Manufacturing Compromise: The Emergence of Exploit-as-a-Service

We investigate the emergence of the exploit-as-a-service model for
driveby browser compromise. In this regime, attackers pay for an
exploit kit or service to do the “dirty work” of exploiting a victim’s
browser, decoupling the complexities of browser and plugin
vulnerabilities from the challenges of generating traffic to a website
under the attacker’s control. Upon a successful exploit, these
kits load and execute a binary provided by the attacker, effectively
transferring control of a victim’s machine to the attacker.
In order to understand the impact of the exploit-as-a-service
paradigm on the malware ecosystem, we perform a detailed analysis
of the prevalence of exploit kits, the families of malware installed
upon a successful exploit, and the volume of traffic that malicious
web sites receive. To carry out this study, we analyze 77,000
malicious URLs received from Google Safe Browsing, along with
a crowd-sourced feed of blacklisted URLs known to direct to exploit
kits. These URLs led to over 10,000 distinct binaries, which
we ran in a contained environment.
Our results show that many of the most prominent families of
malware now propagate through driveby downloads—32 families
in all. Their activities are supported by a handful of exploit kits,
with Blackhole accounting for 29% of all malicious URLs in our
data, followed in popularity by Incognito. We use DNS traffic from
real networks to provide a unique perspective on the popularity of
malware families based on the frequency that their binaries are installed
by drivebys, as well as the lifetime and popularity of domains
funneling users to exploits.
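The last sentence of the abstract describes a measurement, not a technique: given DNS query traffic and a blacklist of domains known to lead to exploit kits, derive each domain's lifetime (first to last query seen) and popularity (query and client counts), then aggregate by kit. The following Python is an added illustration of that kind of computation and is not code from the paper or its authors; the log format (`timestamp client qname`), the hostnames, the client addresses and the domain-to-kit mapping are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS style records, one query per line: "timestamp client qname".
# Hostnames, addresses and timestamps are made up for this example.
SAMPLE_DNS_LOG = """\
2012-03-01T08:15:00 10.0.0.5 landing-example-a.test
2012-03-01T09:20:00 10.0.0.7 landing-example-a.test
2012-03-02T11:00:00 10.0.0.5 landing-example-a.test
2012-03-04T12:30:00 10.0.0.9 landing-example-a.test
2012-03-02T10:00:00 10.0.0.7 landing-example-b.test
2012-03-02T10:05:00 10.0.0.7 landing-example-b.test
2012-03-03T14:00:00 10.0.0.5 benign-site.test
"""

# Constructed blacklist: domain -> exploit kit it is known to funnel users to.
# In the study this role is played by a crowd-sourced feed; the mapping here is an assumption.
KIT_BLACKLIST = {
    "landing-example-a.test": "Blackhole",
    "landing-example-b.test": "Incognito",
}


def parse_dns_log(text):
    """Parse the whitespace-separated log into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, qname = line.split()
        # Normalise the query name so case and trailing dots do not split one domain in two.
        records.append((datetime.fromisoformat(ts), client, qname.lower().rstrip(".")))
    return records


def domain_stats(records, blacklist):
    """Per blacklisted domain: kit, first/last seen, lifetime in days, query and client counts."""
    stats = {}
    for ts, client, qname in records:
        kit = blacklist.get(qname)
        if kit is None:
            continue  # only domains on the exploit-kit blacklist are measured
        s = stats.setdefault(qname, {
            "kit": kit, "first_seen": ts, "last_seen": ts, "queries": 0, "clients": set(),
        })
        s["first_seen"] = min(s["first_seen"], ts)
        s["last_seen"] = max(s["last_seen"], ts)
        s["queries"] += 1
        s["clients"].add(client)
    for s in stats.values():
        # Lifetime is the span between first and last observed query, in whole days.
        s["lifetime_days"] = (s["last_seen"] - s["first_seen"]).days
        s["clients"] = len(s["clients"])  # distinct clients that resolved the domain
    return stats


def kit_popularity(stats):
    """Aggregate the per-domain figures by exploit kit: domain count and total queries."""
    out = defaultdict(lambda: {"domains": 0, "queries": 0})
    for s in stats.values():
        out[s["kit"]]["domains"] += 1
        out[s["kit"]]["queries"] += s["queries"]
    return dict(out)


if __name__ == "__main__":
    per_domain = domain_stats(parse_dns_log(SAMPLE_DNS_LOG), KIT_BLACKLIST)
    for domain, s in sorted(per_domain.items()):
        print(f"{domain}: kit={s['kit']} lifetime={s['lifetime_days']}d "
              f"queries={s['queries']} clients={s['clients']}")
    print(kit_popularity(per_domain))
```

On real resolver logs the same two functions apply unchanged; the blacklist lookup is the only place where the feed of known exploit-kit domains enters, so swapping in a larger feed or adding a time window for "lifetime" is a local change.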
