
We’re all human and as such will sometimes make mistakes. This includes software developers, who sometimes make mistakes writing software; such a mistake is referred to as a “bug” in the software. Gaining access to a device is the first challenge for any malware because it cannot perform further actions until it has access. While a Trojan relies on tricking a user to gain this access, an exploit instead takes advantage of software bugs. Attackers can use exploits to gain initial access to a device or network, to escalate the access they already have, or simply to deny access to other users.
Exploits are by no means confined to malware, but they are often used by malware to gain access to systems that would otherwise be protected. As an infection method, exploits don’t require tricking a user because the mistake being utilized already exists in the software rather than needing to be created through social engineering.
However, malware can use exploits for more than gaining initial access, so exploits and Trojans can co-occur. For example, a Trojan might utilize an exploit to escalate privileges or perhaps even to gain the initial foothold itself, especially given the shift to document-based Trojans over the years: the applications that open documents deliberately isolate document content from the rest of the host system for security reasons, and exploits can help Trojans break through this layer of security. Exploits are also commonly coupled with reinfection methods, specifically with worms, to assist in spreading to new systems without user interaction.
How exploits are revealed and how they avoid detection
Because exploits rely on software bugs, these bugs can be fixed through security updates to the software. Sometimes these fixes happen before the exploit is even used for malicious reasons, such as when discovered by security professionals. However, sometimes exploits are revealed and/or used before they are patched, and this is referred to as a zero-day exploit. Since no fix exists yet, these exploits can be very damaging, especially when they grant remote code execution, which allows an attacker to run their own code using the exploit as though it were a legitimate part of the software that contains the bug.
Wide use of a zero-day does immediately put the bug on the radar of those responsible for maintaining the software, prompting them to provide a security patch as quickly as possible, as well as security vendors whose software is capable of detecting exploits being used. It becomes somewhat of a race between the attackers and defenders, one side trying to utilize the exploit as much as possible before it is patched or detectable and the other trying to patch or detect the exploit itself.
Zero-day exploits can be quite powerful until patched, and patching becomes a high priority once they are known to the authors of the software containing the bug, which usually results from either use in the wild or discovery by a security professional who looks for exploitable bugs in software. While the latter is outside an attacker’s control, the former is not necessarily outside it.
More sophisticated attackers such as nation-state groups — commonly referred to as advanced persistent threats (APTs) — can discover and use exploits sparingly so as to prevent their discovery by the software authors. In 2016 a group called The Shadow Brokers leaked a number of zero-day exploits they claimed to have obtained from Equation Group (believed to be a division within the U.S. National Security Agency). While this leak led to extensive usage and then patching of the exploits, until the leak the exploits were being kept secret for small-scale usage to prevent discovery and patching.
Other ways attackers use exploits
While somewhat outside of the scope of this series, it is worth mentioning that exploits are also commonly used by attackers manually rather than being included in malware. Moving through a victim network often requires exploits to either gain better access (privilege escalation) or move to different machines (lateral movement). These same techniques can be used by malware but sometimes are too complex to account for within the malware given each network is different, and thus specific techniques may need to be tailored to it. Malware can also be implanted later in the attack once an attacker has gained the level of access that best suits their goals.
In another common malware-related use of exploits, exploit kits combine multiple known browser exploits in the hope of infecting unpatched systems that visit a particular web page with malware. While this does often involve tricking a user into visiting the site in the first place, it differs from Trojans because the social engineering is removed from the malware itself and instead takes the form of phishing or malicious advertisements that trick an ad network into hosting the exploit kit.
The power of patching
Exploits are highly versatile attack techniques that may or may not involve malware. Their main limitation is that because they rely on software bugs, once those bugs are patched the exploit will no longer work. Unfortunately, many users and organizations do not apply security patches and software updates in a timely manner. Thus, many exploits remain viable attack methods long after they should.
This is why the vast majority of articles explaining remediation steps or general security practices will mention applying updates and security patches in a timely manner. The fewer systems that remain vulnerable to an exploit, the less effective that exploit is. In turn, this makes it less likely that an attacker will include the exploit in malware, because malware tactics and techniques tend to follow whatever is most effective.
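The relationship between patch coverage and an exploit’s reach can be made concrete from the defender’s side: given an inventory of installed software versions and the version in which the vendor fixed a given bug, list the hosts that are still exposed and measure what fraction of the fleet that is. The script below is an added example written for this article, not code from the original post or from any vendor; the host names, product names and version numbers are constructed placeholders (in practice the fixed version comes from the vendor’s advisory and the inventory from your asset management system).

```python
"""Patch-coverage check over a constructed software inventory.

Added example for this article. The hosts, products and versions below
are constructed placeholders, not data from the page or any real system.
"""

# Constructed: the minimum version of each product that contains the fix.
# In practice these values come from the vendor advisory for the bug.
FIXED_VERSIONS = {
    "example-reader": "4.2.1",
    "example-browser": "112.0.5",
}

# Constructed inventory, one host per line: "<host> <product> <installed version>"
INVENTORY = """\
ws-01 example-reader 4.1.9
ws-02 example-reader 4.2.1
ws-03 example-browser 111.9.0
ws-04 example-browser 112.0.5
ws-05 example-browser 112.1
"""


def parse_version(text):
    """Turn a dotted version string such as '4.2.1' into the tuple (4, 2, 1)."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(installed, fixed):
    """True when the installed version is at least the version carrying the fix.

    Shorter tuples are padded with zeros so that '112.1' compares as 112.1.0,
    which is newer than 112.0.5 (plain string comparison would get this wrong).
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def unpatched_hosts(inventory=INVENTORY, fixed=FIXED_VERSIONS):
    """Return the hosts still running a version older than the fix."""
    exposed = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = line.split()
        # Products with no known fix in the table are simply not assessed.
        if product in fixed and not is_patched(version, fixed[product]):
            exposed.append(host)
    return exposed


def exposure_ratio(inventory=INVENTORY, fixed=FIXED_VERSIONS):
    """Fraction of inventoried hosts still exposed: the exploit's remaining reach."""
    total = sum(1 for line in inventory.splitlines() if line.strip())
    if total == 0:
        return 0.0
    return len(unpatched_hosts(inventory, fixed)) / total


if __name__ == "__main__":
    print("Still exposed:", unpatched_hosts())
    print(f"Exposure: {exposure_ratio():.0%}")
```

Running it against the constructed inventory reports ws-01 and ws-03 as still exposed, 40% of the fleet. Re-running the same check after each patch cycle gives a simple, trackable number for how much of the environment a given exploit could still affect.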