Browser exploit packs - exploitation paradigm presented at Virus Bulletin 2011

by Aditya K Sood (Michigan State University)

Summary: "Malware infection is proliferating day by day. In spite of the new advanced protection features, subverting the infections
that happen through browsers and take control of the victim's machine remains an arduous task. Exploit packs and attack
toolkits play a critical role in the success of malware infections. Browser Exploit Packs (BEPs) are based on the basic
philosophy of exploiting the extensibility of browsers by utilizing the technology and developing code that
works in line with the browser classes. The extensibility of browsers has differential impacts in the context of security. However, the malware writer is not
concerned about this layout and concentrates on exploiting the technology in the best possible way. Malware writers have
demonstrated a lot of maturity in developing exploit packs that infect systems through web browsers. More specifically,
BEPs are used in conjunction with botnets to exploit victim browsers through drive-by download attacks in order to
successfully load the malware binary on the victim machine. Browser exploit packs such as Fragus, Fiesta, Yes, Crimepack,
Phoenix, Red Dice, MPack, SPack, Bleeding Life etc. have demonstrated this kind of notorious behaviour. Continuous
research has shown that it is becoming crucial to be able to grapple with new and more advanced BEPs in the near
future. Phoenix BEP is one of the most widely used BEPs, and it is used in collaboration with the Zeus and SpyEye
botnets. This research is an outcome of extensive analysis of Phoenix and other BEPs, which are primary weapons in the
underground community for spreading malware. Protection solutions will be proposed during this talk."