Exploits and exploit kits
Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security safeguards to infect your device.
How exploits and exploit kits work
Exploits are often the first part of a larger attack. Hackers scan for outdated systems that contain critical vulnerabilities, which they then exploit by deploying targeted malware. Exploits often include shellcode, which is a small malware payload used to download additional malware from attacker-controlled networks. Shellcode allows hackers to infect devices and infiltrate organizations.
Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different kinds of software vulnerabilities and, if any are detected, deploy additional malware to further infect a device. Kits can use exploits targeting various software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java, and Sun Java.
The most common method used by attackers to distribute exploits and exploit kits is through webpages, but exploits can also arrive in emails. Some websites unknowingly and unwillingly host malicious code and exploits in their ads.
The infographic below shows how an exploit kit might attempt to exploit a device after you visit a compromised webpage.
Figure 1. Example of how to exploit kits work
Notable threats use exploit kits to spread ransomware, including JSSLoader. The threat actor tracked by Microsoft as Storm-0324 (DEV-0324) uses this malware to facilitate access for the ransomware-as-a-service (RaaS) actor [Sangria Tempest](https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#ELBRUS] (ELBRUS, Carbon Spider, FIN7).
Examples of exploit kits:
To learn more about exploits, read this blog post on taking apart a double zero-day sample discovered in joint hunt with ESET.
How we name exploits
We categorize exploits in our Malware encyclopedia by the "platform" they target. For example, Exploit:Java/CVE-2013-1489.A is an exploit that targets a vulnerability in Java.
A project called "Common Vulnerabilities and Exposures (CVE)" is used by many security software vendors. The project gives each vulnerability a unique number, for example, CVE-2016-0778. The portion "2016" refers to the year the vulnerability was discovered. The "0778" is a unique ID for this specific vulnerability.
You can read more on the CVE website.
How to protect against exploits
The best prevention for exploits is to keep your organization's software up to date. Software vendors provide updates for many known vulnerabilities, so make sure these updates are applied to all devices.
For more general tips, see prevent malware infection.