Internet hit by Tornado

Evidence of a new "attack pack" has surfaced, reports Shaun Nichols, providing further proof of how organized and sophisticated exploit code has become.  The web-based toolkit, called Tornado, is thought to have been in operation for at least six months.  The tool reportedly exploits up to 14 browser vulnerabilities, although I am not certain which ones, nor can I verify the true number at this time.   While its PHP code was only recently released, Symantec believes it is responsible for numerous iframe injection attacks late last year.

Security researcher Liam O'Murchu offers some observations on Tornado's method of operation.  After buying the kit and installing it on a server, the operator leases accounts to attackers, who inject code into legitimate web pages to redirect visitors to the Tornado server.  The injection works by stealing FTP credentials for the target sites and editing the harvested HTML files, a relatively simple task for an experienced Google hacker.  Once a victim's browser has been redirected, Tornado launches the browser exploits it carries and installs malware.
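The defender's side of the injection step described above, as an added example that is not part of the original post or of Symantec's analysis: a small Python scanner that walks a site's HTML files and flags the kind of hidden, off-site iframe an attacker leaves behind after logging in over FTP with stolen credentials. The sample pages, the allowlist of hosts the site legitimately embeds, and the hiding heuristics (zero-size frames, display:none, visibility:hidden, far off-screen positioning, raw IP targets) are all constructed here for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample pages (not real compromised sites): one clean page and two
# carrying an injected iframe styled so the visitor never sees it.
SAMPLE_PAGES = {
    "index.html": """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/embed/player" width="640" height="360"></iframe>
</body></html>""",
    "about.html": """<html><body>
<p>About us</p>
<iframe src="http://198.51.100.23/in.cgi?3" width="0" height="0" style="display:none"></iframe>
</body></html>""",
    "contact.html": """<html><body><p>Contact</p>
<IFRAME SRC='http://redirector.invalid/t/' style='visibility:hidden;position:absolute;left:-9999px'></IFRAME>
</body></html>""",
}

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def parse_attrs(attr_text):
    """Turn the raw attribute text of a tag into a lowercase-keyed dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        value = next(v for v in m.group(2, 3, 4) if v is not None)
        attrs[name] = value
    return attrs


def is_hidden(attrs):
    """Heuristics for iframes sized or styled so the page visitor cannot see them."""
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(left|top):-\d{3,}", style):  # pushed far off-screen
        return True
    for dim in ("width", "height"):
        v = attrs.get(dim, "").strip().rstrip("px")
        if v.isdigit() and int(v) <= 1:  # 0x0 or 1x1 frames
            return True
    return False


def find_suspicious_iframes(html, allowed_hosts):
    """Return a list of {src, reasons} for every iframe that looks injected."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if host and host not in allowed_hosts:
            reasons.append("external host %s" % host)
        if re.match(r"\d+\.\d+\.\d+\.\d+$", host):
            reasons.append("raw IP address")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


def scan_pages(pages, allowed_hosts):
    """Scan a {filename: html} mapping; keep only files with findings."""
    report = {}
    for name, html in pages.items():
        hits = find_suspicious_iframes(html, allowed_hosts)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_pages(SAMPLE_PAGES, {"www.example.com"}).items():
        for hit in hits:
            print("%s: %s (%s)" % (name, hit["src"], ", ".join(hit["reasons"])))
```

Run against a real document root, the pages mapping would be built by reading each .html file; pairing the scan with a periodic hash of every file the FTP account can write to catches the modification even when the injected frame is obfuscated past these heuristics.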

One of its most impressive aspects, in my opinion, is the presentation of up-to-date statistics and the use an attacker can make of them.  Once logged into the administrative control panel, a user is presented with a myriad of exploit statistics.  Feedback on which exploits succeed lets the attacker optimize the attack strategy.  Furthermore, recording the browser type and operating system for each successful exploit introduces a means of victim profiling.  Symantec presents a good overview with screenshots here.

One of Tornado's truly unique characteristics is a business plan that helps keep it under the security radar.  Its creators, thought to be RBN affiliates, have limited sales to trusted entities, which in turn sell or rent server accounts to end users.  Keeping the number of malicious servers small has made detection difficult and security analysis more challenging.  The crimeware-as-a-service model, variously called MaaS or HaaS and first demonstrated by Neosploit, has been discussed frequently, but Tornado is one of its most successful implementations to date.

Platforms for exploiting vulnerabilities are evolving rapidly and are starting to approach the professionalism of commercial products.  Their adoption of increasingly successful business models illustrates a strengthening threat to the internet community.

What will we see next?  Advanced graphic dashboards for attack analysis?  Balanced ThreatCards?  Unified Attack Management?  The use of predictive analysis in designing attack tools?

How many BI/threat mashup analogies does the future hold?

For Tornado coverage and other internet weather advisories, be sure to watch: greyhat@computer.org


Copyright © 2008 IDG Communications, Inc.
