Over the last decade, malicious software has become a pervasive problem for Internet users as many networked resources include vulnerabilities that are subject to attack. For example, payloads downloaded while browsing the Internet may exploit these vulnerabilities by allowing a third-party to gain access to one or more areas within the network not typically accessible. For example, a third-party may exploit a software vulnerability to gain unauthorized access to email accounts and/or data files.
For instance, content (e.g., payloads within network traffic) received by a network device while loading an Internet web page may include an exploit kit, which may be understood as a self-contained framework designed to exploit known vulnerabilities and/or download and install additional malicious, anomalous or unwanted objects. Exploit kits, as well as the additional objects that may be downloaded, may attempt to acquire sensitive information, adversely influence, or attack normal operations of the network device or the entire enterprise network by taking advantage of a vulnerability in computer software.
For example, the user of a network device, e.g., a laptop, may activate (e.g., click on) a link while browsing the Internet. The link may open up a new window, or tab within the web browsing application, and redirect the user to an unwanted web page instead of loading the web page expected by the user. The redirect may perform additional actions that may include downloading and installing malicious, anomalous and unwanted payloads.
In current malware detection systems, exploit kit detection is based on a correlation of signatures of known exploit kits. However, in order to generate a signature for an exploit kit, the exploit kit necessarily must have been activated such that malicious, anomalous or unwanted behavior affected one or more network devices or the operation of the network itself. Therefore, current malware detection systems are unable to proactively detect exploit kits and prevent the download and activation thereof.
In some situations, a redirect, a hidden link on a web page or content that automatically downloads upon activation of a link, may enable a third-party to access one or more storage areas of the network device (e.g., contact list or password storage). As another example, through a redirect, a hidden link or automatically downloaded content, a third-party may gain access to the network to which the network device is connected (e.g., an enterprise network) through the network device without proper permissions. Stated generally, exploit kits and additional payloads downloaded in association with an exploit kit may affect the network device, an enterprise network to which the network device is connected, and/or other network devices connected to the enterprise network in a negative or anomalous manner.
Based on the shortcomings set forth above, current signature-based malware detection systems do not proactively detect exploit kits effectively in order to prevent the download thereof and/or the download of additional malicious, anomalous or unwanted payloads.