
A Simple and Novel Technique for Counteracting Exploit Kits

Conference paper
International Conference on Security and Privacy in Communication Networks (SecureComm 2014)

Abstract

Exploit kits have become a major cyber threat over the last few years. They are widely used in both massive and highly targeted cyber attack operations. Exploit kits bundle multiple exploits for major web browsers such as Internet Explorer and for popular browser plugins such as Adobe Flash and Reader. In this paper, a proactive approach to preventing this prevalent cyber threat from triggering its exploits is proposed. The proposed technique, called AFFAF, proactively protects vulnerable systems by exploiting a fundamental characteristic of exploit kits: their reliance on the version information of web browsers and browser plugins. AFFAF is a zero-configuration solution, meaning that users do not need to configure anything after installing it. In addition, it is an easy-to-employ methodology from the perspective of plugin developers. We have implemented a lightweight prototype and have shown that AFFAF-enabled vulnerable systems can counteract 50 real-world and one locally deployed exploit kit URLs. The tested exploit kits include popular and well-maintained ones such as Blackhole 2.0, Redkit, Sakura, Cool and Bleeding Life 2. We have also demonstrated that the false positive rate of AFFAF is virtually zero, and that it is robust enough to be effective against real web browser plugin scanners.




Author information

Corresponding author: Byungho Min.

Copyright information

© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Min, B., Varadharajan, V. (2015). A Simple and Novel Technique for Counteracting Exploit Kits. In: Tian, J., Jing, J., Srivatsa, M. (eds) International Conference on Security and Privacy in Communication Networks. SecureComm 2014. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 152. Springer, Cham. https://doi.org/10.1007/978-3-319-23829-6_19

  • DOI: https://doi.org/10.1007/978-3-319-23829-6_19
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-23828-9
  • Online ISBN: 978-3-319-23829-6
  • eBook Packages: Computer Science (R0)
