
Terror Exploit Kit ditches carpet bombing techniques; attacks now more surgical

The Terror Exploit Kit is rapidly evolving, no longer bombarding victims with multiple exploits in scattershot fashion, but rather applying only the hacking tools that work best against a specific compromised machine, according to research from Cisco's Talos threat intelligence team.

Talos researchers observed the change in the kit's tactics after spotting a potentially compromised legitimate website that initially redirected visitors to a RIG EK landing page, before switching to a Terror EK landing page one day later. This particular campaign, which infected victims with the Terdot.A/Zloader malware downloader, uncovered changes to the EK's repertoire and tactics.

"[Terror] has added further exploits and no longer carpet bombs the victim," Talos stated in a blog post published on Thursday. "Instead, it evaluates data regarding the victim's environment and then picks potentially successful exploits depending on the victim's operating system, patch level, browser version, and installed plugins. This makes it harder for an investigator to fully uncover which exploits they have."

Leveraging the Microsoft Internet Explorer 6-10 vulnerability CVE-2013-2551 – a use-after-free condition that can be leveraged by a specially crafted web page to remotely execute code – the exploit page uses obfuscated JavaScript code to probe a victim's machine and learn more about its environment, Talos reports. This includes version information about browser plug-ins for ActiveX, Flash, PDF reader, Java, Silverlight, QuickTime, and other programs.

Based on what it discovers, the malicious site delivers relevant exploits that will capitalize on the affected computer's vulnerabilities.
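A defender-side heuristic, added here as an illustration and not taken from the Talos post or the kit itself: it scans a page's JavaScript for the combination of multi-plugin environment probing and obfuscation described above, which is what separates EK landing pages from ordinary feature detection. The indicator patterns, the threshold and the two sample scripts are constructed assumptions for this example, not Talos signatures.

```python
import re

# Indicators that a script is probing which client-side components are present,
# keyed by the component (assumed patterns for this example, not vendor signatures).
PROBE_PATTERNS = {
    "activex":     r"new\s+ActiveXObject\s*\(",
    "flash":       r"ShockwaveFlash|application/x-shockwave-flash",
    "pdf":         r"AcroPDF|application/pdf",
    "java":        r"application/x-java|navigator\.javaEnabled",
    "silverlight": r"AgControl\.AgControl|application/x-silverlight",
    "quicktime":   r"QuickTime",
    "plugins":     r"navigator\.plugins|navigator\.mimeTypes",
    "browser":     r"navigator\.userAgent|document\.documentMode",
}

# Signals typical of an obfuscated loader (again assumed patterns for the example).
OBFUSCATION_PATTERNS = {
    "fromCharCode": r"String\.fromCharCode",
    "eval":         r"\beval\s*\(",
    "unescape":     r"\bunescape\s*\(",
    "hex_escapes":  r"(?:\\x[0-9a-fA-F]{2}){8,}",
}


def score_script(js: str):
    """Return (probes, obfuscation): the sets of indicator names found in js."""
    probes = {name for name, pat in PROBE_PATTERNS.items() if re.search(pat, js)}
    obf = {name for name, pat in OBFUSCATION_PATTERNS.items() if re.search(pat, js)}
    return probes, obf


def is_suspicious(js: str, min_probes: int = 3) -> bool:
    """Flag a script that probes several components AND shows obfuscation.
    Benign feature detection usually checks one or two components and is not
    wrapped in eval/fromCharCode decoding, so it stays below the threshold."""
    probes, obf = score_script(js)
    return len(probes) >= min_probes and len(obf) >= 1


# Constructed samples: one ordinary feature check, one EK-style probe block.
BENIGN_SAMPLE = "if (navigator.mimeTypes['application/pdf']) { showInlineViewer(); }"
SUSPICIOUS_SAMPLE = """
var p=[];try{p.push(new ActiveXObject('ShockwaveFlash.ShockwaveFlash'))}catch(e){}
try{p.push(new ActiveXObject('AgControl.AgControl'))}catch(e){}
try{p.push(new ActiveXObject('QuickTimeCheckObject.QuickTimeCheck.1'))}catch(e){}
eval(String.fromCharCode(118,97,114,32,120,61,49));
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, is_suspicious(sample), score_script(sample))
```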

"We have seen that the exploit kit market is experiencing an ongoing change," the blog post states. "Big players in this market disappear while new ones show up. The new players are fighting for customers by constantly improving their quality and techniques. They modify these techniques on an ongoing basis to improve their capability to bypass security tools."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
