Attack Toolkits Dominating the Threat Landscape
wiredmikey writes "The ease-of-use and ability to amass great profits through the use of easily accessible 'attack toolkits' are driving faster proliferation of cyber attacks and expanding the pool of attackers, opening the doors to more criminals who would likely otherwise lack the required technical expertise to succeed in the cybercrime underground. The relative simplicity and effectiveness of attack kits has contributed to their increased use in cybercrime — these kits are now being used in the majority of malicious Internet attacks."
Need better tools (Score:1)
May I suggest [youtube.com]?
Re: (Score:2)
No, that's what happens when you teach countries with a less than stable infrastructure the laws of free market. If there's a demand for malware tools, someone will supply it.
But does it run on Linux??! (Score:2)
Re: (Score:1)
Security through obscurity doesn't work in practice. Most of these "toolkits", as TFA likes to call them, come in various flavors from x86 Windows to Siemens networked PLC controllers. Unless there are sound security practices on-site and air-gaps where required, no system is secure.
Re: (Score:1)
> Security through obscurity doesn't work in practice. Most of these "toolkits", as TFA likes to call them, come in various flavors from x86 Windows to Siemens networked PLC controllers. Unless there are sound security practices on-site and air-gaps where required, no system is secure.
I know everybody loves to pull out the "security through obscurity" phrase as if that's an instant slam-dunk victory but that's NOT what the previous post was talking about.
The point, my slow-witted eager-to-score-a-point friend, is this: Windows guarantees that a single vulnerability is going to work unaltered on many millions of systems. That makes it profitable for black-hats to sell these kits. Look up the word "monoculture" if you still think this is a matter of obscurity vs. disclosure. It's the
Re: (Score:2)
> It's the same thing you find in nature: genetic diversity is a good thing, that's why higher organisms tend to use sexual reproduction. It "shuffles the deck" so that a single disease isn't going to wipe out an entire population.
> We need something like that with our computer systems. We could have that.
Frankly, I'm not thrilled with your proposal to change the meaning of "cyber sex" to include computers having sex. I don't think it's a good idea that my computer would be getting more out of being on the internet than I am.
Re: (Score:2)
Re: (Score:1)
Oh please! Linux has had 15 years and you STILL can't give away enough of the thing even at a cost of $0 to get beyond 1%. You think MSFT pays guys like me hidden checks to sell Windows boxes? Nope, to paraphrase an old campaign slogan, it's the apps and ease of use, stupid, which thanks to some bad design choices royally suck in Linux.
Do you realize you are expressing the same problem with Android [Linux] which is going to experience an explosive collapse in spite of the United States' biggest Internet advertising agency's desperate efforts to get cellular to use it?
http://video.nytimes.com/video/2010/06/23/technology/personaltech/1247468111534/the-iphone-4.html [nytimes.com]
HTC has already reported cellular carriers are telling them they have too much Android. Android isn't making them many happy customers so deadly churn is increasing.
You have to l
Re: (Score:1)
Modded troll, but I'm undoing that to address your points.
1% is a factoid. No matter how many times you Windows fans repeat it, it won't continue to be true. Most estimates by major companies (MS, Apple, etc.) place it at around 3-7%. As for apps and ease of use- you might not have the big Windows apps (but Wine's getting better all the time), but you've got plenty of professional grade software- Linux is widely used in the content creation market. As for ease of use, (though I personally dislike it due to b
Re: (Score:1)
Re: (Score:2)
Even if you had anti-virus, Stuxnet was in the wild for a year before the AV vendors knew about it.
PLCs are often programmed from laptops. How are you going to air-gap a laptop from a virus the AV vendors don't know about and that can infect via thumb drives?
I have yet to see a PLC programming environment that wasn't Windows. Some anti-virus even interferes with PLC environments (Norton for example) and good luck getting an AV vendor to fix those problems given the small number of PLC users in proportion
1337 hax0r (Score:1, Redundant)
The new wave of scriptkiddie ftw!
"malicious" Internet attacks (Score:2, Funny)
....as opposed to those bothersome benevolent ones... Low orbit ion cannons at the ready!
Oh great... (Score:2)
And now cracking has turned into a business. If I buy a toolkit will I get a receipt for it? I need it for my tax benefits.
Re: (Score:2)
Now?
Malware has been a business for at the very least a decade. Those toolkits have been available for at least 3-5 years.
How the fuck is this news? Or did only now the general population learn of RBN [wikipedia.org] and similar "services"?
