Beyond the breaches: Understanding the Angler exploit kit

Angler fish courtesy of Shutterstock

Beyond the breaches

The big security news stories these days are often about “this big breach“, “that sneaky malware” or “these latest new exploits“.

You can see why: many attacks involve some or all of these components.

For example, you can imagine the Target crooks at work, spending time figuring out the right trick to get in, breaching the perimeter, mapping the network, preparing their RAM-scraping malware, and then launching their attack over several weeks.

It’s like a modern day Great Train Robbery – worth the effort of planning because, if it comes off, you’ll have 40,000,000 credit card numbers in one big bag.

But how does a ransomware cybercriminal make money if he has to attack 200,000 computers on thousands of different networks in hundreds of different countries?

More than that, how does he put into play his whole exploit-breach-infect-cashout sequence on those 200,000 victims, one-by-one?

The exploit kit scene

The answer is this – cybercriminals turns to the increasingly competitive “exploit kit” scene, where other crooks offer them what amounts to Crimeware-as-a-Service.

Exploit kits are often explained very simply as malware tools that you install on a server and use to automate the process of foisting malware onto innocent web visitors.

Indeed, some articles about exploit kits focus, understandably, on the technical trickery used in the automated hacking-a-victim process, which typically involves a geeky mixture of buzzwords like HTML, JavaScript injection and shellcode.

But the “exploit kit” business involves a lot more that just web-based tools for hacking into computers automatically.

It’s a whole malware redistribution network – heck, an exploit kit is to a ransomware extortionist (or a banking Trojan spreader, or a spam zombie pusher) what iTunes is to a musician, except that an exploit kit is illegal, underground and often invisible.

Exploit kits are about a whole mix of activities: figuring out the latest and the best exploits, packaging them to work reliably, bringing in traffic, slinging out malware, measuring what’s working, marketing the “service”, and getting paid on results.

Angler – market leader

One exploit kit crew is heading the marketplace right now: Angler.

(Why “Angler”? Because it goes fishing for victims for you.)

In a fascinating new report from SophosLabs, crimeware expert Fraser Howard takes a top-to-bottom look at Angler.

Fraser not only explains how it works, from preparing a funnel of victims to playing cat-and-mouse with security researchers, but also presents some vital insights into what you can do to fight back.

The thing is, the Angler gang isn’t trying to infect you with zombies, password stealers, spyware and ransomware.

Angler uses you to let crooks do all of those things to other people.

These guys purloin your servers, your online reputation, and your bandwidth.

Then they rent our your stuff to other crooks in order to infect innocent users by the truckload. (Hold onto your hat when you read the statistics in the report!)

Learn how to protect yourself

Are you ready to take these crooks on?

Fraser gives you the threat intelligence you need to turn your network into an exclusion zone for malware distribution networks like Angler.

A highly recommended read.

Leave a Reply