Exploit kits are automated toolkits or frameworks designed to fingerprint a victim's web browser and its plug-ins, identify exploitable vulnerabilities and then exploit them in order to deliver a malicious payload to the victim's machine.
Attackers typically achieve this either by compromising an existing legitimate website and injecting code that loads the kit, or by buying advertising space on a site and embedding the loader in the adverts, a technique known as 'malvertising'. Both approaches ride on the traffic that already flows to trusted domains, and both give the attacker a degree of anonymity, since the victim's first point of contact is somebody else's site rather than infrastructure the attacker owns.
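The injection into a compromised site is most often a hidden iframe or script that silently loads the kit's landing page from an off-site host. The following is an added example (not code from this paper) showing how a defender might sweep a site's HTML for that pattern: off-site iframes sized to 0 or 1 pixels, or hidden by CSS. The sample page and the hosts in it are constructed for illustration and use reserved documentation addresses; the `www.example.com` site name is an assumption.

```python
"""Flag hidden iframes pointing off-site in a page's HTML, the classic
injection used to send visitors of a compromised legitimate site to an
exploit-kit landing page. Added example; not code from the paper."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a benign page with two injected, invisible iframes.
# Hosts are documentation/reserved names (TEST-NET-2, .invalid), not real.
SAMPLE_HTML = """
<html><body>
<h1>Legitimate page</h1>
<iframe src="/embed/video" width="640" height="360"></iframe>
<iframe src="https://partner.example.net/widget" width="300" height="250"></iframe>
<iframe src="http://198.51.100.23/in.php?id=7" width="1" height="1"
        style="visibility: hidden"></iframe>
<iframe src="http://landing.invalid/gate.php" width="0" height="0"></iframe>
</body></html>
"""

# CSS tricks commonly used to keep an injected frame out of sight.
_HIDING_STYLE = re.compile(r"display:none|visibility:hidden|(?:left|top):-\d")


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (e.g. '0', '1px')."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class _HiddenIframeFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _is_offsite(self, host):
        host = host.lower()
        return not (host == self.site_host or host.endswith("." + self.site_host))

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        if not host or not self._is_offsite(host):
            return  # relative or same-site frame: not the pattern we want
        reasons = []
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("width/height <= 1px")
        style = re.sub(r"\s+", "", a.get("style", "")).lower()
        if _HIDING_STYLE.search(style):
            reasons.append("style hides the frame")
        if reasons:
            self.findings.append({"src": a["src"], "host": host, "reasons": reasons})


def find_hidden_offsite_iframes(html, site_host):
    """Return [{'src', 'host', 'reasons'}] for every off-site iframe that is
    sized to 0/1 px or hidden by CSS. Visible off-site frames (ad partners,
    embeds) are ignored; only invisible ones are suspicious."""
    p = _HiddenIframeFinder(site_host)
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for f in find_hidden_offsite_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"{f['host']:20} {f['src']}  ({', '.join(f['reasons'])})")
```

The check is deliberately narrow: a visible third-party frame (an advertising partner, a video embed) is normal and is left alone, while a zero-size or CSS-hidden frame to a host outside the site has almost no legitimate use. A real sweep would also need to cover frames hidden by a parent element and iframes created dynamically by injected JavaScript, which a static HTML parse cannot see.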
Since the Windows Metafile (WMF) exploit first appeared on the underground market in 2005 (www.kb.cert.org/vuls/id/181038), exploit kits have grown to be the tool of choice for cyber-criminals.
The reason exploit kits remain such a formidable threat is their ability to exploit vulnerabilities quickly, whether those the vendor has not yet patched or those for which a patch exists but has not been applied. New exploits for these kits are frequently developed within days of a vulnerability being disclosed. Kits therefore combine current, effective exploits with an easy-to-use interface for the criminal, with many of the steps automated.
In order to fully understand the exploit kit, this paper has been written from the perspective of the criminals who would purchase a kit and then operate it. It offers a general overview of several of the most common exploit kits targeting the UK, explaining the attack process and how the kits are operated. The ultimate aim of this paper, however, is to give network defenders a firm understanding of the growing threat from exploit kits so that a defensive plan and mitigation strategy can be created.