Another Overview of Exploit Packs

Recently I blogged about some exploit packs. In that post I showed a table covering 10 common malware kits and listed the vulnerabilities they used, referenced by their Common Vulnerabilities and Exposures (CVE) identifiers. There were 45 vulnerabilities in the table.

That idea was taken up by Mila Parkour on her Contagio malware blog. Drawing on data from other researchers' blogs (MalwareIntelligence, Kahu Security, XyliBox, etc.), her latest version (the 15th) lists 64 kits and more than 100 vulnerabilities.

The first of these packs appeared around 2006-2007. Many people remember Icepack, Mpack, and Web Attacker as the prolific kits of that period.

In vulnerability terms, one of the most prolific years was 2010, with 28 vulnerabilities exploited in one or more kits. For the packs themselves, the big year was 2011, with 15 kits and 23 versions named on Mila's list.
Vulnerabilities disclosed in 2010 were picked up by exploit packs quickly: Crimepack was already using one in March 2010. By contrast, the first pack to use a vulnerability disclosed in 2011 (Eleonore) did not appear until May of that year. As of February 2012, one of the first vulnerabilities of this year, CVE-2012-0003 (the Windows MIDI bug fixed in MS12-004), is already exploited in the wild by the Zhi Zhu exploit pack. It would make a good entry for a 16th version of the list, I think!

So far in 2012 most of these packs include 10 or fewer exploits, slightly fewer than in 2011. Ironically, 2011 was also the year the Zero Exploit Kit was announced on a hacker forum with 62 exploit PDFs. The vulnerabilities most commonly encountered in exploit packs are CVE-2006-0003 (MDAC), CVE-2007-5659/CVE-2008-0655 (PDF Collab), CVE-2008-2992 (PDF printf), and CVE-2009-0927 (PDF getIcon). The most interesting fact (for me, anyway) is the high number of new exploit packs that have appeared since December 2011, following the October disclosure of the Java Rhino vulnerability (CVE-2011-3544).

Alongside regular updates to some well-known packs (Phoenix, Blackhole), there are five newcomers: Zhi Zhu, Yang Pack, Techno Xpack, Hierarchy, and Sakura.

The following table shows the latest status. Packs from Eastern Europe still predominate, but the number of Chinese packs is increasing.

As always, make sure you stay updated and educated about the latest threats.