More Malware Toolkits Appearing

By Matthew Hines  |  Posted 2008-12-03 Print this article Print

Malware-building toolkits have seen a dramatic rise in popularity over the last few years, as some of the smartest bad guys have decided to distance themselves from the act of carrying out attacks on their own and moved into creating products that allow others to do so in an automated fashion.

As a result, legions of more amateurish hackers have subsequently tapped into the capability to create advanced threats with far less knowledge of all the technical legwork needed to do so from scratch.

In the case of some of the most mature toolkit operations, the creators have acted very much like legitimate software vendors by providing updates and patches to their customers to help them to continue to gain value from their malware even as security experts invent ways to thwart the attacks the toolkits can be used to launch.

Some of the more high-profile toolkits discovered by malware researchers have included those produced by the Rock Phish Gang and Neosploit, both of which emanated out of Russia over the last several years.

Over the last six months or so, researchers with PandaLabs have tracked the emergence of several other malware toolkits, specifically those aimed at helping users build Trojan attacks.

Yesterday, PandaLabs researcher Oscar Cavada reported one new such specimen, a toolkit that the company has dubbed as Constructor/BitTera.C.

Like the Constructor/Turkojan, Constructor/Wormer and Constructor/YfakeCreator toolkits that Panda has unearthed in 2008, Cavada claims that Constructor/BitTera.C makes it extremely simple for aspiring attackers to get into the game and begin distributing fairly complex malware threats with very little technical acumen.

"These types of tools are very easy to use, as they have an interface in which you can select the functions of the malware that is going to be created, which allows you to create the malware you want in just a few minutes," the researcher said in a blog post.

And while the toolkit is only just beginning to find its way to users, according to PandaLabs, it does allow for the generation of threats that do nasty things to hide themselves and harm end user devices.

Among the capabilities of attacks created using Constructor/BitTera.C are the ability:

-To disable the Task Manager or the Windows Registry Editor.

-To hide the icons of the Desktop or the Start button. -To prevent certain applications from being run such as the calculator or the Notepad.

Panda said that BitTera.C attacks are difficult to recognize, as they does not display any messages or warnings on affected machines. The company reported that BitTera.C-borne threats do not spread automatically, but rather need a toolkit user's intervention in order to reach end user computers.

So the endgame appears to be that larger numbers of less technical attackers are still getting into the business, or at least buying new tools to keep their existing efforts afloat.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel