Recently we managed to get an unusual peek into the content hosted on the servers of the prevalent Magnitude exploit kit. In this blog post we review its current administration panel and capabilities, along with the infection statistics Magnitude reported to its customers over the course of several weeks. (A second article in this blog series is linked here.)
Since the arrest of Paunch, the creator of the Blackhole exploit kit, exploit kit developers and sellers have learned their lesson about doing business in the underground. Unlike the "last generation" of exploit kits, today's leading kits cost customers considerably more than before, with the difference justified as an "additional risk fee", and vendors no longer advertise openly on underground forums as they once did. Anyone who wishes to rent an exploit kit instance must know a guy who knows a guy who knows someone (and so on) who can put the buyer in touch with the actual seller. Access is based entirely on trust built up within these forums.
Magnitude is one of the most prevalent exploit kits in use today and holds 31% of the exploit kit market share, according to Trustwave's 2014 Global Security Report. It is notorious for its role in the infection of several high-profile websites, including the Yahoo Ad Network and php.net, both of which were abused to redirect visitors to Magnitude instances. Several researchers have published excellent write-ups on Magnitude, but because exploit kits have become so stealthy, detailed information about the inner workings of the kit itself remains hard to find.