Easy-to-use ‘hacking kits’ will lower the barrier to entry into the cyber criminal underground and, in turn, fuel a growing cyber crime pandemic.
TRC staff have previously commented on the evolution and expansion of the malware marketplace, which acts as an underground bazaar where spyware, trojans, viruses, rootkits, and other types of malicious code are traded and sold.
WebAttacker: Training Wheels for Hackers
One part of the evolution of the malware marketplace can be observed in the increased availability of ‘hacking kits’ that enable unskilled cyber criminals to carry out on-line identity theft. One of these ‘hacking kits’, known as WebAttacker, is available for purchase on a web site hosted in Russia. Sophos, a security software vendor, originally spotted WebAttacker in March 2006.
WebAttacker automates the lifecycle of cyber crime. It facilitates the process of sending out spam designed to lure victims to a malicious web site. The malicious web site is configured by WebAttacker to detect vulnerabilities in the victim’s browser and will then deliver the appropriate exploit. Once the exploit has been installed on the victim’s computer, the attacker can use the compromised machine to send more spam, install spyware, carry out denial of service (DoS) attacks, and steal personal information.
Not Sophisticated but Still Dangerous
According to its developers, WebAttacker can attack six known vulnerabilities in Microsoft Internet Explorer and one known vulnerability in Mozilla Firefox. Of the seven exploits, four are designed to attack vulnerabilities published within the last 12 months. While all of these vulnerabilities have patches, not every computer user applies patches in a timely fashion, and there are plenty of vulnerable computers connected to the Internet.
Vulnerability                                   Release Date
Microsoft – MS03-11                             4/09/2003
Microsoft – MS04-013                            4/13/2004
Microsoft – MS05-002                            1/11/2005
Microsoft – MS05-054                            12/13/2005
Mozilla – MFSA 2005-50                          12/14/2005
Microsoft – MS06-006                            2/14/2006
Microsoft – Security Advisory 917077            4/11/2006
According to Exploit Prevention Labs, a security software vendor, the developers of WebAttacker have discarded older exploits and replaced them with newer ones. These updates suggest that the developers of WebAttacker are keenly interested in keeping their ‘hacking kit’ up to date so that aspiring cyber criminals will purchase the software package. That WebAttacker’s developers upgrade the kit with newer exploits highlights that the criminal underworld’s demand for malware is growing.
The danger of WebAttacker is not that it is a sophisticated approach to hacking. Rather, the danger of this software is that it lowers the barrier to entry into cyber crime. Previously, an attacker needed to possess some degree of technical skill to carry out a successful cyber attack. However, WebAttacker eliminates the need for much of this skill and allows the ‘script-kiddie,’ an unsophisticated hacker, to participate in the lucrative underground cyber economy. According to Carole Theriault, senior security consultant at Sophos, WebAttacker simplifies cyber crime and “will attract opportunists who aren’t necessarily very skilled and turn them into cyber-criminals.”
Connections to Organized Crime?
Conventional wisdom dictates that Russia and many former Eastern bloc countries are home to a large number of cyber criminals. While there is no definitive evidence that links WebAttacker to the Russian Mafia, a number of facts point to that conclusion. First, the site that sells WebAttacker is hosted in Russia. Second, the administrative contact of the site that sells WebAttacker is also the administrative contact of another apparent Russian cyber crime web site that sells stolen identities. Third, the server that hosts the site that sells WebAttacker is also home to a site that sells medication and other pharmaceutical products. TRC has previously noted instances where cyber criminals worked in tandem with on-line Russian pharmacies. In one case, a Trojan horse hijacked and ransomed a victim’s files. The cyber criminals demanded the victim purchase pharmaceuticals from a Russian web site for $75 a bottle in exchange for access to his hijacked data. Therefore, these facts indicate a possible connection between the developers of WebAttacker and the Russian Mafia.