    Trend Micro Malware Blog: Archive for January, 2011




    This post is the first of a two-part report on how cybercrime kits such as exploit toolkits enable even cybercriminals with limited technical skills to build botnets and conduct attacks.

    Large-scale botnets that compromise hundreds of thousands of systems around the world receive plenty of attention and deservedly so. However, there are many smaller botnets that often escape such scrutiny. The tools and services required to create, maintain, and profit from a botnet are widely available in the cybercrime underground for a price. These do-it-yourself (DIY) cybercrime kits enable those with limited technical skills to create botnets of their own.

    The tools on offer include exploit kits, which attempt to deliver one of several exploits to a visitor's system depending on which vulnerable software is present on it, and traffic direction systems (TDS), which route visitors to other websites or direct them to download additional malware.

    Sophisticated Malware Distribution Schemes

    These tools allow botnet operators to form partnerships or to participate in affiliate programs in which malware distributors pay the botnet operator to install their malware on the systems it controls. A single botnet may therefore be used to distribute a wide variety of malware such as SpyEye, ZeuS, or fake antivirus software.

    Cybercriminals need to drive traffic to their malicious websites so that they can attempt to install malware on visitors' computers. To generate that traffic, botnet operators often buy FTP credentials for legitimate websites in underground chat rooms and forums; once a botnet is operational, its operators can also harvest FTP credentials from the systems they have compromised. The stolen credentials are then used to modify legitimate websites so that they redirect visitors to servers under the criminals' control.

    This post analyzes the operation of a single malicious server used to receive traffic from compromised websites. Visitors are redirected to an exploit kit; if a visitor's system is successfully exploited, it connects to a loader, which pushes a wide variety of malware onto it depending on the visitor's geographic origin. All of these tools and methods are available to prospective cybercriminals in the cybercrime underground.

    Phoenix Exploit Kit

    In this specific case, three malicious iframes were inserted into a legitimate website. These cause a visitor's browser to load external pages that are under the control of the botnet operators. One of the iframes silently sends visitors to a server that hosts instances of the Phoenix Exploit Kit.
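    As an added example (not code from the original post or from Trend Micro), the following Python script scans a page's HTML for iframes that are both hidden (zero or tiny dimensions, display:none, or positioned off-screen) and point at a host other than the site being checked, which is the pattern just described. The sample page and the host names in it are constructed for the example; the hiding heuristics are an assumption about how injected iframes are usually concealed, not a description of the iframes seen in this incident.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag, wherever it appears.

    Injected iframes are frequently appended after </html> or dropped into
    unrelated markup; html.parser is lenient enough to still see them.
    """

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_tiny(value):
    """True for HTML/CSS dimensions of a couple of pixels or less ('0', '1px', '2')."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 2


def _hidden_by_style(style):
    """Inspect inline CSS declarations for the usual ways of hiding an element."""
    for declaration in style.split(";"):
        if ":" not in declaration:
            continue
        prop, value = (part.strip().lower() for part in declaration.split(":", 1))
        if prop == "display" and value == "none":
            return True
        if prop == "visibility" and value == "hidden":
            return True
        if prop in ("width", "height") and _is_tiny(value):
            return True
        if prop in ("left", "top") and value.startswith("-"):  # pushed off-screen
            return True
    return False


def find_suspicious_iframes(html, site_host):
    """Return iframes that are hidden AND load content from a host other than site_host."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # a relative src stays on-site
        off_site = host.lower() != site_host.lower()
        hidden = (
            _is_tiny(attrs.get("width", ""))
            or _is_tiny(attrs.get("height", ""))
            or _hidden_by_style(attrs.get("style", ""))
        )
        if off_site and hidden:
            findings.append({"src": src, "host": host})
    return findings


# Constructed sample page: one legitimate widget iframe, one on-site hidden
# tracker, and two injected off-site iframes (one zero-sized, one off-screen
# and appended after </html>). The host names are placeholders, not real sites.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="http://tds.attacker.example/in.php" width="0" height="0"></iframe>
<iframe src="/tracker.html" style="display:none"></iframe>
</body></html>
<iframe src="http://kit.attacker.example/landing.php" style="position:absolute;left:-1000px;top:-1000px"></iframe>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "victim-site.example"):
        print("suspicious iframe ->", finding["src"])
```

    Run against a copy of your own site's pages after a suspected FTP-credential compromise, this flags the two injected iframes and ignores the on-site ones. It only sees iframes present in the served HTML; iframes created by injected JavaScript need the script itself to be inspected as well.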

    The exploit kit determines the visitor's OS and browser version and serves an exploit chosen to match them, designed to execute malware on the visitor's computer. It contains exploits for popular software such as Adobe Flash Player, Adobe Reader, and Java.

    In total, this instance of the Phoenix Exploit Kit received 17,628 visitors and successfully exploited 850 of them (4.82 percent). The kit had the most success against vulnerable versions of Java. After successful exploitation, a malicious executable (detected as TROJ_RENOS.NRT) is dropped onto the visitor's computer, which then connects to a completely different set of command-and-control (C&C) servers.

    Connections to Other Toolkits

    Nearly all of the visitors to this instance of the Phoenix Exploit Kit originated from the United Kingdom. This suggests that the botnet operators either purchased UK-specific traffic from other cybercriminals or managed to compromise websites that are popular in Britain.

    The same server also hosted other instances of the Phoenix Exploit Kit. In every case other than the one discussed above, the kit dropped payloads that connected to instances of DLoader hosted on the same server. Together, these other instances received 5,871 visitors, primarily from Germany and Russia; of these, 360 (6.13 percent) were successfully exploited, with Java exploits again proving the most effective.

    The payloads of these Phoenix Exploit Kit copies are detected by Trend Micro as TROJ_INJECT.XSI, TROJ_DLOADER.TEP, TROJ_BAMITAL.AJ, and TROJ_OBFUS.CJ.

    In the second part of this report, to be released in the near future, we will discuss the DLoader toolkit further and how it is used in the pay-per-install botnet business model.

     



    A recent blog post on Secure Home Networks reviewed a major new blackhat SEO malware campaign comprising thousands of sites using the .info TLD. The attack has raised considerable concern because certain vendors reportedly described the infections as “not disinfectable.”

    Blackhat SEO is a highly popular attack technique among cybercriminals, who know that most everyday users cannot identify a malicious site simply from the structure of its URL and that users generally trust the results returned by their chosen search engine. Rogue antivirus programs (FAKEAV variants) are the type of malware most often distributed through blackhat SEO attacks, and such attacks have been rampant for the past several years. More information on blackhat SEO and its prevalence can be found in the report we published late last year, How Blackhat SEO Became Big.

    As prevalent as blackhat SEO attacks are, they and the infections they deliver do not have to spell doom for users. There is another way.

    Tools such as VirusTotal are somewhat useful as a basic indication of protection levels, but they test a submitted file against each vendor's scanning engine in isolation, not the full product with its web reputation and other layers, so they do not give an accurate picture of how users are protected today. Many security organizations, including Trend Micro, offer protection above and beyond traditional file-based antivirus, and an increasing number of vendors have recognized the importance of cloud-based protection, in which threats are blocked proactively before users can ever access the website on which they reside.

    That was the case in the attack reported by Secure Home Networks: Trend Micro blocked all malicious URLs related to this attack on January 25, protecting users of the Smart Protection Network by proactively preventing access to the malicious files. We did not stop there, however: we also blocked the malicious files themselves (TROJ_AGENT.SMVC, TROJ_AGENT.QMB, and TROJ_AGENT.SMDT).

    As described in a recent post on our Cloud Security Blog, cloud-based protection, such as that pioneered by Trend Micro, can greatly improve user and corporate security because attacks are blocked before a malicious file ever reaches your computer or your network.

     



    A recent Network World article, “Is Retaliation the Answer to Cyber Attacks,” presented an interesting concept from the French firm TEHTRI-Security: that businesses and other organizations should actively respond to criminal attacks by exploiting vulnerabilities in criminal networks, possibly deploying the same tools criminals use to illegally acquire information, disrupt business, and steal money.

    We understand the appeal, of course. Everybody wants to strike back; it is a very natural emotion. Just consider how you might behave if somebody attacked you or your family on the street. Meanwhile, the security industry delivers clean, legitimate solutions that help mitigate and prevent emerging threats but cannot guarantee to eradicate 100 percent of them, and that does not address this emotional need.

    While we understand why some organizations may consider such a response to criminal attacks, in our view deploying attack tools against attackers raises the same moral considerations whether the response is physical or digital. If everyone attacked their attackers, we would likely find ourselves in an all-out digital conflict.

    There are further issues to consider before anyone makes a decision like this.

    Reacting to an incident in this way can make the situation worse. Such attacks are frequently carried out by criminal organizations with more resources and money than even the largest enterprise.

    When you strike back, are you ready to accept the blackhat revenge?

    You may be confronted by a massive distributed denial-of-service (DDoS) attack that takes you out of business for weeks, or by a hacking attack or other cyber activity that you do not want to be exposed to.

    And do you really know who your attacker is? It may well be a powerful Mafia organization. Criminals have long demonstrated that they lack moral fiber; is there any reason to believe they will not use other illegal tactics in their counter-response?

    Then there is a legal consideration, not for the criminal, who does not care about law and order, but for you: the use of hacking tools in a revenge attack is not legal. Being a victim does not justify violating the law, and such a violation can expose you to legal action as well as seriously damage your organization's reputation and your own.

    In short, a pure counterstrike does not do its job and may increase the security, professional, and personal risks for the one who retaliates.

    While there is no easy answer to the cybercriminal onslaught, at Trend Micro, we actively collaborate with Internet organizations, security industry partners, and law enforcement agencies around the world to stop these criminal activities.

    And by working together with our customers to expand the global network of sensors that feed information to the Trend Micro™ Smart Protection Network™, we are committed to offering the best protection whenever, wherever, and however our customers connect.

     



    Facebook Security is the official Facebook page that the site uses to provide user-friendly security information relevant to its users. Its name is now being used in phishing attacks.

    Spammed messages purporting to come from Facebook Security are being sent to Facebook users. According to the message, the user's account has been flagged as suspicious and blocked because it was either accessed from an unknown location or used for abuse. The message then asks the user to verify and unblock the account at a site that turns out to be a phishing page.

    Users are also targeted via fake Facebook Security profiles. Many such profiles were registered under the name “Facebook Security” with diacritic marks inserted into the letters, so that the name looks official at a glance.

    As this case shows, be careful about opening messages and visiting websites even when they supposedly come from official sources such as Facebook Security. The messages and websites here contained several glaring errors in grammar and punctuation, a common feature of phishing attacks in general and something that should warn users that what they are looking at is not legitimate.
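    As an added example (not code from the original post or from Trend Micro or Facebook), the following Python script shows how a moderation check can catch profile names that imitate a trusted name by inserting diacritic marks, as described above. It goes slightly beyond the post by also catching a few Cyrillic letters that render identically to Latin ones and names that differ only in case or spacing. The trusted-name list, the confusables table (a tiny hand-picked subset, not the full Unicode UTS #39 data) and the sample profile names are all constructed for the example.

```python
import unicodedata

# Display names to protect. Constructed for this example; a real deployment
# would load the list of official or verified names.
TRUSTED_NAMES = {"Facebook Security"}

# A small hand-picked subset of Unicode confusables (Cyrillic letters that render
# identically to Latin ones). This is an assumption for illustration and is far
# from the complete UTS #39 confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}


def skeleton(name):
    """Reduce a display name to the form a human eye 'sees'.

    NFKD decomposition splits an accented letter into base letter + combining
    mark; the marks are dropped, known confusable letters are mapped to their
    Latin look-alike, and case and whitespace differences are normalized away.
    """
    chars = []
    for ch in unicodedata.normalize("NFKD", name):
        if unicodedata.combining(ch):
            continue  # strip the diacritic, keep the base letter
        chars.append(CONFUSABLES.get(ch, ch))
    return " ".join("".join(chars).casefold().split())


def classify_name(name):
    """'trusted' for an exact match, 'lookalike' if it matches a trusted name
    only after normalization, 'unrelated' otherwise."""
    if name in TRUSTED_NAMES:
        return "trusted"
    if skeleton(name) in {skeleton(trusted) for trusted in TRUSTED_NAMES}:
        return "lookalike"
    return "unrelated"


def lookalike_reasons(name):
    """Explain which trick makes a lookalike name resemble a trusted one."""
    reasons = []
    decomposed = unicodedata.normalize("NFKD", name)
    if any(unicodedata.combining(ch) for ch in decomposed):
        reasons.append("diacritic marks inserted")
    if any(ch in CONFUSABLES for ch in decomposed):
        reasons.append("confusable non-Latin letters")
    if name != " ".join(name.split()):
        reasons.append("unusual whitespace")
    if not reasons and classify_name(name) == "lookalike":
        reasons.append("differs only in letter case")
    return reasons


# Constructed sample of profile names as a moderation queue might see them.
SAMPLE_PROFILES = [
    "Facebook Security",             # the real page
    "F\u00e1cebook S\u00e9curity",   # 'Fácebook Sécurity': diacritics inserted
    "F\u0430cebook Security",        # Latin 'a' replaced with Cyrillic 'а'
    "FACEBOOK  SECURITY",            # case and spacing games
    "Trend Micro",                   # unrelated
]


def flag_profiles(names):
    """Return (name, reasons) for every name that impersonates a trusted name."""
    return [(n, lookalike_reasons(n)) for n in names if classify_name(n) == "lookalike"]


if __name__ == "__main__":
    for name, reasons in flag_profiles(SAMPLE_PROFILES):
        print(repr(name), "->", ", ".join(reasons))
```

    The comparison is only as good as the confusables table: letters outside it (and tricks such as swapping a lowercase l for an uppercase I in the same script) pass through unchanged, so a production check should use the complete UTS #39 data and run at registration time, not only when a report comes in.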

     



    In line with Data Privacy Day this Friday, Facebook announced the rollout of Secure Sockets Layer (SSL) support across all of its services. Facebook had taken some heat for its lack of SSL support, especially after the release of Firesheep, which we covered here. Facebook warns that encrypted pages will take slightly longer to load, a small price to pay for the added security.

    According to the official Facebook post, a check box titled Secure Browsing (https) should soon appear under the Account Security section of Account Settings. When it is enabled, all future connections are redirected to HTTPS. Note that the rollout has only just begun, so the option is not yet available to everyone and may take some time to reach all accounts.

    In the absence of the Secure Browsing setting, manually changing the URL to https:// works, but with mixed results. The main profile page loads without problems; from there, things get sketchy. Many links are relative and keep the user in the encrypted session, but others are absolute http:// links that silently drop the protection of SSL. Hopefully Facebook will fix these issues soon or at least make it clearer when SSL is not in use.
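    The relative-versus-absolute link problem just described can be audited mechanically. As an added example (not code from the original post, from Trend Micro or from Facebook), the Python script below parses a page fetched over HTTPS, resolves every link and form action against the page URL, and reports which ones would drop the user back to plain http:// on the same site. The page URL, the host names and the sample HTML are constructed for the example, and the same-site test is a deliberately crude last-two-labels comparison rather than a public suffix list lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LinkCollector(HTMLParser):
    """Collect navigation targets: <a href> and <form action> (forms carry credentials)."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "a" and attributes.get("href"):
            self.targets.append(attributes["href"])
        elif tag == "form" and attributes.get("action"):
            self.targets.append(attributes["action"])


def _same_site(host_a, host_b):
    """Crude registrable-domain comparison (last two labels). Assumption made for
    this example; a real audit would consult the public suffix list."""
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def audit_links(page_url, html):
    """Classify every link on an HTTPS page by what it does to the session's protection.

    keeps_https : relative link (inherits https) or absolute https:// link
    downgrades  : absolute http:// link back to the same site, silently dropping SSL
    external    : http:// link to another site (plaintext, but not this site's session)
    """
    page_host = urlparse(page_url).hostname or ""
    collector = LinkCollector()
    collector.feed(html)
    report = {"keeps_https": [], "downgrades": [], "external": []}
    for href in collector.targets:
        resolved = urlparse(urljoin(page_url, href))  # relative hrefs inherit the page scheme
        if resolved.scheme == "https":
            report["keeps_https"].append(resolved.geturl())
        elif resolved.scheme == "http" and _same_site(resolved.hostname or "", page_host):
            report["downgrades"].append(resolved.geturl())
        elif resolved.scheme == "http":
            report["external"].append(resolved.geturl())
        # mailto:, javascript: and other schemes are not HTTP(S) navigation and are skipped
    return report


# Constructed page as it might be served after the user manually switched to https://.
# Host names are placeholders for the example, not real sites.
PAGE_URL = "https://www.social.example/home.php"
SAMPLE_HTML = """<html><body>
<a href="/profile.php?id=1">Profile</a>
<a href="https://www.social.example/settings">Settings</a>
<a href="http://www.social.example/photos">Photos</a>
<a href="http://apps.social.example/game">Play a game</a>
<a href="http://partner.example/">Partner site</a>
<form action="http://www.social.example/login.php" method="post">
  <input name="email"><input name="pass" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    result = audit_links(PAGE_URL, SAMPLE_HTML)
    for url in result["downgrades"]:
        print("drops SSL:", url)
```

    The login form posting to http:// is the worst case in the sample: the credentials leave the encrypted session entirely. The audit only sees links present in the served HTML, so navigation built by JavaScript has to be checked separately, and it should be repeated after the Secure Browsing setting is enabled to confirm that the server-side redirect to HTTPS covers the same links.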

    Facebook also warned that some third-party applications and its own chat functionality currently do not work with SSL enabled. Users should be aware of this and take appropriate precautions if they cannot use SSL for those reasons.

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice