Recently I blogged about some exploit packs. In that post I showed a table of ten common malware kits, listing the vulnerabilities each one used, referenced by their Common Vulnerabilities & Exposures (CVE) names. There were 45 vulnerabilities in the table.
The idea was taken up by Mila Parkour on her Contagio malware blog. Making use of data from various other researchers' blogs (MalwareIntelligence, Kahu Security, XyliBox, etc.), her latest version (the fifteenth) lists 64 kits and more than 100 vulnerabilities.
One of the most prolific years, in vulnerability terms anyway, is 2010, with 28 vulnerabilities exploited in one or more kits. On the exploit pack side, it is 2011, with 15 kits and 23 versions listed in Mila's list.
Vulnerabilities disclosed in 2010 were rapidly included in exploit packs (Crimepack, from March 2010). However, we had to wait until May 2011 to encounter the first pack (Eleonore) using an exploit from that year. Today, in February 2012, one of the first vulnerabilities of the year (CVE-2012-0003) is already being exploited in the wild (Zhi Zhu exploit pack). It is a good entry for a sixteenth version, I think!
So far in 2012, most of these packs include 10 exploits at most. That is slightly lower than in 2011. That year, ironically, the Zero Exploit Kit was announced with 62 exploit PDF on a hacker forum. The most common vulnerabilities encountered in exploit packs are: CVE-2006-0003 (MDAC), CVE-2007-5659/2008-0655 (PDF Collab), CVE-2008-2992 (PDF Printf) & CVE-2009-0927 (PDF GetIcon). But the most interesting fact (to me anyway) is the high number of new exploit packs since December 2011, following the October disclosure of the Java Rhino vulnerability (CVE-2011-3544).
The following table shows the latest status. Packs from Eastern Europe are still predominant, but Chinese packs are increasing.
As always, make sure you stay updated and educated against the latest threats!