January 2012: Attacks originate from compromised home internet routers, internet-connected televisions, cable set-top boxes, DVRs, VoIP devices, IP cameras, and media centers. The botnet targets ARM-based devices running Linux.
September 2014: Also known as Lizkebab, Torlus, and Gafgyt. Discovered after the Shellshock vulnerability in the Bash command shell was publicized, which it exploited to infect devices. A detailed analysis of Bashlite is published on Flashpoint's website.
October 2016: A worm currently targeting IoT devices such as routers, DVRs, and CCTV systems. Hajime spreads by scanning for devices that expose a Telnet server and logging in with default credentials. A more detailed analysis of the Hajime botnet is available as a downloadable PDF on the Rapidity Networks website.
October 2016: An Internet Relay Chat (IRC) botnet built from ELF (Executable and Linkable Format) binaries, the standard executable format on Linux and UNIX-like systems and therefore on the Linux-based firmware of many IoT devices, including routers, DVRs, and IP cameras.
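The entries above describe bots shipped as ELF binaries for ARM and MIPS. When triaging such a sample, the first question is which architecture it was built for, and the ELF header answers it in its first 52 bytes. The following Python is an added example, not code from the original page or from any of the botnets or vendors named here: it decodes the e_ident fields and e_machine, and the build_elf32_header helper fabricates minimal headers purely so the parser can be exercised offline. The machine numbers come from the ELF specification; the sample headers are constructed test data, not real malware.

```python
"""Triage helper: report the target architecture of an ELF sample."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"

# Subset of e_machine values from the ELF specification; IoT bots are
# overwhelmingly built for the first two.
MACHINES = {
    0x28: "ARM",
    0x08: "MIPS",
    0x03: "x86",
    0x3E: "x86-64",
    0xB7: "AArch64",
}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN"}


def parse_elf_header(data: bytes) -> dict:
    """Decode class, endianness, object type, machine and entry point from
    the first bytes of an ELF image. Raises ValueError for non-ELF input."""
    if len(data) < 0x34 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]  # 1/2 = 32/64-bit, 1/2 = LSB/MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed e_ident")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are 16-bit fields at offset 16; e_entry follows
    # e_version at offset 24 and is 4 or 8 bytes wide depending on class.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    if ei_class == 1:
        (e_entry,) = struct.unpack(endian + "I", data[24:28])
    else:
        if len(data) < 0x40:
            raise ValueError("truncated ELF64 header")
        (e_entry,) = struct.unpack(endian + "Q", data[24:32])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": TYPES.get(e_type, f"0x{e_type:x}"),
        "machine": MACHINES.get(e_machine, f"unknown(0x{e_machine:x})"),
        "entry": e_entry,
    }


def build_elf32_header(machine: int, big_endian: bool, entry: int) -> bytes:
    """Construct a minimal 52-byte ELF32 executable header (no program or
    section headers) so the parser can be exercised without real samples."""
    endian = ">" if big_endian else "<"
    e_ident = ELF_MAGIC + bytes([1, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack(
        endian + "HHIIIIIHHHHHH",
        2, machine, 1, entry,   # e_type=EXEC, e_machine, e_version, e_entry
        0x34, 0, 0,             # e_phoff, e_shoff, e_flags
        0x34, 0x20, 0,          # e_ehsize, e_phentsize, e_phnum
        0x28, 0, 0,             # e_shentsize, e_shnum, e_shstrndx
    )


def describe(data: bytes) -> str:
    """One-line summary suitable for a triage listing."""
    h = parse_elf_header(data)
    return (f"{h['machine']} {h['bits']}-bit {h['endian']}-endian "
            f"{h['type']} entry=0x{h['entry']:x}")


if __name__ == "__main__":
    # Usage: python elf_triage.py <file>...   With no arguments, describe the
    # two constructed headers (an ARM and a big-endian MIPS executable).
    samples = [open(p, "rb").read(64) for p in sys.argv[1:]] or [
        build_elf32_header(0x28, False, 0x8000),
        build_elf32_header(0x08, True, 0x400000),
    ]
    for s in samples:
        print(describe(s))
```

Only the first 64 bytes of a file are needed, so the script can be pointed at a directory of captured samples without loading them fully; anything that is not ELF (a dropper script, a stripped shell snippet) raises rather than being misreported.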
2015: Linux/Moose is a family of malware that primarily targets Linux-based consumer routers, including those ISPs issue to their customers, as well as other devices built on the MIPS and ARM architectures. It gains access by brute-forcing weak Telnet credentials.
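Hajime and Linux/Moose get in the same way: scan for Telnet, then try default or weak credentials. The following Python is an added example, not code from the original page or from any analysis it cites, showing the detection side of that pattern. It parses constructed telnetd-style log lines, flags a source that accumulates a burst of failed logins across several usernames within a short window, and then flags a later successful login from that same source as a probable compromise. The log format, the hostname and the source addresses are assumptions invented for the example.

```python
"""Detect Telnet credential brute-forcing and the login that follows it."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a syslog-like format; not from any real device.
# 198.51.100.7 walks a default-credential list and gets in; 203.0.113.5 is
# an operator who mistypes once and then logs in normally.
SAMPLE_LOG = """\
2016-10-21T02:14:01Z router telnetd[812]: login failed user=root from=198.51.100.7
2016-10-21T02:14:02Z router telnetd[812]: login failed user=admin from=198.51.100.7
2016-10-21T02:14:02Z router telnetd[812]: login failed user=root from=198.51.100.7
2016-10-21T02:14:03Z router telnetd[812]: login failed user=support from=198.51.100.7
2016-10-21T02:14:04Z router telnetd[812]: login failed user=root from=198.51.100.7
2016-10-21T02:14:05Z router telnetd[812]: login ok user=root from=198.51.100.7
2016-10-21T02:20:10Z router telnetd[812]: login failed user=admin from=203.0.113.5
2016-10-21T02:25:30Z router telnetd[812]: login ok user=admin from=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ telnetd\[\d+\]: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse(lines):
    """Turn log lines into (timestamp, source, user, succeeded) tuples,
    silently skipping lines that are not telnetd login records."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "ok"))
    return events


def detect(events, threshold=4, window=timedelta(seconds=30)):
    """Return findings as tuples:
         ("bruteforce", src, distinct_usernames_tried)
         ("compromise", src, user)   -- a success after the source was flagged
    A source is flagged once `threshold` failures fall inside `window`."""
    recent_fails = defaultdict(list)   # src -> timestamps of failures in window
    users_tried = defaultdict(set)
    flagged = set()
    findings = []
    for ts, src, user, ok in sorted(events):
        if ok:
            if src in flagged:
                findings.append(("compromise", src, user))
            continue
        # Slide the window: keep only failures within `window` of this one.
        recent_fails[src] = [t for t in recent_fails[src] if ts - t <= window] + [ts]
        users_tried[src].add(user)
        if len(recent_fails[src]) >= threshold and src not in flagged:
            flagged.add(src)
            findings.append(("bruteforce", src, len(users_tried[src])))
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG.splitlines())):
        print(finding)
```

The success-after-flag rule is the one worth keeping even when the failure threshold is tuned loosely: a scanner that guesses right on its fifth attempt produces exactly one "login ok" line, which on its own looks like an administrator. Pairing it with the preceding burst from the same source is what separates the two.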
August 2016: Evolved from a previously created Trojan known variously as Gafgyt, Lizkebab, Bashlite, Bash0day, Bashdoor, and Torlus, and affects the same classes of device as Bashlite.
Discovered in 2014 and still active and growing: currently infects Linksys and ASUS routers. Linksys provides step-by-step instructions for protecting its routers from TheMoon; ASUS recommends disabling all UPnP services and disabling remote access.
2013: Angler is one of the most sophisticated EKs used by cybercriminals and was first observed in 2013. It relies on malvertising to steer users to its servers and is known to exploit Adobe Flash Player, Internet Explorer, Microsoft Silverlight, Java, and ActiveX. Angler infects victims with ransomware and point-of-sale (PoS) malware.
2010-2013: Exploited Java and PDF vulnerabilities. In decline since its alleged creator, known as Paunch, was arrested in Russia.
2008: Fiesta was developed to deliver crypto-ransomware and fake antivirus payloads. It exploits vulnerabilities in Flash, Internet Explorer, Adobe Acrobat Reader, and Microsoft Silverlight, and can terminate running processes and disable common system tools to make detection and removal harder. Two-thirds of Fiesta-related traffic came from three countries: the United States, Japan, and Australia.
September 2016: Designed to be multipurpose and to bypass antivirus protection. To that end it decompresses its payload and injects it into a system parent process through native NT API calls (the Nt* functions beneath the documented Win32 ones), and it switches to a different network protocol to conceal its traffic from Deep Packet Inspection. Further analysis of Floki Bot has been published elsewhere.
2012: Remains active, exploiting vulnerabilities in Java versions at least up to Java 7 Update 11. When Neutrino finds a vulnerable target it downloads a ransomware variant onto the victim's machine. Leased to attackers, Neutrino EK has been equipped with CryptoLocker 2 and CryptoWall 4.0 ransomware and with variants of the Kovter click-fraud malware, which lives in the registry to evade detection.
2009: One of the most widely used EKs. It exploits vulnerabilities in ActiveX, Flash, Internet Explorer, Java, PDF, and Silverlight and delivers malware and ransomware. Nuclear can detect whether antivirus software is running and, if so, terminates the associated process and disables the antivirus driver files.
Discovered in 2014 and still active and growing, with 1.3 million infections worldwide. RIG 3.0 targets vulnerabilities in Java, Internet Explorer, Flash, and Silverlight and spreads through malvertisements on web pages.
2016: The Sundown exploit kit (EK), also known as Beta, is less sophisticated than other EKs and typically infects users through malvertising. In observed campaigns attackers injected an iframe into a legitimate website, redirecting visitors to an obfuscated landing page serving Sundown.
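The Sundown entry above describes the delivery step shared by most of the kits in this list: an iframe injected into a legitimate page that sends visitors on to the EK landing page. Such iframes are usually sized to a pixel, styled invisible or positioned off-screen so the visitor never sees the redirect. The following Python is an added example, not code from the original page or from any vendor analysis, that parses a page and reports iframes which are both hidden and point off-site. The HTML, the example.com/example.net/example.org hosts and the 203.0.113.9 address are constructed for the example, and the registrable-domain comparison (last two labels of the hostname) is a deliberate simplification rather than a public-suffix lookup.

```python
"""Flag hidden iframes that point off-site, the usual EK redirect injection."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: one legitimate embed from the site's own subdomain, one
# visible third-party ad, and two injected redirects (a 1x1 invisible frame
# and an off-screen frame pointing at a bare IP address).
SAMPLE_HTML = """\
<html><body>
<h1>Legitimate page</h1>
<iframe src="https://video.example.com/embed/42" width="560" height="315"></iframe>
<iframe src="https://ads.example.org/banner" width="300" height="250"></iframe>
<iframe src="http://landing.example.net/index.php?x=1" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://203.0.113.9/r/" style="position:absolute;left:-9999px;top:-9999px"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; valueless
        # attributes such as `hidden` arrive with value None.
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


def _at_most_one_px(value: str) -> bool:
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def is_hidden(attrs: dict) -> bool:
    """True for the common ways an injected frame is kept out of sight."""
    if "hidden" in attrs or HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    return _at_most_one_px(attrs.get("width", "")) and _at_most_one_px(attrs.get("height", ""))


def site_of(host: str) -> str:
    """Crude registrable-domain approximation: the last two labels."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_iframes(html: str, page_url: str) -> list:
    """Return the src of every iframe that is hidden AND points off-site."""
    parser = IframeCollector()
    parser.feed(html)
    page_site = site_of(urlparse(page_url).hostname or "")
    hits = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname or ""
        if host and site_of(host) != page_site and is_hidden(frame):
            hits.append(src)
    return hits


if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_HTML, "https://www.example.com/news/"):
        print("suspicious iframe ->", src)
```

Requiring both conditions keeps the noise down: a visible cross-site frame is how advertising and video embeds normally work, and a hidden same-site frame is a common (if ugly) tracking or layout trick. Hidden and off-site together is the combination that has no ordinary reason to exist, and in a periodic crawl of your own pages it is the signal that a template or a third-party script has been tampered with.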
2012: Appeared in 2012 and rose quickly in popularity among cybercriminals, filling the void left by the Blackhole EK after Blackhole's author was arrested. Sweet Orange shares many features with other kits, including a database that records successful infections and statistics on current exploits, and regular updating of the malware it delivers. It can also evade and disable sandboxes.