Exploit kit

An exploit kit is a tool used for automatically managing and deploying exploits against a target computer. Exploit kits allow attackers to deliver malware without having advanced knowledge of the exploits being used. Browser exploits are typically used, although they may also include exploits targeting common software, such as Adobe Reader, or the operating system itself. Most kits are written in PHP.

Exploit kits are often sold on the black market, both as standalone kits, and as a service.

History
Some of the first exploit kits were WebAttacker and MPack, both created in 2006. They were sold on black markets, enabling attackers to use exploits without advanced knowledge of computer security.

The Blackhole exploit kit was released in 2010, and could either be purchased outright, or rented for a fee. Malwarebytes stated that Blackhole was the primary method of delivering malware in 2012 and much of 2013. After the arrest of the authors in late 2013, use of the kit sharply declined.

Neutrino was first detected in 2012, and was used in a number of ransomware campaigns. It exploited vulnerabilities in Adobe Reader, the Java Runtime Environment, and Adobe Flash. Following a joint-operation between Cisco Talos and GoDaddy to disrupt a Neutrino malvertising campaign, the authors stopped selling the kit, deciding to only provide support and updates to previous clients. Despite this, development of the kit continued, and new exploits were added. As of April 2017, Neutrino activity ceased. On June 15, 2017, F-Secure tweeted "R.I.P. Neutrino exploit kit. We'll miss you (not)." with a graph showing the complete decline of Neutrino detections.

From 2017 onwards, the usage of exploit kits has dwindled. There are a number of factors which may have caused this, including arrests of cybercriminals, improvements in security making exploitation harder, and cybercriminals turning to other method of malware delivery, such as Microsoft Office macros and social engineering.

There are many systems that work to protect against attacks from exploit kits. These include gateway anti-virus, intrusion prevention, and anti-spyware. There are also ways for subscribers to receive these prevention systems on a continuous basis, which helps them to better defend themselves against attacks.

Exploitation process
The general process of exploitation by an exploit kit is as follows:


 * 1) The victim navigates to a website infected by an exploit kit. Links to infected pages can be spread via spam, malvertising, or by compromising legitimate sites.
 * 2) The victim is redirected to the landing page of the exploit kit.
 * 3) The exploit kit determines which vulnerabilities are present, and which exploit to deploy against the target.
 * 4) The exploit is deployed. If successful, a payload of the attacker's choosing (i.e. malware) can then be deployed on the target.

Features
Exploit kits employ a variety of evasion techniques to avoid detection. Some of these techniques include obfuscating the code, and using fingerprinting to ensure malicious content is only delivered to likely targets.

Modern exploit kits include features such as web interfaces and statistics, tracking the number of visitors and victims.