SophosLabs’ Gabor Szappanos awarded for AKBuilder research

Szapi

Our own Gabor “Szapi” Szappanos was recognized for his research on the AKBuilder crowdsourced exploit kit at this week’s VirusBulletin conference.

Szapi received the Annual Péter Szőr Award for Technical Security Research. Virus Bulletin created the award in Szőr’s honor after the researcher and Virus Bulletin advisory board member died in November 2013.

Virus Bulletin says the award:

Aims to recognize the best piece of technical security research published each year. Nominations for the award are sought from the security community at large, and a final shortlist voted on by the VB advisory board. The award is presented each year at the annual VB conference.

Szapi was nominated for his groundbreaking research on AKBuilder, an exploit kit that generates malicious Word documents that use exploits rather than macros to do their dirty work. Malicious actors use the exploit kit to create booby-trapped documents they can send out in spam emails.

AKBuilder was one of three exploit kits widely available for purchase by those interested in launching attacks with little need for technical know-how (the other two exploit kits were Microsoft Word Intruder and Ancalog Builder).

The kit is advertised in YouTube videos and sold in underground forums. The kit usually costs around $550 (payable in electronic currencies like Bitcoin and Perfect Money). Here’s an example:

AKBuilder for sale

The work exemplifies the dogged research Szőr is remembered for, said Virus Bulletin editor Martijn Grooten:

Exploit builders form an important part of the cybercriminal’s attack chain and make it a lot easier to conduct attacks. The subject isn’t researched as widely though, making Gabor’s work very important for the security community. In his AKBuilder paper, he shows the excellent research skills he is well known and well respected for within the community. He’s a very deserving winner of the fourth Péter Szőr Award.

Szapi has spent the conference talking about AKBuilder and the other kits. This morning, he delivered a talk called “When worlds collide – the story of Office exploit builders” — focusing specifically on the dramatic rise of Microsoft Word IntruderAncalog and AKBuilder.

Other research from Szapi that’s well worth reading include a paper on exploits targeting the CVE-2017-0199 vulnerability and Operation Pony Express.