Blue Coat Labs

Labs Blog

Forbidden Fruit: The Sweet Orange Exploit Kit

Share this: 

Forbidden Fruit: The Sweet Orange Exploit Kit

Chris Larsen, Jeff Doty

[I've been seeing quite a few submissions from our malware-hunting analysts lately with notes that here was another "Sweet Orange" host, so I was glad to see Jeff take time to write up a post about this exploit kit. --C.L.]


Exploit Kits

Malware is a business; people make their living writing and distributing it. Exploit kits are an effective and streamlined methodology of distributing malware; they allow the Bad Guys to distribute payloads at a higher level than we have seen in the past. For this reason we've seen exploit kits grow in popularity over the last few years.

In simple terms, exploit kits are prepackaged web application software, designed to exploit visitors' computers with an array of attacks. If a vulnerability is found on the visiting computer, any desired payload can be installed. These payloads can be any flavor of malware: from fake AVs and ransomware, to banking Trojans, and anything in-between. For a sometimes hefty price, one may obtain a subscription to one of these kits, host it on a webserver, and watch as innocent visitors are exploited and infected with malware. 

Typically, the exploit kit that gets the most attention is the infamous Blackhole exkit. This kit has been a leader in the industry for a long time, but with the rapid growth of the malware industry, several other exploit kits are competing for Blackhole’s customers. One of these is the "Sweet Orange" kit.


Forbidden Fruit

Sweet Orange comes to the market with many of the key features we have seen in other exploit kits: a database backend that records successful infections, statistics about exploits for Java, PDF, IE and Firefox, and of course regular updates. It does add a few unique selling points: a small footprint, a higher infection rate, and the claim that they will drive 150,000 unique visitors to your site daily.

screenshot of sweet orange statistics page

150,000 unique visitors daily... Let’s look at what that means...

Let’s say that I want to create a botnet with a piece of malware that I write. Sweet Orange claims to get a successful infection rate of 10% to 25% of the visitors who land on the malicious webpage. (Many hacker forums claim it to be more like 10% to 15%.) If we go with the lower percentage, and I get my promised 150,000 unique visitors a day, that gives me around 10,000 infections a day. That’s 10,000 new computers a day that will be joining my botnet.

And it's all completely automated.


Tracking Icebergs

So what do you do when there's a new exploit kit wreaking havoc? You investigate it...

There are some great resources to learn about Sweet Orange, and some will even tell you domains and IP addresses that are hosting it. One such resource is the Malware Domain List.

As of this writing, has seven IP addresses, and eight domains, that are known to be hosting Sweet Orange. (Hmm... That seems like a small number to be driving 150,000 unique visitors to your malware site a day.)

[Jeff's internal blog post was a few days ago, so I just re-checked, and got the same list. --C.L.]


So that's a good start, but it doesn't let us see the whole picture -- only the tip of the iceberg.

image of an iceberg (most of it is underwater)

Thanks to WebPulse, and the amount of traffic that comes through each day, Blue Coat can see a lot more of the iceberg. In my research, I found 45 different IP addresses (and a total of 267 different domains) that are dedicated to Sweet Orange. (This sounds a lot more in line with the claim of 150,000 unique daily visitors.)


I wondered if anyone else was seeing these... To find out, I took a sample of 20 domains and 20 IP addresses (that were completely dedicated to Sweet Orange) and ran them through a couple of different public virus scanners.

Only 7 of the 20 domains were caught by any of the vendors on Virustotal: three by one vendor, and four by another, or an average of 0.35 hits per domain.

(It got worse when I checked the IP addresses. There were zero hits on any of the 20.)

I did the same test on with the 20 domains. The tools there did a little better, averaging 1.25 hits for each domain. This is definitely an improvement, but it is still only the tip of the iceberg.


If that weren't enough to worry about, malicious sites move a lot faster than icebergs, changing IP address and domains to avoid detection. But with WebPulse’s malnet tracker we can follow the Sweet Orange hosts wherever they go, protecting our customers along the way -- we don't want them to be part of the "150,000".