information about the most typical behavior of known exploits. Recognising the characteristic behaviour of such malicious programs helps prevent infection even in the case of an exploit for a previously unknown zero-day vulnerability.<\/p>\n<p>More information on Automatic Exploit Prevention technology <a href=\"https:\/\/business.kaspersky.com\/case-6-automatic-exploit-prevention-against-targeted-attacks\/1338\" target=\"_blank\" rel=\"noopener nofollow\">is available here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security experts often mention exploits as one of the most serious problems, although it\u2019s not always clear why exploits are so special and scary. 
We\u2019ll try to explain here.<\/p>\n","protected":false},"author":40,"featured_media":9449,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2646],"tags":[1181,256,1180,1171,36,192,97,422],"class_list":{"0":"post-9448","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-aep","10":"tag-automatic-exploit-prevention","11":"tag-exploit-kits","12":"tag-exploits","13":"tag-malware-2","14":"tag-protection","15":"tag-security-2","16":"tag-threats"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/exploits-problem-explanation\/9448\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/exploits-problem-explanation\/6049\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/exploits-problem-explanation\/5859\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/exploits-problem-explanation\/6520\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/exploits-problem-explanation\/6393\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/exploits-problem-explanation\/8459\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/exploits-problem-explanation\/9448\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/exploits-problem-explanation\/4741\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/exploits-problem-explanation\/6010\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/exploits-problem-explanation\/5905\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/exploits-problem-explanation\/8327\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/exploits-problem-explanation\/8459\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/exploits-problem-explanation\/9448\/"}],"acf":[],"banners":"","maintag":{"url":"htt
ps:\/\/www.kaspersky.com.au\/blog\/tag\/aep\/","name":"AEP"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/9448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=9448"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/9448\/revisions"}],"predecessor-version":[{"id":26730,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/9448\/revisions\/26730"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/9449"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=9448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=9448"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=9448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}