HP Security Expert: Exploit Kits More Sophisticated, Harder to Detect

At the Black Hat show, Jason Jones of HP will discuss the evolving nature of Web exploit kits, which increasingly are targeting Java vulnerabilities.

Web exploit kits are getting more complex and harder to detect, and the cyber-criminals developing such toolkits as Blackhole and Phoenix are themselves becoming more sophisticated as they leverage a more traditional software business model, according to a security expert from Hewlett-Packard.

In addition, these attackers are increasingly targeting Java in their efforts, finding that many enterprises and consumers are failing to apply fixes in a timely fashion, making themselves more vulnerable, according to Jason Jones, the team lead for advanced security intelligence for HP’s DVLabs.

“All these guys are [constantly improving] their stuff and they take what they do seriously,” Jones told eWEEK in a recent interview.

Jones is scheduled to give a presentation July 26 at the Black Hat 2012 show in Las Vegas, outlining his research into some of the more common Web exploit toolkits on the market, including Blackhole and Phoenix.

Exploit toolkits are becoming an increasingly popular way for cyber-criminals to attack vulnerabilities in systems, he said. They have proven to be easy to use and easy to adapt, and people can make a lot of money not only using these kits, but also developing and leasing them to others, sometimes for thousands of dollars a month.

At the same time, toolkit developers are creating more of a traditional software model around the malware—sending out updates, making fixes, offering basic quality-assurance guarantees, making the toolkits easier to install—and changing the coding just enough to make it difficult to detect and combat the toolkits.

And by making the exploit toolkits easier to install and use, developers are now finding a larger number of people to sell to, Jones said.

“You’ve just actually increased your user base,” he said, adding that when others “see something that’s very successful, they’re going to run with it.”

For several years, the Phoenix toolkit was among the most popular, though it has been eclipsed over the past year by the Blackhole platform. A report by researchers at M86 Security in February found that of the malicious URLs identified between July and December 2011, Blackhole was the source of about 95 percent of them. More than half of the most common exploits during those months could be launched using Blackhole, including those targeting vulnerabilities in Adobe, Java and Microsoft products.

By contrast, M86 found that Phoenix infected only 1.3 percent of the links analyzed. The researchers suggested that Blackhole's growing popularity could come from the fact that last year, the people behind the kit made the source code available for free for anyone to download and modify. A commercial version of the kit sells for about $1,500 in the criminal underground, they said.

Blackhole developers also are good at what Jones calls “obfuscation techniques,” where they will change the coding just enough to make it difficult to detect and identify.

Other exploit toolkits also are being developed to be difficult to detect. One coming out of Russia, dubbed “Sweet Orange,” has been hard to nail down because the people behind it are being particularly careful in how they give out information and sell the kit. There aren’t any samples available on the Internet, Jones said.

Increasingly, attackers are targeting Java vulnerabilities to exploit, he said. The success rate in attacking Java is high, in large part because users are slow to deploy available security updates. A typical success rate for a Java exploit is 12 to 14 percent, he said, adding that a Java exploit incorporated into Blackhole last year had a success rate of more than 80 percent. Because of this, the amount of malware targeting Java has increased, and that trend will continue as long as people are lax in updating the security.

Jones also urged Oracle—which took over Java after buying Sun Microsystems in 2010—to be more forceful in its messages to users about updating Java.

The development of exploit toolkits also is beginning to expand geographically, he said. Most toolkits are created by people in Russia and Eastern Europe. However, a small but growing number of toolkits are coming out of China, though they are less sophisticated and might not have all the features of other malware, such as complex user interfaces, Web administration tools or control panels. However, it’s an indication that the money that can be made via Web exploit toolkits is fueling interest worldwide.

“They’ll continue to [migrate] to other regions,” Jones said. “It’s becoming too much of a profitable market [attracting] people who might want to do this.”

Until that changes, there will continue to be a booming market for successful exploit toolkits like Blackhole and Phoenix.

“These guys really aren’t doing anything really sophisticated,” Jones said. “They’re doing enough to keep themselves making money and avoiding detection.”