Re: (Score:2)
Such pages are a bit like carpet stores. Constantly on end of business sale, only to move next door.
Seriously, for a while we tried to shut down those drop boxes. Soon we realized that it's not worth the hassle. Modern malware comes with the ability to be redirected to other servers. And, before anyone gets the idea of using that against them, of course these functions are protected by keys.
This has been happening forever (Score:3)
Script kiddies aren't smart enough to code their own exploits. They rely on other people to release their code and then use / abuse it.
It's like PHP; the fact that it's very easy to use leads to a lot of crappy code, even though there are real programmers using it who know what they're doing.
Re: (Score:1)
The feds should take a page from the RIAA playbook and release their own trojan versions of exploit kits, permitting them to track these little snots, or at least wipe their drives. It won't stop the hardcore professionals, but at least this tactic would weed out many of the braindead wannabes.
Re: (Score:2)
Oh, great plan. Ok, lemme clue you in if you don't mind, so you know what you're standing against. I'll try to dance around a few NDAs, but it should work.
Some people with less ethics than greed develop a toolkit that consists of a malware that infects people's computers, a dropoff server where that malware sends its collected information and a service to deliver the malware (let's say, for simplicity's sake, spam. There are other, more sophisticated ways available, but this ain't Malware Business 101).
Know
Re: (Score:2)
Sorry, forgot the important step two: This package gets sold to people with similar ethics and greed, but less computer skill.
Please insert between paragraph 2 and 3.
Re: (Score:2)
Why bother?
Writing malware is not illegal. Writing malware kits also isn't (at least in the relevant countries). USING them may be. But if you buy them for "research only" (interestingly, don't try to buy one "legally" for a malware research institute, they will refuse to deliver... odd, ain't it? :)), it's all fine and nice.
Of course, this being a novelty, nobody ever wants to actually use them for nefarious reasons, of course!
Re: (Score:2)
There's no such thing as a hacker who writes all his own tools. To imply that people using tools written by others aren't "hackers" but are instead "kiddies" is absurd because it implies that no hackers exist.
Re: (Score:2)
This would be a good time to contemplate the difference between a hacker and a cracker.
Re: (Score:2)
A cracker is someone who breaks DRM. A hacker is a person who circumvents computer security.
Re: (Score:2)
Er no.
hacker: A person who enjoys exploring the details of programmable systems and stretching their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
Jargon File [catb.org]
cracker: One who breaks security on a system.
JargonFile [catb.org]
Re: (Score:2)
In English, words have multiple definitions. A dictionary that fails to recognize this uncontested fact is useless as a citation.
Re: (Score:2)
> To imply that people using tools written by others aren't "hackers" but are instead "kiddies" is absurd because it implies that no hackers exist.
Script kiddies are not hackers. Usually they're people with just enough knowledge to be dangerous who think that attacking someone or some entity would be fun. Alternatively, they could be doing it for the money. Nonetheless, in my experience such people don't really understand what they're doing and are forced to use full software packages from others, exclusively.
If you can't understand the difference between that and using a library or open source application, then I really don't know how to explain i
Re: (Score:2)
The reason you can't explain it is because you don't understand it yourself. There is no line between "hacker" and "kiddie." It's just hackers (people who circumvent computer security) of different skill levels. Call a low-skill hacker any name you like, but he's still a hacker.
Didn't You Get the Memo? (Score:3)
Re: (Score:3)
That video killed me.
Norton Internet Security 2004
Username: "HP User"
"You need an internet connection" and having a "Really Solid One"
"Run 'c m d'"
"Http semicolon" ???
Wait.. is that guy using traceroute to see other people's "Ip addresses"
I may cry a little.
Re: (Score:2)
> Wait.. is that guy using traceroute to see other people's "Ip addresses"
Have you never looked inside a router? Little Gnomes in every router, all watching in the same direction when a packet comes along. That's why they are looking at the same website....
Re: (Score:2)
And this is what clogs my days and lets my boss claim huge "victories" while at the same time nothing gets accomplished.
It's a bit like fighting the drug business by busting street dealers. Wow, we cashed in 5 kilos of coke that won't hit the streets. Never mind that 5 tons that got distributed while we spent the last year on this 5 kilo sting op.
Re: (Score:1)
A better analogy would be to consider it as trash collection. Just something that's gotta be done.
