How do exploit attacks work?
Software exploits couldn't exist without a flaw in the software they target, whether a design mistake or a plain coding bug. Once a hacker identifies this flaw, the vulnerability, they can write a computer exploit that, well, exploits it.
Many hackers use exploits to deliver malware. Here's an example of how such an exploit attack might work: You're browsing the internet and happen to land on a website carrying a malicious ad. The ad looks fine, but it quietly redirects your browser to the landing page of an exploit kit (more on those in a bit), which fingerprints your browser and its plugins and checks their versions against the weaknesses it knows how to attack.
If it finds one, the landing page fires the matching exploit to get its own code running through that vulnerability, then drops its malware onto your system, often without you clicking anything (a so-called drive-by download). When an exploit is used to install malware, the malware it delivers is called the payload.
On a technical level, cyber exploits aren’t considered malware, since there’s nothing inherently malicious about them. The danger of an exploit comes from what its user does after using it to infiltrate your system. It’s not ransomware, or a virus — there’s no such thing as an “exploit virus” or anything like that — but exploits are frequently used to deliver malware in a multi-stage attack.
What is the difference between an exploit and a vulnerability?
Vulnerabilities and exploits are closely linked. But while they’re related, they’re not exactly the same.
A vulnerability is any weakness in a piece of software. Not every vulnerability can actually be used to deliver a malware payload: some can't be exploited in practice, for example when another protection (a sandbox, a firewall, or memory defenses such as ASLR) stands between the bug and anything useful an attacker could do with it. Others are very exploitable indeed. In 2019, a vulnerability in Remote Desktop Services on Windows 7 and older versions of Windows was disclosed, tracked as CVE-2019-0708 and nicknamed BlueKeep. Because it could be triggered over the network without logging in, it was deemed dangerous enough that the NSA issued its own advisory urging users to patch.
An exploit is an attack that uses a software vulnerability to cause some sort of unintended effect in the targeted system — such as delivering malware or giving the hacker control or other access. Even if a certain vulnerability exists, there’s no immediate danger until someone figures out how to create an exploit for it. But, once a vulnerability is discovered, you can be sure that someone will try to develop an exploit.
Think of a software program as a house. The doors are locked up tight, but somewhere on the second floor, somebody left a window open. That’s a vulnerability. If a thief — a hacker — wants to use that vulnerability to get inside the house, they’ll need to exploit it with a ladder. By using a ladder to reach the second floor, the thief can exploit the open window and get inside.
Picture three windows. The one on the left is locked, so there's no vulnerability. The one on the right is open and vulnerable, but too high up to reach with any ladder the thief has. The one in the middle is open, vulnerable, and close enough to the ground to exploit.
To be sure, not all vulnerabilities are exploitable — at least, not yet. A window in the third-floor attic might be open, but if a thief doesn’t have a ladder long enough to reach it — that is, if no one has created an exploit to leverage that vulnerability — then there’s no way to use (exploit) it.
Common types of computer exploits
New vulnerabilities turn up almost every day, and exploits follow for some of them. A useful way to divide exploits is by whether or not anyone has fixed the targeted vulnerability yet.
When someone discovers a software vulnerability, they'll often alert the software's developer privately (coordinated disclosure) so that a security patch can be written before the details become public. They may also publish the details to warn others. Either way, the goal is for the developer to repair the vulnerability before an exploit for it is circulating.
These security patches are pushed out to users via software updates, which is why you should install updates as soon as you find out about them. An exploit that targets an already-patched vulnerability is referred to as a known exploit, since everyone already knows about its corresponding security flaw; it only works against machines that haven't been updated.
But rather than monitor all your installed programs for updates yourself, let AVG TuneUp handle it for you. Its fully automated Software Updater feature will monitor your favorite programs and update them automatically as soon as patches are released — keeping your “house” safe from hackers trying to exploit their way in.
WannaCry and NotPetya are two notorious strains of ransomware that spread using EternalBlue, a known exploit against the SMBv1 file-sharing protocol in Windows (the bug affected many Windows versions, not just Windows 7). Microsoft had already patched the vulnerability in March 2017 (MS17-010); WannaCry hit in May and NotPetya in June of that year. Because so many machines still hadn't been updated, both were able to cause billions of dollars in damage.
Zero-day exploits (unknown exploits)
Sometimes, exploits catch everyone by surprise. When a vulnerability is exploited before the software's developer knows about it, or at least before a patch exists, the attack is called a zero-day exploit: the developer has had "zero days" to fix the problem. The name refers to the head start defenders have had, not to the exploit literally being written on the day the bug was found.
Zero-day exploit attacks are highly dangerous because there's no patch to install. Typically the developer and defenders first learn about the vulnerability from the attack itself. To respond, the developer has to analyze the attack, create a patch and push it out, but that won't help those who've already been hit, and until the patch exists the only defenses are generic ones: running with the least privilege needed, sandboxing, and detection based on suspicious behavior rather than a known signature.
While software exploits get most of the media attention, they’re not the only types of exploits out there. Sometimes, hackers can exploit flaws in the physical hardware (and its firmware) in your device.
Meltdown and Spectre are two hardware vulnerabilities, disclosed in January 2018, that received serious attention because of how dangerous they could be. Both abuse speculative execution, a performance feature of modern CPUs, to read memory a program shouldn't be able to see. Meltdown affects most Intel processors (and a few designs from other vendors), while Spectre affects nearly every modern processor that speculates, including chips from Intel, AMD and ARM.
Proof-of-concept code was published along with the disclosure, so these are exploitable vulnerabilities, but they're hard to turn into reliable attacks and widespread in-the-wild use hasn't been reported. Intel and the other chip makers, together with operating-system vendors, have shipped microcode and software mitigations; on Linux you can see your kernel's view of them under /sys/devices/system/cpu/vulnerabilities.
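A quick way to check whether the Meltdown and Spectre mitigations mentioned above are actually active on a Linux machine, as an added example that is not part of the original page. The sysfs directory and the kernel's "Not affected" / "Vulnerable" / "Mitigation: ..." wording are real Linux interfaces; the snapshot built in build_sample_dir() is constructed so the script also runs on a non-Linux host, where it falls back to the sample data.

```python
"""Report speculative-execution mitigation status from the Linux kernel's
sysfs interface. Added example, not from the page. The sample directory
built below is constructed; the file names and status wording mirror what
the kernel writes."""
from pathlib import Path
import tempfile

SYSFS_VULNS = Path("/sys/devices/system/cpu/vulnerabilities")


def classify(status: str) -> str:
    """Collapse the kernel's free-form status line into three buckets."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    # "Vulnerable" or "Vulnerable: <detail>"; anything unrecognised is
    # deliberately treated as vulnerable rather than silently ignored.
    return "vulnerable"


def read_status(directory=SYSFS_VULNS) -> dict:
    """Return {name: (bucket, raw_line)} for every file in the directory.
    A missing directory (non-Linux host, very old kernel) yields an empty
    dict, which a caller must treat as 'unknown', never as 'safe'."""
    directory = Path(directory)
    if not directory.is_dir():
        return {}
    result = {}
    for f in sorted(directory.iterdir()):
        if f.is_file():
            raw = f.read_text(errors="replace").strip()
            result[f.name] = (classify(raw), raw)
    return result


def unmitigated(status: dict) -> list:
    """Names of the issues the kernel reports as still open."""
    return sorted(name for name, (bucket, _) in status.items()
                  if bucket == "vulnerable")


def build_sample_dir() -> Path:
    """Constructed sysfs snapshot: a host mitigated for Meltdown and
    Spectre v1 but still unmitigated for Spectre v2."""
    d = Path(tempfile.mkdtemp())
    (d / "meltdown").write_text("Mitigation: PTI\n")
    (d / "spectre_v1").write_text(
        "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n")
    (d / "spectre_v2").write_text("Vulnerable\n")
    (d / "l1tf").write_text("Not affected\n")
    return d


if __name__ == "__main__":
    live = read_status()
    status = live if live else read_status(build_sample_dir())
    for name, (bucket, raw) in status.items():
        print(f"{name:14} {bucket:13} {raw}")
    print("still unmitigated:", unmitigated(status))
```

Run it on a real Linux box and the live sysfs data is used; anywhere else it prints the constructed sample. The point of the three-bucket classifier is the last branch: a status line the script doesn't recognise is reported as vulnerable, because a mitigation check that fails open is worse than none.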
What is an exploit kit?
Enterprising cybercriminals may choose to invest in a Swiss Army Knife–like exploit kit. It’s a software toolbox that contains a variety of known exploits that people can use to break into vulnerable systems. Exploit kits make it easy for people without much programming experience to use exploits, since they don’t need to create their own. And they’re often customizable, so users can add new exploits to them.
An exploit kit is like a software toolbox with a variety of tools (exploits) that can be used to break into vulnerable computer systems.
When used, exploit kits analyze a potential target system to see whether it has any of the vulnerabilities for which the kit has a relevant exploit. If a suitable vulnerability is identified, the kit will leverage the appropriate exploit to grant its user access to the target system.
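The matching step described above, and the "known exploit" definition earlier in the page, both come down to one comparison: is the installed version older than the version that carries the fix? The following is an added example, not code from the page or from any real kit; every product name, version and exploit label in it is constructed. It shows that comparison from the defender's side (which installed components a kit of known exploits would still work against, i.e. what needs updating) and includes the version-parsing detail that trips people up in practice.

```python
"""Match an installed-software inventory against a catalogue of known
(already patched) exploits. Added example with constructed data."""
from dataclasses import dataclass
import re


def parse_version(s: str) -> tuple:
    """'11.2.202.442' -> (11, 2, 202, 442). Comparing version strings as
    text is a classic bug ('2.10' < '2.9' lexically); tuples of ints compare
    the way a human expects. Trailing zeros are dropped so '58' == '58.0'.
    Pre-release suffixes such as '-beta' are ignored (a simplification)."""
    parts = [int(p) for p in re.findall(r"\d+", s)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class KnownExploit:
    name: str        # constructed label, not a real exploit
    product: str
    fixed_in: str    # first version that carries the patch

    def applies_to(self, installed: str) -> bool:
        return parse_version(installed) < parse_version(self.fixed_in)


# Constructed catalogue: each entry is a patched vulnerability plus the
# exploit that was written for it.
CATALOGUE = [
    KnownExploit("demo-flash-01", "flash", "11.2.202.442"),
    KnownExploit("demo-browser-01", "browser", "58.0"),
    KnownExploit("demo-pdf-01", "pdfviewer", "2.10.0"),
]


def matching_exploits(inventory: dict, catalogue=CATALOGUE) -> dict:
    """inventory: product -> installed version, the same data a landing page
    fingerprints or a software updater reads. Returns product -> [exploit
    names] that still apply, i.e. the components that have not been updated."""
    hits = {}
    for product, installed in inventory.items():
        names = [e.name for e in catalogue
                 if e.product == product and e.applies_to(installed)]
        if names:
            hits[product] = names
    return hits


if __name__ == "__main__":
    # Constructed fingerprint of one machine: Flash one build behind,
    # browser current, PDF viewer on a 2.9.x release.
    fingerprint = {"flash": "11.2.202.440", "browser": "58.0", "pdfviewer": "2.9.1"}
    print(matching_exploits(fingerprint))
```

Note the "2.9.1" entry: a naive string comparison would call it newer than "2.10.0" and miss the exposure, which is exactly the kind of mistake that leaves a machine open to a known exploit long after the patch shipped.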
In the past, many exploit kits focused on browser plugins like Adobe Flash, since you had to update it separately from your browser and many people never did. Now that modern browsers update themselves, and with Flash discontinued at the end of 2020, exploit kits on the whole are in decline.
But despite their waning popularity, some exploit kits still persist as viable cybercrime tools.
RIG, Magnitude, and Neutrino
RIG, Magnitude, and Neutrino are three of the most historically popular exploit kits. Here’s how each of them gets the job done.
RIG has been used to deliver a staggering range of payloads, from ransomware and Trojans to cryptocurrency mining malware, which leverages a victim’s computer to mine cryptocurrency. Made available on a SaaS (software as a service) model, RIG can be yours for the low, low price of $150 per week.
RIG customers will typically seed legitimate websites with malicious advertisements. These ads will redirect that site’s visitors to RIG’s landing page (sometimes directly, sometimes via multiple stages). Once a victim reaches RIG’s landing page, the exploit kit delivers the cybercriminal’s chosen payload onto their computers.
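The malvertising chain described above (and in the drive-by scenario near the top of the page) leaves a trail in web proxy logs: a legitimate page, an ad request, one or more redirects through intermediate hosts, a landing page, then a download. Below is an added example of reconstructing that chain from such logs; it is not part of the original page and is not any vendor's detection logic. The log lines and domain names are constructed, and two assumptions are built in: a request that immediately follows a 3xx response from the same client is treated as that redirect's target (this log format has no Location header), and a Referer that points at an earlier request links the two.

```python
"""Reconstruct the redirect chain behind a drive-by download from web proxy
logs. Added example with constructed log lines and placeholder domains."""
import csv
import io
from urllib.parse import urlsplit

EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload",
                    "application/x-dosexec"}

# Constructed proxy log. Client 10.0.0.5 is routed news site -> ad server
# -> gate -> kit landing page -> payload. Client 10.0.0.6 downloads an
# installer directly from a vendor page (benign control case).
SAMPLE_LOG = """ts,client,url,status,content_type,referer
2024-03-01T10:00:00Z,10.0.0.5,http://news.example/article,200,text/html,
2024-03-01T10:00:01Z,10.0.0.5,http://ads.adnet.example/serve?slot=7,302,text/html,http://news.example/article
2024-03-01T10:00:01Z,10.0.0.5,http://gate.tds.example/go,302,text/html,http://news.example/article
2024-03-01T10:00:02Z,10.0.0.5,http://landing.kit.example/index.php,200,text/html,http://news.example/article
2024-03-01T10:00:03Z,10.0.0.5,http://landing.kit.example/payload.bin,200,application/octet-stream,http://landing.kit.example/index.php
2024-03-01T10:00:04Z,10.0.0.5,http://news.example/style.css,200,text/css,http://news.example/article
2024-03-01T10:01:00Z,10.0.0.6,http://vendor.example/download,200,text/html,
2024-03-01T10:01:01Z,10.0.0.6,http://cdn.vendor.example/setup.exe,200,application/octet-stream,http://vendor.example/download
"""


def parse_log(text: str) -> list:
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["status"] = int(r["status"])
    return rows


def link_parents(rows: list) -> dict:
    """Return {row index: parent row index or None}, per client, in log order.
    Assumption 1: the request right after a 3xx from the same client is the
    redirect target. Assumption 2: a Referer naming an earlier request links
    to that request. Parents always precede children, so no cycles."""
    parents, last_by_client, seen_url = {}, {}, {}
    for i, r in enumerate(rows):
        c = r["client"]
        parent = None
        prev = last_by_client.get(c)
        if prev is not None and 300 <= rows[prev]["status"] < 400:
            parent = prev
        elif r["referer"] and (c, r["referer"]) in seen_url:
            parent = seen_url[(c, r["referer"])]
        parents[i] = parent
        last_by_client[c] = i
        seen_url[(c, r["url"])] = i
    return parents


def chain_to(i: int, rows: list, parents: dict) -> list:
    """Walk parent links back to the root and return the path, root first."""
    path = []
    while i is not None:
        path.append(rows[i])
        i = parents[i]
    return list(reversed(path))


def suspicious_chains(rows: list, min_hosts: int = 3) -> list:
    """Flag executable downloads reached through a redirect and at least
    min_hosts distinct hosts. Returns [(client, [url, ...]), ...]."""
    parents = link_parents(rows)
    findings = []
    for i, r in enumerate(rows):
        if r["content_type"] not in EXECUTABLE_TYPES:
            continue
        path = chain_to(i, rows, parents)
        hosts = []
        for p in path:
            h = urlsplit(p["url"]).hostname
            if h not in hosts:
                hosts.append(h)
        redirected = any(300 <= p["status"] < 400 for p in path)
        if len(hosts) >= min_hosts and redirected:
            findings.append((r["client"], [p["url"] for p in path]))
    return findings


if __name__ == "__main__":
    for client, urls in suspicious_chains(parse_log(SAMPLE_LOG)):
        print(client, " -> ".join(urls))
```

The thresholds (a redirect plus three distinct hosts ending in an executable) are a starting point, not a rule; the value of the script is the chain itself, which tells an analyst where the ad came from and which host served the payload.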
Magnitude has been around since 2013, making it one of the oldest exploit kits still on the scene. Like RIG, Magnitude's infection strategy revolves around malvertising, but in recent years it has targeted victims largely in South Korea and other East Asian countries. And while RIG is a flexible exploit kit that's been paired with a variety of payloads, Magnitude works with its own strain of ransomware, Magniber.
The exploit kit market is highly competitive. In 2016, Neutrino was one of the most in-demand kits around. But in September of that year, Neutrino’s developers stopped renting their exploit kit to new clients. These days, it’s functionally deceased, having lost ground to other kits like Magnitude and RIG.
Who's most vulnerable to an exploit attack?
The people most vulnerable to an exploit attack are those who never update their software. Think about it — the longer any given piece of software has been on the market, the more time people have to find its vulnerabilities and create exploits for them.
The exploit kits we talked about just above — RIG, Magnitude, and Neutrino — rely on outdated software like Internet Explorer and Adobe Flash. And when WannaCry and NotPetya leveraged the EternalBlue exploit, its corresponding vulnerability had already been patched — victims simply hadn’t updated their software yet.
Zero-day exploits are the exception to this rule. In these cases, there’s no warning — no opportunity to install a security patch or a software update — so everyone running the targeted software is vulnerable. Developers will rush to issue emergency patches when zero-day exploits are discovered, but people still need to update their software if it doesn’t do so automatically.
For that reason, performance tools like AVG TuneUp are great ways to keep your computer protected against known exploits like EternalBlue. AVG TuneUp’s built-in Software Updater feature automatically monitors your installed software and favorite programs, then seamlessly updates them so that you’re always running the most current versions.
How can you protect against exploits?
The good news is that, in many cases, you can protect yourself against exploits. By practicing smart computer safety habits, you can go a long way toward insulating yourself from exploit attacks. Here’s a short list of your best anti-exploit tactics and techniques:
Always update your software. Any cybersecurity expert — us included — will tell you that one of the best ways to protect against exploits is to only use current software. If your device allows for automatic software updates, as most do, enable that process, or use an automatic software updater like AVG TuneUp. If you need to manually install an update, do it as soon as you receive a notification.
Back up your files. Updated software protects you against known exploits, but not against a zero-day, and no single defense will. A fresh backup of your most important files limits the damage if a cybercriminal uses an exploit to hit your computer with ransomware or another type of file-damaging malware.
When backing up to an external drive, disconnect the drive when you're not using it and store it separately from your computer. Ransomware encrypts every drive it can reach, so a backup that's always plugged in is just another victim; an offline copy is the one that survives.
Use software from trusted providers. This advice goes for standalone applications as well as browser extensions and plugins. Reliable software developers ensure that their products are as exploit-proof as possible. And if a zero-day exploit emerges, they’ll respond ASAP with a security patch.
Prevent the use of exploits and other threats for free
With real-time threat scanning and detection, a robust antivirus is your strongest ally in the fight against exploits. AVG AntiVirus FREE is a powerful and reliable cybersecurity tool that can protect you even against zero-day exploits.
Constant innovation allows us to stay ahead of exploit attackers. AVG AntiVirus FREE is equipped with an updated Web Shield that blocks dangerous downloads and malicious websites. Combine that with round-the-clock software monitoring that detects any suspicious activity on your computer, and you’ll be well protected in the event that any underhanded exploit attack emerges.