Microsoft boffins have crafted what they say is the world's first platform specifically designed to kill exploit kits.
The tool goes by the name "Kizzle" and is a fast signature compiler that targeted the common practise of code-reuse by malware authors, and could generate identifying signatures weeks ahead of current anti-virus techniques.
More Reading'Domain shadowing' hijacks registrar accounts to spawn attack sitesBiter bitten as hacker leaks source code for popular exploit kitBad romance: Ransomware, exploit kits in criminal cuddleHalf a billion wearables... and guess whose kit has to support all that data, asks CiscoAttackers sling recent Flash 0day through 1800 domains
Exploit kits are an effort to package attacks so that bad guys can stop making number plates and instead move to higher-value work in their chosen specialist fields. Ransomware fiends, for example, have most recently moved to this model leaving the process of breaking into systems to the exploit kits.
A trio of Bens, surname Stock, Livshits, and Zorn from the University of Erlangen-Nuremberg and Microsoft say in the paper Kizzle: A Signature Compiler for Exploit Kits (PDF) that the bundles looked wildly different until it unpacked on machines.
Here the similarities in the underlying fingerprinting and exploitation code are revealed to be consistent between versions, a fact that is detected and exploited by Kizzle.
“The approach taken by Kizzle is based in our observation that, while exploit kits change the malware they deliver frequently, kit authors generally reuse much of their code from version to version.
“Ironically, this well-regarded software engineering practice allows us to build a scalable and precise detector that is able to quickly respond to superficial but frequent changes in exploit kits.”
False positives and negatives came in at fewer than than .03 and five percent respectively using cloud bots over a month-long test, a vast improvement to that of commercial anti-virus.
The team uses the example of the popular Nuclear exploit kit which underwent more than a dozen changes between January and August last year, almost all of which were superficial alterations to the packer only.
Others among the most popular exploit kits in active use changed on average only a few percent, even registering less than a percent of difference over a month.
Kizzle will fizzle if exploit kits become polymorphic and change its unpacked forms, a feat that other research indicates is feasible.
The authors say the detection would best occur in the browser, adding that Kizzle fits “seamlessly” into existing anti-virus systems.®