Exploits and exploit kits

Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security safeguards to infect your device.

How exploits and exploit kits work

Exploits are often the first part of a larger attack. Hackers scan for outdated systems that contain critical vulnerabilities, which they then exploit by deploying targeted malware. Exploits often include what's called "shellcode". This is a small malware payload that's used to download additional malware from attacker-controlled networks. This allows hackers to infect devices and infiltrate organizations.

Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different kinds of software vulnerabilities and, if any are detected, deploys additional malware to further infect a device. Kits can use exploits targeting a variety of software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java and Sun Java.

The most common method used by attackers to distribute exploits and exploit kits is through webpages, but exploits can also arrive in emails. Some websites unknowingly and unwillingly host malicious code and exploits in their ads.

The infographic below shows how an exploit kit might attempt to exploit a device when a compromised webpage is visited.

example of how exploit kits work

Figure 1. Example of how exploit kits work

Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware.

Examples of exploit kits:

To learn more about exploits, read this blog post on taking apart a double zero-day sample discovered in joint hunt with ESET.

How we name exploits

We categorize exploits in our Malware encyclopedia by the "platform" they target. For example, Exploit:Java/CVE-2013-1489.A is an exploit that targets a vulnerability in Java.

A project called "Common Vulnerabilities and Exposures (CVE)" is used by many security software vendors. The project gives each vulnerability a unique number, for example, CVE-2016-0778. The portion "2016" refers to the year the vulnerability was discovered. The "0778" is a unique ID for this specific vulnerability.

You can read more on the CVE website.

How to protect against exploits

The best prevention for exploits is to keep your organization's software up to date. Software vendors provide updates for many known vulnerabilities and making sure these updates are applied to all devices is an important step to prevent malware.

For more general tips, see prevent malware infection.