The number of exploit kits on the Web dramatically decreased last year, but some have become more sophisticated and shifted their focus to software that is less frequently updated.
The end of 2013 was marked by the arrest in Russia of 12 suspected cybercriminals involved in the creation and distribution of Blackhole, the most widely used exploit kit at the time, including the attack tool's main author who used the online alias Paunch.
Exploit kits are malicious Web applications that contain exploits for vulnerabilities in Web browsers and browser plug-ins, like Java, Flash Player, Adobe Reader and Silverlight. Users get redirected from compromised websites or malicious advertisements to exploit kit landing pages, which then check the version of their browser and plug-ins and launch the appropriate exploits. If successful, the exploits install malware on users' computers.
No other exploit kit reached the prevalence of Blackhole after its demise, according to security researchers from Cisco Systems. In fact, the number of unique hits from exploit kits decreased by 88 percent between May and November 2014, they said in the Cisco 2015 Annual Security Report released Tuesday.
"Since [the] takedown of Paunch and Blackhole, more exploit kit users appear to be taking care to invest in kits known to be technically sophisticated in terms of their ability to evade detection," the Cisco researchers said.
One exploit kit called Angler is notable for advances in this area. Since September, the attack tool no longer drops executable files on compromised systems following successful exploitation. Instead, it injects malicious code directly into the browser process, making it harder for antivirus programs to detect the infection.
Another exploit kit-related trend is a decline in their targeting of Java vulnerabilities. Java exploits remain one of the top attack vectors on the Web, but their use has been on a steady decline for over a year, according to Cisco's data. They are now almost on par with Flash Player exploits.
This decrease was likely caused by security improvements made by Oracle and browser vendors. Modern versions of Java do not execute unsigned code without user interaction and have automatic updates. Some browsers also automatically block vulnerable versions of Java.
"Online criminals have discovered easier targets and have turned their attention to non-Java vectors that deliver higher return on investment," the Cisco researchers said. "For example, many users fail to update Adobe Flash and PDF readers or browsers regularly, providing criminals with a wider range of both old and new vulnerabilities to exploit."
Another browser plug-in that many users apparently fail to patch is Microsoft Silverlight. The volume of attacks that exploit vulnerabilities in Silverlight has increased by almost 230 percent since December 2012.
Sign up for Computerworld eNewsletters.