Exploit kits have become a major cyber threat over the last few years. They are widely used in both massive and highly targeted cyber attack operations. The exploit kits make use of multiple exploits for major web browsers like Internet Explorer and popular browser plugins such as Adobe Flash and Reader. In this paper, a proactive approach to preventing this prevalent cyber threat from triggering their exploits is proposed. The suggested new technique called AFFAF proactively protects vulnerable systems using a fundamental characteristic of the exploit kits. Specifically, it utilises version information of web browsers and browser plugins. AFFAF is a zero-configuration solution, which means that users do not need to configure anything after installing it. In addition, it is an easy-to-employ methodology from the perspective of plugin developers. We have implemented a lightweight prototype and have shown that AFFAF enabled vulnerable systems can counteract 50 real-world and one locally deployed exploit kit URLs. Tested exploit kits include popular and well-maintained ones such as Blackhole 2.0, Redkit, Sakura, Cool and Bleeding Life 2. We have also demonstrated that the false positive rate of AFFAF is virtually zero, and it is robust enough to be effective against real web browser plugin scanners.


Exploit kit Malware Web browser security 


  1. 1.
    Grier, C., Ballard, L., Caballero, J., Chachra, N., Dietrich, C.J., Levchenko, K., Mavrommatis, P., McCoy, D., Nappa, A., Pitsillidis, A.: Manufacturing compromise: the emergence of exploit-as-a-service. In: CCS 2012, Raleigh, North Carolina, USA (2012)Google Scholar
  2. 2.
    Fossi, M., Egan, G., Johnson, E., Mack, T., Adams, T., Blackbird, J., Graveland, B., McKinney, D.: Symantec report on attack kits and malicious websites. Technical report (2011)Google Scholar
  3. 3.
    Cannell, J.: Tools of the Trade: Exploit Kits, February 2013.
  4. 4.
    contagio: An Overview of Exploit Packs (Update 19.1), April 2013.
  5. 5.
    Jones, J.: The State of Web Exploit Kits. Black Hat USA, Las Vegas, Nevada, USA (2012)Google Scholar
  6. 6.
    Lu, L., Yegneswaran, V., Porras, P., Lee, W.: Blade: an attack-agnostic approach for preventing drive-by malware infections. In: CCS 2010, Chicago, Illinois, USA (2010)Google Scholar
  7. 7.
    Kapravelos, A., Shoshitaishvili, Y., Cova, M., Kruegel, C., Vigna, G.: Revolver: an automated approach to the detection of evasive web-based malware. In: 22nd USENIX Security Symposium, Washington, D.C., USA, August 2013Google Scholar
  8. 8.
    Canali, D., Cova, M., Vigna, G., Kruegel, C.: Prophiler: a fast filter for the large-scale detection of malicious web pages. In: WWW 2011, Hyderabad, India (2011)Google Scholar
  9. 9.
    Kolbitsch, C., Livshits, B., Zorn, B., Seifert, C.: Rozzle: De-cloaking Internet malware. In: IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA (2012)Google Scholar
  10. 10.
    Invernizzi, L., Comparetti, P.M., Benvenuti, S., Kruegel, C., Cova, M., Vigna, G.: EVILSEED: a guided approach to finding malicious web pages. In: IEEE Security and Privacy, San Francisco, CA, USA (2012)Google Scholar
  11. 11.
    Curtsinger, C., Livshits, B., Zorn, B.G., Seifert, C.: ZOZZLE: fast and precise in-browser javascript malware detection. In: USENIX Security 2011, San Francisco, CA, USA (2011)Google Scholar
  12. 12.
    Cova, M., Kruegel, C., Vigna, G.: Detection and analysis of drive-by-download attacks and malicious JavaScript code. In: WWW 2010, Raleigh, North Carolina, USA (2010)Google Scholar
  13. 13.
