Browser exploit packs - exploitation paradigm

Aditya Sood Michigan State University
Richard J. Enbody Michigan State University


Malware infection is proliferating day by day. In spite of new, advanced protection features, countering the infections that happen through browsers and take control of the victim's machine remains an arduous task. Exploit packs and attack toolkits play a critical role in the success of malware infections. Browser Exploit Packs (BEPs) are built on the basic philosophy of exploiting the extensibility of browsers: they utilize the browser's technology and deliver code that works in line with the browser's own classes.

The extensibility of browsers has differing impacts in the context of security. The malware writer, however, is not concerned with this layout and concentrates on exploiting the technology in the best possible way. Malware writers have demonstrated a great deal of maturity in developing exploit packs that infect systems through web browsers. More specifically, BEPs are used in conjunction with botnets to exploit victims' browsers through drive-by download attacks in order to load the malware binary onto the victim's machine. Browser exploit packs such as Fragus, Fiesta, Yes, Crimepack, Phoenix, Red Dice, MPack, SPack and Bleeding Life have demonstrated this kind of notorious behaviour. Continuous research has shown that it is becoming crucial to be able to grapple with new and more advanced BEPs in the near future. Phoenix is one of the most widely used BEPs and is deployed in collaboration with the Zeus and SpyEye botnets. This research is the outcome of an extensive analysis of Phoenix and other BEPs, which are primary weapons in the underground community for spreading malware. Protection solutions will be proposed during this talk.