5/4/2010
04:55 PM
Dark Reading
Products and Releases

M86 Security Labs Report Details Web Exploit Kits

"Web Exploits - There's an App for That" details the rise of distributed, monetized "exploit" kits

Orange, Calif. and London, UK - APRIL 28, 2010 - M86 Security, the global expert in Web and email threat protection, today announced the release of the latest security report from M86 Security Labs, "Web Exploits - There's an App for That," which details the rise of distributed, monetized "exploit" kits, with M86 Security Labs counting more than a dozen new attack kits launched in just the last six months. M86 Security Labs also noted that most of the exploit kits, such as Adpack and Fragus, were in Russian, perhaps indicating the location of buyers, and that the majority rely on Adobe Flash, Java class, and PDF-based exploits.

Code used in the exploit kits observed, particularly malicious JavaScript, is often obfuscated, greatly reducing the ability of many security products to even 'read' the code. All of the kits observed pose a serious threat to Web and email users: they are applications that allow less technical individuals to run cyber attacks easily and inexpensively. These kits have quickly become a major driver of Internet exploits in the "wild."

Report Underscores Global Impact of the Attack Kit Business

Altogether M86 Security Labs investigated more than 25 attack kits, many of them in Russian, such as Crimepack, WebAttacker, MyPolySploit, XCore, UniquePack, LuckySploit, Yes Toolkit, Liberty, Fiesta, Eleonore and more. One of the most expensive attack kits found was LuckySploit at over $1000 USD, with most in the $400-$1000 USD range, and some selling for as little as $100 USD.

"Exploit kits have changed the cybercrime industry in a very short period of time," said Bradley Anstis, vice president of technology strategy, M86 Security. "People can launch attacks without even knowing a line of code, and the infrastructure now exists to pay the attacker per exploit achieved. With an attack kit there is literally 'an app for that' and it is driving the explosive growth in Internet-borne threats such as spam and zero-day attacks with new kits popping up every day. This latest research report details the anatomy of these kits, providing insight into the evolution and the skyrocketing increase in the number of attacks."

Creators of exploit kits can make money by offering various services, such as:

• The sale of exploit kits for a flat fee
• The purchase of an obfuscator replacement for an additional fee (to prevent anti-virus software from recognizing malicious code)
• Extra cost to cover any new hosting domain installations (in the event the current domain is discovered and becomes blacklisted by security vendors)
• Simply adding new exploits to increase the successful exploitation rate

Users of exploit kits have many ways of making money as well. Pay-Per-Install (PPI) programs are one example where the criminals are paid for installing third-party malware. In this case, the exploit kit operator finds a suitable PPI program and becomes an affiliate earning money for each successful install.

Most kits provide a different set of exploits for different browsers - from the antiquated MDAC exploit for Internet Explorer 6 to the infamous PDF exploits printf, collectEmailInfo and getIcon, which affect the vast user base of Adobe Acrobat/Reader users, and an increasing number of Flash and Java class vulnerabilities. The most successful exploitations are zero-day exploits. Most often, the exploit kit creators continually update the set of exploits included in their product to maintain a high exploitation rate.

In the latest M86 Report, an FS Pack Admin Console shows 5,032 successful installs for the day. Assuming a PPI model where the affiliate is earning a modest $100.00 USD per 1,000 installs, this would result in revenue of about $500.00 USD for the day.

Organizations and individuals seeking to protect their computers and information from cybercriminals should incorporate solutions that detect zero-day exploits, as well as remedy Flash, Adobe and Java class vulnerabilities, to protect against the growing "exploit" market. Exploit kits designed to attack many of these vulnerabilities, particularly through JavaScript, employ obfuscation, further reducing the effectiveness of traditional signature-based security products. Real-time code analysis tools, however, are able to close this growing threat window.
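The following is an added illustration, not code from the report or from M86 Security, of why the obfuscation described above defeats a literal signature and what a code-analysis approach does differently: it takes a constructed, harmless script, wraps it in the eval(unescape("...")) pattern, and shows that the signature only matches again once the encoding layer is statically peeled. The signature string, indicator patterns and sample script are all assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample (not from the report): a harmless script, then the same
# script wrapped in the eval(unescape("%..")) encoding that kits commonly use.
PLAIN_JS = 'document.write("<p>hello</p>");'
OBFUSCATED_JS = 'eval(unescape("%s"));' % ''.join('%%%02X' % b for b in PLAIN_JS.encode())

# A traditional signature: a literal substring the scanner expects to find.
SIGNATURE = 'document.write('

def signature_match(script: str) -> bool:
    """Byte-for-byte signature check; any re-encoding of the payload defeats it."""
    return SIGNATURE in script

# Structural indicators of obfuscation that survive re-encoding of the payload.
INDICATORS = {
    'eval':     re.compile(r'\beval\s*\('),
    'decoder':  re.compile(r'\b(unescape|String\.fromCharCode|atob)\s*\('),
    'hex_blob': re.compile(r'(?:%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}){8,}'),
}

def obfuscation_indicators(script: str) -> list:
    """Names of the indicator patterns present in the raw (undecoded) script."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]

# One encoding layer: eval(unescape("<percent-encoded text>"))
LAYER = re.compile(r'^\s*eval\s*\(\s*unescape\s*\(\s*"([^"]*)"\s*\)\s*\)\s*;?\s*$')

def unwrap(script: str, max_layers: int = 5) -> tuple:
    """Statically peel eval(unescape(...)) layers; returns (decoded_code, layers_removed)."""
    layers = 0
    while layers < max_layers:
        m = LAYER.match(script)
        if not m:
            break
        script = unquote(m.group(1))
        layers += 1
    return script, layers

def analyse(script: str) -> dict:
    """Code analysis: flag obfuscation structure, then run the signature on the decoded payload."""
    decoded, layers = unwrap(script)
    found = obfuscation_indicators(script)
    return {
        'signature_raw': signature_match(script),      # what a plain signature scanner sees
        'indicators': found,
        'layers': layers,
        'signature_decoded': signature_match(decoded), # what analysis of the decoded code sees
        'suspicious': layers > 0 or len(found) >= 2,
    }

if __name__ == '__main__':
    for label, js in (('plain', PLAIN_JS), ('obfuscated', OBFUSCATED_JS)):
        print(label, analyse(js))
```

Against the obfuscated sample the raw signature misses, while the indicator patterns and the decoded-payload signature both fire; real kits add further layers and renaming, which is why unwrap() is bounded and the indicators are used alongside it rather than instead of it.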

The "Web Exploits - There's an App for That" report is available from M86 Security Labs at: http://www.m86security.com/documents/pdfs/security_labs/m86_web_exploits_report.pdf.

About M86 Security

M86 Security is the global expert in real-time threat protection and the industry's leading Secure Web Gateway provider. The company's appliance, software, and Software as a Service (SaaS) solutions for Web and email security protect more than 24,000 customers and over 17 million users worldwide. M86 products use patented real-time code analysis and behavior-based malware detection technologies as well as threat intelligence from M86 Security Labs to protect networks against new and advanced threats, secure confidential information, and ensure regulatory compliance. The company is based in Orange, California with international headquarters in London and development centers in California, Israel, and New Zealand. For more information about M86 Security, please visit http://www.m86security.com/.

Follow M86 Security on Twitter at: http://twitter.com/M86Security
Facebook at: http://www.facebook.com/M86Sec
M86 Security Labs Blog at: http://www.m86security.com/trace/traceblog.asp
