
Cybercriminal Forum Traffic Analysis: Exploit Kits Are Out of Favor


In the last 12 months, discussions in the Deep & Dark Web have highlighted the decreasing effectiveness of exploit kits. Exploit kits (EKs), as the term suggests, are bundles of malicious scripts that exploit known vulnerabilities in browser plugins, usually Adobe Flash and Reader, Microsoft Silverlight, or Java Runtime Environment (JRE). When an Internet user is redirected to the attack domain, the EK identifies a vulnerable plugin, gains a foothold in the attacked system, and injects the payload.

August and September 2015 saw numerous discussions on the subject on several Russian-language Deep Web forums. The members of the forums, seasoned veterans of the cybercriminal underground, attempted to get to the bottom of the issue. According to the discussions, the exploits remain effective against vulnerabilities in browser plugins, but infection rates have declined from 50% to 10% or even lower in some cases. The community analyzed potential issues relating to the age of the exploits, quality of the first-stage malware (loaders), crypting (malware obfuscation techniques), and proactive defenses, but determined they were not the source of the exploit kits’ reduced effectiveness.

Interestingly, a decrease in overall chatter about exploit kits correlates with this observed decline in the kits’ effectiveness, as shown below. As exploit kits are developed primarily by and for Russian-speaking members of the cybercriminal community, Flashpoint observed the frequency of the Russian cyber slang term for “exploit kit” and its linguistic derivatives as an indicator of chatter about exploit kits in the Deep and Dark Web.


Figure 1: Messages containing the Russian cyber slang term for “exploit kit”

Following the steady drop-off of observable chatter beginning in March 2014, the sharp increase in messages mentioning exploit kits during August 2015 correlates with the active discussions about the disappointing performance of commercial exploit kits. One message indicated that exposing the loaders on the open Internet enables automated malware detection measures to effectively disarm the exploit kit within an hour.

Finally, in one of the more recent comments, a forum member succinctly characterized the state of the race between the security industry and cybercriminals regarding the detection of exploit kits and the malware they push:

The anti-virus companies are getting smart, soon they’ll own us :)
But regarding the subject, most likely, the software and hardware firewalls used by the top providers are just working better now.
There are more honeypots, more clouds, more information exchange between the companies.

Indeed, this is welcome news against the landscape of almost daily data breaches. The information security industry has long appreciated that the timely sharing of threat information is crucial in understanding and defeating the threat. This intelligence from the Deep & Dark Web clearly suggests that joint efforts within the security industry are effectively neutralizing an old, but persistent threat.

For more information about understanding adversaries within the Deep & Dark Web, contact Flashpoint.