
Exploit kit


An exploit kit is a software kit designed to run on web servers, whose purpose is to identify software vulnerabilities in the client machines that communicate with it and to exploit those vulnerabilities to download and execute malicious code on the client. One of the earliest kits was MPack, released in 2006. Exploit kits are often designed to be modular and easy to use, so that new vulnerabilities can be added and old ones removed. Exploit kits also provide a user interface for the person who controls them, which typically includes information on success rates and other statistics, as well as the ability to change their settings. A typical kit is a collection of PHP scripts that target security holes in commonly used programs such as Apple QuickTime or Mozilla Firefox. Widely deployed software such as Oracle Java and Adobe Systems products is targeted particularly often.

The exploit kit gathers information on the victim machine, identifies vulnerabilities and selects the appropriate exploit, then delivers that exploit, which typically performs a silent drive-by download and executes malware on the victim machine. Kits are becoming ever more sophisticated. They tend to be neatly packaged, require no understanding of exploits and very little computer proficiency. Kits may have a Web interface showing active victims and statistics. Like commercial software, they may come with a support period and updates.

Exploit kits are sold in cybercriminal circles, often with vulnerabilities already loaded onto them.

A study by Solutionary's Security Engineering Research Team (SERT) found that about 70% of exploit kits released in Q4 2012 came from Russia, followed by China and Brazil, with 20% not attributed. A typical, relatively unsophisticated kit may cost US$500 per month. Licences for advanced kits have been reported to cost as much as $10,000 per month. Exploit kits are often distributed as encoded (obfuscated) PHP rather than plain source, both to prevent unlicensed use and to complicate anti-malware analysis.

Further research from Recorded Future's Threat Intelligence Team revealed that Adobe Flash Player provided six of the top 10 vulnerabilities used by exploit kits in 2016. Flash Player remained popular with cybercriminals even after Adobe increased its mitigation efforts for security issues.

Kits continue to include exploits for vulnerabilities that were patched years earlier, because a significant population of unpatched machines remains.

Exploit kits tend to be deployed covertly on legitimate Web sites that have been hacked, without the knowledge of the site operators or their visitors: the compromised site redirects visitors (often via injected script or an iframe) to the kit's landing page on a separate host.

Named exploit kits include MPack, Phoenix, Blackhole, Crimepack, RIG and Angler.

References

Exploit kit, Wikipedia