How to avoid being a victim of an Exploit Pack?

Exploit packs are one of the most common means of infecting users on the internet today. Attackers lure users to malicious web pages through email and social-networking links, or infect popular web pages with malicious JavaScript that redirects the visitor to the landing page of an exploit kit. These landing pages use JavaScript libraries such as PluginDetect to determine which browser and plugins the user has installed, and their versions. Once this information is obtained, the page attempts to exploit the discovered software to force the browser to download malicious binaries that give the attacker control of the host machine. Once infected, these hosts typically report back over HTTP/S and other popular protocols to the attacker's control panel. The control panel is used to manage the infected machines; this setup is commonly known as a botnet.

Recently, new vulnerabilities with a high rate of success have been added to popular exploit kits. One of particular importance is the addition of the XML Core Services vulnerability (CVE-2012-1889). This vulnerability was published after Microsoft's Patch Tuesday, giving attackers a large window to weaponize it and add it to existing exploit packs before Microsoft was able to release a patch. It was quickly implemented in popular exploit packs, so it is recommended that you ensure you have applied the Microsoft update for this vulnerability.

At Alert Logic we actively detect users falling victim to these exploit kits and generate incidents to make the customer aware of these attacks. In 2012 we have created over 2,500 incidents related to exploit kits. Over 1,900 of these incidents were deemed to be potentially successful at exploiting the user and installing malicious software. Since January we have noticed an increasing number of these attacks, which is a testament to the popularity and ease of use of these kits, and which requires increasing vigilance to prevent them.
The most important part of dealing with these attacks is preventing them from occurring. Keeping browsers and browser plugins (particularly Java and Flash) up to date is one of the most important countermeasures users can take to prevent successful attacks. Preventing JavaScript and other client-side scripting from executing in your browser greatly reduces your chances of a successful attack, since the landing page's fingerprinting and exploit delivery depend on script running. Many browser extensions exist to accomplish this, one of the most popular being NoScript. One caveat: if you have whitelisted a popular site that later gets compromised, the injected redirect on that site will run, but the landing page's own scripts and plugin content are still blocked unless that domain is also trusted. A crucial part of detecting users who are potentially being exploited is an IDS with up-to-date signatures that monitor for the latest vulnerabilities used by exploit kits. At Alert Logic we ensure that Alert Logic Threat Manager has the absolute latest coverage for emerging threats. Exploit packs are a growing threat that has become highly monetized and simple to use. We will continue to monitor the trends of these exploit packs and ensure our customers are covered.
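The infection chain described above (landing page, plugin exploit, binary download) is also what a detection rule can key on when signatures for the latest exploit are not yet available. The following is an added example, not code from this post or from Alert Logic Threat Manager: a small Python heuristic that reads constructed web-proxy log lines and flags a client that fetches an HTML page, then a Java/Flash/PDF payload, then an executable from the same host within a short window, plus a check for PluginDetect-style fingerprinting strings in a page body. The log format, content-type sets, 60-second window and fingerprint patterns are assumptions chosen for the example.

```python
"""Heuristic exploit-kit chain detection over web-proxy logs.

Added example, not Alert Logic's code. It looks, per client and per serving
host, for the request sequence an exploit kit produces: an HTML landing page,
then a plugin payload (Java/Flash/PDF), then an executable download, all
within a short window. Log format, content types and the window are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log: "timestamp client method url status content-type".
# 10.0.0.5 is redirected from a legitimate site to a landing page, fetches a
# JAR, then pulls an executable. 10.0.0.7 downloads a JAR and an EXE from
# unrelated hosts two hours apart and must not be flagged.
SAMPLE_LOG = """\
2012-07-10T14:02:01 10.0.0.5 GET http://news.example.org/index.html 200 text/html
2012-07-10T14:02:03 10.0.0.5 GET http://abc.kit-landing.example/in.php?a=3 200 text/html
2012-07-10T14:02:05 10.0.0.5 GET http://abc.kit-landing.example/j.jar 200 application/java-archive
2012-07-10T14:02:09 10.0.0.5 GET http://abc.kit-landing.example/load.php?e=java 200 application/x-msdownload
2012-07-10T14:05:00 10.0.0.7 GET http://cdn.example.com/app.jar 200 application/java-archive
2012-07-10T16:05:00 10.0.0.7 GET http://downloads.example.com/setup.exe 200 application/x-msdownload
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

# Content types the kit serves to the vulnerable plugin, and the dropped binary
# (assumed sets; application/octet-stream is left out because it is too noisy).
PLUGIN_TYPES = {"application/java-archive", "application/x-java-archive",
                "application/x-shockwave-flash", "application/pdf"}
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec"}
WINDOW = timedelta(seconds=60)  # a kit chain normally completes in seconds

# Strings that suggest plugin-version probing on a landing page (assumed set).
FINGERPRINT_RE = re.compile(
    r"PluginDetect|navigator\.plugins|navigator\.mimeTypes|getVersion\(", re.I)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status, ctype = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "url": url,
                       "host": urlparse(url).hostname,
                       "status": int(status), "ctype": ctype})
    return events


def detect_chains(events, window=WINDOW):
    """Return one alert per (client, host) that shows html -> plugin -> exe."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["status"] == 200:
            by_key[(ev["client"], ev["host"])].append(ev)
    alerts = []
    for (client, host), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, landing in enumerate(evs):
            if landing["ctype"] != "text/html":
                continue
            plugin = exe = None
            for later in evs[i + 1:]:
                if later["ts"] - landing["ts"] > window:
                    break
                if plugin is None and later["ctype"] in PLUGIN_TYPES:
                    plugin = later          # plugin payload must come first
                elif plugin is not None and later["ctype"] in EXE_TYPES:
                    exe = later             # then the dropped binary
                    break
            if plugin and exe:
                alerts.append({"client": client, "host": host,
                               "landing": landing["url"],
                               "plugin": plugin["url"], "exe": exe["url"]})
                break  # one alert per client/host pair is enough
    return alerts


def looks_like_fingerprinting(html):
    """True if a page body carries PluginDetect-style version probing."""
    return bool(FINGERPRINT_RE.search(html))


if __name__ == "__main__":
    for alert in detect_chains(parse_log(SAMPLE_LOG)):
        print("possible exploit kit chain:", alert)
    # Constructed landing-page fragment, not a real kit's page.
    page = '<script src="pd.js"></script><script>var v=PluginDetect.getVersion("Java");</script>'
    print("fingerprinting:", looks_like_fingerprinting(page))
```

The chain rule complements signature-based IDS coverage rather than replacing it: it does not need to know which Java or MSXML bug was used, but it will also miss kits that serve the landing page and the payload from different hosts, so in practice the grouping key and the window should be tuned against your own proxy data.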

By Andrew Torres, Security Researcher