Abstract
Exploit kits have become a major cyber threat over the last few years. They are widely used in both massive and highly targeted cyber attack operations. Exploit kits make use of multiple exploits for major web browsers such as Internet Explorer and for popular browser plugins such as Adobe Flash and Adobe Reader. In this paper, a proactive approach to preventing this prevalent cyber threat from triggering its exploits is proposed. The suggested new technique, called AFFAF, proactively protects vulnerable systems by exploiting a fundamental characteristic of exploit kits: specifically, it utilises the version information of web browsers and browser plugins. AFFAF is a zero-configuration solution, which means that users do not need to configure anything after installing it. In addition, it is an easy-to-employ methodology from the perspective of plugin developers. We have implemented a lightweight prototype and have shown that AFFAF-enabled vulnerable systems can counteract 50 real-world and one locally deployed exploit kit URLs. The tested exploit kits include popular and well-maintained ones such as Blackhole 2.0, Redkit, Sakura, Cool and Bleeding Life 2. We have also demonstrated that the false positive rate of AFFAF is virtually zero, and that it is robust enough to be effective against real web browser plugin scanners.
Notes
- 6. To ensure the information is correct, all the data in this table has been verified against the official CVE web site and the ExploitPack Table 2013, available at http://cve.mitre.org and https://docs.google.com/spreadsheet/ccc?key=0AjvsQV3iSLa1dE9EVGhjeUhvQTNReko3c2xhTmphLUE respectively.
- 7. This is a simplified representation. For instance, many variables have been omitted, while some others have been replaced with static strings.
© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Min, B., Varadharajan, V. (2015). A Simple and Novel Technique for Counteracting Exploit Kits. In: Tian, J., Jing, J., Srivatsa, M. (eds) International Conference on Security and Privacy in Communication Networks. SecureComm 2014. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 152. Springer, Cham. https://doi.org/10.1007/978-3-319-23829-6_19
DOI: https://doi.org/10.1007/978-3-319-23829-6_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23828-9
Online ISBN: 978-3-319-23829-6
eBook Packages: Computer Science (R0)