Re: (Score:2)
Nope. Usually all my trash gets collected, I just create more, but that doesn't mean that parts of it pile up in my backyard.
It's like stepping on the ants that run from their hive to your bread box. Instead of digging out the hive or sealing the bread box, we keep stepping on the ants, hoping that we'll at least hit some of them.
Re: (Score:1)
Well, let me ask you this. Is your boss actually empowered to do any more than "step on the ants"?
I contested your drug analogy because it is often mistaken that the authorities are trying to stop drugs when the truth is they want to control them. That's why only the small timers and freelancers get shaken down.
Re: (Score:2)
We're not even close to controlling it. We're going for the low hanging fruit. Unfortunately, this seems to keep the machine rolling and the projects come in.
It's like the goose that lays golden eggs, even if those eggs are poisonous. Decapitating the whole criminal structure would possibly endanger this rather comfortable business model. So... low hanging fruits are easier to get, very juicy and they keep growing back.
I don't question that this is profitable. I question that this is sensible.
This is news? (Score:5, Informative)
News Flash: The proliferation of manufactured weapons is credited with a rise in use amongst those with limited training in the use of weapons. Also, technology is making things previously difficult to do easy, says spokesperson for Captain Obvious.
LOIC et al (Score:1)
nmap (Score:2)
This is a dupe from the mid 90s when nmap was released.
If you outlaw exploits... (Score:2, Interesting)
If you outlaw exploits, only outlaws will have exploits.
Seriously folks, it's illegal for me to craft a website that exploits the "attack toolkit" to disable the attack.
I'm forbidden from fighting back...
If someone breaks into my house and threatens me with a shotgun, it's perfectly legal for me to use my pistol on them; the same is not true for software. If my machine is infected by a botnet it's illegal for me to exploit the botnet to disable the threat.
Take heed folks:
Without the right to bear arms we h
Re:If you outlaw exploits... (Score:4, Insightful)
If you don't believe me on that, just think about why/how antivirus doesn't just "remove the malware from the system" simply. Not to mention that it's unfeasible to expect this to work long, because malware are small pieces of software that can be hardened against exploits easily, and "stealing" them by spoofing their communications protocol also relies on the protocol being insecure.
Re: (Score:2)
> you risk disabling a critical system.
The system is already compromised. Mission-critical, or "someone could die"-critical, it makes no difference. Once compromised, you have no guarantee that it will remain stable, or prevent that death. There's a reason that some systems (medical, avionics, etc) require government approval for use, and incredible scrutiny for approval, and often have limited-or-no network access.
Re: (Score:2)
That's the problem with going on 'the attack' - you go outside your own property. (That's one reason shotguns are great personal defense weapons - they require little skill to point and the pellets, while very effective at close range, don't have the penetrating ability that a pistol bullet has. Even a 9mm 50 grain bullet can waltz through sheetroc
Re:If you outlaw exploits... (Score:4, Insightful)
> Very glad to live in a society where people don't have or want that 'right', but leave it to law enforcement, and having murder by firearm and accidental death by firearm at a fraction of US rate (you have a few alternatives to pick from here: http://en.wikipedia.org/wiki/List_of_countries_by_firearm-related_death_rate [wikipedia.org])
Most first-world countries have lower 'knife-related death rates' than America too.
Americans just kill each other far more often than most other first world countries, and most of those murders are fights between drug dealers. Guns are pretty much irrelevant to the murder rate, and someone who's determined to murder someone doesn't much care about gun laws anyway.
Plus I notice you picked 'death rate' rather than 'murder rate', which presumably includes suicides. Obviously people are more likely to use a gun to kill themselves in countries where guns are readily available; hence, for example, the oft-repeated claim that American cops are far more likely to be killed with their own gun than use it to kill a criminal.
Programming toolkits dominating the landscape (Score:1)
In other news from 1980, programming toolkits are dominating the programming landscape.
Programmers have discovered that they can amass great profits by using easily accessible "programming toolkits", which are now used in the majority of the software in the wild. These toolkits include compilers (no longer does the programmer need to remember all these geeky hex codes!), libraries (an idiot can now use the quicksort algorithm without reading Knuth!), and kernels (you don't need to know anything about IO or
Symantec - your source for breaking security news (Score:3)
Maybe next they will develop a program that will remove viruses and other malware without breaking computers or, as I've seen, forcing customers to call India tech support who charge $90 to remove those extra special tough ones.
Then the next step will be to do that without bringing the computers to a crawl.