Trend Micro research – Evolution of Exploit Kits


TrendMicro_logoTrend Micro has released the publication of a new research paper – Exploit Kit Landscape 2014 – on the evolution of exploit kits. This paper tackles how exploit kits work, the techniques attackers used to evade detection, and how this threat evolved over the years. It also highlights the trends on exploit kits observed during Trend Micro’s threat monitoring.

Exploit kits are becoming a preferred means to perform web-based attacks and distribute malware. A possible reason for their popularity is the scalability exploit kits offer; they let attackers either target specific users or affect a wide number of users.

Over the past weeks, there has been an increase in the use of exploit kits in malicious ads. The same kits have zero-days included in them—something frequently used in targeted attacks. This heightens the risk for users. Just this January, for example, we already saw two zero-day incidents involving Adobe Flash exploits.

The US is most affected by exploit kit-related attacks, getting 57% of the global tally. It is followed by Japan and Australia with 19% and 4%, respectively.

Flash is the new Java. Both PDF and Java vulnerabilities are no longer the most used in exploit kits. Though kits using Microsoft Silverlight increased throughout 2013 to 2014, Microsoft developed a tool to counter this. This made attackers shift to exploiting Adobe Flash Player.

The number of active exploit kits rose from 2006 until 2013, and then dropped in 2014—perhaps caused by the arrest of Paunch, the creator of the Blackhole Exploit Kit. Despite the decrease, the current available exploit kits have become more sophisticated. The most noteworthy improvements include evasion techniques like file obfuscation, antivirus and virtual machine detection, and the inclusion of zero-days.

Since exploit kits are multicomponent threats, users will need to look into security solutions that offer web-based and file-based detection, and monitor software behaviour.