Good Software Hygiene – New Tool in QualysGuard

Wolfgang Kandek

Last updated on: September 6, 2020

Good Software Hygiene mandates fast patching, but most organizations have to prioritize the roll-out of patches, taking into account the severity of each vulnerability and whether it applies to their environment.

To help organizations tune their prioritization process, we added last week a knowledgebase enhancement that extends our severity rating with an “ExploitKit” mapping. The new mapping groups all QIDs that are used in the so-called ExploitKits that are available for purchase on the black markets. ExploitKits such as Crimepack, IcePack and Phoenix offer the attacker a suite of exploits for common OS, browser and application vulnerabilities, and they automate the setup of the malicious webservers needed in the malware infection cycle. For the moment they focus on the Windows OS.

[Figure: exploitkits_mapping]

ExploitKits are behind many of the mass malware infections (Zeus, SpyEye, etc.) that group the affected machines into botnets, which are remotely controlled to send spam, participate in DDoS attacks and intercept banking credentials by monitoring browser usage. Affected machines can also be used as beachheads for further incursions into the enterprise networks they belong to, and such infections are widespread: Gartner estimates that between 4 and 8% of all workstations in enterprise environments are infected.

Organizations can protect themselves from infection by hardening their installations and patching all of their workstations against the vulnerabilities abused by the ExploitKits. The “ExploitKit” mapping can be used in targeted scans or in reporting to aid in the hardening process.
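The prioritization idea behind the mapping, as an added example that is not Qualys code and does not use the QualysGuard API: findings that carry the “ExploitKit” mapping form the first patch wave, and within a wave the severity rating and any other exploit mappings decide the order. The finding records, hostnames, QIDs and mapping weights below are constructed sample data, not values from the knowledgebase.

```python
"""Patch prioritization driven by exploit-availability mappings.

Added example, not Qualys code: it models how a vulnerability that ships in a
commercial ExploitKit should be patched ahead of an equally severe one with no
packaged exploit. All records below are constructed sample data.
"""
from dataclasses import dataclass, field

# Weight of the secondary exploit mappings when two findings share a tier.
# The names follow the mappings mentioned in the post; the weights are an
# assumption chosen for this example.
MAPPING_WEIGHT = {
    "Metasploit": 2,
    "Core Impact": 2,
    "Canvas": 2,
    "Exploit-DB": 1,   # public proof of concept, not necessarily weaponised
}


@dataclass
class Finding:
    host: str
    qid: int           # QualysGuard vulnerability id (placeholder values here)
    title: str
    severity: int      # 1 (low) .. 5 (critical)
    mappings: set = field(default_factory=set)


def priority_key(f):
    """Sort key: ExploitKit membership first, then severity, then other mappings."""
    in_kit = 1 if "ExploitKit" in f.mappings else 0
    bonus = sum(MAPPING_WEIGHT.get(m, 0) for m in f.mappings)
    return (in_kit, f.severity, bonus)


def prioritize(findings):
    """Findings ordered from most to least urgent to patch."""
    return sorted(findings, key=priority_key, reverse=True)


def with_mapping(findings, mapping):
    """Targeted report: only the findings that carry the given mapping."""
    return [f for f in findings if mapping in f.mappings]


def exploit_kit_hosts(findings):
    """Hosts with at least one ExploitKit-mapped finding: the first patch wave."""
    return sorted({f.host for f in with_mapping(findings, "ExploitKit")})


# Constructed sample scan results; QIDs and titles are placeholders.
SAMPLE_FINDINGS = [
    Finding("ws-01", 900001, "Browser plugin RCE (placeholder)", 4, {"ExploitKit", "Metasploit"}),
    Finding("ws-02", 900002, "Office document parser RCE (placeholder)", 5, set()),
    Finding("ws-03", 900003, "Local privilege escalation (placeholder)", 3, {"Exploit-DB"}),
    Finding("ws-01", 900004, "Information disclosure (placeholder)", 2, set()),
    Finding("ws-04", 900005, "Media player overflow (placeholder)", 4, {"ExploitKit"}),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.host}  QID {f.qid}  sev {f.severity}  {sorted(f.mappings)}  {f.title}")
    print("first patch wave:", exploit_kit_hosts(SAMPLE_FINDINGS))
```

Note that the severity-5 finding on ws-02 ranks below the two severity-4 findings that appear in an ExploitKit: that is the point of the mapping as a tiering signal rather than a tie-breaker. If your process prefers severity to remain dominant, swap the first two elements of the tuple returned by priority_key.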

References:

  • Francois Paget at AvertLabs – initial overview
  • Mila Parkour at Contagiodump.blogspot.com – mapping data
  • ExploitKit white paper from Team Cymru – for some history on ExploitKits – see attached PDF

Attachments

A Criminal Perspective on Exploit Packs (PDF, 5.0 M)


Comments


1. Sean,

   Metasploit has its own mapping. So if you wanted to check for vulnerabilities that are used in ExploitKits and also for vulnerabilities that are supported by Metasploit, you would check both mappings – Metasploit and ExploitKits.

   BTW, we also support mappings for Core Security’s Impact and Immunity’s Canvas, plus a mapping for the Exploit Database at http://www.exploit-db.com.