In recent years, exploit kits have become widely adopted by criminals looking to infect users with malicious software (malware). These kits are packaged with exploit code and target commonly installed software such as Adobe Flash, Java and Internet Explorer.
In a process known as a drive-by download, a user’s browser is invisibly directed to a malicious web site that hosts an exploit kit, which then proceeds to exploit security holes, also known as vulnerabilities, to infect the user with malware. The entire process can occur invisibly, without any action required from the user.
These exploit kits and their malicious code have paved the way for a model called Crimeware-as-a-Service (CaaS), which provides malware on demand to the infected host. Because CaaS can mutate remotely via a command over HTTP, this malicious code can successfully evade antivirus engines.
According to recent research by SophosLabs, the most prevalent exploit kit today is Angler. In the last eight months it has risen above its competitors, with market share growing exponentially from a quarter to 83 percent, and it now accounts for more than three-quarters of malware infections caused by exploit kits. Here are the five stages of an Angler attack:
Entry Point. A user accesses a hijacked web site and malware downloads silently. The user does not notice his or her computer is being infected, especially because 82 percent of malicious sites are in fact legitimate sites that have been hacked.
Distribution. The initial booby-trapped web site sends users to a Web page where a range of different exploits attack the user based on his or her software combination, for example Windows + Internet Explorer + Safari and Flash.
Exploit. Angler will attempt to leverage vulnerabilities in the operating system, browser, Java, Flash, PDF reader, media player and other plugins.
Infection. The malware downloads a malicious payload, such as Vawtrak, a zombie malware that steals financial data, or ransomware such as CryptoWall or TeslaCrypt that extorts money from the user.
Execution. Vawtrak calls home with the user’s sensitive data, such as credentials, banking or credit-card information; ransomware encrypts files and demands a payment for the encryption key.
Angler makes itself a moving target by rapidly switching the hostnames and IP addresses it uses. It trades on (and ruins in the process) the online reputation of legitimate companies by piggybacking on their domain name system (DNS) servers.
Additionally, Angler mutates its attack components for each potential victim using a variety of encoding and encryption techniques that bypass naive content filters. It also uses tricks such as obfuscation and anti-sandboxing to hinder the security researchers tracking it.
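The hostname churn described above leaves a visible trace in DNS resolver logs: a legitimate company's domain suddenly sprouts many never-before-seen subdomains that resolve to IP addresses unrelated to its normal infrastructure. The following detection script is an added example written for this column, not code from Sophos or from the original article. It assumes a constructed resolver log format of "timestamp client queried-name answer-ip" (the sample lines, domains under .test and RFC 5737 addresses are all made up), and it treats the last two labels of a name as the registered domain, a simplification that real deployments would replace with a Public Suffix List lookup.

```python
"""Flag domain-shadowing style hostname churn in DNS resolver logs.

Constructed example for illustration: scores each parent (registered)
domain by the number of distinct hostnames and distinct answer IPs seen
inside one sliding time window, then flags parents whose churn exceeds
both thresholds.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log (not real traffic): "<timestamp> <client> <qname> <answer>"
SAMPLE_LOG = """\
2015-09-01T10:00:01 10.1.1.5 www.example-corp.test 203.0.113.10
2015-09-01T10:00:04 10.1.1.7 mail.example-corp.test 203.0.113.11
2015-09-01T10:01:09 10.1.1.9 q7h2k.example-corp.test 198.51.100.21
2015-09-01T10:01:40 10.1.1.9 zx91pa.example-corp.test 198.51.100.22
2015-09-01T10:02:12 10.1.1.12 mfd03.example-corp.test 198.51.100.23
2015-09-01T10:02:55 10.1.1.14 ty8qqw.example-corp.test 198.51.100.21
2015-09-01T10:03:30 10.1.1.14 hh2l0.example-corp.test 198.51.100.24
2015-09-01T10:04:02 10.1.1.16 b4vnx.example-corp.test 198.51.100.22
2015-09-01T10:00:20 10.1.1.5 www.shop-example.test 192.0.2.40
2015-09-01T10:02:35 10.1.1.7 cdn.shop-example.test 192.0.2.41
2015-09-01T10:03:50 10.1.1.9 www.shop-example.test 192.0.2.40
2015-09-01T10:05:10 10.1.1.12 mail.shop-example.test 192.0.2.40
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into (timestamp, client, qname, answer); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, answer = m.groups()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), answer


def parent_domain(qname):
    """Return the registered domain of a hostname.

    Simplification (assumption): the last two labels are the registered
    domain. Production code should consult the Public Suffix List so that
    names like example.co.uk are handled correctly.
    """
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def churn_scores(log_text, window=timedelta(minutes=10)):
    """Return {parent: (max distinct hostnames, max distinct IPs)} over any window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the run
        ts, _client, qname, answer = rec
        events[parent_domain(qname)].append((ts, qname, answer))

    scores = {}
    for parent, evs in events.items():
        evs.sort()  # chronological order so each event can open a window
        best_hosts = best_ips = 0
        for i, (start, _, _) in enumerate(evs):
            hosts, ips = set(), set()
            for ts, qname, answer in evs[i:]:
                if ts - start > window:
                    break
                hosts.add(qname)
                ips.add(answer)
            best_hosts = max(best_hosts, len(hosts))
            best_ips = max(best_ips, len(ips))
        scores[parent] = (best_hosts, best_ips)
    return scores


def flag_shadowed_domains(log_text, window=timedelta(minutes=10), min_hosts=5, min_ips=3):
    """Parents whose hostname and IP churn inside one window exceed both thresholds."""
    return sorted(
        parent
        for parent, (hosts, ips) in churn_scores(log_text, window).items()
        if hosts >= min_hosts and ips >= min_ips
    )


if __name__ == "__main__":
    for parent, (hosts, ips) in churn_scores(SAMPLE_LOG).items():
        print(f"{parent}: {hosts} distinct hostnames, {ips} distinct IPs")
    print("flagged:", flag_shadowed_domains(SAMPLE_LOG))
```

On the constructed sample, example-corp.test shows eight distinct hostnames across six IPs within a few minutes and is flagged, while shop-example.test, with its three ordinary hosts on two addresses, is not. The thresholds are starting points to tune against a baseline of the organisation's own resolver traffic; content-delivery networks and large SaaS domains legitimately show high hostname counts, so an allowlist of known high-churn parents keeps the alert volume manageable.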
Enterprises can adopt a multi-pronged approach with these recommended steps to safeguard against the Angler Exploit Kit:
- Implement a comprehensive security solution with strong protection against the exploitation of Web applications and of vulnerabilities such as cross-site scripting and cookie tampering.
- Seek a multilayered proven protection that offers the flexibility to choose the level of protection, making it possible to add specific layers of protection like wireless protection, Web-server protection and endpoint protection as one’s needs evolve.
- Choose an endpoint security solution with host intrusion prevention system technology built in, as it can stop malware by monitoring the behavior of code.
- Configure antivirus software to automatically scan all e-mail and file attachments. It is critical to exercise extra caution when opening attachments and ensure that attachments are not set to open automatically.
- Look for a vendor with a global threat analysis operation that is constantly monitoring the web for the latest threats and provides users with instant updates on emerging threats.
Most important, always act with caution and be vigilant about attachments and unsolicited messages.
****
Wana Tun is regional technical evangelist at Sophos Plc. The views expressed in this abridged version of Tun’s article do not necessarily reflect those of the BusinessMirror.