Exploits and exploit kits

Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security safeguards to infect your device.

How exploits and exploit kits work

Exploits are often the first part of a larger attack. Hackers scan for outdated systems that contain critical vulnerabilities, which they then exploit by deploying targeted malware. Exploits often include shellcode, which is a small malware payload used to download additional malware from attacker-controlled networks. Shellcode allows hackers to infect devices and infiltrate organizations.

Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different kinds of software vulnerabilities and, if any are detected, deploy additional malware to further infect a device. Kits can use exploits targeting various software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java, and Sun Java.

The most common method used by attackers to distribute exploits and exploit kits is through webpages, but exploits can also arrive in emails. Some websites unknowingly and unwillingly host malicious code and exploits in their ads.

The infographic below shows how an exploit kit might attempt to exploit a device after you visit a compromised webpage.

example of how exploit kits work.

Figure 1. Example of how to exploit kits work

Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware.

Examples of exploit kits:

To learn more about exploits, read this blog post on taking apart a double zero-day sample discovered in joint hunt with ESET.

How we name exploits

We categorize exploits in our Malware encyclopedia by the "platform" they target. For example, Exploit:Java/CVE-2013-1489.A is an exploit that targets a vulnerability in Java.

A project called "Common Vulnerabilities and Exposures (CVE)" is used by many security software vendors. The project gives each vulnerability a unique number, for example, CVE-2016-0778. The portion "2016" refers to the year the vulnerability was discovered. The "0778" is a unique ID for this specific vulnerability.

You can read more on the CVE website.

How to protect against exploits

The best prevention for exploits is to keep your organization's software up to date. Software vendors provide updates for many known vulnerabilities, so make sure these updates are applied to all devices.

For more general tips, see prevent malware infection.