Exploit kits are toolkits that malicious developers use to take advantage of client-side vulnerabilities, targeting web browsers and programs that can be accessed through browsers. The most common exploit targets are Java, Flash, PDFs, and Silverlight. Exploit kits use many techniques to evade detection by security products.
Exploit kits use several common techniques:
- Code obfuscation using commercial packers
- String manipulation
- Dummy or garbage functions as anti-emulation tricks
The latest exploit kits on the black market are very stealthy. They look for the presence of virtual machines (VMs) and antimalware products on a system before infecting it. These techniques help evade automated analysis and detection, and they also make reverse-engineering the malware tricky. At McAfee Labs we recently investigated two exploit kits and reversed their techniques to understand how they work.
Angler Exploit Kit
Before exploiting a vulnerable program in a web browser, the landing page of the Angler Exploit Kit searches for the presence of VM and security product driver files in %windir%\system32\drivers.
File enumeration through the Microsoft XMLDOM ActiveX control.
Angler searches for several files, including:
- A virtual keyboard plug-in to identify Kaspersky software
- tmactmon.sys, tmevtmgr.sys, tmeext.sys, tmnciesc.sys, tmtdi.sys, tmcomm.sys, and TMEBC32.sys (Trend Micro)
- vm3dmp.sys, vmusbmouse.sys, vmmouse.sys, and vmhgfs.sys (VMware)
- VBoxGuest.sys, VBoxMouse.sys, VBoxSF.sys, and VBoxVideo.sys (VirtualBox VM)
- prl_boot.sys, prl_fs.sys, prl_kmdd.sys, prl_memdev.sys, prl_mouf.sys, prl_pv32.sys, prl_sound.sys, prl_strg.sys, prl_tg.sys, and prl_time.sys (Parallels Desktop virtualization)
The malware also checks certain file locations to find antimalware products or VMs by enumerating their corresponding files using the res:// protocol. It also checks for ActiveX or browser plug-ins related to security products.
File enumeration through the res:// protocol.
Nuclear Exploit Kit
Recent versions of the Nuclear Exploit Kit use the same technique to detect VMs and security products on a compromised machine. One difference is that Nuclear uses these techniques in its redirectors, unlike other kits that use them on their landing pages. Once the redirectors confirm that there is no trace of a VM or security products, they redirect to the actual landing page.
Nuclear Exploit Kit’s redirector.
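The same fingerprinting can be looked for in captured landing-page or redirector responses. The following is an added example, not code from McAfee Labs or from either kit: a Python scanner that flags a response body that references the XMLDOM control or res:// together with driver names from the list above, after undoing simple string concatenation. The scan function, its two-product threshold, and the sample strings are assumptions made for illustration.

```python
import re

# Driver names from the list in this article, grouped by product.
DRIVERS = {
    "Trend Micro": ["tmactmon.sys", "tmevtmgr.sys", "tmeext.sys", "tmnciesc.sys",
                    "tmtdi.sys", "tmcomm.sys", "TMEBC32.sys"],
    "VMware": ["vm3dmp.sys", "vmusbmouse.sys", "vmmouse.sys", "vmhgfs.sys"],
    "VirtualBox": ["VBoxGuest.sys", "VBoxMouse.sys", "VBoxSF.sys", "VBoxVideo.sys"],
    "Parallels Desktop": ["prl_boot.sys", "prl_fs.sys", "prl_kmdd.sys",
                          "prl_memdev.sys", "prl_mouf.sys", "prl_pv32.sys",
                          "prl_sound.sys", "prl_strg.sys", "prl_tg.sys", "prl_time.sys"],
}
# The two enumeration mechanisms the article describes.
MECHANISMS = {"xmldom": "microsoft.xmldom", "res": "res://"}

# Matches the seam between two adjacent string literals: "vm" + 'mouse.sys'
_CONCAT = re.compile(r"""["']\s*\+\s*["']""")


def normalize(body):
    """Join split string literals and lowercase, so 'vmhg' + 'fs.sys' still matches."""
    return _CONCAT.sub("", body).lower()


def scan(body, min_products=2):
    """Flag a body that names an enumeration mechanism and drivers of at least
    min_products different products (threshold is an assumption, tune locally)."""
    text = normalize(body)
    products = {}
    for product, names in DRIVERS.items():
        found = sorted(n for n in names if n.lower() in text)
        if found:
            products[product] = found
    mechanisms = sorted(k for k, needle in MECHANISMS.items() if needle in text)
    return {
        "suspicious": bool(mechanisms) and len(products) >= min_products,
        "mechanisms": mechanisms,
        "products": products,
    }


# Constructed, non-functional fragments standing in for a captured response body.
SAMPLE_PAGE = r'''
probe("Micro" + "soft.XMLDOM");
list = ["vmhg" + "fs.sys", 'VBoxGuest.sys', "prl_fs.sys"];
'''
# Constructed benign text: one driver name, no enumeration mechanism.
BENIGN = "Forum post: after the upgrade, vmmouse.sys fails to load in the guest."

if __name__ == "__main__":
    print(scan(SAMPLE_PAGE))
    print(scan(BENIGN))
```

This handles only quote-plus-quote concatenation; bodies hidden behind packers or other encodings need to be unpacked before scanning.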
We have seen similar tricks used by Rigkit to evade detection. At McAfee Labs we closely monitor these kits and offer generic coverage for them through our DATs.