Exploit Deployment Guidelines

Details

Exploits can be used by FAEs during demos and directly by customers who subscribed to our exploit service.

Every exploit comes in the form of a URL pointing to one of our servers which is generated by support and is valid for a single infection. Upon visiting the link with a vulnerable device and browser, the target is exploited.

Requirements/Conditions/Restraints

In order to protect our infrastructure servers, all kind of exploit content and payload (i.e., the agent that is to be installed), some security measures are implemented on the servers and some best practices must be followed by FAEs and customers. Security measures on the servers include:

• Server-side checks. When an exploit URL is visited, the server will perform checks to ensure that the browser and the device are indeed exploitable before serving the exploit code.
• Expiration date. One week after an URL is generated, the link will expire and will no longer serve the exploit.
• Single infection. Whenever the exploit code is actually served to a target, the URL will automatically be voided and will no longer serve the exploit. If the exploit works correctly, the target will also be infected.

Instructions

In addition, FAEs and customers who use exploits must adhere to the following guidelines whenever an exploit is used in a demo or is sent to a target:

1. the exploit URL (in the case of browser exploit) must never be posted publicly on a website, discussion board, mailing list or social network of any sort.
2. the exploit URL (in the case of browser exploit) must never be posted on Facebook or Twitter, even through private message. These social networking sites often scan the links submitted through them for malware and could detect our exploits and agents.
3. if needed, the exploit URL (in the case of browser exploit) may be shortened by using http://tinyurl.com as an URL shortening service. If, for any reason, there is a need to use another service please contact support in order to assess whether that service is suitable or not.  An exploit URL should never be shortened with bit.ly and goo.gl, since these services offer a publicly accessible statistics page that shows how many times and from which countries a given URL was visited and also automatically scan URLs looking for malware.

Failure to comply with the above guidelines might result in our servers being detected, agent samples leaked and/or customer and target identities compromised.