It is striking how short the lifespan of an exploit kit can be. Kits that were once popular and infected thousands of users have dropped out of use entirely. More interesting still, some old kits make a comeback, rearmed with fresh exploits, and climb straight back to the top of the rankings for serving malware.
However, the most interesting area of study is which exploits are currently in use and what they target.
In order to get some perspective, let's start by analyzing the situation in 2010. The most common exploit kits last year were:
However, by the end of 2010 there was a rapid decline in the use of Phoenix and an increase in the number of malicious servers serving NeoSploit.
By analyzing the vulnerabilities targeted by these exploit kits, we can infer the main attack vector:
The main point here is not the static picture but the dynamic one. Java vulnerabilities climbed to 3rd place in just one year, and 40% of all new exploits added to the top five kits in 2010 targeted Java. According to my colleague Dan Guido, 11 out of the top 15 kits included at least one Java exploit and seven out of the top 15 included more than one.
Let's contrast this information with some more data. According to the Microsoft Malware Protection Center, last year there was a peak in Java exploitation attempts:
Our own records point to a similar situation. Here you can see the creation of Java-related signatures in response to these detected threats:
These exploitation attempts were detected in our customer base as well:
The question is: why Java? I have been pondering this for some time, but the answer came after attending Dino Dai Zovi's keynote presentation at SOURCE Conference. It was so obvious! The answer is that Java exploits are the easiest way to bypass OS security countermeasures. A typical Java exploit abuses a logic flaw in the runtime or its sandbox rather than corrupting memory, so it runs as ordinary Java code, has no DEP or ASLR to defeat, and works on any OS where the vulnerable JRE is installed. An image is worth a thousand words in this case:
What is the situation so far this year? Has anything changed? Some things have, namely the top exploit kits for the first half of the year:
Two new players have emerged: BlackHole and Incognito. Let's see what they target.
Basically, we have here the usual set of vulnerabilities that almost all kits include; the only difference is the first two, CVE-2010-1885 and CVE-2010-1423. The first is the Windows Help and Support Center (hcp:// protocol handler) flaw; the second is the argument-injection bug in the Java Deployment Toolkit / Java Web Start, so once again Java is on the list.
What about Incognito? Here is the corresponding list:
Apart from the last two, the much older CVE-2006-4704 and CVE-2004-0549, this list is exactly the same as the one for BlackHole.
So, what is the verdict? These two kits add nothing new to the landscape: they reuse the same exploits as their predecessors, and they keep targeting Java.
After this review, there are a few conclusions we can reach:
Cybercriminals are showing once again how much they care about their return on investment: they go exactly as far as they need to stay one step ahead of protection mechanisms, and no further. Another well-known saying applies here too: a chain is only as strong as its weakest link, and in this case the weakest link is Java.
Here at Kaspersky Lab, we will continue to study the landscape for the rest of the year and will closely follow any interesting changes to the attack vectors.