Friday, January 14, 2011

Exploit packs


Exploit packs are very commonly used in today’s drive-by attacks. An exploit pack is a set of programs that exploit vulnerabilities in legitimate software programs running on the victim machine. In other words, the exploits open a sort of back door via which malicious programs can infect the computer. Since attacks on the web take place through the browser, cybercriminals need to exploit vulnerabilities in the browser, in browser add-ons, or in third-party software which is used by the browser to process content. The main purpose of exploit packs is to download and launch executable malicious files without the user noticing.
The screenshot below shows a typical set of add-ons for Firefox. The versions with vulnerabilities that have been exploited in previous attacks against users are highlighted. Furthermore, other vulnerabilities have been identified (and exploited) in Firefox itself.

Today, exploit packs represent the evolutionary peak of drive-by download attacks, and are regularly modified and updated. This is to ensure that they both include exploits for new vulnerabilities and are able to effectively counteract security measures.
Exploit packs have consolidated their niche on the cybercrime services market. At present, there are a great many exploit packs for sale on the black market; they differ in terms of price, the number of exploits included, the usability of the admin interface, and the level of customer service offered. In addition to the “off-the-shelf” exploit packs offered for sale, exploit packs can also be made to order, a service that is used by some cybercrime gangs.

As an example, let’s take a look at one of the most common exploit packs currently on open sale: Crimepack Exploit System.
Crimepack features its own control panel with a high-quality user interface.


Crimepack admin panel: the authentication screen
The admin panel web interface can be used to modify the configuration of the exploit pack. It also provides statistics on the number of downloads, successful exploits, and the operating systems and browsers running on victim computers.
Crimepack’s statistics page in the admin panel

The exploit pack itself is an encrypted and obfuscated HTML page that includes JavaScript.


Crimepack exploits: source code

Analysis of the decrypted page makes it possible to trace Crimepack’s main functionality. The script within the page attempts, at set intervals, to exploit vulnerabilities in Internet Explorer, DirectX, Java, and Adobe Reader. During exploit attempts, a range of components are used, including malicious PDF and JAR files, which are loaded as the original script runs.

Crimepack exploits: main functionality

By early July 2010, Crimepack Exploit System had reached its third version, which contains 14 exploits targeting Microsoft, Adobe, Mozilla, and Opera products.
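As an added example (not from the original article, and not Crimepack’s own code), here is a defender-side heuristic in Python that scores an HTML page for the landing-page traits the article describes: heavy use of decoding calls such as unescape and eval, one very long encoded string literal, timer-driven execution, and references to JAR or PDF payloads. The two sample pages, the indicator weights and the threshold are all constructed assumptions for illustration; the hex-looking blob is repeated filler, not real exploit content.

```python
import math
import re

# Indicators drawn from the article's description of an obfuscated landing page.
DECODE_CALLS = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
TIMER_CALLS = re.compile(r"\b(setTimeout|setInterval)\s*\(")
PLUGIN_REFS = re.compile(r"(<applet\b|<object\b|<embed\b|\.jar\b|\.pdf\b)", re.IGNORECASE)
# A quoted string literal: opening quote, shortest run to the same quote.
STRING_LITERALS = re.compile(r'''(['"])(.*?)\1''')


def shannon_entropy(text: str) -> float:
    """Bits per character of the given text (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_literal(html: str) -> str:
    """Return the longest quoted string literal found in the page."""
    best = ""
    for m in STRING_LITERALS.finditer(html):
        if len(m.group(2)) > len(best):
            best = m.group(2)
    return best


def score_landing_page(html: str) -> dict:
    """Count the indicators and combine them into a simple weighted score.

    Weights and thresholds are assumptions for illustration; tune them
    against a real corpus of benign and known-malicious pages.
    """
    literal = longest_literal(html)
    ind = {
        "decode_calls": len(DECODE_CALLS.findall(html)),
        "timer_calls": len(TIMER_CALLS.findall(html)),
        "plugin_refs": len(PLUGIN_REFS.findall(html)),
        "longest_literal": len(literal),
        "literal_entropy": round(shannon_entropy(literal), 2),
    }
    score = 0
    if ind["decode_calls"] >= 2:          # several decode/write calls chained together
        score += 2
    if ind["longest_literal"] >= 512:     # one big encoded blob in a string literal
        score += 2
    if ind["timer_calls"] and ind["plugin_refs"]:  # timed attempts that pull in plugin content
        score += 2
    if ind["plugin_refs"] >= 2:           # more than one plugin payload referenced
        score += 1
    ind["score"] = score
    ind["suspicious"] = score >= 4
    return ind


# Constructed benign page: a timer, but no decoding calls, blobs or plugin payloads.
BENIGN_HTML = """<html><head><title>Store</title>
<script>
function show(id) { document.getElementById(id).style.display = 'block'; }
setTimeout(function () { show('promo'); }, 3000);
</script></head><body><div id="promo">Sale today</div></body></html>"""

# Constructed suspicious page modelled on the traits above. BLOB is filler,
# not shellcode; the JAR and PDF file names are placeholders.
BLOB = "%u4141%u4242" * 200
SUSPICIOUS_HTML = (
    "<html><body><script>\n"
    'var p="' + BLOB + '";\n'
    "var s=unescape(p);eval(String.fromCharCode(118,97,114));\n"
    "var i=0;function t(){i++;\n"
    "if(i==1){document.write('<applet archive=\"x.jar\" code=\"a.class\"></applet>');}\n"
    "if(i==2){document.write('<object data=\"x.pdf\"></object>');}\n"
    "setTimeout(t,2000);}t();\n"
    "</script></body></html>"
)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(name, score_landing_page(page))
```

A heuristic like this is a triage aid for a proxy log or a sandbox, not a verdict: legitimate minified pages also use long literals and timers, so the weights should be calibrated on known-good traffic and the flagged pages handed to a sandbox or an analyst.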
