Exploit kits: What are they and what is an exploit blocker?

Next story

What are exploit kits?

Unwary internet users may not realize that in the course of normal browsing they can be exposed to malicious exploit kits that lurk on some websites. Exploit kits consist of malicious code to exploit one or more potential vulnerabilities in common web browsing and document viewing software. More sophisticated exploit kits first scan the website visitors’ devices for vulnerable versions of such client software and then only target specific, vulnerable software versions in the attack.

To illustrate what a scan could look like, take a look at PluginDetect, a benign scanning tool that attackers could weaponize in an exploit kit. PluginDetect runs JavaScript code to detect the type of operating system and the versions of browsers, plugins or other software components you are using.

So, in terms of an exploit kit, if a scan should find you are running a version of software vulnerable to an exploit in the kit, then the attack can continue through to its ultimate goal – to deliver malware to your computer – unless other protections are in place, like a multilayered security solution.


Where are exploit kits found?

Exploit kits are often hosted on compromised or malicious websites, or even in malicious ads served via legitimate advertising networks. The fact that malicious code on a website you are visiting is scanning your device for vulnerabilities to exploit usually happens without any knowledge of the user. Further, as hackers like to take advantage of current news cycles or trending topics as lures to malicious sites, they improve their chances of successfully compromising a greater number of machines.

Recently, for example, ESET researchers discovered several malicious sites using the term “coronavirus” as part of their domain name – sites like coronavirusstatus[.]space. Users of ESET security solutions are protected from these malicious sites.

RELATED READING: The common threats found when using streaming sites


Exploit kits riding on the last legs of Adobe Flash

A lot of the power of exploit kits originates with users. They often (both knowingly and unknowingly) give exploit kits a greater opportunity to attack by running older, unpatched versions of software. Notoriously vulnerable software has included internet browsers and their plugins, Adobe Flash, Adobe Reader, Java and Microsoft Office applications, to name a few.

Fortunately, a number of efforts in the industry have been underway to minimize the attack surface on browsers, including providing patches for vulnerabilities faster and phasing out the use of chronically problematic client software components.

When Adobe announced the December 31, 2020 end-of-life date for Flash Player, Google, Mozilla and Microsoft initiated, in tandem, a multi-year plan to phase out Flash support in their browsers. The announcement addresses a widespread need to protect internet users from exploit kits that have been taking advantage of a host of vulnerabilities discovered in Adobe Flash over the years.

However, as the end of life of Adobe Flash approaches, ESET researchers still see older vulnerabilities in Adobe Flash, along with Internet Explorer, remaining at the top of the “hit list” for targeting by current exploit kits. Accordingly, ESET warns users to be especially wary of the following vulnerabilities: CVE-2018-15982 (Adobe Flash), CVE-2018-4878 (Adobe Flash) and CVE-2018-8174 (Internet Explorer).

As for the Flash Player CVEs, those relate to use-after-free bugs. Under certain circumstances, the process memory where Flash Player gets executed was incorrectly managed. In particular, the references (pointers) to allocated memory could be used after the memory was marked as free for reallocation. This meant that any use of these dangling pointers put the Flash Player at risk of experiencing a range of undesired behavior, including the corruption of valid data in program memory and the execution of malicious code injected by an attacker.

Similarly, in Internet Explorer there was a bug in the way the VBScript engine handled objects in memory.


Security for website visitors starts with patching

Users should remain vigilant about patching their systems against vulnerabilities. Both businesses and the general public alike have several options for better managing updates of popular browsers like Chrome, Firefox, Edge, Internet Explorer and Safari. To make sure Flash Player is up-to-date, users can follow the recommendations detailed here.


In addition to good patching practice, it is important to make sure that any protective layers deployed against exploit type behaviors in your security solution are turned on. By default, ESET endpoint products for Windows come with an Exploit Blocker module enabled that monitors the behavior of processes for suspicious activity that indicate the presence of an exploit:

If Exploit Blocker identifies a suspicious process, then it can stop the process immediately. The advantage of having such a module is that it provides a protective layer against the general behavior that characterizes exploits. That means you can be protected from an exploit kit, even should your computer be vulnerable to its exploits.

You can learn more about ESET’s Exploit Blocker technology here.