# Exploit kit

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Exploit_kit
> Markdown URL: https://mediated.wiki/source/Exploit_kit.md
> Source: https://en.wikipedia.org/wiki/Exploit_kit
> Source revision: 1292260615
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

{{short description|Collection of security exploit tools}}
{{use dmy dates|date=April 2022}}

An '''exploit kit''' is a tool used for automatically managing and deploying [exploits](/source/Exploit_(computer_security)) against a target computer. Exploit kits allow attackers to deliver [malware](/source/malware) without having advanced knowledge of the exploits being used. [Browser exploit](/source/Browser_exploit)s are typically used, although they may also include exploits targeting common software, such as [Adobe Reader](/source/Adobe_Reader), or the [operating system](/source/operating_system) itself. Most kits are written in [PHP](/source/PHP).<ref name="mb-tools"/>

Exploit kits are often sold on the [black market](/source/black_market), both as standalone kits, and as a [service](/source/Software_as_a_service).

==History==

Some of the first exploit kits were [WebAttacker](/source/WebAttacker) and [MPack](/source/MPack_(software)), both created in 2006. They were sold on black markets, enabling attackers to use exploits without advanced knowledge of [computer security](/source/computer_security).<ref name="Evolution of Exploit Kits">{{Cite web |last1=Chen |first1=Joseph |last2=Li |first2=Brooks |title=Evolution of Exploit Kits |url=https://documents.trendmicro.com/assets/wp/wp-evolution-of-exploit-kits.pdf |access-date=2022-04-08 |publisher=[Trend Micro](/source/Trend_Micro)}}</ref><ref name="Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar">{{Cite web |year=2014 |title=Markets for Cybercrime Tools and Stolen Data |url=https://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf |publisher=[RAND Corporation](/source/RAND_Corporation)}}</ref>

The [Blackhole exploit kit](/source/Blackhole_exploit_kit) was released in 2010, and could either be purchased outright, or rented for a fee.<ref>{{Cite web |date=2013-10-09 |title=Blackhole malware exploit kit suspect arrested |url=https://www.bbc.com/news/technology-24456988 |access-date=2022-04-08 |website=BBC News |language=en-GB}}</ref> Malwarebytes stated that Blackhole was the primary method of delivering malware in 2012 and much of 2013.<ref name="mwb-threat-2013">{{Cite web |last=Kujawa |first=Adam |date=2013-12-04 |title=Malwarebytes 2013 Threat Report |url=https://blog.malwarebytes.com/security-world/2013/12/malwarebytes-2013-threat-report/ |access-date=2022-04-08 |website=Malwarebytes Labs |language=en-US}}</ref> After the arrest of the authors in late 2013, use of the kit sharply declined.<ref name="mwb-threat-2013" /><ref>{{Cite web |last=Zorabedian |first=John |date=9 October 2013 |title=Is the Blackhole exploit kit finished? |url=https://news.sophos.com/en-us/2013/10/09/is-the-blackhole-exploit-kit-finished/ |access-date=3 April 2022 |website=Sophos News}}</ref><ref>{{Cite web |last=Fisher |first=Dennis |title=Blackhole and Cool Exploit Kits Nearly Extinct |url=https://threatpost.com/blackhole-and-cool-exploit-kits-nearly-extinct/103034/ |access-date=3 April 2022 |website=threatpost.com |date=26 November 2013 |language=en}}</ref>

Neutrino was first detected in 2012,<ref name="cyware-neutrino">{{Cite web |title=Neutrino Exploit kit: A walk-through into the exploit kit's campaigns distributing various ransomware |url=https://cyware.com/news/neutrino-exploit-kit-a-walk-through-into-the-exploit-kits-campaigns-distributing-various-ransomware-cb14cdb8 |access-date=2022-04-08 |website=Cyware Labs |language=en}}</ref> and was used in a number of [ransomware](/source/ransomware) campaigns. It exploited vulnerabilities in [Adobe Reader](/source/Adobe_Reader), the [Java Runtime Environment](/source/Java_Runtime_Environment), and [Adobe Flash](/source/Adobe_Flash).<ref name="mwb-neutrino">{{Cite web |title=Neutrino |url=https://blog.malwarebytes.com/threats/neutrino/ |access-date=2022-04-08 |website=Malwarebytes Labs |language=en-US}}</ref> Following a joint operation between [Cisco Talos](/source/Cisco_Talos) and [GoDaddy](/source/GoDaddy) to disrupt a Neutrino [malvertising](/source/malvertising) campaign,<ref>{{Cite web |title=Malvertising Campaign Pushing Neutrino Exploit Kit Shut Down |url=https://threatpost.com/malvertising-campaign-pushing-neutrino-exploit-kit-shut-down/120322/ |access-date=2022-04-08 |website=threatpost.com |date=September 2016 |language=en}}</ref> the authors stopped selling the kit, deciding to only provide support and updates to previous clients. Despite this, development of the kit continued, and new exploits were added.<ref>{{Cite web |title=Former Major Player Neutrino Exploit Kit Has Gone Dark |url=https://www.bleepingcomputer.com/news/security/former-major-player-neutrino-exploit-kit-has-gone-dark/ |access-date=2022-04-08 |website=[Bleeping Computer](/source/Bleeping_Computer) |language=en-us}}</ref> As of April 2017, Neutrino activity ceased.<ref>{{Cite web |last=Schwartz |first=Mathew |date=2017-06-15 |title=Neutrino Exploit Kit: No Signs of Life |url=https://www.bankinfosecurity.com/neutrino-exploit-kit-no-signs-life-a-9999 |access-date=2022-04-08 |website=www.bankinfosecurity.com |language=en}}</ref> On June 15, 2017, [F-Secure](/source/F-Secure) tweeted "R.I.P. Neutrino exploit kit. We'll miss you (not)." with a graph showing the complete decline of Neutrino detections.<ref>{{Cite tweet |number=875275005625597953 |user=FSLabs |title=R.I.P. Neutrino exploit kit. We'll miss you (not). |author=[F-Secure](/source/F-Secure)}}</ref>

From 2017 onwards, the usage of exploit kits has dwindled. There are a number of factors which may have caused this, including arrests of cybercriminals, improvements in security making exploitation harder, and cybercriminals turning to other methods of malware delivery, such as [Microsoft Office](/source/Microsoft_Office) [macros](/source/Macro_virus) and [social engineering](/source/Social_engineering_(security)).<ref>{{Cite web |title=Where Have All The Exploit Kits Gone? |url=https://threatpost.com/where-have-all-the-exploit-kits-gone/124241/ |access-date=2022-04-08 |website=threatpost.com |date=15 March 2017 |language=en}}</ref>

There are many systems that work to protect against attacks from exploit kits. These include [gateway anti-virus](/source/Antivirus_software), intrusion prevention, and anti-spyware. These protections can also be obtained as a continuously updated subscription service, which helps subscribers keep their defences current against attacks.<ref>{{Cite journal |last=Malecki |first=Florian |date=June 2013 |title=Defending your business from exploit kits |url=https://linkinghub.elsevier.com/retrieve/pii/S1361372313700563 |journal=Computer Fraud & Security |language=en |volume=2013 |issue=6 |pages=19–20 |doi=10.1016/S1361-3723(13)70056-3|url-access=subscription }}</ref>

==Overview==
===Exploitation process===
The general process of exploitation by an exploit kit is as follows:

# The victim navigates to a website infected by an exploit kit. Links to infected pages can be spread via [spam](/source/Spamming), [malvertising](/source/malvertising), or by compromising legitimate sites.
# The victim is redirected to the landing page of the exploit kit.
# The exploit kit determines which vulnerabilities are present, and which exploit to deploy against the target.
# The exploit is deployed. If successful, a payload of the attacker's choosing (i.e. malware) can then be deployed on the target.<ref name="mb-tools">{{Cite web |last=Cannell |first=Joshua |date=2013-02-11 |title=Tools of the Trade: Exploit Kits |url=https://blog.malwarebytes.com/cybercrime/2013/02/tools-of-the-trade-exploit-kits/ |access-date=2022-04-08 |website=Malwarebytes Labs |language=en-US}}</ref><ref>{{Cite web |title=exploit kit - Definition |url=https://www.trendmicro.com/vinfo/us/security/definition/exploit-kit |access-date=2022-04-08 |publisher=[Trend Micro](/source/Trend_Micro)}}</ref>
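The four steps above leave a recognisable trail in web proxy logs: a redirect away from a known site, an HTML landing page on a host nobody has seen before, a plug-in document (Flash, Java or PDF) fetched from that host, and then a binary from the same host. The following detector is an added example, not code from the article or from any exploit kit; it assumes a constructed, simplified log format (`<epoch> <client-ip> <host> <path> <status> <content-type>`, one request per line), placeholder host names, and an allow-list of known hosts that a real deployment would take from an asset inventory or a historical baseline.

```python
"""Flag exploit-kit-style delivery chains in web proxy logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. Client 10.0.0.5 is bounced from an ad host to an
# unknown host that serves a landing page, a Flash file and a binary;
# client 10.0.0.9 browses the same site without incident. Hosts are placeholders.
SAMPLE_LOG = """\
1000 10.0.0.5 news.example.org /index.html 200 text/html
1001 10.0.0.5 ads.example.org /banner.js 200 application/javascript
1002 10.0.0.5 ads.example.org /click 302 text/html
1003 10.0.0.5 x7q2.example.net /lp/index.php 200 text/html
1004 10.0.0.5 x7q2.example.net /lp/plugin.swf 200 application/x-shockwave-flash
1005 10.0.0.5 x7q2.example.net /lp/load.php 200 application/octet-stream
1200 10.0.0.9 news.example.org /index.html 200 text/html
1201 10.0.0.9 cdn.example.org /style.css 200 text/css
"""

# Assumed allow-list of hosts the organisation already knows.
KNOWN_HOSTS = {"news.example.org", "ads.example.org", "cdn.example.org"}
# Content types of the plug-in documents exploit kits historically targeted.
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive", "application/pdf"}
# Content types typical of a dropped executable payload.
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}
WINDOW_SECONDS = 60  # the whole chain must complete within this window (assumed)


@dataclass
class Request:
    ts: int
    client: str
    host: str
    path: str
    status: int
    ctype: str


def parse_log(text):
    """Parse the constructed log format into Request records."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, status, ctype = line.split()
        requests.append(Request(int(ts), client, host, path, int(status), ctype))
    return requests


def detect_chains(requests, known_hosts=KNOWN_HOSTS, window=WINDOW_SECONDS):
    """Return one alert per redirect -> landing -> plug-in -> payload chain seen per client."""
    by_client = defaultdict(list)
    for r in requests:
        by_client[r.client].append(r)

    alerts = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r.ts)
        for i, redir in enumerate(reqs):
            # Step 1: a 3xx leaving a host we know (compromised site or ad network).
            if not (300 <= redir.status < 400 and redir.host in known_hosts):
                continue
            later = [r for r in reqs[i + 1:] if r.ts - redir.ts <= window]
            # Step 2: the first HTML page on an unknown host is the candidate landing page.
            landing = next(
                (r for r in later
                 if r.host not in known_hosts and r.status == 200 and r.ctype == "text/html"),
                None,
            )
            if landing is None:
                continue
            # Steps 3-4: the same host then serves a plug-in document and a binary.
            same_host = [r for r in later if r.host == landing.host and r.ts >= landing.ts]
            exploits = [r.path for r in same_host if r.ctype in EXPLOIT_TYPES]
            payloads = [r.path for r in same_host if r.ctype in PAYLOAD_TYPES]
            if exploits and payloads:
                alerts.append({
                    "client": client,
                    "redirector": redir.host,
                    "landing": landing.host + landing.path,
                    "exploit_files": exploits,
                    "payload_files": payloads,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the detector raises exactly one alert, for client 10.0.0.5, naming the redirecting host, the landing page and the plug-in and payload paths; the second client never triggers because no redirect leaves a known host. The allow-list and the 60-second window are the two knobs a SOC would tune: a short window keeps unrelated browsing out of a chain, and a good baseline of known hosts is what makes "first visit to an unknown host right after a redirect" a useful signal.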

===Features===
Exploit kits employ a variety of [evasion techniques](/source/Evasion_(network_security)) to avoid detection. Some of these techniques include [obfuscating](/source/Obfuscation_(software)) the code,<ref>{{Cite web |date=2014-11-12 |title=Exploit Kits Improve Evasion Techniques |url=https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-exploit-kits-improve-evasion-techniques/ |access-date=2022-04-08 |website=McAfee Blog |language=en-US}}</ref> and using [fingerprinting](/source/Device_fingerprint) to ensure malicious content is only delivered to likely targets.<ref>{{Cite web |date=2016-01-11 |title=Angler Exploit Kit Continues to Evade Detection: Over 90,000 Websites Compromised |url=https://unit42.paloaltonetworks.com/angler-exploit-kit-continues-to-evade-detection-over-90000-websites-compromised/ |access-date=2022-04-08 |website=Unit42 |language=en-US}}</ref><ref name="mb-tools"/>
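Obfuscated landing-page scripts tend to share a few surface traits that a content filter can score without executing anything: calls to decoding or dynamic-execution primitives, very long packed string literals, and a high density of hex or percent escapes. The scorer below is an added example, not code from the article or from any kit; the traits, weights and cut-off are assumptions chosen for illustration, and both sample scripts are constructed (the "obfuscated" one is a harmless snippet whose percent-encoded body decodes to simple arithmetic).

```python
"""Heuristic obfuscation score for a script served by a web page (added example)."""
import math
import re

# Decoding / dynamic-execution primitives that packed scripts lean on (assumed list).
SUSPICIOUS_CALLS = ("eval(", "unescape(", "fromCharCode(", "document.write(", "Function(")
STRING_LITERAL = re.compile(r'"[^"\n]*"|\'[^\'\n]*\'')
ESCAPE = re.compile(r'\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}')
SUSPICIOUS_THRESHOLD = 5  # assumed cut-off for the combined score

# Constructed benign script: ordinary DOM code with short literals and no decoding.
BENIGN = """
function renderMenu(items) {
  var list = document.getElementById("menu");
  for (var i = 0; i < items.length; i++) {
    var li = document.createElement("li");
    li.textContent = items[i].title;
    list.appendChild(li);
  }
}
"""

# Constructed "obfuscated" script: hex-escaped names, a fromCharCode loop and an
# eval(unescape(...)) wrapper around a long percent-encoded string that decodes
# to harmless arithmetic (var x=1;var y=2;...).
OBFUSCATED = (
    'var _0xa1=["\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74","\\x77\\x72\\x69\\x74\\x65"];'
    'var s="";for(var i=0;i<_0xa1.length;i++){s+=String.fromCharCode(_0xa1[i].charCodeAt(0)^7);}'
    'eval(unescape("%76%61%72%20%78%3d%31%3b%76%61%72%20%79%3d%32%3b%76%61%72%20%7a%3d%78%2b%79%3b'
    '%76%61%72%20%77%3d%7a%2a%32%3b%76%61%72%20%76%3d%77%2d%78%3b%76%61%72%20%75%3d%76%2f%79%3b'
    '%76%61%72%20%74%3d%75%2b%31%3b%76%61%72%20%71%3d%74%2a%74%3b%76%61%72%20%70%3d%71%2d%32%3b"));'
)


def shannon_entropy(text):
    """Bits per character of the text (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(script):
    """Score the script's obfuscation traits and return score, verdict and reasons."""
    score = 0
    reasons = []

    hits = [call for call in SUSPICIOUS_CALLS if call in script]
    if hits:
        score += 2 * len(hits)
        reasons.append("dynamic-code primitives: " + ", ".join(hits))

    longest = max((len(m) for m in STRING_LITERAL.findall(script)), default=0)
    if longest > 200:  # packed payloads usually live in one huge literal
        score += 3
        reasons.append(f"long string literal ({longest} chars)")

    escapes = len(ESCAPE.findall(script))
    if escapes > 20:
        score += 2
        reasons.append(f"{escapes} hex/percent escapes")

    entropy = shannon_entropy(script)
    if entropy > 5.2:  # weak signal on its own, so it carries little weight
        score += 1
        reasons.append(f"high entropy ({entropy:.2f} bits/char)")

    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign"
    return {"score": score, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("obfuscated", OBFUSCATED)):
        print(name, classify(sample))
```

The benign sample scores at most one point (entropy alone), while the constructed packed sample collects points for three decoding primitives, a literal longer than 200 characters and dozens of escapes. Entropy is deliberately given the smallest weight because ordinary minified code can be dense too; the combination of traits, not any single one, is what separates the two. A real filter would feed scores like this into sandboxing or manual review rather than blocking on them outright.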

Modern exploit kits include features such as [web interfaces](/source/Web_application) and statistics, tracking the number of visitors and victims.<ref name="mb-tools"/>

== See also ==
{{columns-list|colwidth=30em|
* [Dendroid (Malware)](/source/Dendroid_(Malware))
* [Trojan horse (computing)](/source/Trojan_horse_(computing))
* [Spyware](/source/Spyware)
* [Botnet](/source/Botnet)
* [Computer virus](/source/Computer_virus)
* [Backdoor (computing)](/source/Backdoor_(computing))
* [Tiny Banker Trojan](/source/Tiny_Banker_Trojan)
* [Zeus (malware)](/source/Zeus_(malware))
* [Gameover ZeuS](/source/Gameover_ZeuS)
}}

== References ==
{{reflist}}

Category:Malware toolkits
Category:Spyware
Category:Computer security exploits

---
Adapted from the Wikipedia article [Exploit kit](https://en.wikipedia.org/wiki/Exploit_kit) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Exploit_kit?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
