
Exposed: An inside look at the Magnitude Exploit Kit

Steve Ragan | Aug. 6, 2014
Researchers at Trustwave have provided CSO with an inside look at the Magnitude Exploit Kit's infrastructure.

A successful traffic campaign will be richly rewarded, because those who are able to leverage Magnitude in their campaigns get a feature-packed, scalable infrastructure that provides proven exploits, asset tracking and analytics, in addition to a constant rotation of malware and landing pages in order to help their campaign remain undetected for as long as possible. If done correctly, a given campaign can last weeks, if not months, undetected.

Controlling and managing the chaos:

Magnitude's core administration panel is minimal when it comes to design, but the lack of dazzle is offset by the analytical details collected for each campaign. In addition to raw traffic numbers, the panel offers infection rates, AV detection rates for payloads and exploits (provided by Check4You), the ability to blacklist domains, and more.

Another feature in the admin panel is the ability for campaign managers to upload their own custom executable payloads, or provide a URL for a payload that Magnitude will pull down once every three hours.

There's also a FAQ, explaining some essentials when it comes to campaign management and security, including a note that campaign operators are responsible for updating their landing page URL in order to keep it from being blacklisted. In addition, customers are told that the malware being delivered is checked once every thirty minutes against commercial AV for detection rates, and rotated as needed.

However, as of October 2013, several small countries in Asia, as well as East Africa, South America, and the former USSR, are automatically blocked by the kit. There are a couple of reasons for the country filter, Trustwave's Mador explained, such as the fact that many of those listed have extradition policies with Russia, and since Magnitude's author is believed to reside there, it's pure protection on their part.

However, there's also the fact that some countries provide better ROI for malware distributors, and so the focus is to limit infections unless the victim meets pre-defined criteria including geo-location, OS, and browser.

When it comes to victims, the FAQ explains that Magnitude "will only exploit Internet Explorer" and that if the customer believes other browsers can be exploited, they should first talk to support.

For traffic exchanges, criminals run the risk of exposing the fact that the traffic they've purchased is heading towards a malicious source. In order to address this, Magnitude allows the campaign manager to define a fake website that will pass the standard checks.

"...the content that will be served from the malicious domain will be a replica of some legitimate site — effectively impersonating our malicious site with the content of a legitimate website. Once the traffic exchange admin has verified the legitimacy of our 'fake website' the customer of Magnitude can turn off that option and from that point on his domain will serve Magnitude's landing page. Simple, yet very effective," the FAQ explains.
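Because the kit serves a benign replica to a traffic-exchange verifier and filters victims by browser, a single fetch from one vantage point can miss the landing page entirely. The following is an added defender-side example (not code from the article or from Trustwave) that fetches a URL under several client profiles and flags when the served content diverges; the URL, the User-Agent strings and the simulated responder are constructed for illustration.

```python
import hashlib
from typing import Callable, Dict

# Client profiles to fetch with. Since the kit exploits only Internet Explorer
# and filters on browser/OS, a scanner that never presents an IE profile may
# only ever see the "legitimate" replica. Strings below are constructed.
PROFILES = {
    "ie_windows": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"},
    "chrome_linux": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/36.0"},
}

# A fetcher takes (url, request headers) and returns the response body.
Fetcher = Callable[[str, Dict[str, str]], bytes]


def fingerprint(body: bytes) -> str:
    """Stable content hash so bodies can be compared without storing them."""
    return hashlib.sha256(body).hexdigest()


def check_cloaking(url: str, fetch: Fetcher, profiles: Dict[str, Dict[str, str]] = PROFILES) -> dict:
    """Fetch `url` once per client profile and report whether the content differs.

    'divergent' is a signal to investigate, not proof of malice: legitimate sites
    also vary markup by browser, so the per-profile hashes are returned for triage.
    """
    hashes = {name: fingerprint(fetch(url, dict(headers))) for name, headers in profiles.items()}
    return {"url": url, "hashes": hashes, "divergent": len(set(hashes.values())) > 1}


def _simulated_fetch(url: str, headers: Dict[str, str]) -> bytes:
    """Constructed stand-in for a network fetch: returns a copy of a benign page to
    non-IE clients and a different page to IE, mimicking the cloaking behaviour above."""
    if "Trident" in headers.get("User-Agent", ""):
        return b"<html><body><script>/* profile-specific content */</script></body></html>"
    return b"<html><body><h1>Welcome to Example Shop</h1></body></html>"


if __name__ == "__main__":
    # Hypothetical host name; runs offline against the simulated responder.
    print(check_cloaking("http://cloaked.example/", _simulated_fetch))
```

In practice the same check should also be repeated from vantage points in different countries, since the kit filters by geo-location as well as by browser.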
