Cyber Attack Toolkits Dominate the Internet Threat Landscape

Symantec report finds ease-of-use and profitability driving faster proliferation of attacks and expanded pool of attackers


MOUNTAIN VIEW, Calif. – – Symantec Corp. (Nasdaq: SYMC) today announced the findings of its report on Attack Toolkits and Malicious Websites. The study reveals that as attack kits become more accessible and relatively easier to use, they are being utilized much more widely. This has attracted traditional criminals who would otherwise lack the technical expertise into cybercrime, fueling a self-sustaining, profitable, and increasingly organized global economy.

Attack toolkits are software programs that can be used by novices and experts alike to facilitate the launch of widespread attacks on networked computers. These kits enable the attacker to easily launch numerous pre-written threats against computer systems. They also provide the ability to customize threats in order to evade detection, as well as automating the attack process.



Attack Kits Control the Landscape
The relative simplicity and effectiveness of attack kits has contributed to their increased use in cybercrime— these kits are now being used in the majority of malicious Internet attacks. For example, one major kit called Zeus poses a serious threat to small businesses. The main objective of Zeus is to steal bank account credentials; unfortunately, small businesses have fewer safeguards in place to guard their financial transactions, making them a prime target for Zeus.

The profitability of malicious code attacks using Zeus was recently illustrated by the September 2010 arrests of a ring of cybercriminals who allegedly used a Zeus botnet in the theft of more than $70 million from online banking and trading accounts over an 18-month period.

As cyberattacks have become more profitable, the popularity of attack kits has dramatically increased. This in turn has led to increasingly robust and sophisticated kits. These kits are now often sold on a subscription-based model with regular updates, components that extend capabilities, and support services. Cybercriminals routinely advertise installation services, rent limited access to kit consoles, and use commercial anti-piracy tools to prevent attackers from using the tools without paying.

Faster Proliferation of Attacks
The speed at which new vulnerabilities and their exploits spread around the globe has increased due to innovations that attack kit developers have integrated into their products. Attack kits are now fairly easy to update, which allows developers to quickly add exploit code for new vulnerabilities. The result is that some exploits are in the wild just days after the associated vulnerability becomes public. Attackers who can easily update their attack kits with recent exploits are able to target potential victims before they apply necessary patches.

A New Entry Into the Underground Economy
Because attack kits are becoming easier to use, cybercrime is no longer limited to those with advanced programming skills. Participants now include a mix of individuals with computer skills and those with expertise in traditional criminal activities such as money laundering. Symantec expects that this much larger pool of criminals entering the space will lead to an increase in the number of attacks.


Quotes:
“In the past, hackers had to create their own threats from scratch. This complex process limited the number of attackers to a small pool of highly skilled cybercriminals,” said Stephen Trilling, senior vice president, Symantec Security Technology and Response. “Today’s attack toolkits make it relatively easy for even a malicious novice to launch a cyberattack. As a result, we expect to see even more criminal activity in this area and a higher likelihood that the average user will be victimized.”

Additional Facts:

* Popularity and demand has driven up the cost of attack kits. In 2006, WebAttacker, a popular attack toolkit, sold for $15 on the underground economy. In 2010, ZeuS 2.0 was advertised for up to $8,000.
* Secondary services have emerged to direct unsuspecting users to malicious websites, where their computers can be compromised. Tactics used include spam campaigns, black hat search engine optimization (SEO), the injection of code into legitimate websites, and malicious advertisements.
* Symantec observed more than 310,000 unique domains that were found to be malicious. On average, this resulted in the detection of more than 4.4 million malicious Web pages per month.
* Of the Web-based threat activity detected by Symantec during the reporting period, 61 percent was attributable to attack kits.
* The most prevalent attack kits are MPack, Neosploit, ZeuS, Nukesploit P4ck, and Phoenix.
* The search terms that most commonly resulted in malicious website visits were for adult entertainment websites, making up 44 percent of the search terms.

Mitigating Attacks

* Organizations and end users should ensure that all software is up-to-date with vendor patches. Asset and patch management solutions may help to ensure systems are compliant and deploy patches to systems that are not up-to-date.
* Organizations should create policies to limit the use of browser software and browser plug-ins that are not required by the users of the organization. This is especially prudent for ActiveX controls, which may be installed without the knowledge of the user.
* Organizations can also benefit from using website reputation and IP black listing solutions to block outgoing access to sites that are known to host attack toolkits and associated threats.
* Antivirus and intrusion prevention systems can be deployed to detect and prevent exploitation of vulnerabilities and installation of malicious code.

About the Report
The Symantec Report on Attack Toolkits and Malicious Websites, developed by the company’s Security Technology and Response (STAR) organization, is an in-depth analysis of attack toolkits. The report includes an overview of these kits as well as attack methods, kit types, notable attacks, and attack kit evolution. It also includes a discussion of attack kit features, traffic generation, and attack kit activity.

About Security Technology and Response
The Security Technology and Response (STAR) organization, which includes Security Response, is a worldwide team of security engineers, threat analysts, and researchers that provides the underlying functionality, content, and support for all Symantec corporate and consumer security products. With Response centers located throughout the world, STAR monitors malicious code reports from more than 130 million systems across the Internet, receives data from 40,000 network sensors in more than 200 countries, and tracks more than 25,000 vulnerabilities affecting more than 55,000 technologies from more than 8,000 vendors. The team uses this vast intelligence to develop and deliver the world’s most comprehensive security protection.

About Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.