Monday, April 28, 2008

DIY Exploit Embedding Tool - A Proprietary Release

Remember the reprospective on DIY exploit embedding tools, those cybercrime 1.0 point'n'click exploits serving generators? Despite that the cybercrime 2.0 has to do with malicious economies of scale, that is the use of web malware exploitation kits compared to their 1.0 alternative, the DIY tools, such tools continue to be developed, like this proprietary one including sixteen exploits for the buyer to take advantage of, if she's willing to invest £100 (GBP) of course. Exploits listed :

- D-Link MPEG4 VAPGDecoder ActiveX
- Macrovision Installshield ActiveX
- MySpace Uploader ActiveX
- Symantec BackupExec ActiveX
- Yahoo! JukeBox ActiveX
- Microsoft Works ActiveX (0day)
- Microsoft Internet Explorer MS06-014 (MDAC)
- Microsoft Internet Explorer MS07-009
- Facebook Uploader ActiveX
- Microsoft DirectSpeechSynthesis ActiveX
- Realplayer ActiveX
- WinZip FileView ActiveX
- Yahoo Messenger Webcam ActiveX
- Microsoft Internet Explorer MS06-013
- Microsoft Internet Explorer MS07-004
- Microsoft Internet Explorer MS07-055

With the now commodity web malware exploitation kits and their modularity streamlining "innovation" in the field, such DIY tools are only a fad compared to malicious parties' interest in exploiting as many people as possible, without putting extra efforts in the process (malicious economies of scale). And with the overall proliferation of client-side vulnerabilities, and the surprisingly high success rate of exploiting outdated and already patched vulnerabilities on a large scale (Stormy Wormy), ensuring your client-side applications are vulnerable to zero days only is highly recommended.