Patching

Every day, millions of web sites and emails contain links to malware known as “exploit kits.” Malicious programmers (or programming teams) create exploit kits and then use them or sell them. An exploit kit usually contains everything a wannabe hacker could need in the exploit cycle, including 24/7 technical support and auto‐updating to avoid getting caught by antivirus scanners. A good exploit kit will even find and maliciously modify otherwise innocent web sites to ensure it gets executed whenever visitors browse to the infected web site. All the attacker has to do is buy the kit, execute it, and send it along its way to find victim web sites.

Exploit kits almost always contain client‐side exploitation routines (programs that run on end‐user desktops, as opposed to code meant to exploit servers) that check for multiple missing patches. They can check for anywhere from a handful of vulnerabilities to several dozen. Any unpatched, unlucky visitor gets silently exploited (in what is also known as a “drive‐by download” attack), whereas fully patched web surfers usually get prompted by a social engineering trick to install a Trojan horse program. Exploit kit bad guys would rather exploit unpatched devices than use social engineering because not all end‐users will automatically agree to install any program they are prompted to install. The involved vulnerabilities are routinely updated so that the exploit kit can be as successful as possible. Most exploit kits even contain centralized ...
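Because exploit kits succeed against clients that are missing patches, the defensive counterpart is a patch-gap audit: compare what is actually installed on each endpoint against the lowest version that contains the vendor's fix. The script below is an added illustration, not code from the book or from any product; the product names, version numbers and host inventory are constructed sample data, and a real audit would feed it from a software inventory tool and a vendor advisory feed. The one non-obvious piece is numeric version comparison, since a plain string compare would rank "9.10" above "10.0".

```python
"""Patch-gap audit (added example; inventory and fixed-version table are constructed)."""

import re


def parse_version(s):
    # Turn "118.0.2" or "23.6b1" into a tuple of ints so that comparison is
    # numeric per component, not lexicographic.
    nums = []
    for part in s.strip().split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums)


def version_lt(a, b):
    # True when installed version a is older than version b.
    # Missing trailing components count as zero, so "1.2" == "1.2.0".
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa < pb


# Constructed table: product -> lowest version that includes the fix.
# These are hypothetical values, not real advisory data.
MIN_FIXED_VERSION = {
    "example-browser": "118.0.2",
    "example-pdf-reader": "23.6",
    "example-media-plugin": "32.0.0.445",
}

# Constructed host inventory: (hostname, product, installed version).
INVENTORY = [
    ("ws-01", "example-browser", "118.0.2"),
    ("ws-01", "example-pdf-reader", "22.9.1"),
    ("ws-02", "example-browser", "117.0"),
    ("ws-02", "example-media-plugin", "32.0.0.445"),
    ("ws-03", "example-media-plugin", "31.9.0.9"),
    ("ws-03", "example-unknown-tool", "1.0"),
]


def find_patch_gaps(inventory, min_fixed):
    # Return one record per (host, product) whose installed version is older
    # than the version that carries the fix. Products with no entry in the
    # fixed-version table are skipped rather than flagged.
    gaps = []
    for host, product, installed in inventory:
        required = min_fixed.get(product)
        if required is None:
            continue
        if version_lt(installed, required):
            gaps.append({"host": host, "product": product,
                         "installed": installed, "required": required})
    return gaps


def summarize(gaps):
    # Group the missing-patch findings by host for a remediation worklist.
    by_host = {}
    for g in gaps:
        by_host.setdefault(g["host"], []).append(g["product"])
    return by_host


if __name__ == "__main__":
    for g in find_patch_gaps(INVENTORY, MIN_FIXED_VERSION):
        print(f'{g["host"]}: {g["product"]} {g["installed"]} < {g["required"]}')
```

Run against the constructed data it flags three gaps (one per workstation) and leaves the fully patched entries and the unknown tool alone; on a real fleet the same comparison runs over thousands of rows, which is why getting the version ordering right matters more than the rest of the script.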

Get Hacking the Hacker now with the O’Reilly learning platform.
