PExy: The Other Side of Exploit Kits

  • Giancarlo De Maio
  • Alexandros Kapravelos
  • Yan Shoshitaishvili
  • Christopher Kruegel
  • Giovanni Vigna
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8550)


The drive-by download scene has changed dramatically in the last few years. What was a disorganized ad-hoc generation of malicious pages by individuals has evolved into sophisticated, easily extensible frameworks that incorporate multiple exploits at the same time and are highly configurable. We are now dealing with exploit kits.

In this paper we focus on the server-side part of drive-by downloads by automatically analyzing the source code of multiple exploit kits. We discover through static analysis what checks exploit-kit authors perform on the server to decide which exploit is served to which client and we automatically generate the configurations to extract all possible exploits from every exploit kit. We also examine the source code of exploit kits and look for interesting coding practices, their detection mitigation techniques, the similarities between them and the rise of Exploit-as-a-Service through a highly customizable design. Our results indicate that even with a perfect drive-by download analyzer it is not trivial to trigger the expected behavior from an exploit kit so that it is classified appropriately as malicious.


User Agent Control Flow Graph Branch Condition Behavioral Element Taint Analysis 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
    UA Tracker statistics,
  3. 3.
    Acar, G., Juarez, M., Nikiforakis, N., Diaz, C., Gürses, S., Piessens, F., Preneel, B.: FPDetective: dusting the web for fingerprinters. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. ACM (2013)Google Scholar
  4. 4.
    Cova, M., Kruegel, C., Vigna, G.: Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code. In: Proc. of the International World Wide Web Conference, WWW (2010)Google Scholar
  5. 5.
    Grier, C., Ballard, L., Caballero, J., Chachra, N., Dietrich, C.J., Levchenko, K., Mavrommatis, P., McCoy, D., Nappa, A., Pitsillidis, A., Provos, N., Rafique, M.Z., Rajab, M.A., Rossow, C., Thomas, K., Paxson, V., Savage, S., Voelker, G.M.: Manufacturing Compromise: The Emergence of Exploit-as-a-Service. In: Proc. of the ACM Conference on Computer and Communications Security, CCS (2012)Google Scholar
  6. 6.
    Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: A static analysis tool for detecting web application vulnerabilities. In: 2006 IEEE Symposium on Security and Privacy, p. 6. IEEE (2006)Google Scholar
  7. 7.
    Kapravelos, A., Shoshitaishvili, Y., Cova, M., Kruegel, C., Vigna, G.: Revolver: An Automated Approach to the Detection of Evasive Web-based Malware. In: USENIX Security (2013)Google Scholar
  8. 8.
    Kotov, V., Massacci, F.: Anatomy of exploit kits. In: Jürjens, J., Livshits, B., Scandariato, R. (eds.) ESSoS 2013. LNCS, vol. 7781, pp. 181–196. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  9. 9.
    Lu, L., Yegneswaran, V., Porras, P., Lee, W.: Blade: an attack-agnostic approach for preventing drive-by malware infections. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 440–450. ACM (2010)Google Scholar
  10. 10.
    Nazario, J.: PhoneyC: A Virtual Client Honeypot. In: Proc. of the USENIX Workshop on Large-Scale Exploits and Emergent Threats, LEET (2009)Google Scholar
  11. 11.
    Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: Exploring the ecosystem of web-based device fingerprinting. In: 2013 IEEE Symposium on Security and Privacy (SP). IEEE (2013)Google Scholar
  12. 12.
    Provos, N., Mavrommatis, P., Rajab, M., Monrose, F.: All Your iFRAMEs Point to Us. In: Proc. of the USENIX Security Symposium (2008)Google Scholar
  13. 13.
    Provos, N., McNamee, D., Mavrommatis, P., Wang, K., Modadugu, N.: The Ghost in the Browser: Analysis of Web-based Malware. In: Proc. of the USENIX Workshop on Hot Topics in Understanding Botnet (2007)Google Scholar
  14. 14.
    Ratanaworabhan, P., Livshits, B., Zorn, B.: Nozzle: A Defense Against Heap-spraying Code Injection Attacks. In: Proc. of the USENIX Security Symposium (2009)Google Scholar
  15. 15.
    Wang, Y.-M., Beck, D., Jiang, X., Roussev, R., Verbowski, C., Chen, S., King, S.: Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities. In: Proc. of the Symposium on Network and Distributed System Security, NDSS (2006)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Giancarlo De Maio
    • 1
  • Alexandros Kapravelos
    • 2
  • Yan Shoshitaishvili
    • 2
  • Christopher Kruegel
    • 2
  • Giovanni Vigna
    • 2
  1. 1.University of SalernoItaly
  2. 2.UC Santa BarbaraUSA

Personalised recommendations