Attackers Crib Exploit Code, But Net Benefit For Defenders

The crime packs used by criminals to create malware campaigns to compromise and control victims’ computers rarely use original attacks, instead relying on reusing techniques found in publicly released exploit code.

An analysis of 18 exploits used by the top-20 crime packs found that the crucial code used in each attack could be traced back to information released by a security researcher, a blog post posted by a security firm describing the exploit, or a sophisticated attack created for an espionage campaign. The analysis, presented by Trail of Bits’ CEO Dan Guido at last month’s BruCon security conference, highlights the dangers that exploit code can pose in a software ecosystem that is slow to patch known vulnerabilities.

“There are pros and cons: The APT groups get by fine totally on their own, they create their own exploits totally in house, and there is value from a defensive point of view to understanding how these exploits work and what their limitations are,” says Guido. “On the other hand, when you see all these security researchers beating up on Java, you know that code is going to slot right into a space waiting for it.”