Skip Links

MPack, NeoSploit and Zeus top most notorious Web attack toolkit list

Symantec report finds porn sites, plus Microsoft and Adobe vulnerabilities, most often exploited

By , Network World
January 18, 2011 12:00 AM ET

Network World - About two-thirds of malicious Web activity can be traced back to botnets and exploit code built using popular attack toolkits sold in the underground economy, according to a new Symantec report.

The top three attack toolkits in terms of malicious Web activity are MPack (48%), NeoSploit (31%) and ZeuS (19%), the notorious software used in botnet form to steal financial data and execute fraudulent transactions, according to the  report, which covers June 2009 through July 2010.  

BOOK REVIEW: Decoy networks, separation tactics part of AT&T security chief's infrastructure protection plans 

In analyzing the selling and software development tactics that could be deduced in this shadowy online world, Symantec notes the dog-eat-dog environment in the fight to oust rivals and gain criminally-minded customers willing to pay the price—from as low as $40 for some attack toolkits to as much as $8,000 and more for ZeuS—along with any specialized services for malware.

Symantec, like other IT security vendors, has no choice but to delve into  the world of attack toolkits since so many security countermeasures, such as anti-virus signatures to protected unpatched computers, have to be designed based on what the crime world's software developers do. Kevin Haley, director of Symantec Security Response, says to his knowledge it's not illegal to develop attack toolkits, just to use them in some form to commit an actual crime.

"We believe the tremendous growth of malware we've seen in the last two years is driven by these toolkits," he says.

These attack toolkits make it fairly easy for anyone to get into rackets that include everything from running botnets for spam, financial crime and denial-of-service attacks to just the process of compromising PCs with malicious trojans through Web drive-by downloads, often from legitimate websites that have been compromised.

SECURITY UPDATE: Kama Sutra malware threatens to put Windows users in awkward position 

Known adult entertainment and video streaming websites, along with their misspelled-typo equivalents, are said to be the most likely types of sites searched for that attackers load up with malware. Games, music, software/technology and file-sharing are far less likely spots, according to the report. "The bad guys know what people are searching for," says Haley.


Most often exploited by these attack toolkits were Microsoft Active Template Library Header Data Remote Code Execution Vulnerability at 41%; Adobe Flash Player Multimedia File Remote Bugger Overflow Vulnerability at 25%; and Microsoft Windows Media Player Plug-in Buffer Overflow Vulnerability at 9%, with various other Microsoft and Apple protocols also popular.

In general, Symantec's research indicates that attack toolkit developers don't particularly rush to get new vulnerabilities into their attack code, nor do they strive to incorporate zero-day attacks, despite their advertising to the contrary. "Thus, it appears that, in general, attack toolkit developers are not actively researching new vulnerabilities or developing original exploit code," Symantec states.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News