It’s only been a few days since we said goodbye to 2012 and we are already seeing what many predicted for 2013: an increase in the creation, enhancement, and usage of numerous exploit kits by cyber criminals. Cyber criminals don’t take long vacations in December. On the contrary, they “work hard” and make lots of money during the holiday season! These criminals are continuously improving their tools to keep up with us (the good guys) and continue enhancing their “money-making machines.” A real-life example is how cyber criminals were able to quickly incorporate the exploits of the recently found Java vulnerability that I described in a post a few days ago.

Exploit kits make it easy for these criminals because they can easily spread malicious software that exploits well-known and new vulnerabilities. New exploit kits are loaded with some of the most dangerous zero-day exploits and other features that allow criminals to increase their profits.

The criminals often leverage “drive-by download” tricks to distribute their exploit kits to unsuspecting victims. Drive-by downloads take advantage of vulnerabilities in browsers, plug-ins, and other end-user software to trigger silent downloads of malware in the background. Drive-by downloads can be triggered anytime a victim visits a site that has been modified for this purpose. In some cases, the infection may come from a compromised advertising network slipping malicious banner ads into an otherwise legitimate website. In most cases, even highly experienced computer users would not notice the background activity. A post by Cornell University explains why drive-by downloads are so prevalent:

  • A legitimate web server may have vulnerabilities that allow a hostile site to deliver content.
  • Most drive-by downloads exploit the victim’s willingness to dismissively click popups and warnings as they navigate to the desired content.
  • Very few drive-by downloads can be prevented by keeping software up to date.

You may have heard of the Blackhole exploit kit, which has been one of the most popular exploit kits sold underground for quite some time now. Exploit kits nowadays are very sophisticated. For example, the Blackhole exploit kit has a “feature” that keeps track of which exploits worked with what operating systems, browsers, and other software. This allows cybercriminals to rank and keep metrics about which exploits are most effective in different environments. XyliBox has several examples of the BlackHole and other exploit kits at its website.

Other examples of exploit kits that are available and making money in the underground economy are:

There is a “new kid on the block!” One of the most recent exploit kits is called the Cool exploit kit. It was first seen in October 2012; however, it’s gaining popularity in the underground community very fast! The Cool exploit kit is jam-packed (and continuously updated) with numerous zero-day exploits. Many expect it to be more successful than the Blackhole exploit kit. However, it appears that Blackhole and Cool come from the same creator.

These exploit kits are sold on the underground market every minute, every hour, every day. They mostly concentrate on client-based vulnerabilities, such as vulnerabilities in browsers, plug-ins, and other end-user software. These exploit kits are sold for a lot of money in the underground economy. They run from several hundreds of U.S. dollars per month to a few thousand! Many criminals sell them and many others buy them.

Typically, exploit kits include:

  • botnet command and control (C&C) software
  • configuration scripts for automation and other tasks
  • a control panel
  • fake antivirus software
  • malware installers
  • numerous Exploits (including zero-day)
  • statistics and metrics engines
  • trojans
  • …and much more



The best tactic against these exploit kits is a defense in depth approach. Of course, remember to always maintain and quickly patch operating systems and system applications. An automated approach is definitely recommended. In several cases, patches do not exist for some of these zero-day vulnerabilities, making active exploitation possible. This is why an increasing number of organizations are considering the shift to security software-as-a-service (SaaS) based solutions, such as Cisco Cloud Web Security.

Cisco Cloud Web Security provides content scanning and other malware protection services for web traffic. It can also redirect and report about web traffic based on user identity. If you are using a Cisco Adaptive Security Appliance (ASA), now you can use Cloud Web Security services without having to install additional hardware. The Cisco ASA can redirect HTTP and HTTPS traffic to the Cloud Web Security proxy servers. The Cloud Web Security proxy servers then scan the content and allow, block, or send a warning about the traffic based on the policy configured in Cisco ScanCenter to enforce acceptable use and to protect users from malware. The Cisco ASA can even authenticate and identify users with Identity Firewall (IDFW) and authentication, authorization, and accounting (AAA) policies. For information on how to deploy and configure the Cisco ASA to use Cloud Web Security services via the command-line interface (CLI) visit:

For information on how to configure the Cisco ASA to use the Cloud Web Security services using the Adaptive Security Device Manager (ADSM) visit: http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/firewall/protect_cloud_web_security.html#wp1323971

Also, remember that you can get early-warning security intelligence and information about many mitigation techniques that can be deployed on infrastructure devices at the Cisco Security Intelligence Operations (SIO) portal. You can search for multivendor security alerts and read Cyber Risk Reports, which provide strategic intelligence of current security activity.