What are exploits? (And why you should care)

Exploits: they’re not your mama’s cyberthreats. At one point in the not-so-distant past, exploits were responsible for delivering 80 percent of malware to people’s systems. But exploits seem to be experiencing a lull today. Does this mean they’re gone for good and we can all let down our guard? Or is this simply the calm before the storm? Let’s break down this stealthy threat so you can not only know your enemy, but also be appropriately prepared should the exploit attacks return.

What is an exploit?

An exploit is a program or piece of code that finds and takes advantage of a security flaw in an application or system so that cybercriminals can use it for their benefit, i.e., exploit it.

Cybercriminals frequently deliver exploits to computers as part of a kit, or a collection of exploits, that is hosted on websites or hidden on invisible landing pages. When you land on one of these sites, the exploit kit automatically fingerprints your computer to see which operating system you are on, which programs you have running, and most importantly, whether any of these have security flaws, called vulnerabilities. It is basically looking at your computer for weaknesses to exploit—not unlike the Trojans did with Achilles’ heel.

After discovering vulnerabilities, the exploit kit uses its pre-built code to essentially force the gaps open and deliver malware, bypassing many security programs.

So are exploits a form of malware? Technically, no. Exploits are not malware themselves, but rather methods for delivering the malware. An exploit kit doesn’t infect your computer. But it opens the door to let the malware in.

How do exploits attack?

People most often come across exploit kits from booby-trapped high-trafficked websites. Cybercriminals typically choose popular, reputable sites in order to reap the highest return on their investment. This means the news sites you read, the website you use to browse real estate, or the online store where you buy your books are all possible candidates. Sites such as yahoo.com, nytimes.com, and msn.com have been compromised in the past.

So you’re surfing the web, stopping by a website you love, and the compromised site redirects you in the background, without opening any new browser windows or alerting you in any other way so that you can be scanned for suitability for infection. Based on this, you are either selected for exploitation or discarded.

How is your favorite website compromised? In one of two ways:

1. A piece of malicious code is hidden in plain sight on the website (via good old-fashioned hacking).
2. An advertisement that is displayed on the website has been infected. These malicious ads, known as malvertising, are especially dangerous, as users don’t even need to click on the ad in order to be exposed to the threat.

Both methods, hacked sites or malvertising, immediately redirect you (point your web browser) to an invisible landing page that is hosting the exploit kit. Once there, if you have vulnerabilities on your computer, it’s game over.

The exploit kit identifies vulnerabilities and launches the appropriate exploits in order to drop malicious payloads. These payloads (the malware) can then execute and infect your computer with all kinds of bad juju. Ransomware is a particular favorite payload of exploit kits these days.

Which software is vulnerable?

In theory, given enough time, every piece of software is potentially vulnerable. Specialist criminal teams spend lots of time pulling apart programs so they can find vulnerabilities. However, they typically focus on the applications with the largest user base, as these present the richest targets. As with all forms of cybercrime, it’s a numbers game. Top application targets include Internet Explorer, Flash, Java, Adobe Reader, and Microsoft Office.

How security folks fight it

Software companies understand that the programs they develop may contain vulnerabilities. As incremental updates are made to the programs in order to improve functionality, looks, and experience, so too are security fixes made to close vulnerabilities. These fixes are called patches, and they are often released on a regular schedule. For example, Microsoft releases a cluster of patches for their programs on the second Tuesday of each month, known as Patch Tuesday.

Companies may also release patches for their programs ad-hoc when a critical vulnerability is discovered. These patches essentially sew up the hole so exploit kits can’t find their way in and drop off their malicious packages.

The problem with patches is they often aren’t released immediately after a vulnerability is discovered, so criminals have time to act and exploit. The other problem is that they rely on users downloading those “annoying” updates as soon as they come out. Most exploit kits target vulnerabilities that have already been patched for a long time because they know most people don’t update regularly.

For software vulnerabilities that have not yet been patched by the company that makes the software, there are technologies and programs developed by cybersecurity companies that shield programs and systems known to be favorites for exploitation. These technologies essentially act as barriers around vulnerable programs and stop exploits at multiple stages of an attack, so that they never get a chance to drop off their malicious payload.

Types of exploits

Exploits can be grouped into two categories: known and unknown, also called zero-day exploits.

Known exploits are exploits that security researchers have already discovered and documented. These exploits take advantage of known vulnerabilities in software programs and systems (that perhaps users haven’t updated in a long time). Security professionals and software developers have already created patches for these vulnerabilities, but it can be difficult to keep up with all the required patches for every piece of software—which is why these known exploits are still so successful.

Unknown exploits, or zero-days, are used on vulnerabilities that have not yet been reported to the general public. This means that cybercriminals have either spotted the flaw before the developers noticed it, or they’ve created an exploit before developers get a chance to fix the flaw. In some cases, developers may not even find the vulnerability in their program that led to an exploit for months, if not years! Zero-days are particularly dangerous because even if users have their software fully updated, they can still be exploited, and their security can be breached.

Biggest exploit offenders

The three exploit kits most active in the wild right now are named RIG, Neutrino, and Magnitude. RIG remains the most popular kit, and it’s being used in both malvertising and website-compromise campaigns to infect people’s machines with ransomware. Neutrino is a Russian-made kit that’s been used in malvertising campaigns against top publishers, and it preys on Flash and Internet Explorer vulnerabilities (also to deliver ransomware). Magnitude is using malvertising to launch its attacks as well, though it’s strictly focused on countries in Asia.

Two lesser-known exploit campaigns, Pseudo-Darkleech and EITest, are currently the most popular redirection vehicles using compromised websites. These offenders inject code into sites such as WordPress, Joomla, or Drupal, and automatically redirect visitors to an exploit kit landing page.
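As an added example (not from the original post), here is a defender-side check for the injected off-site redirects described above and in the "How do exploits attack?" section: it parses a page's HTML and flags invisible iframes and meta refreshes that send the browser to a host other than the site itself. The sample page and the hostnames example-news.test, landing.invalid and other.invalid are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-site iframe, one injected
# invisible off-site iframe, and an injected meta refresh (hypothetical hosts).
SAMPLE_HTML = """<body>
<iframe src="https://example-news.test/widgets/weather" width="300" height="200"></iframe>
<iframe src="http://landing.invalid/gate.php" width="1" height="1" style="visibility:hidden"></iframe>
<meta http-equiv="refresh" content="0; url=http://other.invalid/index.php">
</body>"""

def _is_offsite(url, site_host):
    """True when the URL resolves to a host other than the site being scanned."""
    host = urlparse(url).hostname
    return bool(host) and host.lower() != site_host.lower()

def _looks_hidden(attrs):
    """True when an iframe is effectively invisible: hidden via CSS, or 1x1 or smaller."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", "100")) <= 1 or int(attrs.get("height", "100")) <= 1
    except ValueError:
        return False

class RedirectScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # list of (kind, url) tuples

    def handle_starttag(self, tag, attr_list):
        attrs = {k: (v or "") for k, v in attr_list}
        if tag == "iframe":
            src = attrs.get("src", "")
            if _looks_hidden(attrs) and _is_offsite(src, self.site_host):
                self.findings.append(("hidden-iframe", src))
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            content = attrs.get("content", "")
            idx = content.lower().find("url=")
            url = content[idx + 4:].strip() if idx >= 0 else ""
            if url and _is_offsite(url, self.site_host):
                self.findings.append(("meta-refresh", url))

def scan(html, site_host):
    """Return the suspicious off-site redirects found in the page's HTML."""
    scanner = RedirectScanner(site_host)
    scanner.feed(html)
    return scanner.findings
```

Run `scan(SAMPLE_HTML, "example-news.test")` to see the two injected redirects reported; the legitimate, visible same-site iframe is left alone.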

As with all forms of cyberthreats, exploits, their methods of delivery, and the malware they drop are constantly evolving. It’s a good idea to stay on top of the most common forms to make sure the programs they target are patched on your computer.

Current exploit kit landscape

Right now, the exploit scene is pretty bleak, which is a good thing for those in the security industry and, essentially, for anyone using a computer. This is because in June 2016, Angler, a sophisticated exploit kit that was responsible for nearly 60 percent of all exploit attacks the year before, was shut down. There hasn’t been any other exploit kit that’s built up the same level of market share since.

Threat actors have been a bit gun-shy about running back to exploit kits, for fear of another Angler takedown. Once Angler was dismantled, cybercriminals turned their focus back to some more traditional forms of attack, including phishing and emails with malicious attachments (malspam). But rest assured, they’ll be back once a new, more reliable exploit kit proves effective in the black market.

How to protect against exploits

The instinct may be to take little to no action to protect against exploits, since there’s not a lot of exploit-related cybercriminal activity right now. But that would be like choosing not to lock your doors since there hasn’t been a robbery in your neighborhood in a year. A couple of simple security practices can help you stay ahead of the game.

First, make sure you keep your software programs, plugins, and operating systems updated at all times. This is done by simply following instructions when reminded by those programs that updates are ready. You can also check settings from time to time to see if there are patch notifications that may have fallen off your radar.

Second, invest in cybersecurity that protects against both known and unknown exploits. Several next-generation cybersecurity companies, including Malwarebytes, have started integrating anti-exploit technology into their products.

So you can either kick back and pray that we’ve seen the last of exploits. Or, you can keep your shields up by consistently updating your programs and operating systems, and using top-notch anti-exploit security programs. The smart money says exploits will be back. And when they return, you won’t have a weak heel to expose to them.

Wendy Zamora

Editor-at-Large, Malwarebytes Labs