Thursday, October 02, 2008

Copycat Web Malware Exploitation Kit Comes with Disclaimer

Such disclaimers make you wonder what the point is of including a notice that forwards responsibility for the upcoming cybercrime activities to the buyer, when the seller himself is offering daily updates with undetected bots and is promising to include new exploits within the kit.

For the time being, this recently released copycat web malware exploitation kit includes two PDF exploits, IE snapshot, and naturally MDAC, with a DIY builder for the binary. Here's the disclaimer, which is strongly reminiscent of Zeus's copyright notice:

"Purchasing this product, you hold the full responsibility for its usage and for consequences which may have been caused by incorrect usage or the usage with some evil intent or violation of the usage rules. The author excludes the placement of the scripts somewhere on the Internet, you can only place them on localhost, virtual machine or on a test botnet (minibotnet). WARNING! The usage of this product with evil intent leads to the criminal responsibility!"

What happens when the buyer tries to resell the kit? "If you try to resell, decode, remove the boundaries, you will lose all the support, updates and guarantees." This is surreal considering that the kit is an open source one. Just like we've seen with a recent modification of Zeus, if it were to include unique features (which it doesn't), others would build upon its foundations.

Going through the exploitation statistics of a sample campaign, you can clearly see that out of the 859 unique visits, 250 got exploited with outdated and already patched vulnerabilities. Therefore, diversifying the exploit set would have increased the number of exploited hosts.

With IE6 visitors exploited at 46% as a whole, it would be hard not to notice that, just like Stormy Wormy's historical persistence in using outdated vulnerabilities, a great majority of today's botnets have been aggregated using old exploits.

Trying to enforce the intellectual property of a malware kit means you're claiming ownership, and therefore the disclaimer becomes irrelevant.
