Exploit kits, such as WebAttacker, have been widely available on the Internet for about four years, but thanks to their relatively low prices and the ease with which hackers can use them to steal data and passwords, they have become the Web apps of choice for the Black Hat set.
This week, security software provider M86 Security unveiled its latest study (PDF format) of these so-called do-it-yourself exploit kits. To no one’s surprise, it’s a booming growth industry with more than a dozen new kits making their way onto the market in just the past six years.
“After acquiring an exploit kit, the chief goal of the cybercriminal is to make money, and there are numerous ways this may be achieved,” M86 researchers said in the report.
Exploit kits with names like Fiesta, Siberia and Fragus are really just Web applications developed with Web technologies, such as PHP and MySQL, that are designed to take advantage of known exploits in popular applications like Microsoft’s Internet Explorer or Adobe Systems’ Acrobat, Reader and Flash applications.
Those inclined to pay between a couple hundred bucks to as much as $1,000 then install the kits on a Web server, often based in Russia, Eastern Europe or China, that is connected to a database used for logging and reporting activity.
Because cheap and highly anonymous Web hosting services are so easily available, hackers have little trouble finding either an unsuspecting or unconcerned hosting partner that makes it possible for them to join an industry that’s ripping off millions of consumers and businesses each year.
M86 Security Labs found that the majority of the new exploit kits available online were written in Russian, including kits such as Adpack and Fragus, and that most of them used Adobe Flash, Java classes and PDF-based exploits.
In tandem with the hacks, exploit kit operators often install their own malware or third-party malware, such as scareware or bogus antivirus software alerts, designed to get users to instinctively offer up their credit card or banking information to simply make the problem go away.
In most cases, according to M86 Security Labs, the installed malware is a version of a bot client that enables them to control the infected host. The controlling hacker — sometimes called a bot herder — is then free to install keyloggers, which track and record every keystroke and which help them steal a user’s critical log-in information.
At other times, the malware kits just use the victim’s computer as a spam surrogate to send unsolicited messages, with the hacker earning money for each message distributed.
One of the most popular money-making schemes derived from these DIY kits comes from pay-per-install programs. The exploit kit operator distributes malware from a third-party provider — found amid a vast number of providers listed through various hacker chatrooms, underground blogs or just word of mouth. The exploit kit operator then gets paid from that malware provider every time the kit successfully installs their software.
“It’s important to understand that the operators of exploit kits are merely one part of an extensive underground economy where the participants are often specialized, offering tailored products and services to other players through shady forums and personal contacts,” M86 Security researchers wrote.
Security software vendors, such as McAfee (NYSE: MFE) and Symantec (NASDAQ: SYMC), have also identified Web exploit kits as one of the most dangerous and fast-growing threats to online security today.
“The aim of this paper was to explain the exploit kits, how they work and how easy they are to use,” M86 Security officials said. “It hopefully gives some insight into why we are seeing such a massive increase in the number of attacks targeting exploits and to what we are facing in today’s Internet threat landscape.”