Are Exploit Kits Doomed? New F-Secure Threat Report Says Yes
March 2016 by F-Secure
Exploit kits face a disruptive future, according to F-Secure’s new Threat Report for 2015. The report, released today, details the trends and events in global cyber threats that hit consumers and companies last year.
Prominent on last year’s malware scene were the Angler and Nuclear exploit kits, both of which, like the other top exploit kits, mostly took advantage of vulnerabilities in Flash to do their dirty work. But Sean Sullivan, Security Advisor in F-Secure Labs, predicts in the report that Google Chrome will kill Flash support in early 2017, and Mozilla Firefox and Microsoft Edge will follow. Sullivan predicts that by spring of 2017, Flash will no longer bear fruit for exploit kit makers.
Exploit kits, which have become one of the most common delivery vehicles for malware over the past decade, depend on out-of-date software: the kits target known, already-patched vulnerabilities, so they only get through on machines that have not applied the fix. That software, Sullivan says, will be harder and harder to find. With HTML5 able to “do it all”, the need for third-party browser plugins has mostly been eliminated, and today’s browsers update themselves without any action from the user, so users are always on the latest version.
Other programs offer little fruit either. Microsoft’s software is much more secure than it used to be, and patches roll out quickly. Adobe’s other products are increasingly cloud-based rather than installed locally on people’s machines. And browser developers have pushed the Java plugin into a restricted, click-to-play corner. So what happens to exploit kits when there is no new fruit to pick?
“Hopefully, they die,” Sullivan says. “Wouldn’t be the first time that a business model collapsed in the malware scene. Or they may focus on browsers, but then they’ll need to find zero day vulnerabilities.”
Macro malware re-appears
As exploit kits face an eventual decline, the report predicts that commoditized malware services will only accelerate their use of email attachment-based malware schemes. One such scheme is macro malware, which re-emerged in 2015 after lying low since the early 2000s.
Malware authors use the macro feature in Office to embed malicious code in documents that they send as email attachments. With Office 2003, Microsoft changed the default settings so that macros no longer run automatically, which made these attacks much harder. Today’s macro malware tries to get around the defaults with social engineering: the opened document displays text claiming it is a “protected” document that requires the user to enable macros. Once the user does so, the macro runs with that user’s privileges, typically to fetch and launch the real payload.
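The two indicators described above (a VBA project embedded in the attachment, plus lure text asking the user to enable macros) are easy to check for in modern Office files, since a .docm/.xlsm/.pptm is a ZIP container with a vbaProject.bin part. The following is an added example, not code from F-Secure or the report: it builds a constructed sample document in memory and triages it. The lure phrases, the auto-execution names and the verdict strings are assumptions made for the example.

```python
"""Heuristic triage of an OOXML (Office 2007+) attachment for macro content.

Added example, not from F-Secure's report. It builds a constructed
macro-enabled document in memory and scans it for the indicators the
article describes: an embedded VBA project and "enable macros" lure text.
"""
import io
import re
import zipfile

# Parts that carry VBA code inside OOXML containers (Word/Excel/PowerPoint).
VBA_PART_NAMES = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Lure phrases to look for in the document body (assumed list for this example).
LURE_PATTERNS = [
    r"enable\s+(macros|content|editing)",
    r"protected\s+document",
]

# VBA auto-execution entry points. In a real vbaProject.bin the VBA source is
# MS-OVBA compressed, so a plain byte search only works on the constructed
# input below; for real samples use a VBA extractor such as oletools' olevba.
AUTOEXEC_NAMES = (b"AutoOpen", b"Document_Open", b"Workbook_Open", b"Auto_Open")


def scan_ooxml(data: bytes) -> dict:
    """Return the indicators found in an OOXML container given as bytes."""
    result = {"is_zip": False, "has_vba": False, "lures": [], "autoexec": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        vba_parts = [n for n in VBA_PART_NAMES if n in names]
        result["has_vba"] = bool(vba_parts)
        for part in vba_parts:
            blob = zf.read(part)
            result["autoexec"].extend(n.decode() for n in AUTOEXEC_NAMES if n in blob)
        # Look for lure text in the body parts. Real documents may split a
        # phrase across several <w:t> runs, so this regex over raw XML can miss.
        for n in names:
            if n.endswith(".xml") and ("/document" in n or "/slides/" in n or "/worksheets/" in n):
                text = zf.read(n).decode("utf-8", errors="replace")
                for pat in LURE_PATTERNS:
                    if re.search(pat, text, re.IGNORECASE):
                        result["lures"].append(pat)
    result["lures"] = sorted(set(result["lures"]))
    return result


def verdict(result: dict) -> str:
    """Map the indicators to a triage verdict (verdict wording is assumed)."""
    if not result["is_zip"]:
        return "not-ooxml"
    if result["has_vba"] and result["lures"]:
        return "suspicious: VBA project plus enable-macros lure"
    if result["has_vba"]:
        return "review: VBA project present"
    return "clean: no VBA project"


def build_sample(with_vba: bool, lure: bool) -> bytes:
    """Constructed sample container for testing; not a real malware document."""
    body = ("This is a protected document. Please enable macros to view it."
            if lure else "Quarterly figures attached.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    f"<w:document><w:body><w:p><w:t>{body}</w:t></w:p></w:body></w:document>")
        if with_vba:
            # Constructed stand-in for a VBA project: OLE2 magic plus plain source.
            zf.writestr("word/vbaProject.bin",
                        b"\xd0\xcf\x11\xe0" + b"Sub AutoOpen()\n  Shell \"calc\"\nEnd Sub")
    return buf.getvalue()


if __name__ == "__main__":
    for flags in ((True, True), (True, False), (False, False)):
        r = scan_ooxml(build_sample(*flags))
        print(flags, verdict(r), r)
```

The check keys on the container's contents rather than the file extension, since a renamed attachment still carries its vbaProject.bin part. Legacy binary .doc/.xls files are OLE2 compound files rather than ZIPs and need an OLE parser; this example reports them as "not-ooxml" rather than guessing.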
Other Notable Highlights from F-Secure’s 2015 Threat Report:
• Police-themed ransomware decreased, but crypto-ransomware saw an increase in activity
• Worms accounted for a greater portion of malware (18%) than the previous year (10%)
• A look at the Dukes cyber espionage group through their years of employing malware to gather intelligence for the Russian Federation
• The most notable threats facing different countries and regions
• The top threats to Windows, Mac and Android operating systems
• Today’s threats as viewed through the Chain of Compromise, a user-centered model that illustrates how cyber attacks compromise devices and networks
• The top vulnerabilities used by the top exploit kits in 2015