TrendLabs Security Intelligence Blog (Trend Micro)

News from the Underground: Toolkit/Exploit Kit Developments

  • Posted on: November 30, 2012 at 9:13 pm
  • Posted in: Bad Sites
  • Author: Loucif Kharouni (Senior Threat Researcher)

In the past year, we’ve noticed many changes in how toolkits and exploit kits are being used. For starters, the bad guys are spending more time securing their creations, as well as the servers where their malware will be installed. They do this to prevent leaks, as well as to make things harder for security researchers.

Here are some of the more well-known names, and what’s happened to them recently.

ZeuS

ZeuS has technically always been purchased and installed in a relatively secure way. Many of its users tended to be more technically capable; its author (Monstr/Slavik) was also selective about whom he sold ZeuS to. ZeuS is secure, stable and able to manage thousands of bots. This is why it became famous in the underground, and why its use remains frequent to this day.

Citadel, IceIX

Citadel and IceIX are both malware toolkits that were created using the leaked ZeuS source code as a starting point. They took advantage of ZeuS’s popularity and leaked source code to create their own versions. Aquabox, the author and seller of Citadel, has made improvements to the original ZeuS source code and admin panel, making it attractive to other cybercriminals.

SpyEye

No update has been released for SpyEye in quite some time. The last version, 1.3.48, was released in October 2011; nothing has been released since then. Its author, Gribodemon/Hardeman, has disappeared as effectively as Monstr did. Other bad guys have picked it up and now provide installation and hosting services for SpyEye servers. The only thing the “customer” has to do is spread links to the provided server.

Blackhole Exploit Kit

The Blackhole Exploit Kit is a completely different story. The author, Paunch, will not hand you the kit; instead he installs it on a server himself and uses ionCube to encode the PHP files, protecting his creation from copying. It is now rare to be able to buy a kit with a good infection rate, unless you are willing to use an older version.

The Latin American situation

Criminals in Latin America are being similarly careful. They are no longer using hijacked servers to host C&C servers, spam tools, or other malicious activities. Instead they are using their “own” servers in datacenters around the world. To stay under Google’s indexing radar, they don’t register any hostname/domain for these servers and instead use only IP addresses.
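One defender-side consequence of the IP-only hosting described above is that outbound web requests addressed to a bare IP literal, rather than a registered hostname, stand out in proxy logs. The following is an added example, not code from the original post: it parses a few constructed proxy log lines in an assumed whitespace-separated format and flags requests whose host is an IP literal outside the internal ranges a defender would expect to see (RFC 1918, loopback, link-local).

```python
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic). Assumed format:
# "<epoch_ts> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
1354315200.123 10.0.0.15 GET http://www.example.com/index.html 200
1354315201.456 10.0.0.15 POST http://203.0.113.45/gate.php 200
1354315202.789 10.0.0.22 GET http://10.0.0.5/intranet/ 200
1354315203.012 10.0.0.22 GET http://198.51.100.7:8080/cfg.bin 200
1354315204.345 10.0.0.31 GET https://cdn.example.net/lib.js 304
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Ranges that are legitimately reached by IP inside most networks; anything
# else that is a bare IP literal is worth a second look.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def is_external_ip_literal(host: str) -> bool:
    """True when host is an IP address (v4 or v6) not in INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return not any(addr in net for net in INTERNAL_NETS)


def flag_ip_literal_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request whose URL host is an external IP literal."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pass
        host = urlparse(m.group("url")).hostname or ""  # strips port and IPv6 brackets
        if is_external_ip_literal(host):
            hits.append({"client": m.group("client"), "host": host, "url": m.group("url")})
    return hits


if __name__ == "__main__":
    for hit in flag_ip_literal_requests(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['url']}")
```

Such hits are a triage signal, not a verdict: CDNs, update services and misconfigured internal tools also produce IP-literal requests, so the output is best joined with reputation or first-seen data.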

Recent takedowns and hacks have taught everybody in the underground a lesson. They now have to be more secure and cautious, protecting their servers against researchers and other criminals. Usually, researchers look for open folders and servers: accessible directories and/or configuration files, as well as login shells, that let them gain access to the server and start investigating it.

The days when we could find an open server are essentially over. Compromised/hacked servers no longer host C&C servers either; instead they are only used to host malware for limited periods. Cybercriminals are increasingly providing “secure” web hosting to other cybercriminals, with better chances of their servers not being taken offline.

All this is a real game changer and a new challenge for researchers. The Blackhole business model may become the common model, since it works well for the sellers. Security researchers need to adapt to these new methods and find new ways to track attackers and follow the evolution of their business and operations. Scanning servers and hoping to find open ones isn’t enough anymore. Neither is monitoring forums: these are now used mainly to chat and advertise, and private messages are no longer used to carry out business. Instead, they are used to exchange instant messaging accounts, where the actual transaction is done.

Among other potential steps, developing partnerships with ISPs is crucial in order to take down or sinkhole malicious servers. Developing new ways to gather information and monitor cybercriminals is also a must if security researchers are to meet the challenges they face today.

Tags: blackhole, citadel, exploit kits, SpyEye, spyware, ZeuS