An exploit kit (EK) is a software product sold on the underground market, designed to run on top of web servers in order to spread malware to victims browsing to infected websites.
EKs first try to detect vulnerabilities in the victim's browser or its plugins, and then try to execute an exploit against the specific detected product configuration.
Successful exploitation often means that the cyber-crook was able to run malicious code on the victim's machine. The executed code is often referred to as the payload and can be a Trojan, ransomware, or any other kind of malware. This scenario, of a user browsing to infected website and downloading malicious code to his machine is also known as drive-by download.
Preventing Exploit Kits Infections
Exploits are not cheap, and may vary in their price, starting at 5,000$ for a simple web-framework exploit and up to 500,000$ for OS level one. Cyber criminals out of cost-efficiency considerations try to keep the exploit unknown to security product vendors as long as they can – as the vendors will prevent it from being used soon after it is detected.
As a measure taken to prevent this early detection of their covert operations, they try to perform basic risk assessments before using the more expensive exploits against a potential victim.
Ironically, they often do this by using yet another exploit - usually CVE-2013-7331, enabling them to check whether certain files are present on the victims' machine.
Depending on the type of files they seek, they may detect the following:
- Virtual machines, often used for malware analysis.
- Malware analysis tools, e.g. network traffic sniffers such as Fiddler.
- Security products, which may detect either the exploitation attempt or the payload itself. Even if only a single part of their attack is detected by a security vendor, it may trigger further investigation that will unveil their precious exploit.
Minerva prevents attacks by all of the aforementioned exploit kits, creating the impression that the endpoint is a security researcher machine, fortified by premium security products. The attackers, deterred by the drawn image, simply give up on the machine – even before an exploitation attempt was made. Our innovative solution prevents this way a wide range of malware, oblivious to the nature of either the exploit or the payload.