All Hail the New King? (A Look at the Cool Exploit Kit)
[Following up on his look at the Sweet Orange exploit kit, Jeff returns with a look at the Cool exkit. I've been seeing this show up in large numbers in the daily submissions from our analyst team, so I knew they were finding a lot, but Jeff's numbers were eye-opening. Good stuff! -- C.L.]
Here at Blue Coat, we put a lot of effort into tracking and analyzing exploit kits on the internet. Exploit kits are a cheap [well, they used to be...] and effective platform for distributing malware to thousands of computers a day. For the last few years, the “king” of exploit kits has been the Blackhole Exploit Kit (BHEK), created by a group led by “Paunch” in Russia. The success of BHEK has spurred the market for more exploit kits, but BHEK has always been the most popular. For the last few months, we've been tracking an exploit kit called Cool Exploit Kit. From my analysis (and others'), the Cool kit is very similar to other exploit kits, and particularly similar to BHEK. This has led to speculation that Cool was developed by the same group.
Yesterday, Brian Krebs confirmed that Cool does indeed come from Paunch and his group -- his research led to posts on underground hacker forums where Paunch takes credit for Cool and gives some details on the project.
So what makes Cool different from BHEK and other exploit kits? For one, the Cool kit comes with a price tag of $10,000 a month. That is significantly higher than BHEK and other exploit kits, which can run anywhere from $500 - $1,500 a month. The reason for the price hike apparently stems from a $100,000 investment in new exploits that the developers announced, which will be used exclusively by Cool and not made public. This could give Cool a significant leg up over other exploit kits.
Recently, I have seen a sharp increase in the number of servers that are hosting the Cool kit. I wanted to see how the Cool traffic compares to the traffic we are seeing from Blackhole, so I went back and looked at the number of new servers my team submitted to Blue Coat's Malnet Tracker each month:
- For simplicity, I'm using the number of unique IP addresses as a proxy for the number of servers.
- All the numbers represent new servers, not a cumulative total. (There would be a lot more BHEK servers in a cumulative model.)
- I use a starting value of zero in October, because at that point we hadn't yet concluded that we were seeing a new exploit kit.
As you can see in the graph above, Cool began steadily gaining ground on Blackhole when it was released. Then in December, the number of new IP addresses skyrocketed -- Cool outgrew BHEK by 6 to 1.
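As an added illustration of the counting rules in the bullets above (this is not code from the post or from Blue Coat's tracker), the Python below counts "new" servers per month by the month an IP was first submitted for a given kit, builds the cumulative total for contrast, and flags subnets that host a mix of kits. The submission records are constructed from documentation-range addresses, not real indicators.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample submissions: (month, kit, ip). Documentation-range IPs only.
SUBMISSIONS = [
    ("2012-10", "blackhole", "192.0.2.10"),
    ("2012-10", "blackhole", "192.0.2.11"),
    ("2012-10", "blackhole", "192.0.2.10"),    # duplicate submission, same server
    ("2012-11", "cool", "198.51.100.5"),
    ("2012-11", "blackhole", "192.0.2.12"),
    ("2012-11", "blackhole", "192.0.2.10"),    # already known, not "new" in November
    ("2012-12", "cool", "203.0.113.7"),
    ("2012-12", "cool", "203.0.113.8"),
    ("2012-12", "cool", "203.0.113.9"),
    ("2012-12", "blackhole", "203.0.113.20"),  # shares a /24 with Cool servers
]

def new_servers_per_month(submissions):
    """Count each (kit, ip) pair once, in the month it was first seen.
    This is the post's 'new servers, not a cumulative total' rule."""
    first_seen = {}
    for month, kit, ip in sorted(submissions):       # 'YYYY-MM' sorts chronologically
        first_seen.setdefault((kit, ip), month)
    counts = defaultdict(lambda: defaultdict(int))
    for (kit, _ip), month in first_seen.items():
        counts[month][kit] += 1
    return {month: dict(kits) for month, kits in counts.items()}

def cumulative(per_month):
    """Running total per kit, the model the post deliberately does not chart."""
    totals, out = defaultdict(int), {}
    for month in sorted(per_month):
        for kit, n in per_month[month].items():
            totals[kit] += n
        out[month] = dict(totals)
    return out

def mixed_kit_subnets(submissions, prefix=24):
    """Return networks (default /24) where more than one kit has been hosted."""
    kits_by_net = defaultdict(set)
    for _month, kit, ip in submissions:
        kits_by_net[ip_network(f"{ip}/{prefix}", strict=False)].add(kit)
    return sorted(str(net) for net, kits in kits_by_net.items() if len(kits) > 1)

if __name__ == "__main__":
    monthly = new_servers_per_month(SUBMISSIONS)
    print("new per month:", monthly)
    print("cumulative:   ", cumulative(monthly))
    print("mixed subnets:", mixed_kit_subnets(SUBMISSIONS))
```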
We have also seen a couple of large IP subnets that are hosting a mix of Blackhole and Cool exploit kit sites. One network in particular that Adnan found is monstrous, and I incorporated it into the next chart:
As you can see, the servers in the mixed-kit network greatly outnumber the servers that are hosting solely one type of exploit kit. I haven't looked at all of them, but from a high-level perspective, it looks like most of them are hosting the Cool kit. (Which would make Cool's rise to power even more impressive.)
In conclusion, the Cool exploit kit is still relatively new, and doesn’t have the history that BHEK has, but if these trends continue -- and with the advantages that Cool is supposed to contain -- it isn’t a long stretch to say that Cool may be the new king in the exploit kit market. So we'll continue to make hunting its new servers a high priority.