Hacker Kit Use Surges, Means More Malicious Sites
"About 15 percent of malicious sites designed to steal information have kit code or a derivation of kit code," said Dan Hubbard, the vice president of security research at San Diego-based Websense.
Although Websense only began counting sites that use code from a toolkit late last year, the ratio is a major uptick, added Hubbard. Near the end of 2005, only 5 percent of the sites in a smaller sampling were using kit code.
"They also don't appear to be selling just kits," he said. "They also sell services. They'll infect Web sites for you, collect data for you. I call it a 'managed insecurity service.'"
The most popular hacker toolkits are made and sold by Russian entrepreneurs, and include the well-known "WebAttacker" and the less-familiar "Nuclear Grabber" (aka "Haxdoor"). They range in price from $25 to over $2,500.
"The prices are all over the place," said Hubbard. "What's interesting is a poll we found where the WebAttacker makers were asking potential buyers how much they'd spend on a kit." Over a third said that they'd pay $100 to $300, and 14 percent said they'd pony up as much as $1,000.
The creators of these kits openly boast how well their code evades anti-virus scanners, and advertise exploits of both long-patched and unpatched vulnerabilities in browsers, particularly Microsoft's Internet Explorer.
"These guys are all over the zero-day exploits," Hubbard said. One group, for instance, was the first to exploit the late-2005 WMF (Windows Metafile) bug, while the WebAttacker makers jumped on the VML (Vector Markup Language) vulnerability last month.
Kits vary in their sophistication and how they're used. WebAttacker, for example, is a collection of multiple exploits, and comes with instructions for the hacking-challenged on how to insert the code into sites. Nuclear Grabber, on the other hand, is often paired with WebAttacker -- the latter is used to install a rootkit of browser helper object on a vulnerable PC -- and then sends any information typed into a Web form to not only the real (and legitimate) destination, but also to the criminal.
There's even a kit for phishing thugs, dubbed "Rock Phish Kit," that targets cyber-crooks who don't know how to craft a fake Web site. The kit, which Websense first spotted in November 2005, only offered 2 or three bogus branded sites when it started to sell, but now packages as many as 15 or 20, all of which can be hosted on a single server.
The result of kit selling has been to boost the volume of malicious sites and the speed with which unpatched, or "zero-day" vulnerabilities, are put to work by a large number of cyber-criminals, said Hubbard.
Even more distressing are signs that these same kits are used to not only infect individual users' PCs, but also servers hosting sites. A stunning 40 percent of malicious sites out to steal information and identities are hosted on compromised machines, some of them running legitimate sites. "It's really a two-headed problem," said Hubbard. "There are tons of client-side exploits, but they're also attacking server-side vulnerabilities."
That's when things get really dicey. Advice to steer clear of "bad" Web neighborhoods -- porn, free software and screensaver sites, and the like -- doesn't do users any good if legitimate URLs are being used to distribute exploits.
"The bad guys are getting more professional," said Hubbard, "and that makes them more difficult to stop."
Websense's security report on the first half of 2006 can be downloaded from the company's Web site as a PDF file.