Exploit Kits Improve Evasion Techniques


Exploit kits are toolkits that malicious developers use to take advantage of client-side vulnerabilities, targeting web browsers and the programs that can be reached through them. The most common exploit targets are Java, Flash, PDF readers, and Silverlight. Exploit kits use many techniques to evade detection by security products.

Exploit kits use several common techniques:

  • Code obfuscation using commercial packers
  • String manipulation
  • Dummy or garbage functions as anti-emulation tricks

The latest exploit kits on the black market are very stealthy. They look for the presence of virtual machines (VMs) and antimalware products on a system before infecting it. These checks help the kits evade automated analysis and detection, and they also make reverse-engineering the malware tricky. At McAfee Labs we recently investigated two exploit kits and reversed their techniques to understand how they work.

Angler Exploit Kit

Before exploiting a vulnerable program in a web browser, the landing page of the Angler Exploit Kit searches for the presence of VM and security product driver files in %windir%\system32\drivers.

Figure: File enumeration through the Microsoft XMLDOM ActiveX control.

Angler searches for several files, including:

  • A virtual keyboard plug-in to identify Kaspersky software
  • tmactmon.sys, tmevtmgr.sys, tmeext.sys, tmnciesc.sys, tmtdi.sys, tmcomm.sys, and TMEBC32.sys (Trend Micro)
  • vm3dmp.sys, vmusbmouse.sys, vmmouse.sys, and vmhgfs.sys (VMware)
  • VBoxGuest.sys, VBoxMouse.sys, VBoxSF.sys, and VBoxVideo.sys (VirtualBox VM)
  • prl_boot.sys, prl_fs.sys, prl_kmdd.sys, prl_memdev.sys, prl_mouf.sys, prl_pv32.sys, prl_sound.sys, prl_strg.sys, prl_tg.sys, and prl_time.sys (Parallels Desktop virtualization)

The malware also checks certain file locations to find antimalware products or VMs by enumerating their corresponding files through the res:// protocol. It also checks for ActiveX controls or browser plug-ins related to security products.

Figure: File enumeration through the res:// protocol.

Nuclear Exploit Kit

Recent versions of the Nuclear Exploit Kit use the same technique to detect VMs and security products on a compromised machine. One difference is that Nuclear performs these checks in its redirectors, whereas other kits perform them on the landing page. Once a redirector confirms that there is no trace of a VM or security product, it redirects the browser to the actual landing page.

Figure: Nuclear Exploit Kit's redirector.
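Both kits leave the same footprint in the HTML or JavaScript they serve: an instantiation of the Microsoft XMLDOM ActiveX control, path strings pointing at the VM and security product driver files listed above, and res:// URIs. The following Python script is an added example (not McAfee's code and not from either kit) that triages a captured page, whether an Angler landing page or a Nuclear redirector, for those indicators. The two HTML samples are constructed for illustration; the res:// path in the suspicious sample uses a placeholder vendor directory rather than any real product.

```python
"""
Static triage of a captured web page for the VM / security-product
enumeration behaviour described above.  Added example, not McAfee's code.
The HTML samples at the bottom are constructed, not captured exploit-kit pages.
"""
import re

# Driver file names the article lists, lower-cased, grouped by what they reveal.
DRIVER_SIGNATURES = {
    "Trend Micro": ["tmactmon.sys", "tmevtmgr.sys", "tmeext.sys", "tmnciesc.sys",
                    "tmtdi.sys", "tmcomm.sys", "tmebc32.sys"],
    "VMware": ["vm3dmp.sys", "vmusbmouse.sys", "vmmouse.sys", "vmhgfs.sys"],
    "VirtualBox": ["vboxguest.sys", "vboxmouse.sys", "vboxsf.sys", "vboxvideo.sys"],
    "Parallels": ["prl_boot.sys", "prl_fs.sys", "prl_kmdd.sys", "prl_memdev.sys",
                  "prl_mouf.sys", "prl_pv32.sys", "prl_sound.sys", "prl_strg.sys",
                  "prl_tg.sys", "prl_time.sys"],
}

# The two enumeration channels the article describes.
XMLDOM_RE = re.compile(r"ActiveXObject\s*\(\s*['\"]Microsoft\.XMLDOM['\"]\s*\)", re.I)
# Matches ...system32\drivers\name.sys whether the backslashes are single
# (raw HTML) or doubled (inside a JavaScript string literal).
DRIVERS_DIR_RE = re.compile(r"system32[\\/]+drivers[\\/]+([\w.-]+\.sys)", re.I)
RES_URI_RE = re.compile(r"res://([^\s'\"<>)]+)", re.I)


def scan_page(html):
    """Return the evasion indicators found in one page's HTML/JS."""
    findings = {
        "xmldom_activex": bool(XMLDOM_RE.search(html)),
        "driver_probes": {},  # vendor -> sorted list of referenced driver names
        "res_uris": sorted(set(RES_URI_RE.findall(html))),
    }
    probed = {name.lower() for name in DRIVERS_DIR_RE.findall(html)}
    for vendor, names in DRIVER_SIGNATURES.items():
        hits = sorted(probed.intersection(names))
        if hits:
            findings["driver_probes"][vendor] = hits
    # Verdict: XMLDOM on its own is common in legitimate IE-era pages, so it
    # only counts together with known driver names; res:// URIs count alone.
    findings["suspicious"] = (
        (findings["xmldom_activex"] and bool(findings["driver_probes"]))
        or bool(findings["res_uris"])
    )
    return findings


# Constructed sample: the indicator strings only, no probing logic.
SUSPICIOUS_SAMPLE = r"""
<script>
var x = new ActiveXObject("Microsoft.XMLDOM");
var probes = ["c:\\windows\\system32\\drivers\\vmmouse.sys",
              "c:\\windows\\system32\\drivers\\VBoxGuest.sys",
              "c:\\windows\\system32\\drivers\\tmcomm.sys"];
var r = "res://C:\\PLACEHOLDER_AV\\product.dll/#2/#101";  /* placeholder vendor */
</script>
"""

# Constructed benign sample: XMLDOM used for ordinary XML parsing.
BENIGN_SAMPLE = """
<script>
var doc = new ActiveXObject("Microsoft.XMLDOM");
doc.loadXML("<config><item>1</item></config>");
</script>
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_page(sample))
```

The verdict rule is deliberately conservative: `Microsoft.XMLDOM` alone appears in plenty of old intranet pages, so it is only flagged in combination with the driver names, while res:// references to third-party product files are rare enough in web content to be worth a look on their own. Treat the output as a triage signal for a captured page, not a blocking rule.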

We have seen similar tricks used by Rigkit to evade detection. At McAfee Labs we closely monitor these kits and offer generic coverage for them through our DATs.
