By Thomas Claburn
January 14, 2008
A hacking toolkit that enables allow cyber criminals to subvert
computers and more effectively evade detection is responsible for
compromising thousands of machines last month, according to Yuval
Ben-Itzhak, CTO of security company Finjan.
In December 2007, Finjan identified more than 10,000 Web servers
infected with a malicious hacking kit called "random js toolkit." In
June, the company found an average of 30,000 newly infected malicious
Web pages every day -- the result of "random js tookit" -- and the
company claims the situation is much worse today.
Ben-Itzhak said the hacking kit is particularly difficult to deal with
because it has been designed to hide from computer security researchers
and security software.
The malicious software stores the IP addresses of Web crawlers -- used
by search engines and security companies to analyze Web pages -- so it
can identify them and serve them clean content. Visitors determined to
be real people get malware.
The kit generates one-time use random URLs to prevent malicious Web
pages from being blacklisted or analyzed by security researchers. And
its infectious scripts are also dynamic, appearing to a new visitor and
then never again.
"This malicious code will be served for users visiting the first time,
but not the second time," said Ben-Itzhak. "The reason hackers are doing
this is it's an anti-forensic technique." Finjan claims its real-time
code analysis technology can detect the malware more effectively than
A single "random js toolkit" attack serves over 13 different exploits
that attempt to infect the victim's computer, according to a report
issued by Finjan. The exploits too are dynamic, and are changed to
reflect vulnerabilities and patches on the victim's machine. This
maximizes the chance of infection.
Unlike the technique of embedding hidden IFRAME elements in Web pages to
fetch malware from a server other than the one being visited, "random js
toolkit" exploits often come from trusted domains. This is because cyber
criminals have been targeting the servers of legitimate organizations to
deliver their malicious software. Of the 30,000 Web pages being infected
daily as of last summer, Finjan said that 80% of them were located on
legitimate hacked sites. If such attacks continue and prove effective,
trusted brands will be trusted a lot less.
In its report on the "random js toolkit," Finjan said that it found
infected Web sites in domains administered by U.C. Berkeley and Teagames
Limited. The company said that it notified both organizations and that
the hacked pages are no longer active.
According to a company spokesperson, other organizations with
compromised Web servers -- recall that Finjan claims to have found
10,000 -- have been notified and their names are being withheld until
they can address their security issues.
There are a handful of other hacking toolkits available besides "random
js toolkit," including Dycrypt, IcePack, Makemelaugh, MPack, Multi
Exploit Pack, Neosploit and Vipcrypt.
Finjan provided a screen shot of another hacking application, Web
Attacker Toolkit, being sold online at a Russian e-commerce site in a
"Light Edition" for $50, an "Econom Edition" for $100, and a
"Professional Edition" for $150. Customer support and updates were
available for $10 to $20 extra.
Hacking toolkits like MPack and Web Attacker ToolKit include online
statistical reporting to help cyber criminals keep track of the number
of systems they're infecting and other relevant data. That suggests
there are a lot of hacked systems to manage.
Visit InfoSec News