The Exploit Kit "Four Horsemen"

March 20, 2013 - By Chris Larsen | Co-Author Jeff Doty

[Another good look at the world of exploit kits from Jeff. --C.L.]


Meet the "Four Horsemen" of the Exploit Kit market:

Blackhole, Sweet Orange, Impact, and Cool.

A week or so ago, Finnish security firm F-Secure released a report of the most common exploit kits that they see. There were a few in their list whose percentages surprised me, so I thought I would do a similar study for comparison.

I'm also hoping to shed some light on less well-known exploit kits that have quite a lot of "market share" out there. We get submissions from customers about domains or IP addresses hosting exploit kits that they've spotted, and about 90% of these submissions are for Blackhole. We rarely get any submissions for other exploit kits, even though they are as much of a threat as Blackhole is. [Perhaps that's why there's a market for the other exkits -- Blackhole is used so widely it's become relatively easy to recognize? -- C.L.]

[Figure: pie chart of exploit kit market share by hosting IP addresses, January]

In our logs, we are seeing four popular exploit kits combining to hold more than 75% of the exkit market. These figures represent the number of new IP addresses we found in January to be exclusively hosting that exploit kit. I feel that this gives a more accurate representation of the infrastructure that each exploit kit uses. Here's a quick summary of each of the Four Horsemen:

Blackhole (BHEK)

Blackhole is easily the most widely known celebrity of all of the exploit kits. Any Google search of "blackhole" will bring a plethora of articles about attacks leveraging the Blackhole kit. So it's not surprising that Blackhole is still the king. Exploits used include:

CVE-2006-0003 *
CVE-2010-0188
CVE-2012-0507
CVE-2012-1723
CVE-2012-4681
CVE-2012-4969 (promised)


Sweet Orange

We often see new exploit kits come out like a dud firework, taking off quickly in the beginning but soon fizzling out, never to be seen again. Sweet Orange, however, has been doing well for several months now, challenging Blackhole for supremacy. Exploits used include:

CVE-2006-0003 *
CVE-2010-0188
CVE-2011-3544
CVE-2012-4681


Impact

Another kit that is only a few months old is Impact. This kit has surprised me with its sustained growth. It seems to be similar to many of the kits that fizzled out after their initial popularity, so I will be curious to see what happens in the future. Exploits used include:

CVE-2010-0188 *
CVE-2008-0655
CVE-2012-1723
CVE-2012-5076


Cool

This kit is made by the same people who created Blackhole. As Brian Donohue of Kaspersky wrote, if you think of Blackhole as the reliable and cheap Toyota Camry of exploit kits, Cool Exploit kit is the Lexus LS. This is mostly because of the $100,000 they supposedly spent on acquiring new, exclusive exploits for this kit, and that the rent for Cool is a whopping $10,000 a month. Some have speculated that this price range would put it out of reach for many "customers", and although we don't know how many people are using it, it is clear that there are enough of them to make it a credible threat. Exploits used include:

CVE-2006-0003 *
CVE-2010-0188
CVE-2011-3402
CVE-2012-0507
CVE-2012-1723
CVE-2012-4681


(Dis-)Honorable Mentions

There are two exploit kits that didn't make it onto this list, due to differences in how they are used compared to the others.

g01Pack

g01Pack is a very popular exploit kit for malvertising attacks. What makes this exploit kit unique is that it is used almost exclusively on Dynamic DNS services like dyndns.org, homedns.org, etc. This is an easy exploit kit to take care of, because almost nothing good seems to appear on dynamic DNS services these days, and therefore we encourage all of our customers to block this category.


RedKit

Redkit is another popular kit that we have seen a lot of in recent weeks. We've seen it in some malvertising campaigns, as well as in the NBC.com compromise. What makes this kit unique is that its operators like to host their payloads on legitimate but compromised domains. Victims of this kit may be redirected through several compromised sites until they finally receive the payload. Also, another researcher here at Blue Coat has been tracking a group that has been using a combination of Blackhole and Redkit to distribute the Kelihos botnet. These attacks have been quite large but not as successful. Between this group and the NBC.com attacks, Redkit is definitely one to keep an eye on. (And we will.)


--J.D.

* CVEs are according to Contagio's research. I've been looking into this aspect as well, and will try to get a post out soon.