Cloud computing, also known as on-demand computing, is a kind of internet-based computing, where shared resources and information are provided to computers and other devices on-demand. It is a model for enabling ubiquitous, on-demand access to a shared pool of configurable computing resources. Cloud resources are usually not only shared by multiple users but are also dynamically reallocated per demand.
An apparatus may comprise or represent any apparatus used to communicate with other apparatuses over a wired and/or wireless communication network. Examples of apparatuses that may be used in certain embodiments of the invention include, but are not limited to, wired or wireless devices such as server devices (for example web servers, database servers and proxy servers) and other network devices, entities or apparatuses such as base stations, gateways, routers and access points that are connected to a wired and/or wireless communication network and used for communication and interaction. An apparatus may provide cloud computing resources.
A target device, in connection with this application, is a device which may be the target of an exploit. A target device may comprise or represent any device used to connect to or access wired or wireless communication networks. Examples of target devices that may be used in certain embodiments of the invention are wired or wireless devices such as computers, mobile telephones, terminals, smart phones, portable computing devices such as laptops, handheld devices, tablets, netbooks, personal digital assistants and other devices that can connect and communicate over a wired or wireless communication network. In some embodiments, a target device may comprise or represent an apparatus as disclosed above. For example, the target device may be a server device or a gateway device. In some embodiments, the target device is an apparatus which has both client and server functionality, or which cannot be clearly classified as either a client or a server. For example, a gateway device is not clearly a client or a server, but it may likewise be exploited if it parses traffic traversing it. An example of such parsing is a gateway device which may run Flash files in its sandbox.
A software profile of a target device is a collection of data indicating what kind of software, such as operating system, kernel, firmware, applications and add-in modules, said target device uses, for example, for accessing selected types of content, receiving selected types of content, or interacting with selected types of content or with various types of communication counterparts. Such accessing or receiving of a specific type of content may be referred to as being exposed to content. Likewise, interacting with a communication counterpart, which interaction includes receiving, sending or fetching bytes from said communication counterpart, may be referred to as being exposed to content. The software profile further indicates the versions of said software. The terms application and software are used interchangeably, as is known to a person skilled in the art.
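As an added illustration, not part of the application text, the following Python builds such a software profile from two things a web page can observe about a visiting client: the User-Agent request header and the browser's plugin list, each with its version. It then answers the question the paragraph raises, namely which piece of software a given profile exposes to a given type of content. The header strings, plugin strings and the content-type-to-handler mapping are constructed for the example and do not come from any real capture.

```python
import re
from dataclasses import dataclass, field

# Constructed sample inputs (not real captures): a User-Agent header and the
# plugin list a page script could read from navigator.plugins.
SAMPLE_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36")
SAMPLE_PLUGINS = ["Shockwave Flash 18.0.0.209", "Java Deployment Toolkit 8.0.510.16"]


@dataclass
class SoftwareProfile:
    os: str = "unknown"
    browser: str = "unknown"
    browser_version: tuple = ()
    addins: dict = field(default_factory=dict)   # add-in name -> version tuple


def version_tuple(s):
    """'45.0.2454.85' -> (45, 0, 2454, 85) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


# Order matters: Android UAs also contain "Linux".
_OS_MARKERS = [
    (r"Windows NT (\d+\.\d+)", "Windows NT {0}"),
    (r"Mac OS X (\d+[._]\d+)", "Mac OS X {0}"),
    (r"Android (\d+(?:\.\d+)*)", "Android {0}"),
    (r"Linux", "Linux"),
]
# Order matters: Chrome UAs also contain "Safari", Edge UAs contain "Chrome",
# and IE 11 only identifies itself through "rv:11.0) like Gecko".
_BROWSER_MARKERS = [
    (r"Edge/(\d+(?:\.\d+)*)", "Edge"),
    (r"Chrome/(\d+(?:\.\d+)*)", "Chrome"),
    (r"Firefox/(\d+(?:\.\d+)*)", "Firefox"),
    (r"Version/(\d+(?:\.\d+)*).*Safari/", "Safari"),
    (r"MSIE (\d+\.\d+)|rv:(\d+\.\d+)\) like Gecko", "Internet Explorer"),
]


def build_profile(user_agent, plugins=()):
    """Derive a SoftwareProfile from a User-Agent string and plugin entries."""
    p = SoftwareProfile()
    for pattern, label in _OS_MARKERS:
        m = re.search(pattern, user_agent)
        if m:
            p.os = label.format(*m.groups()).replace("_", ".")
            break
    for pattern, name in _BROWSER_MARKERS:
        m = re.search(pattern, user_agent)
        if m:
            ver = next(g for g in m.groups() if g)   # first non-empty group
            p.browser, p.browser_version = name, version_tuple(ver)
            break
    for entry in plugins:
        m = re.match(r"(.*?)\s+(\d+(?:\.\d+)+)$", entry)   # "<name> <version>"
        if m:
            p.addins[m.group(1)] = version_tuple(m.group(2))
    return p


# Assumed mapping for the example: which profile entry handles which content
# type. None means the browser itself renders the content.
_CONTENT_HANDLERS = {
    "application/x-shockwave-flash": "Shockwave Flash",
    "application/x-java-applet": "Java Deployment Toolkit",
    "text/html": None,
}


def handler_for(profile, content_type):
    """Return (name, version) of the software this profile exposes to a
    content type, or None if the profile has nothing that handles it."""
    if content_type not in _CONTENT_HANDLERS:
        return None
    name = _CONTENT_HANDLERS[content_type]
    if name is None:
        return (profile.browser, profile.browser_version)
    ver = profile.addins.get(name)
    return (name, ver) if ver is not None else None


if __name__ == "__main__":
    prof = build_profile(SAMPLE_UA, SAMPLE_PLUGINS)
    print(prof)
    print(handler_for(prof, "application/x-shockwave-flash"))
```

The marker lists are deliberately ordered from most to least specific, because User-Agent strings carry the tokens of several browsers at once for compatibility; a profile built with the markers in the wrong order would report the wrong browser and version, which is exactly the data an attacker or a defender keys on.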
In computer security, an exploit is, from the victim's point of view, an object that causes software to behave in an unexpected and/or unwanted manner. The object is usually something that the software is unable to handle correctly, for example a string of characters that does not fit an expected pattern, or a series of commands that the software is unable to execute correctly.
When an exploit forces the software to behave unexpectedly, an attacker can take advantage of the disruption to perform other, usually malicious, actions that would not normally be permitted. For example, an attacker might exploit one piece of software on a computer in such a way that a second piece of software is silently installed without authorization from the user or administrator of the target device.
When software is unable to deal with an exploit because of an underlying flaw in its design or implementation, the flaw is known as a vulnerability. Vulnerabilities can be found in any type of software, from simple macro scripts that run within an application, to the application itself, to the operating system that runs it, and even in the firmware that controls the physical components of a user's computer or mobile device.
For an exploit to be a danger, however, an attacker must have some way to deliver it to the vulnerable software. For some vulnerabilities, this requires the attacker to have physical access to the targeted computer or mobile device. Far more dangerous is when an attacker can leverage a vulnerability remotely, most commonly over the Internet.
An exploit kit is a utility program or toolkit that can deliver an exploit to its corresponding target software. If the exploit is successful, the kit can then deliver a malicious payload to the compromised target device.
In order to reach targets to attack, exploit kit operators typically host their kits on websites, which may be either maliciously crafted websites or legitimate ones that have been compromised. The exploit kit can then silently probe the target devices of any visitors to the site. In some cases, attackers may increase the flow of potential victims to the exploit kit by using some form of web traffic hijacking to redirect more visitors to the poisoned website. For example, other websites might be hacked in order to quietly redirect target devices to the site hosting the exploit kit.
If a target device is found to be vulnerable to the exploit, the kit then downloads a payload onto the victim target device. The payload can be tailored according to the exploit kit operator's wishes, but typically includes the download of malware such as ransomware, botnet-related components and banking trojans.
Common exploit delivery mechanisms are, for example, hacked websites, benign websites with malicious advertisements, and email. In email, an exploit is typically delivered in an attachment such as an office document file or an image file, but it may also be placed in the email content, for example as a link. Further, exploits may be delivered through other communication-enabling software, such as USB protocol stacks or IoT (Internet of Things) related software.
FIG. 1 shows a simplified, exemplary cloud computing system with a target device represented by a client device (100), which may be subject to exploit serving. A website (101) has been compromised and is thus capable of serving exploits. A user contacts the website (101) with his/her client device (100) in order to access some initial content. This exemplary website (101), although legitimate as such, has been infected with malware. If the client device (100) is found to use a software version which has a vulnerability that is used by an exploit, the client device (100) is redirected to receive content from a malicious website (102), which returns to the client device (100) at least some additional content including an exploit, instead of the original content that was requested by the user of the client device (100).
Many benign websites use redirection and provide access to content, such as advertisements, served by different websites without serving exploits. Communication patterns caused by accessing content provided by a website are often complicated, including for example accessing content linked to the accessed website from various sources also outside the website's own domain. Thus, it is difficult to recognize whether the communication to and/or from various websites and the downloads of content that occur when a single target device contacts a website actually serve an exploit, or represent just the normal, intended and legitimate functionality of the website.
It is in the best interest of anyone programming exploits to first detect which version of a specific software of interest the target device is using. Different versions of the software have different vulnerabilities, and without knowing the version the attacker does not know which exploit to use. Using the wrong exploit results in an unsuccessful exploit attempt, which usually causes some kind of error to be shown on the target device, thus exposing the exploitation attempt. This is highly unwanted by exploit programmers, since in the case of hacked websites there is a higher risk of someone reporting the incident, which may lead to detection of the exploit and clean-up of the infected website. Successful exploitation, in contrast, in many cases goes unnoticed on the target device.
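The version gating just described, and the difficulty noted above of telling it apart from a benign website's redirects, can be made concrete with a small simulation. The following Python is an added example and not part of the application: it models the compromised website (101) of FIG. 1 as a function that redirects only those software profiles its exploit kit can actually exploit, a legitimate site that forwards every visitor to the same advertising host, and a probe that requests the same resource under several constructed software profiles and reports whether the destination depends on the profile. Hostnames, software names and version ranges are invented for the example and are not real vulnerability data.

```python
# Constructed model of a version-gated redirect. Names, hostnames and version
# ranges are invented for the example; they are not real vulnerability data.
EXPLOIT_SITE = "http://malicious.example/landing"   # stands in for website (102)
AD_NETWORK = "http://ads.example/banner"
ORIGINAL_CONTENT = {"status": 200, "body": "<html>requested page</html>"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def vtuple(s):
    """'18.0.0.209' -> (18, 0, 0, 209) so that versions compare numerically."""
    return tuple(int(p) for p in s.split("."))


# Exploits the kit carries: (software name, lowest affected, first fixed version).
KIT_TARGETS = [
    ("Shockwave Flash", vtuple("18.0.0.0"), vtuple("18.0.0.210")),
    ("Java Deployment Toolkit", vtuple("7.0.0.0"), vtuple("7.0.80.0")),
]


def compromised_site_response(profile):
    """Website (101): redirect a visitor only if its profile shows a version
    the kit can exploit; everyone else gets the genuine content, so a failed
    attempt never shows an error and the infection stays unnoticed.
    'profile' maps software name -> version tuple."""
    for name, lowest, fixed in KIT_TARGETS:
        ver = profile.get(name)
        if ver is not None and lowest <= ver < fixed:
            return {"status": 302, "location": EXPLOIT_SITE, "matched": name}
    return dict(ORIGINAL_CONTENT)


def benign_redirect_response(profile):
    """A legitimate site that forwards every visitor to the same ad network,
    regardless of what software the visitor runs."""
    return {"status": 302, "location": AD_NETWORK}


def differential_probe(fetch, profiles):
    """Fetch the same resource once per software profile and report whether
    where the visitor ends up depends on the profile. 'fetch' is any callable
    taking a profile and returning a response dict."""
    outcome = {}
    for label, profile in profiles.items():
        r = fetch(profile)
        outcome[label] = r["location"] if r["status"] in REDIRECT_CODES else None
    return {
        "version_dependent": len(set(outcome.values())) > 1,
        "redirected": {label: loc for label, loc in outcome.items() if loc},
    }


# Constructed probe profiles: identical except for the Flash add-in version.
PROBE_PROFILES = {
    "flash-18.0.0.209": {"Shockwave Flash": vtuple("18.0.0.209")},
    "flash-18.0.0.232": {"Shockwave Flash": vtuple("18.0.0.232")},
    "no-flash": {},
}


if __name__ == "__main__":
    for site in (compromised_site_response, benign_redirect_response):
        print(site.__name__, differential_probe(site, PROBE_PROFILES))
```

The probe's verdict is a heuristic rather than proof: a site that legitimately serves different content to different browsers will also appear version dependent, which is precisely the ambiguity the preceding paragraphs describe. What the simulation isolates is the property an exploit kit cannot give up, namely that its redirect is keyed to the vulnerable version and not to the visitor.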
There is a desire for efficiently detecting and identifying initial content that serves exploits or redirects target devices to other domains serving exploits.