The Modern Day Hydra.
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
If you all thought threats and security issues are difficult and weird and complicated today, wait until the RIG 3.0 exploit kit finds its high gear – uh-oh!
Whaaa???
All my J-school buddies said don’t write about this; it’s too dense and technical. I say phooey. I say you need to understand the fundamental architecture of a breach before you can think about how to defend against it. Analogies spring to mind, but I won’t go there. Instead, here is a simple (I think) explanation for how an exploit kit works and why you should care.
So, exploit kits are a type of malicious toolkit used to exploit security holes found in software applications for the purpose of spreading malware. Good so far?
They come with pre-written code and are estimated to be responsible for the vast majority of malware infections worldwide (which is why you should care). RIG 3.0 is now the most successful of these kits and its targets are specifically Internet Explorer, Java, Silverlight, Flash, and other Adobe products. It also enjoys penetrating any other outdated software you may be running. Why do I keep getting this visual of the Village People every time I think of RIG 3.0?
Here is how an exploit kit (designed for ransom and extortion) works:
- A victim unwittingly visits a website whose server has been hacked by cybercriminals.
- The victim is redirected through various intermediary servers and ends up at a rogue server hosting the exploit kit.
- The exploit kit gathers information on the victim's browser and plug-ins and determines which exploit to deliver.
- The exploit, carrying a malicious payload (in this case a piece of ransomware called Cryptowall), is then delivered to the victim's computer.
- That payload, which is similar to (the now notorious) CryptoLocker, encrypts local files and instructs the user to pay a ransom in order to recover them.
- Cryptowall is now also resident on the victim's computer and can easily spread across the network it sits on, creating new opportunities to extort funds from businesses as well.
Voila!
In the case of RIG 3.0, during the last few weeks security experts have been able to identify the websites hosting their malicious ads which include ebay.in, altervista.org, apps.facebook.com, wiki.answers.com, theguardian.com and go.com, all of which are either compromised legitimate websites or newly-registered domains.
And if you or your company runs a website on WordPress, you may have noticed a high volume of brute-force attacks recently; these are being used by the kit makers to hijack legitimate WordPress domains for the purpose of hosting these exploits. In the case of RIG 3.0, malvertising is the vector of choice for reaching victims, which means that large news sites are among those most infected. But investment consulting firms, hedge funds and IT service providers have also been heavily targeted, because they are an easy way to get to lots of client sites.
Using existing legitimate sites to host the exploit kits removes the need to create and maintain a dedicated domain infrastructure, along with the chores that come with it (registering new domains, randomizing names, using multiple email addresses, etc.) that criminals otherwise take on in order to avoid investigative attribution (being caught).
How much is this worth to the perpetrators? About $80-100,000 a month is how much an average exploit kit customer (hacker) is able to earn with a single kit that rents for around $500/month. Our investors would love those margins!
And, how successful have they been?
Well, since appearing on the market 46 days ago, RIG 3.0 has succeeded in infecting 1.25 million machines to date, meaning on average a whopping 27,000 infected machines per day. This means they have achieved an infection ratio of 34 percent against their targets: an impressive and unprecedented exploit success rate of one in three. And the numbers are expected to increase over the next few weeks.
You like irony? This incredible success rate is in spite of the fact that the kit authors had to recover from a massive blow resulting from one of their resellers leaking parts of their source code. Since then they have patched various security vulnerabilities in their code {smile} and have updated the URL scheme of the exploit pages in order to give their customers better evasion from security defense products. And, to demonstrate their interest in commercial marketing, they also rewrote the admin panel interface and gave it a hipper, more contemporary look. No; I am not making this stuff up.
So, how do you avoid this exploit?
You probably don't. Coming across a landing page of any exploit kit, including RIG's, is essentially unavoidable. Users are simply browsing the web - perhaps their favorite local news website - and, without any visual indication, an exploit page is loaded in a hidden iframe injected by a malicious advertisement that was served in the context of that website.
The problem is that neither the website nor its ad provider can do much to prevent the malicious ads from being displayed. Both are, in fact, victims in this scheme, just like the end user who is infected.
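To make the hidden-iframe step above concrete, here is an added example of my own (not code from the column or from any security product): a small Python checker that flags iframes in a page's HTML that are both hidden and point to a host outside the site. The sample HTML and the hostnames in it are constructed.

```python
# Added example: flag hidden iframes that load off-site content, the pattern
# by which a malicious ad pulls an exploit-kit landing page into a legitimate page.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# CSS fragments commonly used to hide an element from the user.
HIDING_PATTERNS = [
    r"display\s*:\s*none",
    r"visibility\s*:\s*hidden",
    r"(?:left|top)\s*:\s*-\d{3,}px",   # pushed far off-screen
]

def same_site(host, page_host):
    """Treat sub-domains of the page's own host as first-party."""
    return host == page_host or host.endswith("." + page_host)

class IframeAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []          # one dict per suspicious iframe

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname or self.page_host   # relative src = same host
        style = (a.get("style") or "").lower()
        reasons = []
        if a.get("width", "").strip("px ") in ("0", "1") or \
           a.get("height", "").strip("px ") in ("0", "1"):
            reasons.append("zero-size")
        if any(re.search(p, style) for p in HIDING_PATTERNS):
            reasons.append("css-hidden")
        if reasons and not same_site(host, self.page_host):
            self.findings.append({"src": src, "host": host, "reasons": reasons})

def audit_page(html, page_host):
    p = IframeAuditor(page_host)
    p.feed(html)
    return p.findings

# Constructed sample: a news page whose ad slot injects a hidden, off-site iframe.
SAMPLE = """<html><body><h1>Local news</h1>
<iframe src="https://video.example-news.test/embed/123" width="640" height="360"></iframe>
<div id="ad-slot"><iframe src="http://landing.example-bad.test/gate?id=1"
   width="0" height="0" style="display:none;border:0"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE, "example-news.test"):
        print(f"suspicious iframe -> {f['src']} ({', '.join(f['reasons'])})")
```

The visible video embed on a sub-domain of the site passes, while the zero-size, display:none frame pointing at a foreign host is reported.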
But … you can do what we kind-of always say in this column:
- Keep your software up to date, especially anything from Adobe or Microsoft.
- Keep your browsers and their plug-ins up to date, including MS Office.
- Enable click-to-play in your browsers so that Flash and other plug-in content is not downloaded and run automatically the moment you open a web page.
- Deploy anti-malware or managed anti-malware security controls that are designed to detect and block malware in real time. Or forget all that and
- Hire a managed security services firm to do all this for you.
Amusingly (and even more ironically), we have observed that RIG 3.0's main administration servers have recently been experiencing distributed denial-of-service (DDoS) attacks from rival criminal gangs, so RIG's authors have decided to protect their services by deploying them behind CloudFlare, a highly legitimate anti-DDoS service used by more than 2 million customer websites world-wide. This is sort of like the New Generation drug cartel asking the DEA for protection against the Sinaloa drug cartel.
It would appear that these exploit kits are like the Hydra, the mythological serpent-like water monster with reptilian traits, poisonous breath, and blood so virulent that even its scent was deadly. Or maybe like drug cartels. You know, the monster that grew two new heads whenever you cut one off? In our case, these modern-day, non-mythological hydras are growing not just more heads but increasingly accurate, more sophisticated, and, worst of all, more viral replacements.
And try as we might, there is, thus far, very little we can do to stop them.