    Richards, J.: Dangerous Drive-by Downloads: Protecting yourself with NoScript, September 2012.
  14. 14.
    Ducklin, P.: Apple bans outdated Adobe Flash plugins from Safari, March 2013.
  15. 15.
    Li, Z., Alrwais, S., Xie, Y., Yu, F., Wang, X.: Finding the linchpins of the dark web: a study on topologically dedicated hosts on malicious web infrastructures. In: IEEE Symposium on Security and Privacy (S&P) 2013, Berkeley, CA, USA (2013)Google Scholar
  16. 16.
    Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a dynamic reputation system for DNS. In: USENIX Security 2010: Proceedings of the 19th USENIX Conference on Security, August 2010Google Scholar
  17. 17.
    Wang, Y.M., Beck, D., Jiang, X., Roussev, R., Verbowski, C., Chen, S., King, S.: Automated web patrol with strider honeymonkeys. In: Network & Distributed System Security Symposium (NDSS), San Diego, CA, USA (2006)Google Scholar
  18. 18.
    Nappa, A., Rafique, M.Z., Caballero, J.: Driving in the cloud: an analysis of drive-by download operations and abuse reporting. In: Rieck, K., Stewin, P., Seifert, J.-P. (eds.) DIMVA 2013. LNCS, vol. 7967, pp. 1–20. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  19. 19.
    Rajab, M., Ballard, L., Jagpal, N., Mavrommatis, P., Nojiri, D., Provos, N., Schmidt, L.: Trends in circumventing web-malware detection. Technical report (2011)Google Scholar
  20. 20.
    Oliver, J., Cheng, S., Manly, L., Zhu, J., Dela Paz, R., Sioting, S., Leopando, J.: Blackhole exploit kit: a spam campaign. Not a Series of Individual Spam Runs, Technical report (2012)Google Scholar
  21. 21.
    Desai, D., Haq, T.: Blackhole exploit kit: rise & evolution. Technical report, September 2012Google Scholar
  22. 22.
    Mieres, J.: Phoenix exploit’s kit from the mythology to a criminal business. Technical report, August 2010Google Scholar
  23. 23.
    Kotov, V., Massacci, F.: Anatomy of exploit kits: preliminary analysis of exploit kits as software artefacts. In: Jürjens, J., Livshits, B., Scandariato, R. (eds.) ESSoS 2013. LNCS, vol. 7781, pp. 181–196. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  24. 24.
    Sood, A.K., Enbody, R.J.: Browser exploit packs - exploitation tactics. In: Virus Bulletin Conference, Barcelona, Spain, October 2011Google Scholar
  25. 25.
    Higgins, K.J.: No Java Patch For You: 93 Percent of Users Run Older Versions of the App, June 2013.
  26. 26.
    Rashid, F.Y.: Most Adobe Reader Users Running Outdated, Unpatched Versions, July 2011.
  27. 27.
    Bit9: java vulnerabilities: write once, pwn anywhere. Technical report (2013)Google Scholar
  28. 28.
    Mozilla support: Outdated Adobe Acrobat plugin, March 2013.
  29. 29.
  30. 30.
    wmetcalf: Monthly Archives, May 2013.
  31. 31.
    Rieck, K., Krueger, T., Dewald, A.: Cujo: efficient detection and prevention of drive-by-download attacks. In: ACSAC 2010, Austin, Texas, USA (2010)Google Scholar
  32. 32.
    Nikiforakis, N., Invernizzi, L., Kapravelos, A., Van Acker, S., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: You are what you include: large-scale evaluation of remote javascript inclusions. In: CCS 2012, Raleigh, North Carolina, USA (2012)Google Scholar
  33. 33.
    Schlumberger, J., Kruegel, C., Vigna, G.: Jarhead analysis and detection of malicious Java applets. In: ACSAC 2012, Orlando, Florida, USA (2012)Google Scholar

Copyright information

© Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2015

Authors and Affiliations

  1. 1.Advanced Cyber Security Research Centre, Department of ComputingMacquarie UniversitySydneyAustralia

Personalised recommendations