Monday, April 28, 2008

DIY Exploit Embedding Tool - A Proprietary Release

Remember the retrospective on DIY exploit embedding tools, those cybercrime 1.0 point'n'click exploit-serving generators? Although cybercrime 2.0 is about malicious economies of scale, that is, the use of web malware exploitation kits rather than their 1.0 alternative, the DIY tools, such tools continue to be developed. One example is this proprietary one, which includes sixteen exploits for the buyer to take advantage of, if she's willing to invest £100 (GBP), of course. Exploits listed:

- D-Link MPEG4 VAPGDecoder ActiveX
- Macrovision Installshield ActiveX
- MySpace Uploader ActiveX
- Symantec BackupExec ActiveX
- Yahoo! JukeBox ActiveX
- Microsoft Works ActiveX (0day)
- Microsoft Internet Explorer MS06-014 (MDAC)
- Microsoft Internet Explorer MS07-009
- Facebook Uploader ActiveX
- Microsoft DirectSpeechSynthesis ActiveX
- Realplayer ActiveX
- WinZip FileView ActiveX
- Yahoo Messenger Webcam ActiveX
- Microsoft Internet Explorer MS06-013
- Microsoft Internet Explorer MS07-004
- Microsoft Internet Explorer MS07-055

With the now commodity web malware exploitation kits and their modularity streamlining "innovation" in the field, such DIY tools are only a fad compared to malicious parties' interest in exploiting as many people as possible without putting extra effort into the process (malicious economies of scale). And with the overall proliferation of client-side vulnerabilities, and the surprisingly high success rate of exploiting outdated and already patched vulnerabilities on a large scale (Stormy Wormy), ensuring your client-side applications are vulnerable to zero days only is highly recommended.

Web Site Defacement Groups Going Phishing

Following a recent post commenting on changing phishing tactics, more evidence is starting to emerge of web site defacement groups' vertical integration in the underground market with respect to hosting phishing pages on the defaced hosts. Take for instance yet another currently live phishing page - bamaangels.net/photogallery/content/Models/Brigitte/boa. The site is known to have been defaced in the past, and it looks like it's been re-defaced, this time hosting a single phishing page, compared to the examples I provided in a previous post. The current defacement, located at - bamaangels.net/photogallery/content/Models/Brigitte/deface.htm - reads:

"Defaced by Zeus ;) contacto: z3us @ live.com Saludos: Juan Pablo :D"

Web site defacement groups are going into phishing and, as we've already seen numerous times, abusing their access to the host to serve malware. Given their malicious economies of scale type of automated defacement approaches and web application vulnerability exploitation, this is only going to get worse. One thing's for sure - phishers, spammers, malware authors, and now web site defacement groups are consolidating, or even if there are exceptions, those exceptions are figuring out how to vertically integrate and build the capability to participate in multiple malicious activities simultaneously.