Sophos Report on Angler Exploit Kit

Update: 7th September 2015:
A recent report from Cisco discussed further in this article describes the increasing prevalence and success of the Angler exploit kit due to it quickly integrating newly disclosed security vulnerabilities, it’s use of domain shadowing and a delay in Adobe Flash users installing security updates.
Original Post:

With the recent disclosure of several Adobe Flash zero day (zero day, defined) security vulnerabilities which were quickly taken advantage of by attackers using malware exploit kits, it is becoming more important to know how to defend against these attacks.

This Sophos report provides a detailed analysis of how the exploit kits operate with a specific emphasis on the most prevalent exploit kit, the Angler exploit kit. At the end of the report, in the comments section Sophos describes the recommended actions to take to prevent such attacks occurring either by your website becoming compromised or the exploit kit attacking one of your computing devices. I have also highlighted these recommendations below (my thanks to Sophos for providing them):

  • Uninstall browser plugins such as Adobe Flash and/or Microsoft Silverlight if you don’t use them. However if you do make use of them, consider having more control over their usage (e.g. Click to Play, supported by all browsers except Internet Explorer).
  • Keep your operating system e.g. Linux, Apple Mac OS X or Windows and your most used programs up to date and install all security updates made available for them. I discuss updating/patching within the “Protecting Your PC” page.
  • Install anti-malware software. Both paid for and free versions are available (e.g. Malwarebytes, Avast, Microsoft Security Essentials etc.). Apple Mac OS X and Linux versions are also available (the provided links are examples of the many products available). Please choose a package that meets your needs in terms of functionality and price. Products which include heuristics (heuristics, defined) should have more success in preventing these attacks from infecting your devices.

Since the exploits delivered by these exploit kits seek to evade detection using obfuscation (further information on obfuscation techniques) and building unique exploits for each request received to access the exploit website makes the detection of these threats using anti-malware increasingly difficult. Anti-sandbox techniques (e.g. detecting virtual machines and tools such as Fiddler) are also used to make analysis of the exploit samples more difficult by malware researchers seeking to build detections against them.

In addition to the recommendation of using anti-malware software; for corporate environments the use of next-generation IPS (NGIPS) (Intrusion Prevention Systems, defined) can be used to detect these exploits as they attempt to attack your devices.

Within the Sophos report a technique is mentioned that was employed by the attackers using exploit kits to bring traffic to websites of their choice, this technique is known as DNS shadowing. This is a technique where a legitimate websites domain name ( is used to create subdomains (e.g. or that can then be used by the attackers. These subdomains have a very short life time (e.g. a matter of minutes) which makes them difficult to predict and block using blacklists (a list of IP addresses or domain names e.g. that are blocked due to those addresses or domain sending spam or hosting malware (that is delivered to the visitors to such websites).

These subdomains can be created since the login credentials for the domain registration e.g. from companies such as GoDaddy have been compromised by the attackers. Since many website owners infrequently check these accounts it makes them more susceptible to being compromised without being noticed. These accounts initially become compromised by a phishing attack. As well as using the advice within the phishing article linked to above, as per Sophos’ advice the following would be recommendations to detect and prevent such occurrences of your domain registration account becoming compromised:

  1. Send email notifications after DNS changes: This will allow to take action to re-secure your account e.g. changing your password and/or enabling two-factor authentication.
  2. Implement two-factor authentication: This article explains how to enable this feature for GoDaddy accounts.

The above 3 suggestions from Sophos (in addition to the use of NGIPS for corporate environments) along with the advice concerning the protection of your domain registration accounts should you keep safe from this prevalent and sophisticated exploit kit.

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.