Exploit Kit Evades Detection ‘On Fly’

Monday, October 19, 2015 @ 06:10 PM gHale

New Flash Player exploits end up automatically generated in a Nuclear EK attack, researchers said.

In order to keep up with the developers of other exploit kits, Nuclear EK developers made improvements to their creation.

Adobe Zero Day Under Attack
Trojan Targets XP Users
New Trojan Resides in Registry
Websites a Ransomware Risk

The changes made to Nuclear EK increase the chances of bypassing signature and behavior-based solutions, and make it more difficult for security professionals to analyze attacks, said researchers at Israel-based cyber defense firm Morphisec.

“In order to bypass most security solutions, we observed that Nuclear Exploit Kit randomly polymorphs the delivered malicious files throughout the day; the URLs and URL patterns are continuously changed; the kit’s host server, which holds the encryption key, changes; and the encryption changes for each access, that is, the exploit is delivered only once to a single IP,” said Michael Gorelik, Morphisec’s vice president of research and development.

Morphisec found the changes made to the Nuclear exploit kit while analyzing three websites compromised to redirect visitors to Nuclear EK hosts.

Malicious Flash files served by the exploit kit sites change their content every time, but they maintain the same size, experts said. They said Flash files, designed to exploit a patched Flash Player vulnerability in an effort to push malware onto victims’ computers, are generally the same, but the names of functions and variables change every time.

“This led us to the conclusion that Nuclear Exploit Kit generates new exploits on the fly to bypass any signature or hash based solution, and it does it very successfully,” Gorelik said in a blog post.

Researchers also found the exploit kit host tracks victims’ IP addresses to ensure the same exploit does not end up served to the same user twice from the same host. This offers two advantages for the attackers: It helps them evade man-in-the-middle (MitM) defenses, and prevents researchers from replaying the attack and reverse engineering the exploit.

Another modification can make it more difficult for experts to extract the exploit from the malicious file.