Summary
Cybercriminals have turned their attention away from exploiting Windows operating systems to pursuing the popular third-party applications installed on nearly every PC around the world. That is why patch management has become a critical layer in your malware defense.
If you've had the sense lately that cyber traps are everywhere, just waiting for your users to open an infected document or click a compromised URL, you would be justified. Despite tireless efforts by software and security vendors to foil cybercriminals, malware continues to snowball, much of it these days infecting machines via exploit kits purchased from black market websites.
Exploit kits are sold as commercial products in what has become a cottage industry of cyber malfeasance that law enforcement finds extremely difficult to contain. Even when kit creators are caught and arrested, as was the case in October 2013 with the author of the infamous Blackhole kit, malicious code remains in the ether, just waiting for another cybercrime entrepreneur to seed his or her own malware venture with it.
Indeed, the crimeware industry's potential for growth rivals any legitimate fast-expanding corporate entity backed by Wall Street, with new kits hitting the vast underground cybercrime market at a relentless pace. Recently, Zero-day attacks delivered through exploit kits such as Elderwood caused a lot of grief, targeting defense firms, human rights organizations, technology and supply-chain companies. [1]
Malware is big business. At least one exploit kit has pulled in as much as $50,000 a day, according to Microsoft. [2] That adds up to receipts of more than $18 million a year. Multiply that by 10 or 20 other exploit kits, and you can see just how much profit crimeware has the potential to generate. In the December 2013 Microsoft Security Intelligence Report, the vendor offered this perspective: "Such numbers are increasingly attractive to criminals and this is likely to be just the tip of the iceberg in terms of revenue from an exploit."
While crimeware generates handsome profits for cyber-attackers, it creates enormous expenses for the business world. As a whole, the cost of cybercrime, including exploit kits, now tops $100 billion a year. [3] The amount is bound to continue increasing unless businesses, government agencies and all organizations connected to the Internet collectively get better at fighting cybercrime.
Exploit Kits: Cybercrime's Growth Industry
This means fortifying defenses on the front lines, the endpoints, with comprehensive antivirus (AV) protection and automated patch management. Those protections need to be backed by additional layers of network security, such as firewalls, gateway appliances and emerging advanced threat defenses that combine behavior analysis and predictive threat intelligence to combat data-breaching malware.
No Expertise Required
Early exploit kits, first introduced in 2006 with Web Attacker, required some technical sophistication to use. But that changed in 2010 with Blackhole, which made kits accessible to novice cybercriminals looking to exploit both publicly known software vulnerabilities (those catalogued as Common Vulnerabilities and Exposures, or CVEs) and Zero-day vulnerabilities that cybercriminals keep secret (for obvious reasons) in popular applications such as Internet Explorer, Adobe Acrobat and the Java runtime.
These vulnerabilities are flaws, weaknesses or mistakes in software that hackers can exploit to access a system or network. They enable hackers to execute commands as the user, get around data restrictions to gain access to otherwise protected systems and data, and even conduct a denial-of-service (DoS) attack.
To take advantage of those vulnerabilities, exploit authors for years have taken a page from the legitimate software development world to offer their cybercriminal customers user-friendly web interfaces and advanced features downloadable at affordable prices. Anyone with a criminal motivation can now give cybercrime a try.
The resulting exploits contain code with commands to take advantage of vulnerabilities to trigger unintended behavior in software and hardware, such as a DoS or taking control of a system. Today, the list of exploit kits has grown into an ever-expanding catalog of colorful names like Eleonore, Phoenix, Sakura, Elderwood, Neutrino, Sweet Orange, Styx, Angler, Nuclear, Hello, Infinity, Glazunov, Sibhost, and of course Blackhole.
Blackhole attacks peaked in 2012. They came in various forms, including spam with fake offers of free Microsoft Windows 8 licenses, [4] bogus Apple iTunes invoices [5] with inflated balances, and offers of fake antivirus products. [6] Spam recipients inevitably would click on links that steered them to websites hosting infected files.
Neutrino delivers its payloads by targeting Java vulnerabilities. It has used browser plugin detectors to identify target environments, including multiple versions of browsers, Java, Adobe Flash and Adobe Reader.
Elderwood exploits are packaged and delivered for ease of use by cyber miscreants to deliver Zero-day attacks. It targets vulnerabilities in applications such as Adobe's Flash and Microsoft's Internet Explorer to snoop around computers.
Elderwood was behind a series of attacks against defense-related companies, people involved in human rights campaigns and IT and supply-chain firms in the so-called Operation Aurora attacks, according to PCWorld. [7] A series of Elderwood-based Zero-day attacks targeting IE led Microsoft to issue emergency patches [8] even for the unsupported Windows XP.
Luring the Victim
Exploit kits target endpoints like PCs, laptops and workstations to exploit vulnerabilities in popular software applications from vendors such as Microsoft, Google, Adobe, Oracle and Mozilla. Attackers employ tried-and-true methods such as spam, phishing, link-baiting on social media and SEO poisoning to trick users into clicking infected URLs or opening malicious files. Java, iTunes, Skype, Facebook, the Android operating system and PDF files have all been used in some way to deliver malicious payloads.
Attackers employ various methods to deliver payloads, but here is a preferred course of action:
1. An attacker hacks an existing website or creates one specifically to host an exploit, then chooses a payload to deliver to its target.
2. An end user receives a phishing email and clicks a link in the email that sends the user to the site hosting the exploit.
3. Clicking a link on the site or downloading a file causes the payload to be delivered.
4. The payload is downloaded to the victim's system and executed.
5. The malware corrupts files or steals information through a communication channel with the attacker.
[Figure: This fake Google Chrome update page looked real, but clicking the download button infected the user with an exploit kit.]
Often, unwitting users install infected files on their machines with no visible indication anything bad is happening. Such incidents are called drive-by malware attacks, which can happen by luring victims to compromised websites as described above or simply by browsing and landing on such a site by happenstance. Drive-by payloads include viruses that crash machines, remote-access software, spyware and key-loggers, and Trojans designed to steal data. [9]
Contributors to Malware's Success
Blackhole, Elderwood and other exploit kits succeed for several reasons. For one thing, wily malware authors know how to cover their tracks through hardened servers, redirects and frequently changing IP addresses. Cybercriminals design payloads to elude detection, exploit undiscovered vulnerabilities and deliver viruses for which AV vendors don't yet have signatures. Increasingly, payloads consist of advanced targeted attacks that go after specific individuals or organizations to access critical systems, spread malware and swipe intellectual property.
Human behavior also contributes to the success of malware. Curiosity is one factor, with users clicking links they shouldn't. In many cases, however, users have been told by IT staffs not to click on anything, even links from known sources. This is a good practice generally, which IT professionals encourage in their attempts to prevent phishing and other social engineering tactics that infect machines. But it also leads to users ignoring legitimate and necessary security patch prompts.
So even though software vendors have gotten better about reacting to new threats with regular patches, even issuing emergency fixes at times, users ignore them because they are conditioned not to click on links. Of course, failure to run updates and patches exposes the very vulnerabilities for which exploit kits are designed.
Suppliers and Sellers
By April of 2014, 67 million exploit kit-related events had already been detected for the year. [10] As already noted, kits are easy to access and use. Crimeware has created a cyber underground network that, much like a drug cartel, runs on trust between a web of suppliers and sellers. Kit authors who find the vulnerabilities profit handsomely by passing on the exploits to assorted hackers and spies.
[Figure: Adobe Flash is a popular target for exploit developers. By stealing this well-known brand, cybercriminals hoped to catch users off guard to infect PCs with this malicious site.]
VIPRE Patch Management Defends You Against Vulnerable Software
VIPRE Business Premium is the endpoint security solution that offers integrated patch management, seamlessly controlled from the VIPRE console. Here's how it works:
- Patch definitions for supported products are delivered within VIPRE definition updates.
- During a patch scan, the VIPRE agent compares the definitions' versions with the products installed.
- When a patch is needed, the agent software downloads the software from the vendor's site.
- The agent's call to download the patch goes through the VIPRE server as a caching proxy.
- The VIPRE server caches patches to limit bandwidth consumption.
VIPRE also provides users the flexibility to customize how their systems are patched by either fully automating the scanning and patching of all applications; automating scanning but deploying patches only when approved by the VIPRE admin; or manually initiating scans and patch deployment.
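As an added illustration of the patch-scan and caching-proxy steps described above (this is not VIPRE's own code; the definition format, product versions, download URLs and endpoint inventories are all assumed), the following Python models one patch cycle and shows why the version comparison in the scan must be numeric rather than textual:

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

def parse_version(version: str) -> Tuple[int, ...]:
    # Numeric comparison: "11.2.10" ranks above "11.2.9"; a string compare gets it backwards.
    return tuple(int(part) for part in version.split("."))

@dataclass(frozen=True)
class PatchDefinition:          # one entry of a hypothetical definition feed
    product: str
    fixed_version: str          # first version that contains the fix
    download_url: str           # the vendor's own download location

def patches_needed(definitions: List[PatchDefinition],
                   installed: Dict[str, str]) -> List[PatchDefinition]:
    # The patch scan: a definition applies only if the product is installed at a version older than the fix.
    return [d for d in definitions if d.product in installed and
            parse_version(installed[d.product]) < parse_version(d.fixed_version)]

class CachingProxy:
    # Server-side cache: the first request for a URL hits the vendor site,
    # every later agent asking for the same patch is served from the cache.
    def __init__(self, fetch_from_vendor: Callable[[str], bytes]):
        self._fetch, self._cache, self.vendor_downloads = fetch_from_vendor, {}, 0
    def get(self, url: str) -> bytes:
        if url not in self._cache:
            self._cache[url] = self._fetch(url)
            self.vendor_downloads += 1
        return self._cache[url]

# Constructed sample data: hypothetical versions and URLs, not real releases.
DEFINITIONS = [
    PatchDefinition("Java", "7.0.51", "https://vendor.example/java.msi"),
    PatchDefinition("Adobe Flash", "11.2.10", "https://vendor.example/flash.msi"),
    PatchDefinition("Adobe Reader", "10.1.4", "https://vendor.example/reader.msi"),
    PatchDefinition("Internet Explorer", "11.0.1", "https://vendor.example/ie.msu"),
]
ENDPOINTS = {  # hypothetical software inventories for two endpoints
    "pc-01": {"Java": "7.0.45", "Adobe Flash": "11.2.9", "Adobe Reader": "11.0.0"},
    "pc-02": {"Java": "7.0.40", "Adobe Reader": "10.1.4"},
}

def run_patch_cycle(proxy: CachingProxy) -> Dict[str, List[str]]:
    # Scan every endpoint, pull each needed patch through the proxy, report what was patched.
    patched = {}
    for name, installed in ENDPOINTS.items():
        needed = patches_needed(DEFINITIONS, installed)
        for d in needed:
            proxy.get(d.download_url)      # the agent's download goes via the proxy
        patched[name] = [d.product for d in needed]
    return patched
```

With these inventories, pc-01 needs Java and Flash, pc-02 needs only Java, and the two Java requests cost a single vendor download because the proxy serves the second from its cache.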
Learn more at www.ThreatTrackSecurity.com/VIPRE
To learn more about ThreatTrack Security call +1-855-885-5566 or visit www.ThreatTrackSecurity.com.
The information and content in this document is provided for informational purposes only and is provided as is with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. ThreatTrack Security, Inc. is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, ThreatTrack Security, Inc. makes no claim, promise or guarantee about the completeness, accuracy, relevancy or adequacy of information and is not responsible for misprints, out-of-date information, or errors. ThreatTrack Security, Inc. makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. All products mentioned are trademarks or registered trademarks of their respective companies.
Once the exploits become available on the Internet, the network of cybercriminals propagates them, with hackers modifying and customizing kits for their own purposes. This makes it almost impossible to eradicate crimeware from a law-enforcement perspective.
When Russian authorities arrested Paunch, the author of the popular Blackhole kit, in October 2013, crimeware propagation slowed a little, but no one really expected it to last long.
Kit-related events have continued. The most recent include attacks targeting the Firefox, Internet Explorer and Opera browsers, as well as flaws in Adobe Flash. The attacks are carried out using the Infinity kit, which hackers can buy in the underground malware-as-a-service market for $100 per day. [11] Infinity ads are written in Russian, indicating it may originate in an Eastern European country.
Fighting the Threat
Fighting exploit kit threats requires the right tools. For many organizations, endpoint protection with integrated patch management is an ideal solution: a single tool for malware defense and for eliminating the threat created by vulnerable software applications by ensuring all available patches are applied. Even the threats posed by exploits developed to evade detection by antivirus engines are nullified if the systems they encounter are fully patched.
Moreover, since users tend to ignore prompts for security patches and software updates, automated, centralized software patching takes users out of the equation, putting IT admins in charge of their endpoint security. Automated patch management is also an effective way to address the dozens, possibly hundreds, of patches software vendors issue each year. It makes it possible to run regularly scheduled software and network audits to identify potential problems and assess vulnerabilities. Patch management is quick and efficient, and as such, it is essential to fighting exploit kit threats.
Conclusion
With exploit kit threats on the rise, security patch management has never been more important. Setting up a routine, automated protocol is key to ensuring that patches aren't ignored, exposing the vulnerabilities that exploit kits are designed to target. To avoid becoming the next victim of an exploit kit attack, every organization needs to assess its security infrastructure and move fast to implement automated patch management alongside its AV solution.
About ThreatTrack Security Inc.
ThreatTrack Security specializes in helping organizations identify and stop Advanced Persistent Threats (APTs), targeted attacks and other sophisticated malware designed to evade the traditional cyber-defenses deployed by enterprises and government agencies around the world. The company develops advanced cybersecurity solutions that Expose, Analyze and Eliminate the latest malicious threats, including its ThreatSecure advanced threat detection and remediation platform, ThreatAnalyzer malware behavioral analysis sandbox, ThreatIQ real-time threat intelligence service, and VIPRE business antivirus endpoint protection.
1. PC World, Elderwood hackers continue to set pace for zero-day exploits, May 2014: http://www.pcworld.com/article/2156140/elderwood-hackers-continue-to-set-pace-for-zeroday-exploits.html
2. Microsoft.com, Microsoft Security Intelligence Report, December 2013: http://www.microsoft.com/security/sir/default.aspx
3. Business2Community.com, Staggering Cost of Malware Now Over $100 Billion a Year, June 2013: http://www.business2community.com/tech-gadgets/staggering-cost-of-malware-now-over-100-billion-a-year-0559763#!PzND1
4. ThreatTrack Security, Bogus Windows License Spam is in the Wild, October 2012: http://www.threattracksecurity.com/it-blog/bogus-windows-license-spam-is-in-the-wild/
5. ThreatTrack Security, Email Roundup for the week, November 2012: http://www.threattracksecurity.com/it-blog/gfi-labs-email-roundup-for-the-week-2/
6. Solutionary.com, Exploit Kits v1.0, January 2013: http://www.solutionary.com/_assets/pdf/sert-exploit-kit-overview-1174sr.pdf
7. PC World, Elderwood Hackers Continue to Set Pace for Zero-day Exploits, May 2014: http://www.pcworld.com/article/2156140/elderwood-hackers-continue-to-set-pace-for-zeroday-exploits.html
8. CRN, Microsoft Issues Emergency Internet Explorer Patch, May 2014: http://www.crn.com/news/security/300072693/microsoft-issues-emergency-internet-explorer-patch.htm
9. CIO.com, 6 Ways to Defend Against Drive-by Downloads, February 2012: http://www.cio.com/article/699970/6_Ways_to_Defend_Against_Drive_by_Downloads?page=2&taxonomyId=3089
10. Dark Reading, Advanced Attacks Are the New Norm, Study Says, April 2014: http://www.darkreading.com/informationweek-home/advanced-attacks-are-the-new-norm-study-says/d/d-id/1174127
11. SC Magazine, Infinity Exploit Targets IE, Firefox, Opera to Deliver Malware, May 2014: http://www.scmagazine.com/infinity-exploit-kit-targets-ie-firefox-opera-to-deliver-malware/article/347590/