June 19, 2021

The rise of the Sweet Orange exploit kit

(LiveHacking.Com) –  Since the main purpose of malware is to make money, it is only to be expected that as many parts of the process as possible are streamlined and automated. This is why much malware uses command and control (C&C) servers to automate infection, spreading and, ultimately, the fraud itself. Another highly streamlined step is producing the virus or trojan that infects the victim's computer and delivers the payload. To this end malware authors have developed exploit kits, which let criminals package a chosen payload with a set of ready-made exploits for browsers and their plugins and have a new infection campaign running in a very short time. The most popular exploit kit is known as Black Hole; it accounts for some 40 percent of all toolkits detected.

Version 2.0 of Black Hole was recently released, claiming to be harder for anti-virus programs to detect. But Black Hole isn't the only exploit kit in town. One of its competitors is known as "Sweet Orange." According to Chris Larsen of Blue Coat, malware analysts are finding more and more examples of Sweet Orange-based malware.

Sweet Orange resembles other exploit kits in having a database backend that stores information about successful infections and gathers statistics on its exploits for Java, PDF, Internet Explorer and Firefox. It does, however, claim something quite unusual: according to its sales copy, Sweet Orange can drive 150,000 unique visitors a day to a site.

Because the whole process is automated, the scale Sweet Orange can reach is alarming. With 150,000 unique visitors a day to the predefined malicious web page and an infection rate of up to 15%, the kit could infect up to 22,500 PCs a day; even at a more conservative rate of around 7% that is 10,000 new PCs a day, or 300,000 a month, a huge pool of victims exposed to banking trojans, fake anti-virus malware and the like.

Such a high infection rate needs substantial infrastructure. The problem is that this infrastructure remains hidden and only parts of it can be seen, rather like an iceberg.

“Thanks to WebPulse, and the amount of traffic that comes through each day, Blue Coat can see a lot more of the iceberg,” said Jeff Doty of Blue Coat. “In my research, I found 45 different IP addresses (and a total of 267 different domains) that are dedicated to Sweet Orange.”
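As an added illustration of how an analyst pivots from a handful of observed kit domains to the hosting behind them, here is a small Python script. It is not Blue Coat's WebPulse method or data and is not part of the original article; every domain name, address (RFC 5737 test ranges) and tag in it is constructed for the example. Starting from domains seen serving the kit's landing page, it collects the IPs they resolve to, then looks at every other domain observed on those IPs: an IP whose domains are all kit-related or unknown is treated as dedicated infrastructure (the "45 IP addresses" kind of finding) and its unknown domains become new leads, while an IP that also hosts clearly benign sites is flagged as shared hosting so it is not blocked wholesale.

```python
from collections import defaultdict

# Constructed passive-DNS-style observations: (domain, resolved_ip, tag).
# "kit"     = seen serving the exploit kit's landing page in traffic
# "benign"  = known legitimate site
# "unknown" = only seen resolving, not yet classified
# All names and addresses are hypothetical (RFC 5737 test ranges).
OBSERVATIONS = [
    ("land1.example",  "192.0.2.10",   "kit"),
    ("land2.example",  "192.0.2.10",   "kit"),
    ("stats.example",  "192.0.2.10",   "unknown"),
    ("land3.example",  "192.0.2.11",   "kit"),
    ("land4.example",  "192.0.2.11",   "unknown"),
    ("shop.example",   "198.51.100.5", "benign"),
    ("land5.example",  "198.51.100.5", "kit"),     # kit domain on shared hosting
    ("news.example",   "198.51.100.5", "benign"),
    ("cdn.example",    "203.0.113.7",  "benign"),  # never touched by a kit domain
]


def index_by_ip(observations):
    """Map each IP to {domain: tag} for every domain observed resolving to it."""
    by_ip = defaultdict(dict)
    for domain, ip, tag in observations:
        by_ip[ip][domain] = tag
    return by_ip


def seed_domains(observations):
    """Domains already confirmed as kit landing pages: the visible tip of the iceberg."""
    return {domain for domain, _, tag in observations if tag == "kit"}


def pivot(observations, seeds):
    """Expand from seed domains to their IPs and back to co-hosted domains.

    Returns dedicated IPs (safe to treat as kit infrastructure), shared IPs
    (kit domain co-located with benign sites; block the domain, not the IP),
    and previously unknown domains that inherit suspicion from a dedicated IP.
    """
    by_ip = index_by_ip(observations)
    seed_ips = {ip for domain, ip, _ in observations if domain in seeds}

    dedicated, shared, new_leads = set(), set(), set()
    for ip in sorted(seed_ips):
        tags = by_ip[ip]
        if any(tag == "benign" for tag in tags.values()):
            shared.add(ip)
        else:
            dedicated.add(ip)
            new_leads.update(d for d, tag in tags.items() if tag == "unknown")
    return {"dedicated_ips": dedicated, "shared_ips": shared, "new_leads": new_leads}


def summarize(result):
    """Counts in the form an analyst would report: dedicated IPs and new domains found."""
    return {
        "dedicated_ip_count": len(result["dedicated_ips"]),
        "shared_ip_count": len(result["shared_ips"]),
        "new_lead_count": len(result["new_leads"]),
    }


if __name__ == "__main__":
    res = pivot(OBSERVATIONS, seed_domains(OBSERVATIONS))
    for key, value in res.items():
        print(f"{key}: {sorted(value)}")
    print(summarize(res))
```

The benign/unknown distinction is what keeps the pivot honest: without it, one kit domain parked on a large shared host would drag every customer of that host into the block list. In practice the "benign" tag would come from a reputation feed or allow-list rather than being hand-written as here.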