Network World
Saturday, November 22, 2008

Security Phreak


Internet hit by Tornado

Evidence of a new "attack pack" has surfaced, reports Shaun Nichols, providing further proof of how organized and sophisticated exploit code has become.  The web-based toolkit, called Tornado, is thought to have been in operation for at least six months.  It reportedly exploits up to 14 browser vulnerabilities, although I am not certain which ones, nor can I verify the true number at this time.   While its PHP code was only recently released, Symantec believes it is responsible for numerous iframe injection attacks toward the end of last year.

Security researcher Liam O'Murchu offers some observations on Tornado's method of operation.  Following the initial purchase and installation of the kit on a server, accounts are leased to attackers, who inject code into legitimate web pages to redirect visitors to the Tornado server.  The injection is made possible by stealing FTP credentials for the target sites and editing their HTML files, a relatively simple task for an experienced Google hacker (search-engine queries turn up exposed credentials and candidate hosts).  Once a victim's browser loads the injected content, malware installation begins, leveraging the browser vulnerabilities targeted by Tornado. 
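The redirection step above leaves a footprint on the compromised site: an iframe pointing off-site, sized to be invisible. As an added example (this is not code from the original post, from Symantec or from the kit), the following Python scanner walks a web root and flags iframes that combine two or more tell-tale properties. The site host name, the sample page and the malicious host are constructed placeholders, not real indicators.

```python
# Added example (not code from the original post or from Symantec): scan
# HTML files for the hidden, off-site iframes that kits like Tornado plant
# on sites whose FTP credentials were stolen. SITE_HOST, the sample page and
# the malicious host name are constructed placeholders, not real indicators.
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example-victim.test"   # assumed: the host whose pages we scan


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag, wherever it sits
    in the document (injected frames often land after </html>)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_tiny(dimension):
    """True for width/height values of 0, 1 or 2 (with or without units)."""
    m = re.match(r"\s*(\d+)", dimension)
    return m is not None and int(m.group(1)) <= 2


def _hidden_by_css(style):
    """display:none, visibility:hidden or positioned far off the page."""
    s = style.lower().replace(" ", "")
    return ("display:none" in s or "visibility:hidden" in s
            or re.search(r"(left|top):-\d{3,}", s) is not None)


def find_injected_iframes(html, site_host=SITE_HOST):
    """Return [(src, [reasons])] for iframes that look injected.

    A single suspicious property is common on benign pages (ad frames are
    external, layout frames may be hidden), so flag only when two or more
    indicators coincide."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        reasons = []
        host = urlparse(src).hostname or ""
        if host and host != site_host:
            reasons.append("external src")
        if _is_tiny(frame.get("width", "9")) or _is_tiny(frame.get("height", "9")):
            reasons.append("near-zero size")
        if _hidden_by_css(frame.get("style", "")):
            reasons.append("hidden via CSS")
        if len(reasons) >= 2:
            findings.append((src, reasons))
    return findings


def scan_directory(root, site_host=SITE_HOST):
    """Walk a web root and report injected iframes per file."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith((".html", ".htm", ".php")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_injected_iframes(fh.read(), site_host)
                if hits:
                    report[path] = hits
    return report


# Constructed sample: a legitimate page with one benign ad frame and two
# injected frames, one of them tucked after </html> as injections often are.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example-victim.test/news.html" width="600" height="400"></iframe>
<iframe src="http://ads.example/banner" width="468" height="60"></iframe>
<iframe src="http://malicious-kit.invalid/tornado/index.php" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>
<iframe src="http://malicious-kit.invalid/t.php" width=1 height=1
        style="position:absolute; left:-1000px; top:-1000px"></iframe>
"""

if __name__ == "__main__":
    for src, why in find_injected_iframes(SAMPLE_PAGE):
        print(f"{src}: {', '.join(why)}")
```

Run `scan_directory("/var/www/html")` (path assumed) on a suspect site after an FTP credential compromise; the two-indicator threshold keeps banner ads and ordinary embedded pages out of the report, while the combination of an external `src` with zero size or off-screen positioning is what the injected redirect needs in order to fire without being seen.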

One of its most impressive aspects, in my opinion, is the presentation of up-to-date statistics and their potential use.  After logging into the administrative control panel, a user is presented with a myriad of exploit statistics.  Feedback on exploit success rates lets the attacker optimize their attack strategy, and recording the browser type and operating system of each successful exploit introduces a means of victim profiling.  Symantec presents a good overview with screenshots here.
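To make the profiling concrete, here is an added example (not the kit's code and not taken from Symantec's write-up) that rebuilds the per-browser/OS success table from attempt records. The post does not describe how Tornado identifies browser and OS, so classifying the User-Agent header is an assumption, and the log layout (timestamp, client IP, quoted User-Agent, outcome) and the sample lines are constructed. The same aggregation, run over proxy logs for a known landing-page URL, tells a defender which client builds in their environment were actually exploited.

```python
# Added example (not the kit's code, nor from Symantec's write-up): rebuild
# the per-browser/OS exploit success table that a Tornado-style control panel
# shows, from attempt records. The log lines and their layout
# (timestamp, client IP, quoted User-Agent, outcome) are constructed; the
# real kit's storage format is not described in the post.
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(\S+ \S+) (\S+) "([^"]*)" (exploited|failed)$')

# Order matters: Opera historically announced itself as MSIE too.
BROWSER_RULES = [
    (re.compile(r"Opera[/ ](\d+)"), "Opera {}"),
    (re.compile(r"MSIE (\d+)"), "IE {}"),
    (re.compile(r"Firefox/(\d+)"), "Firefox {}"),
]
OS_RULES = [
    ("Windows NT 6.0", "Windows Vista"),
    ("Windows NT 5.1", "Windows XP"),
    ("Windows NT 5.0", "Windows 2000"),
    ("Mac OS X", "Mac OS X"),
    ("Linux", "Linux"),
]


def profile(user_agent):
    """Map a User-Agent string to a (browser, os) label pair."""
    browser = "other"
    for pattern, label in BROWSER_RULES:
        m = pattern.search(user_agent)
        if m:
            browser = label.format(m.group(1))
            break
    os_name = next((label for needle, label in OS_RULES if needle in user_agent), "other")
    return browser, os_name


def summarize(lines):
    """Count attempts and successes per (browser, os); skip unparsable lines."""
    table = defaultdict(lambda: {"attempts": 0, "exploited": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        key = profile(m.group(3))
        table[key]["attempts"] += 1
        if m.group(4) == "exploited":
            table[key]["exploited"] += 1
    return dict(table)


def rank_targets(summary):
    """Order platforms by success rate, then volume: the attacker's view of
    where to aim, and the defender's view of which client builds are most
    exposed."""
    rows = [(key, v["attempts"], v["exploited"] / v["attempts"])
            for key, v in summary.items()]
    rows.sort(key=lambda r: (-r[2], -r[1]))
    return rows


# Constructed sample records (the IPs and timestamps are placeholders).
SAMPLE_LOG = [
    '2008-04-01 10:00:01 10.0.0.5 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" exploited',
    '2008-04-01 10:00:07 10.0.0.6 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" exploited',
    '2008-04-01 10:00:12 10.0.0.7 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" failed',
    '2008-04-01 10:01:03 10.0.0.8 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" failed',
    '2008-04-01 10:01:09 10.0.0.9 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" exploited',
    '2008-04-01 10:02:00 10.0.0.10 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14" exploited',
    '2008-04-01 10:02:30 10.0.0.11 "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14" failed',
    '2008-04-01 10:03:00 10.0.0.12 "Opera/9.27 (Windows NT 5.1; U; en)" failed',
    'garbage line that the parser must skip',
]

if __name__ == "__main__":
    for (browser, os_name), attempts, rate in rank_targets(summarize(SAMPLE_LOG)):
        print(f"{browser:10} {os_name:14} {attempts:3d} attempts  {rate:5.0%}")
```

The ranking sorts by success rate first and volume second, which is the decision the post describes: a platform with a high hit rate is where the next exploit slot is worth spending, while the volume column says how much traffic the compromised sites are actually delivering from each browser and OS.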

One of Tornado's truly distinctive characteristics is a business plan that helps keep it under the security radar.  Its creators, thought to be RBN affiliates, have limited purchase to trusted entities, which in turn sell or rent server accounts to end users. Keeping the number of malicious servers small has made detection difficult and security analysis more challenging.  The emerging SaaS model for crimeware, call it MaaS or HaaS, was first demonstrated by Neosploit and has been discussed frequently, but Tornado is one of its most successful implementations to date.

Platforms for exploiting vulnerabilities are evolving rapidly and are starting to approach the professionalism of commercial products.  Their adoption of increasingly successful business models illustrates a strengthening threat to the Internet community. 

What will we see next?  Advanced graphical dashboards for attack analysis?  Balanced ThreatCards?  Unified Attack Management?  Predictive analysis in the design of attack tools?   

How many BI/threat mashup analogies does the future hold?

For Tornado coverage and other internet weather advisories, be sure to watch:


About Security Phreak


With 20+ years of industry experience, Noah Schiffman is a former black-hat hacker turned security consultant. Coding at an early age, he developed one of the early text/graphic editing applications and started his first software company in 1980 when he was 11 years old. With the advent of networking technologies, he soon mastered the art of manipulating telco switching systems, known as "Phone Phreaking". This soon led to his career as a computer hacker, performing penetration testing, reverse engineering, cryptographic attacks, corporate espionage, digital surveillance and other ethically questionable projects.

His clients have consisted of Fortune 500 companies and various government agencies.

He has authored a number of articles for SearchSecurity.com, on topics ranging from kernel mode and metamorphic viruses to corporate data loss prevention.


The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
