Recently, operators behind exploit-kit-as-a-service offerings have put more effort into hiding their operational infrastructure while providing better service to their customers. Almost all popular exploit kits nowadays are operated using sophisticated networks of several servers, such as proxies or gates, VDS (Virtual Dedicated Server) hosts, rotators, uploaders, panel servers, APIs and more. This complex setup makes it very hard for researchers to analyze the inner workings of these networks, thus limiting the information security community's ability to respond to such threats. However, this customer-facing approach also exposes the operators to direct attacks from researchers.
Over the past year, we have replicated several exploit kit infrastructures from leaked sources. This allowed us to gain a deeper understanding of their inner workings, choke points, and weaknesses. We discovered several attacks with the potential to take down an exploit kit, all of which may be performed with nothing but regular customer privileges. We also found that code and design-pattern re-use among different exploit kits is frequent, which allowed us to use the same attacks against several networks and even to discover new malicious servers. It is likely that the same approaches will work for the detection and takedown of future exploit kits as well. In this presentation, we will share our findings, analytical approaches and recommendations for future engagement with similar offerings. We will also share insights into the customers of these services.