November 24th, 2008

Cybercriminals release Christmas themed web malware exploitation kit

Posted by Dancho Danchev @ 5:26 pm

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Flash, Hackers, Malware, Passwords

Tags: Security, Cybercrime, Crimeware, Web Malware, Exploits, Christmas, Dancho Danchev

“Committing cybercrime around the Christmas tree” has always been a tradition for malicious attackers introducing new ways to scam the millions of online shoppers during the holidays. This Christmas isn’t going to be an exception, but what has changed compared to the last couple of years is the tone of the Xmas promotions already circulating across various cybercrime communities. Do cybercriminals exchange gifts during the Christmas holidays? A recently released web malware exploitation kit, coming with three different types of licenses and 9 modified exploits, aims to become “the perfect Christmas gift for all of your friends”.

Not surprisingly, the exploitation kit itself is released purely for commercial gain. Combined with the fact that it appears to reuse a large percentage of the source code of a competing exploitation kit — appreciate the irony here — the already patched vulnerabilities it attempts to exploit can be easily taken care of. However, going through the infection rate statistics which were temporarily left available as a promotion tool, thousands of people have already become victims of their lack of decent situational awareness on how important patching of their third-party applications really is.

A translated description of the kit’s marketing pitch:

“Feeling bored? Miss the Christmas spirit? Want to make a lot of money before the holidays but you lack the right tools? We have the solution to your problems - our web malware exploitation kit which will bring back the Christmas attitude and also become the perfect gift for your friends. Available are Professional, Standard and Basic licenses, with each of these including or lacking some unique features based on your budget. Professional package comes with support.”

Modified exploits included within the kit, with their associated descriptions:

  • modified MDAC - “the notorious exploit that continues to provide high infection rates of IE6 users”
  • IE Snapshot - “unique exploit offering high infection rates for both IE6 and IE7 users”
  • FF Embed - “still relevant for exploiting all Firefox versions”
  • Opera Old+new - “capable of infecting all versions of Opera up to the latest one”
  • Old PDF - “targeting Adobe Reader v8.1.1 it’s still relevant, also it checks whether the exact version is installed before launching the exploit”
  • New PDF - “targeting Adobe Reader 8.1.2, a perfect combination with Old PDF”
  • XLS - “unique exploit targeting Microsoft Excel”
  • SWF - “modification of the infamous exploit, works quietly and targets all browsers”

The malware obtained in one of the currently active campaigns has a low detection rate (6 out of 37 AVs detect it - 16.22%) and continues phoning back home to findzproportal1 .com (64.69.33.138; 72.233.114.126), from where it attempts to drop a rootkit (TDSSserv.sys). One of the main ways of ensuring that you’re going to ruin their holidays is to make sure they can’t exploit you with last year’s client-side vulnerabilities, since those are the main vehicle for the continuing growth of web malware exploitation kits in general.
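Besides patching, the concrete things a defender can act on in this post are the indicators it names: the callback domain (given defanged as “findzproportal1 .com”), the two IP addresses, and the dropped driver name. The script below is an added example, not part of the original post or of any tool it describes: it re-joins the defanged domain, then scans a few constructed proxy log lines (the log format and every line in it are made up for this example) and reports which clients contacted the callback infrastructure or fetched the rootkit file, including a match on a subdomain and a different port.

```python
import re
from urllib.parse import urlsplit

def undefang(indicator):
    """Turn a defanged indicator ("findzproportal1 .com", "example[.]com")
    back into a form that can be compared against a real hostname."""
    return indicator.replace(" ", "").replace("[.]", ".").lower()

# Indicators as named in the post; the domain is written there in defanged form.
IOC_DOMAINS = {undefang("findzproportal1 .com")}
IOC_IPS = {"64.69.33.138", "72.233.114.126"}
IOC_FILENAMES = {"tdssserv.sys"}

# Constructed sample proxy log (not from the post): timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2008-11-24T17:01:02Z 10.0.0.12 GET http://www.example.com/index.html 200
2008-11-24T17:01:09Z 10.0.0.12 GET http://findzproportal1.com/stat.php?id=12 200
2008-11-24T17:01:10Z 10.0.0.12 GET http://64.69.33.138/load/TDSSserv.sys 200
2008-11-24T17:02:33Z 10.0.0.17 GET http://www.FindzProportal1.com:8080/in.cgi 302
2008-11-24T17:03:00Z 10.0.0.21 GET http://example.org/download/driver.sys 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    parts = urlsplit(url)
    # .hostname drops the port and lowercases, so "www.FindzProportal1.com:8080" compares cleanly
    return {"ts": ts, "client": client, "method": method,
            "host": parts.hostname or "", "path": parts.path, "status": status}

def match_indicators(host, path):
    """Return the list of reasons this request matches a known indicator (empty if none)."""
    reasons = []
    for domain in IOC_DOMAINS:
        # exact match or any subdomain of the callback domain
        if host == domain or host.endswith("." + domain):
            reasons.append("c2-domain:" + domain)
    if host in IOC_IPS:
        reasons.append("c2-ip:" + host)
    basename = path.rsplit("/", 1)[-1].lower()
    if basename in IOC_FILENAMES:
        reasons.append("dropper-file:" + basename)
    return reasons

def scan_log(text):
    """Scan a whole log and return one hit record per line that touched an indicator."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = match_indicators(rec["host"], rec["path"])
        if reasons:
            hits.append({"line": lineno, "client": rec["client"],
                         "host": rec["host"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d client %s host %s -> %s"
              % (hit["line"], hit["client"], hit["host"], ", ".join(hit["reasons"])))
```

Any client that appears in the output has at least reached the callback host, which on this kit's timeline means the browser or a plugin was already exploited; the follow-up is to check that machine for the dropped driver and for unpatched versions of the applications listed above, not just to block the domain.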

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
