Researchers from the University of Leiden (Netherlands) studied The issue of placing fictitious prototypes of exploites containing malicious code for attacks on users who tried to use the exploit to check the presence of vulnerability. In total, 47313 repositories with exploits were analyzed, covering the well -known vulnerabilities, identified from 2017 to 2021. An analysis of exploites showed that in 4893 (10.3%) of them there is a code that performs harmful actions. It is recommended that users who have decided to use the published exploites first study them for suspicious inserts and launch only in isolated virtual machines.
Two main categories of malicious exploites were identified – exploites containing malicious code, for example, to leave a backdor in the system, loading a trojan or connecting a machine to a botnet, and exploites collecting and sending confidential information about the user. In addition, a separate class of harmless fictitious exploites has also been revealed that do not perform harmful actions, but also do not contain the expected functionality, for example, created to mislead users or in order to warn users who launch unverified code from the network.
several types of verification were used to identify malicious exploites:
- Explitude code was analyzed for the presence of sewn public IP addresses, after which the identified addresses were additionally checked by bases with black lists of hosts used to control the botnets and the distribution of malicious files.
- supplied in compiled form exploites were checked in antiviral software.
- In the range, the presence of atypical hexadecimal dumps or inserts in the format of Base64 was revealed, after which these inserts were decoded and studied.