“Hackers aren’t looking for fame anymore,” says Yuval Ben-Itzhak, CTO of Israeli security firm Finjan. Unlike in earlier years, their fondest hope is no longer that their PC-crashing code prompts headlines and TV news coverage around the globe.

Instead, “Now they go and sell their vulnerabilities and spyware apps for money,” Ben-Itzhak tells eSecurity Planet. He says hackers often solicit bids from various buyers of known vulnerabilities; security holes that reveal users’ financial information can command top dollar.

“They’re now making money getting our credit card and bank account [numbers] – that’s what drives this marketplace now.”


In fact, hackers now prefer to compromise a machine and allow it to remain functioning normally. “They try to install software silently on machines, so that you won’t remove it or reformat your disk – just continue work,” he says. “A connected machine has a lot of value [to hackers] versus the one that doesn’t work anymore.”

The Finjan report notes that the common element in many of these threats is that they are driven by active content (JavaScript, VBScript, ActiveX, Java applets), the same technologies that let users browse sites and run everyday business applications.

As Internet scammers grow more sophisticated in using malware for economic gain, hackers are now openly selling “make your own” toolkits to assist in the creation of malicious code. The most notorious instance of this is the Web Attacker Toolkit, sold by a Russian Web site. (Reports of the toolkit’s price vary from the $15-20 range up to $300.)

The Web Attacker Toolkit lets a site owner plant code on his site that uses a Trojan horse to install spyware on the machine of any visitor running Internet Explorer or Firefox. The Toolkit probes the visitor's browser for one of seven unpatched security holes in those two browsers. Because the spyware installs itself silently, visitors may not even know their system has been compromised, while the Trojan records user passwords and can open backdoors.

The Toolkit comes complete with support and update services, “just like any legitimate software product,” Finjan reports.

Coming to a Caching Server Near You

As the spread of malware is being commoditized – turned into a commercial product that’s bought like any other – Finjan reports a new trend in the spread of malicious code.

The content of Web sites distributing malicious code is being duplicated on storage and caching servers used by ISPs, search engines and large companies, Finjan reports. This allows malware to stay available and be distributed even if the Web site that originally distributed it has been taken down.

Worse still, this malicious code on caching servers can be referenced – that is, linked to unwittingly – by trusted sites. And since these caching servers are usually run by well-established businesses, URL filtering systems are often not set up to block them.

For example, “If this code is stored on a caching server operated by a large ISP or a search engine, [the hacker] can still infect the user, and the URL filtering companies will not block it,” Ben-Itzhak says.

“The giant caching servers of the world basically have a replica of the Internet, both the legitimate sites and the illegitimate sites,” he says. “And they’re becoming the storage place for this type of [malicious] code for a very long time.”

A trusted site can inadvertently reference malicious code by including an HTML frame in its page layout that accepts an automatic feed, such as an advertising feed, from a source the trusted site does not always monitor. If that feed is compromised, the trusted site is suddenly and unwittingly spreading destructive code.
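The two problems above (a hostname-only URL filter that passes a caching server, and an unmonitored frame or script feed embedded in a trusted page) can be checked with a small page audit. The following Node.js script is an added example, not code from Finjan or from the eSecurity Planet article: it lists the frames and scripts a page embeds, flags those served from a third-party host, and compares a hostname-only filter against one that also looks for a blocked host inside the path or query string of a caching-server URL. The sample page, the hostnames trusted-news.example, ads.example.net, cache.bigsearch.example and evil.example, and the `cache?u=` URL shape are all constructed for illustration; real ISP and search-engine caches use their own URL formats.

```javascript
// Added example (not code from Finjan or the article): audit the frames and
// scripts a page embeds, and compare a hostname-only URL filter against one
// that also inspects the path and query for a blocked host, which is how a
// cached copy served from a trusted host can point back at a blocked site.
// All hostnames, the sample page and the "?u=" cache-URL shape are constructed.

// Matches <iframe ...src="...">, <frame ...src="..."> and <script ...src="...">.
const SRC_RE = /<(iframe|frame|script)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

// Resolve every embedded src against the page origin and note whether it is
// served from a different host than the page itself.
function extractEmbeds(html, pageOrigin) {
  const pageHost = new URL(pageOrigin).hostname;
  const embeds = [];
  for (const m of html.matchAll(SRC_RE)) {
    const u = new URL(m[2], pageOrigin);
    embeds.push({
      tag: m[1].toLowerCase(),
      url: u.href,
      host: u.hostname,
      thirdParty: u.hostname !== pageHost,
    });
  }
  return embeds;
}

// True if host equals a blocked host or is a subdomain of one.
function hostBlocked(host, blocklist) {
  const h = host.toLowerCase();
  return blocklist.some((b) => h === b || h.endsWith("." + b));
}

// Hostname-only filter: the kind of URL filter that will not block a caching
// server run by a large ISP or search engine, because that host is "trusted".
function naiveFilterBlocks(url, blocklist) {
  return hostBlocked(new URL(url).hostname, blocklist);
}

// Split free text into hostname-like tokens and test each against the blocklist.
function mentionsBlockedHost(text, blocklist) {
  return text.split(/[^a-z0-9.-]+/i).some((tok) => hostBlocked(tok, blocklist));
}

// Stricter filter: also treat a URL as blocked when its decoded path or any
// query parameter names a blocked host (e.g. cache?u=http://evil.example/kit.js).
function strictFilterBlocks(url, blocklist) {
  const u = new URL(url);
  if (hostBlocked(u.hostname, blocklist)) return true;
  const parts = [decodeURIComponent(u.pathname)];
  for (const [, value] of u.searchParams) parts.push(value);
  return parts.some((p) => mentionsBlockedHost(p, blocklist));
}

// Full report: one entry per embedded frame/script with both filter verdicts.
function auditPage(html, pageOrigin, blocklist) {
  return extractEmbeds(html, pageOrigin).map((e) => ({
    ...e,
    naiveBlocked: naiveFilterBlocks(e.url, blocklist),
    strictBlocked: strictFilterBlocks(e.url, blocklist),
  }));
}

// Constructed sample: a "trusted" page with a first-party script, an ad feed
// frame nobody monitors, a frame pulling a cached copy of a blocked script,
// and a direct reference to the blocked host.
const PAGE_ORIGIN = "https://trusted-news.example/";
const BLOCKLIST = ["evil.example"];
const SAMPLE_HTML = `
<html><body>
<script src="/js/site.js"></script>
<iframe src="https://ads.example.net/feed?slot=top"></iframe>
<iframe src="http://cache.bigsearch.example/cache?u=http://evil.example/kit.js"></iframe>
<script src="http://evil.example/kit.js"></script>
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  for (const e of auditPage(SAMPLE_HTML, PAGE_ORIGIN, BLOCKLIST)) {
    console.log(e.tag, e.url, "third-party:", e.thirdParty,
      "naive:", e.naiveBlocked, "strict:", e.strictBlocked);
  }
}
```

Run with `node audit.js`. The cached copy is the interesting row: the hostname-only filter passes it because cache.bigsearch.example is not on the blocklist, while the stricter filter catches the blocked host inside the `u=` parameter. The ad-feed frame is blocked by neither, which is exactly the exposure the article describes: a third-party source the page trusts without monitoring, and the reason an inventory of third-party embeds is worth keeping alongside the blocklist.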
