[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Hacking Toolkit Compromises Thousands Of Web Servers


By Thomas Claburn 
January 14, 2008

A hacking toolkit that enables allow cyber criminals to subvert 
computers and more effectively evade detection is responsible for 
compromising thousands of machines last month, according to Yuval 
Ben-Itzhak, CTO of security company Finjan.

In December 2007, Finjan identified more than 10,000 Web servers 
infected with a malicious hacking kit called "random js toolkit." In 
June, the company found an average of 30,000 newly infected malicious 
Web pages every day -- the result of "random js tookit" -- and the 
company claims the situation is much worse today.

Ben-Itzhak said the hacking kit is particularly difficult to deal with 
because it has been designed to hide from computer security researchers 
and security software.

The malicious software stores the IP addresses of Web crawlers -- used 
by search engines and security companies to analyze Web pages -- so it 
can identify them and serve them clean content. Visitors determined to 
be real people get malware.

The kit generates one-time use random URLs to prevent malicious Web 
pages from being blacklisted or analyzed by security researchers. And 
its infectious scripts are also dynamic, appearing to a new visitor and 
then never again.

"This malicious code will be served for users visiting the first time, 
but not the second time," said Ben-Itzhak. "The reason hackers are doing 
this is it's an anti-forensic technique." Finjan claims its real-time 
code analysis technology can detect the malware more effectively than 
signature-based techniques.

A single "random js toolkit" attack serves over 13 different exploits 
that attempt to infect the victim's computer, according to a report 
issued by Finjan. The exploits too are dynamic, and are changed to 
reflect vulnerabilities and patches on the victim's machine. This 
maximizes the chance of infection.

Unlike the technique of embedding hidden IFRAME elements in Web pages to 
fetch malware from a server other than the one being visited, "random js 
toolkit" exploits often come from trusted domains. This is because cyber 
criminals have been targeting the servers of legitimate organizations to 
deliver their malicious software. Of the 30,000 Web pages being infected 
daily as of last summer, Finjan said that 80% of them were located on 
legitimate hacked sites. If such attacks continue and prove effective, 
trusted brands will be trusted a lot less.

In its report on the "random js toolkit," Finjan said that it found 
infected Web sites in domains administered by U.C. Berkeley and Teagames 
Limited. The company said that it notified both organizations and that 
the hacked pages are no longer active.

According to a company spokesperson, other organizations with 
compromised Web servers -- recall that Finjan claims to have found 
10,000 -- have been notified and their names are being withheld until 
they can address their security issues.

There are a handful of other hacking toolkits available besides "random 
js toolkit," including Dycrypt, IcePack, Makemelaugh, MPack, Multi 
Exploit Pack, Neosploit and Vipcrypt.

Finjan provided a screen shot of another hacking application, Web 
Attacker Toolkit, being sold online at a Russian e-commerce site in a 
"Light Edition" for $50, an "Econom Edition" for $100, and a 
"Professional Edition" for $150. Customer support and updates were 
available for $10 to $20 extra.

Hacking toolkits like MPack and Web Attacker ToolKit include online 
statistical reporting to help cyber criminals keep track of the number 
of systems they're infecting and other relevant data. That suggests 
there are a lot of hacked systems to manage.

Visit InfoSec News