Exploit Kit 2

This paper examines the evolution and impact of Exploit Kits in the cybercrime economy, which is estimated to cost the global economy around $400 billion annually. It highlights the increasing sophistication of these kits, their role in automating cybercrime, and the challenges they pose to cybersecurity efforts. The authors conclude that rather than declining, Exploit Kits have become more prevalent and effective, necessitating a reevaluation of strategies to combat them.

Uploaded by

zmk9499
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
9 views5 pages

Exploit Kit 2

This paper examines the evolution and impact of Exploit Kits in the cybercrime economy, which is estimated to cost the global economy around $400 billion annually. It highlights the increasing sophistication of these kits, their role in automating cybercrime, and the challenges they pose to cybersecurity efforts. The authors conclude that rather than declining, Exploit Kits have become more prevalent and effective, necessitating a reevaluation of strategies to combat them.

Uploaded by

zmk9499
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 5

Exploit Kits: The production line of the Cybercrime Economy?
Michael Hopkins, Ali Dehghantanha
School of Computing, Science, and Engineering, University of Salford
Manchester, United Kingdom
[email protected], [email protected]

Abstract— The annual cost of Cybercrime to the global economy is estimated to be around $400 billion, in support of which Exploit Kits have been providing enabling technology since 2006. This paper reviews the recent developments in Exploit Kit capability and how these are being applied in practice. In doing so it paves the way for better understanding of the exploit kits economy that may better help in combatting them and considers industry’s preparedness to respond.

Keywords— Exploit Kit, Driveby, Malware, Malvertising

ISBN: 978-1-4673-6988-6 ©2015 IEEE 23

I. INTRODUCTION

Intel have estimated the annual cost of Cybercrime to the global economy to be around $400 billion [1]. Combating cyber crime remains a major research topic in multiple fields of digital forensics [2],[3], including applications forensics [4]–[8], mobile device forensics [9]–[11], cloud forensics [12]–[18], and malware investigation [19]–[25]. Despite this, the cybercrime rate continues to increase [26]! A growing contributor to this increase, since the introduction of one of the first examples “Mpack” around 2006 [27], has been the Exploit Kit.

Defined by McAfee as “an off the shelf software package containing easy to use packaged attacks on known and unknown vulnerabilities” [28], the Exploit Kit serves an almost infinitely flexible menu of malware ranging from ransomware through banking and backdoor Trojans to rootkits. By exploiting vulnerabilities, typically in web browsers and their plugins (Adobe Reader, Flash Player and Java etc.) [30], the aim is often to achieve undetected remote control of the target device [31]. The arrest of the market leading providers in 2013 [32], media reports of declining use and conflicting threat landscape surveys [33] are likely to lead to confusion as to their relative prevalence as a threat.

This paper aims to first provide an overview and contextualize recent developments in Exploit Kit capability, illustrate how these are being applied in practice, determine whether the overall trend is one of market growth or decline and finally discuss industry’s preparedness to respond to exploit kit risks. The rest of this paper is organized as a Literature and Development Review followed by Discussion and some suggestions for Future Work.

II. LITERATURE AND DEVELOPMENT REVIEW

In December of 2013 ENISA, the Cyber Security body of the European Union, published a report on the evolving threat landscape [36]. Occupying positions number 1 and number 4 in the list respectively were “Drive by Exploits (malicious code injects to exploit web browser vulnerabilities)” and “Exploit Kits (ready to use software packages to automate cybercrime)”. Only two months prior, in October 2013, the alleged developer of the market leading Blackhole exploit kit, “Paunch”, was arrested in a move by Russian authorities [37]. At this time, the Blackhole exploit kit was reputed to have around 50% market share, serving over one thousand customers. The arrest was reported as a major blow to the cybercrime economy [32].

Just over 12 months later, at the end of January 2015, the impact of the Russian authorities' action against the Blackhole providers seemed to be reflected in the declining threat of the exploit kit. ENISA reported that Exploit kits, with an observed trend of “decreasing”, occupied position 8 on the threat landscape [33]. Further consideration of observed activity during 2014 and 2015 does not however support the same “decreasing” conclusion. Figure 1 provides a summary of exploit kit prevalence in 2013, 2014 and 2015 ([1],[28],[38]).

Figure 1: Major Exploit Kit Providers 2013-2015

As can be seen from Figure 1, out of the exploit kits observed in 2013, only a minority persisted into 2014, with four new entrants (Angler, Flashpack, Magnitude, & Rig) accounting for around two thirds of market share in 2014. By 2015 the Paunch shaped hole in the exploit kit supply chain had been completely replaced by another dominant provider; the Angler exploit kit, which accounted for over 82% of observed attacks and infections.

Consideration of the exploit kit with reference to the Lockheed Martin Kill Chain [34][35], shown in Figure 2, helps to understand the continuing appeal of the exploit kit and to provide some context to some of the most recent advances in exploit kit technology. By automating the majority of the first 5 steps from Reconnaissance to Installation with industrial scalability, an exploit kit enables the cyber criminal to instead focus attention on areas such as affiliate networking, monetization and the ongoing evasion of the command and control network.

Figure 2: The Lockheed Martin Kill Chain

Exploit kits are usually licensed using the software/“crimeware” as a service model, with clients being granted access to pre-imaged servers on which to load their binaries. In 2013 the Blackhole kit could be rented from $500 per month, its more sophisticated sister product “Cool” from $10,000 per month. In 2015 the RIG exploit kit is available from around $300 per month or by the day for less than $50 [39]. Grier et al. [27] further identified that instead of having to lure the victim and install their chosen malware themselves, the Traffic-PPI model, powered by the exploit kit, enabled clients to simply supply their binaries and pay per install. This business model is further supported by affiliates, whose referrals to the exploit landing sites are tracked and remunerated on a model within which the exploit kit provider typically pays per thousand visits.

Mirroring the legitimate software as a service economy, the deployment model gives exploit kit developers a high degree of control over their source code, how it is developed and supported. This approach will have facilitated much of the recent evolution whilst preserving the almost ethereal capability of today’s kits to move between hosts, for the most part undetected.

It is therefore within Steps 2 and 5 (Weaponization & Installation) that the most significant changes have been observed in the last two years. A small selection of the developments include:

• file-less intrusions, where Windows directory traversal vulnerabilities have been exploited, co-opting Windows utilities to act for the exploit kit [40]
• XOR encrypted payloads being downloaded to the target machine which are then decrypted prior to execution [41]
• Just in time assembly of malware where a disassembled payload is secreted through perimeter defences and re-assembled on the client using Windows PowerShell [40].
• a reduction in the average age of the vulnerabilities being targeted, with many zero day exploits being woven into kits in 2015 [42],[43]. NSS labs reported that the average time for a zero day vulnerability to become known to software vendors and users is around 151 days [44] – providing a significant opportunity for integration and widespread exploitation within a kit. For these vulnerabilities, which can be sold for up to $1m, the exploit kit is likely to be the fastest route to achieving a return on investment.
• DNS hijacking attacks directing users to exploit kits [45]
• the use of TOR for communication between infected hosts and the command and control servers [46], [47]

Although the use of dummy functions, manipulating strings, and obfuscating code with commercially available software are now widely used, kits such as Angler, Nuclear and Rig have further developed their Installation capability.

To avoid deployment on unsuitable platforms or sandboxed environments which may attract the unwanted attention of threat researchers, they seek first to identify the presence of virtual machines or anti-malware products which could frustrate payload delivery and/or expose operating practices.

Angler will look for the presence of security products (e.g. Kaspersky, Trend Micro) and virtual machines (e.g. VMware, Parallels). Within the Nuclear kit, this verification happens even before the target is redirected to the exploit kit landing page [46].

Developments have not been constrained only to Weaponisation and Installation, but have also been observed within Step 3 (Delivery). Although Phishing remains a successful vector for the Exploit kit, Malvertising delivers both targets and ongoing income for the cyber criminal in a perversely ingenious business model:

• Malicious adverts deployed by the cyber criminal lure potential targets to the exploit site; sometimes these “malverts” are procured and placed via third party networks, alternatively legitimate adverts are hacked
• Targets compromised by exploit kits are recruited as unsuspecting zombies to botnets
• These zombies generate fake page impressions on advertisers' sites, delivering a click fraud revenue stream for the cyber criminal
• Click fraud proceeds fund Exploit Kit development and the next campaign

The US Association of National Advertisers projected that advertisers would lose $6.3 billion to bot related fraud in 2015 [31]. Analysing 5.5 billion advertising impressions across 3 million domains over 60 days, almost one quarter of video advertising impressions were attributed to bot fraud. When traffic was sourced via a third party, bot fraud rates rose to over 50%. Prevention of these attacks presents serious challenges:

• The Malvert behaves in many ways identically to a legitimate advert – offering up embedded content and performing frequent, often nested and seamless redirects to content served by third party advertising networks
• As traffic is channelled through legitimate websites, web proxies blacklisting known bad sites provide little protection [40].
• The content delivered by third party networks is dynamic and constantly changing, so even forensic examination post infection is unlikely to reveal the same content as was delivered when the infection occurred

In the beginning of 2015, a threat actor, dubbed Fessleak by security firm Invincea [48], used a Malvertising vector alongside the Hanjuan exploit kit. The attack involved the Huffington Post and an article relating to the Charlie Hebdo terrorist attack. Payloads included remote desktop capability and an ad-fraud bot. Fessleak was using both file-less Flash and Adobe 0 day exploits to deliver his malware.

Finally considering Actions on Objectives, whilst the Exploit kit is becoming increasingly more sophisticated, McAfee report [1] the cyber criminal now needs fewer skills to take part in the industry. The Angler exploit kit does not require technical proficiency to launch an attack [28] and the cyber criminal is supported by initiatives including form based attack creation programs and affiliate schemes. Sophos further suggest the dominance by Angler may be related to a better return on investment for those criminals funding the kit developers (more traffic, better infection rates etc) [38].

In April 2015, it was observed that over 50% of the malware families installed by Angler were ransomware, including Teslacrypt, Kovter and Torrentlocker [38]. Attacks are not constrained to ransomware alone; in June 2015 a further malvertising attack was observed [49], this time using interstitial advertising (web pages displayed before or after an expected content page). The malvertising led to the Hanjuan exploit kit which was exploiting vulnerabilities in IE and Flash to deliver a banking Trojan payload – the aim being to steal passwords and credentials via a man in the middle attack. The payload was itself encrypted and the kit used encryption between the command and control server.

In early October 2015, following a successful intervention, Cisco Talos attributed around 50% of the Angler Exploit Kit activity to one primary threat actor, reportedly generating more than $30m per annum by targeting up to 90,000 victims per day [50].

III. DISCUSSION AND FUTURE WORK

It is clear that far from being in decline, the Exploit kits have been on an accelerated evolutionary path. The last two years have seen the replacement of most Exploit Kits on the market and the emergence of an even more dominant player than was apparent in 2013 with the rise of the Angler kit [50]. The kits are more sophisticated than their predecessors with significant innovations in Weaponisation, Exploitation and Installation. Their automated delivery capability is ideally suited to mass market vectors such as Malvertising and has clearly powered the growth in click fraud and ransomware.

Those at the heart of this business have achieved Actions on Objectives on a scale which can only be described as industrial, generating revenues which eclipse most legitimate businesses [50]. It is also apparent that, surrounding the exploit kit provider, is an opaque yet complex ecosystem of actors which includes exploit providers, malvertising agents, affiliates and crime gangs. Whilst there are some excellent academic works, most current intelligence is emerging from the security industry, as attacks are discovered and analysed. This same industry however appears to be offering numerous, disparate solutions and is far from consensus on the most appropriate strategies for prevention and cure.

Advice includes selecting internet service providers with strong phishing and spam defenses, not opening unexpected attachments and using browser plugins to prevent the execution of scripts and iframes. As some security insiders have elected to completely remove programs such as Flash [51], other vendors believe the perimeter focused, signature based detection approach is already flawed and we must instead turn our capability towards isolation, containment and observation [40].

Reiterating the continued requirement for proactivity towards areas such as configuration management, patching and password security in order to reduce the attack surface, they also report that both business and consumers remain surprisingly inattentive [1]. In the midst of this apparent confusion and apathy, ENISA further identified exploit kits as emerging threat number 8 in the mobile computing environment and position 9 in the list of emerging threats to the “Trust Infrastructure” [33]. The latter is the code and data we use to ensure trusted connections when we communicate (encryption, digital signatures, challenge/response, SSL…).

An accurate appreciation of the threat posed by the exploit kit and the ways in which this could be addressed will require further clarity on their prevalence, their capability and surrounding ecosystem(s). What is certainly clear is that the exploit kit is bringing increasing sophistication to a cybercrime battle being waged on many fronts, together with the potential to extend the range and reach of the cyber criminal on an industrial scale.

References

[1] “McAfee Labs Threat Report - August 2015.” [Online]. Available: http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-aug-2015.pdf. [Accessed: 19-Oct-2015].
[2] F. Daryabar, A. Dehghantanha, N. I. Udzir, N. F. Mohd Sani, S. Shamsuddin, and F. Norouzizadeh, “A survey on privacy impacts of digital investigation,” J. Gener. Inf. Technol., vol. 4, no. 8, pp. 57–68, 2013.
[3] A. Dehghantanha and K. Franke, “Privacy-respecting digital investigation,” in Privacy, Security and Trust (PST), 2014 Twelfth Annual International Conference on, 2014, pp. 129–138.
[4] M. N. Yusoff, R. Mahmod, M. T. Abdullah, and A. Dehghantanha, “Performance Measurement for Mobile Forensic Data Acquisition in Firefox OS,” Int. J. Cyber-Secur. Digit. Forensics IJCSDF, vol. 3, no. 3, pp. 130–140, 2014.
[5] M. Ibrahim and A. Dehghantanha, “Modelling based approach for reconstructing evidence of VoIP malicious attacks,” Int. J. Cyber-Secur. Digit. Forensics IJCSDF, vol. 3, no. 4, pp. 183–199, 2014.
[6] M. N. Yusoff, R. Mahmod, A. Dehghantanha, and M. T. Abdullah, “Advances of mobile forensic procedures in Firefox OS,” Int. J. Cyber-Secur. Digit. Forensics IJCSDF, vol. 3, no. 4, pp. 183–199, 2014.
[7] J. Talebi, A. Dehghantanha, and R. Mahmoud, “Introducing and analysis of the Windows 8 event log for forensic purposes,” in Computational Forensics, Springer International Publishing, 2015, pp. 145–162.
[8] F. Norouzizadeh Dezfouli, A. Dehghantanha, B. Eterovic-Soric, and K.-K. R. Choo, “Investigating Social Networking applications on smartphones detecting Facebook, Twitter, LinkedIn and Google+ artefacts on Android and iOS platforms,” Aust. J. Forensic Sci., pp. 1–20, 2015.
[9] S. Mohtasebi, A. Dehghantanha, and H. G. Broujerdi, “Smartphone Forensics: A Case Study with Nokia E5-00 Mobile Phone,” Int. J. Digit. Inf. Wirel. Commun. IJDIWC, vol. 1, no. 3, pp. 651–655, 2011.
[10] S. H. Mohtasebi and A. Dehghantanha, “Towards a Unified Forensic Investigation Framework of Smartphones,” Int. J. Comput. Theory Eng., vol. 5, no. 2, p. 351, 2013.
[11] M. N. Yusoff, R. Mahmod, M. T. Abdullah, and A. Dehghantanha, “Mobile forensic data acquisition in Firefox OS,” in Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), 2014 Third International Conference on, 2014, pp. 27–31.
[12] M. Damshenas, A. Dehghantanha, R. Mahmoud, and S. bin Shamsuddin, “Cloud Computing and Conflicts with Digital Forensic Investigation,” Int. J. Digit. Content Technol. Its Appl., vol. 7, no. 9, p. 543, 2013.
[13] M. Shariati, A. Dehghantanha, B. Martini, and K. R. Choo, “Ubuntu One investigation: Detecting evidences on client machines,” 2015.
[14] M. Shariati, A. Dehghantanha, and K.-K. R. Choo, “SugarSync forensic analysis,” Aust. J. Forensic Sci., no. ahead-of-print, pp. 1–23, 2015.
[15] F. Daryabar and A. Dehghantanha, “A review on impacts of cloud computing and digital forensics,” Int. J. Cyber-Secur. Digit. Forensics IJCSDF, vol. 3, no. 4, pp. 183–199, 2014.
[16] F. Daryabar, A. Dehghantanha, N. I. Udzir, and others, “A Review on Impacts of Cloud Computing on Digital Forensics,” Int. J. Cyber-Secur. Digit. Forensics IJCSDF, vol. 2, no. 2, pp. 77–94, 2013.
[17] M. Damshenas, A. Dehghantanha, R. Mahmoud, and S. Bin Shamsuddin, “Forensics investigation challenges in cloud computing environments,” in Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), 2012 International Conference on, 2012, pp. 190–194.
[18] A. Aminnezhad, A. Dehghantanha, M. T. Abdullah, and M. Damshenas, “Cloud Forensics Issues and Opportunities,” Int J Inf Process Manag, vol. 4, no. 4, 2013.
[19] S. bin Shamsuddin and F. Norouzizadeh, “Analysis of Known and Unknown Malware Bypassing Techniques,” 2013.
[20] M. Damshenas, A. Dehghantanha, K.-K. R. Choo, and R. Mahmud, “M0droid: An android behavioral-based malware detection model,” J. Inf. Priv. Secur., vol. 11, no. 3, pp. 141–157, 2015.
[21] F. N. Dezfouli, A. Dehghantanha, R. Mahmod, N. F. B. M. Sani, S. B. Shamsuddin, and F. Daryabar, “A Survey on Malware Analysis and Detection Techniques,” Int. J. Adv. Comput. Technol., vol. 5, no. 14, p. 42, 2013.
[22] M. Damshenas, A. Dehghantanha, and R. Mahmoud, “A survey on malware propagation, analysis, and detection,” Int. J. Cyber-Secur. Digit. Forensics IJCSDF, vol. 2, no. 4, pp. 10–29, 2013.
[23] F. Daryabar, A. Dehghantanha, and H. G. Broujerdi, “Investigation of malware defence and detection techniques,” Int. J. Digit. Inf. Wirel. Commun. IJDIWC, vol. 1, no. 3, pp. 645–650, 2011.
[24] S. Mohtasebi and A. Dehghantanha, “A Mitigation Approach to the Malwares Threats of Social Network Services,” Multimedia Inf. Netw. Secur., pp. 448–459, 2009.
[25] K. Shaerpour and A. Dehghantanha, “Trends in android malware detection,” J. Digit. Forensics Secur. Law, vol. 8, no. 3, p. 21, 2013.
[26] M. Ganji, A. Dehghantanha, N. IzuraUdzir, and M. Damshenas, “Cyber Warfare Trends and Future,” Adv. Inf. Sci. Serv. Sci., vol. 5, no. 13, p. 1, 2013.
[27] C. Grier, L. Ballard, J. Caballero, N. Chachra, C. J. Dietrich, K. Levchenko, P. Mavrommatis, D. McCoy, A. Nappa, A. Pitsillidis, N. Provos, M. Z. Rafique, M. A. Rajab, C. Rossow, K. Thomas, V. Paxson, S. Savage, and G. M. Voelker, “Manufacturing Compromise: The Emergence of Exploit-as-a-service,” in Proceedings of the 2012 ACM Conference on Computer and Communications Security, New York, NY, USA, 2012, pp. 821–832.
[28] “McAfee Labs Threat Report - February 2015.” [Online]. Available: http://www.mcafee.com/uk/resources/reports/rp-quarterly-threat-q4-2014.pdf. [Accessed: 18-Oct-2015].
[30] J. Chen and L. Brooks, “Evolution of Exploit Kits,” Trend Micro. [Online]. Available: https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-evolution-of-exploit-kits.pdf.
[31] “ANA/White Ops Study Reveals Extent of Advertising Bot Fraud | About the ANA | ANA.” [Online]. Available: https://www.ana.net/content/show/id/32948. [Accessed: 18-Oct-2015].
[32] “Meet Paunch: The Accused Author of the BlackHole Exploit Kit — Krebs on Security.” [Online]. Available: http://krebsonsecurity.com/2013/12/meet-paunch-the-accused-author-of-the-blackhole-exploit-kit/. [Accessed: 19-Oct-2015].
[33] “ENISA Threat Landscape 2014 — ENISA.” [Online]. Available: https://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape/enisa-threat-landscape-2014. [Accessed: 15-Oct-2015].
[34] E. Hutchins, M. Cloppert, and R. Amin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.” [Online]. Available: http://www.lockheedmartin.co.uk/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf.
[35] “LM-White-Paper-Intel-Driven-Defense.pdf.”
[36] “ENISA Threat Landscape 2013 - Overview of current and emerging cyber-threats — ENISA.” [Online]. Available: https://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape/enisa-threat-landscape-2013-overview-of-current-and-emerging-cyber-threats. [Accessed: 15-Oct-2015].
[37] “Blackhole exploit kit author arrested in Russia.” [Online]. Available: http://www.pcworld.com/article/2053180/blackhole-exploit-kit-author-arrested-in-russia.html. [Accessed: 15-Oct-2015].
[38] “A closer look at the Angler exploit kit | Sophos Blog.” [Online]. Available: https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/. [Accessed: 22-Oct-2015].
[39] MalwareTech, “RIG Exploit Kit - Source Code Leak | MalwareTech.” [Online]. Available: http://www.malwaretech.com/2015/02/rig-exploit-kit-possible-source-code.html. [Accessed: 22-Oct-2015].
[40] “The First Law of Intrusion Detection: You Can’t Detect What You Can’t See,” Invincea. [Online]. Available: https://www.invincea.com/2015/09/the-first-law-of-intrusion-detection-you-cant-detect-what-you-cant-see/. [Accessed: 19-Oct-2015].
[41] “Malware Injected Directly Into Processes in Angler Exploit Kit Attack | SecurityWeek.Com.” [Online]. Available: http://www.securityweek.com/malware-injected-directly-processes-angler-exploit-kit-attack. [Accessed: 02-Nov-2015].
[42] “HanJuan EK fires third Flash Player 0day,” Malwarebytes Unpacked. [Online]. Available: https://blog.malwarebytes.org/exploits-2/2015/02/hanjuan-ek-fires-third-flash-player-0day/. [Accessed: 17-Oct-2015].
[43] “New Ransomware, FessLeak, Taps Adobe Flash Flaws,” The Security Ledger. [Online]. Available: https://securityledger.com/2015/02/new-ransomware-fessleak-taps-adobe-flash-flaws/. [Accessed: 02-Nov-2015].
[44] “Hacking The Zero-Day Vulnerability Market,” Dark Reading. [Online]. Available: http://www.darkreading.com/vulnerability/hacking-the-zero-day-vulnerability-marke/240164591. [Accessed: 19-Oct-2015].
[45] “Attackers Use Exploit Kit to Hijack Routers: Researcher | SecurityWeek.Com.” [Online]. Available: http://www.securityweek.com/attackers-use-exploit-kit-hijack-routers-researcher. [Accessed: 02-Nov-2015].
[46] “Exploit Kits Improve Evasion Techniques,” McAfee. [Online]. Available: https://blogs.mcafee.com/mcafee-labs/new-exploit-kits-improve-evasion-techniques/. [Accessed: 18-Oct-2015].
[47] “Shade among top three encryptors in Russia delivered via spam, exploit kits,” SC Magazine. [Online]. Available: http://www.scmagazine.com/news/shade-encryptor-threat-in-russia-ukraine-germany/article/438463/. [Accessed: 02-Nov-2015].
[48] “Fessleak: The Zero-Day Driven Advanced RansomWare Malvertising Campaign,” Invincea. [Online]. Available: https://www.invincea.com/2015/02/fessleak-the-zero-day-driven-advanced-ransomware-malvertising-campaign/. [Accessed: 17-Oct-2015].
[49] “Elusive HanJuan EK Drops New Tinba Version (updated),” Malwarebytes Unpacked. [Online]. Available: https://blog.malwarebytes.org/intelligence/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/. [Accessed: 17-Oct-2015].
[50] “Talos Intel - Threat Spotlight: Angler Exposed Generating Millions in Revenue.” [Online]. Available: http://talosintel.com/angler-exposed/. [Accessed: 22-Oct-2015].
[51] “Angler Exploit Kit — Krebs on Security.” [Online]. Available: http://krebsonsecurity.com/tag/angler-exploit-kit/. [Accessed: 19-Oct-2015].
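Added example (not part of the original paper): Section II lists XOR encrypted payloads that are decrypted on the target prior to execution [41]. The sketch below shows how a defender can triage a captured download for an embedded Windows executable hidden this way by deriving the key from the expected "MZ" magic and confirming the PE signature. It assumes a single-byte repeating key, which the paper does not state; the function names and the sample blob are constructed for illustration.

```python
import struct

MZ_M, MZ_Z = 0x4D, 0x5A          # 'M', 'Z' of the DOS header magic
PE_SIG = b"PE\x00\x00"           # signature found at offset e_lfanew


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key (assumed scheme) to every byte."""
    return bytes(b ^ key for b in data)


def find_xor_pe(blob: bytes, max_lfanew: int = 0x400):
    """Return [(offset, key)] for each embedded PE image recoverable with a
    single-byte XOR key. Key 0 means the image is present in the clear."""
    hits = []
    n = len(blob)
    for off in range(max(0, n - 0x3F)):          # need a full 0x40-byte DOS header
        key = blob[off] ^ MZ_M                   # key that would decode this byte to 'M'
        if blob[off + 1] ^ key != MZ_Z:          # next byte must decode to 'Z'
            continue
        # Decode e_lfanew (little-endian DWORD at 0x3C) with the candidate key.
        raw = xor_bytes(blob[off + 0x3C: off + 0x40], key)
        e_lfanew = struct.unpack("<I", raw)[0]
        if not 0x40 <= e_lfanew <= max_lfanew:   # implausible header offset: false "MZ"
            continue
        sig_at = off + e_lfanew
        if sig_at + 4 > n:                       # truncated capture
            continue
        if xor_bytes(blob[sig_at: sig_at + 4], key) == PE_SIG:
            hits.append((off, key))
    return hits


def build_sample_pe_stub() -> bytes:
    """Constructed, non-executable 256-byte stub carrying only the header
    fields the scanner checks (MZ magic, e_lfanew, PE signature)."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = PE_SIG
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample: filler bytes, the stub XORed with key 0x5C, more filler.
    stub = build_sample_pe_stub()
    capture = bytes(range(1, 38)) + xor_bytes(stub, 0x5C) + bytes(range(200, 230))
    for offset, key in find_xor_pe(capture):
        print(f"PE image at offset {offset}, XOR key 0x{key:02X}")
```

A hit with a non-zero key on content served as an image, font or other non-executable type is a useful triage signal; multi-byte or rolling keys need a different approach and are not covered here.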