Authors of the Sundown exploit kit have proven themselves masters of copy and paste, stealing exploits from rivals and borking encryption when they opt for originality.
Exploit kits offer an arsenal of attacks to the unscrupulous and are popular because they offer many means to point malicious payloads at victim machines. Authors compete to build the most capable exploit kits by reverse-engineering patches to build in the latest exploits, by buying zero-day exploits on underground markets, or sometimes by finding their own flaws.
The Sundown exploit kit is a small player in a busy market where the most popular payload propagation tools can earn their writers tens of millions of dollars … and the attention of law enforcement authorities.
Sundown has persisted for more than a year, a period during which rivals have burned out. The kit’s persistence may be explained by its focus on cheap code ripping revealed by Trustwave’s SpiderLabs.
Re-using exploits is common, but original work is usually required for exploit kits to become significantly popular.
SpiderLabs researchers say Sundown’s developers have instead succeeded by being particularly lazy.
In analysis of a Sundown instance they found the developers had yanked Internet Explorer exploit code (CVE-2015-2419) from the now dead Angler exploit kit and ripped a Silverlight exploit (CVE-2016-0034) from the bigger rival kit RIG.
A third exploit (CVE-2015-5119) was taken from the public flaying of Italian spy cop shop Hacking Team, while a fourth Adobe Flash exploit (CVE-2016-4117) was ripped from the larger Magnitude kit.
“The lesson for today it seems is that there is no honour amongst thieves,” the team says in analysis titled SunDown EK – stealing its way to the top.
Sundown is cheaper than its more accomplished rival kits, including Neutrino, which sits at the top of the exploit kit ranks, followed by RIG.
Prices for the second-most popular exploit kits have a tendency to shoot up once rival kits disappear, often thanks to the arrest of authors.
Neutrino doubled its asking price from US$3500 to US$7000 after the fall of Angler, now known to be thanks to sweeping arrests of hackers in Russia, and the demise of Nuclear which followed shortly after.