IT Security & Network Security News & Reviews: Exploit Toolkits: Software That Makes Cyber-Crime Easier
Exploit Toolkits: Software That Makes Cyber-Crime Easier
by Brian Prince
The first identified attack kit was the Virus Creation Lab, or VCL, according to Symantec. It appeared in 1992 and only allowed users to create viruses or Trojans. The best known malware born from one of these early kits was the Anna Kournikova worm that was created using the Visual Basic Script Worm Generator-a simple kit that enabled the creation of mass-mailing worms written in VBS.
Contents of a Kit
Zero-days get a lot of press, but most vulnerabilities leveraged by these kits are known. According to Symantec, the most attacked vulnerabilities between July 2009 and June 2010 were: a Microsoft Active Template Library Header data remote code execution bug (48 percent), an Adobe Flash Player multimedia file remote buffer overflow vulnerability (25 percent), and a Microsoft Windows Media Player plug-in buffer overflow vulnerability (9 percent). The data in the chart is from July 2009 and June 2010.
Strike Toolkit Hits Windows
The Strike toolkit was released in 2010 and targets newer operating systems such as Windows Vista and Windows 7. Its bot client runs as a regular user to avoid initiating functions that would trigger the User Account Control feature in newer versions of Windows. It propagates by copying itself into all the compressed ZIP and RAR files it finds, and can reportedly bypass the Windows host firewall and gain network access as well as perform DDoS attacks over TCP connections. It is designed to steal serial numbers from Windows and as many as 200 other applications.
Zeus-King of Malware
The merger of the Zeus and SpyEye toolkits has produced an improved kit that researchers at McAfee say are being sold in two underground forums. The toolkit, known as SpyEye/ZS Builder 1.4.1, includes such new features as brute-force password-guessing, a virtual network computing module, Jabber notification, auto-spreading, auto-update, a new screenshot system and a unique stub generator. According to McAfee, the full-featured version of the kit sells for $800.
Neosploit was first detected in 2007. It includes exploits for at least 10 vulnerabilities affecting Microsoft IE and plug-ins, mainly ActiveX, from various vendors. According to Symantec, the toolkit was updated frequently until development and support ceased in mid-2008, but the authors released a tool that allowed the kit to be easily transferred to new servers without the need for support. In the chart, the data is from July 2009 and June 2010 and is the percentage of toolkit-specific activity detected on malicious sites.
MPack Stays Busy
MPack was responsible for 48 percent of attack kit activity on malicious sites between July 2009 and June 2010, Symantec reported. MPack was first spotted by the security community in 2006. Its notoriety and widespread availability continue to make this one of the busiest toolkits Symantec found.
Eleonore vs. the U.S. Treasury
Eleonore stepped onto the scene with a flourish in May 2010, when attackers compromised three U.S. Treasury Websites and redirected users to sites hosting the Eleonore kit. Since its launch, its authors have released new versions roughly once a month. Version 1.1 had 10 exploits, which increased to 13 in version 1.3.2. Its price varied between $599 and $1,000 between July 2009 and June 2010. Users can reportedly rent an Eleonore botnet for $40 per day.
Phoenix installs malicious code and includes exploits for 16 vulnerabilities, including a vulnerability in Microsoft DirectX DirectShow, Symantec said. The kit uses a simple interface to provide a variety of attack statistics and includes exploits for vulnerabilities in a variety of browsers and browser plug-ins. The graph shows the percentage of threat activity on malicious sites by toolkit specificity.