In the past year, we’ve noticed many changes in how toolkits and exploit kits are being used. For starters, the bad guys are spending more time securing their creations, as well as the servers where their malware will be installed. They do this to prevent leaks, as well as to make things harder for security researchers.
Here are some of the more well-known names, and what’s happened to them recently.
ZeuS has technically always been purchased and installed in a relatively secure way. Many of its users tended to be more technically capable; its author (Monstr/Slavik) was also selective about whom he sold ZeuS to. ZeuS is secure, stable and able to manage thousands of bots. This is why it became famous in the underground, and why its use remains frequent to this day.
Citadel and IceIX are both malware toolkits that were created using the leaked ZeuS source code as a starting point. They took advantage of ZeuS’s popularity and leaked source code to create their own versions. Aquabox, the author and seller of Citadel, has made improvements to the original ZeuS source code and admin panel, making it attractive to other cybercriminals.
No update has been released for SpyEye in quite some time. The last version, 1.3.48, was released in October 2011; no update has been made since then. Its author, Gribodemon/Hardeman, has disappeared as effectively as Monstr did. Other bad guys have picked it up and now provide installation and hosting services for SpyEye servers. The only thing the “customer” has to do is spread links to the provided server.
Blackhole Exploit Kit
The Blackhole Exploit Kit is a completely different story. The author, Paunch, will not provide you with the kit but will instead install it on a server and use ionCube to encode the PHP files, securing his creation. It is now rare to be able to buy a kit with a good infection rate, unless you want to use an older version.
The Latin American situation
Criminals in Latin America are being similarly careful. They no longer use hijacked servers to host C&C servers, spam tools, or other malicious activities. Now they use their “own” servers in datacenters around the world. To stay under Google’s indexing radar, they don’t register any hostname/domain for these servers and instead use only IP addresses.
Recent takedowns and hacks have taught everybody in the underground a lesson. They now have to be more secure and cautious, protecting their servers against researchers and other criminals. Usually, researchers look for open folders and servers: accessible directories and/or configuration files, and login shells that can be used to gain access to the server and start investigating it.
The time when we could find an open server is essentially over. Compromised/hacked servers no longer host C&C servers either; instead they are only used to host malware for limited periods. Cybercriminals are increasingly providing “secure” web hosting to other cybercriminals, with better chances of their servers not being taken offline.
All this is a real game changer and a new challenge for researchers. The Blackhole business model may become the common model, since it works pretty well for the sellers. Security researchers need to adapt to these new methods and find new ways to track attackers and follow the evolution of their business and operations. Scanning servers and hoping to find open ones isn’t enough anymore. Neither is monitoring forums – these are now used mainly to chat and advertise, and private messages are no longer used to carry out business. Instead, they are used to exchange instant messaging accounts, where the actual transaction is done.
Among other potential steps, developing partnerships with ISPs is crucial in order to take down or sinkhole malicious servers. Developing new ways to find information and monitor cybercriminals is also a must if security researchers are to face the new challenges in front of them today.