Hacking Toolkit Compromises Thousands Of Web Servers - InformationWeek
Software // Information Management
07:27 PM
Connect Directly

Hacking Toolkit Compromises Thousands Of Web Servers

The kit generates one-time use random URLs to prevent malicious Web pages from being blacklisted or analyzed by security researchers, according to researchers with Finjan.

A hacking toolkit that enables allow cyber criminals to subvert computers and more effectively evade detection is responsible for compromising thousands of machines last month, according to Yuval Ben-Itzhak, CTO of security company Finjan.

In December 2007, Finjan identified more than 10,000 Web servers infected with a malicious hacking kit called "random js toolkit." In June, the company found an average of 30,000 newly infected malicious Web pages every day -- the result of "random js tookit" -- and the company claims the situation is much worse today.

Ben-Itzhak said the hacking kit is particularly difficult to deal with because it has been designed to hide from computer security researchers and security software.

The malicious software stores the IP addresses of Web crawlers -- used by search engines and security companies to analyze Web pages -- so it can identify them and serve them clean content. Visitors determined to be real people get malware.

The kit generates one-time use random URLs to prevent malicious Web pages from being blacklisted or analyzed by security researchers. And its infectious scripts are also dynamic, appearing to a new visitor and then never again.

"This malicious code will be served for users visiting the first time, but not the second time," said Ben-Itzhak. "The reason hackers are doing this is it's an anti-forensic technique." Finjan claims its real-time code analysis technology can detect the malware more effectively than signature-based techniques.

A single "random js toolkit" attack serves over 13 different exploits that attempt to infect the victim's computer, according to a report issued by Finjan. The exploits too are dynamic, and are changed to reflect vulnerabilities and patches on the victim's machine. This maximizes the chance of infection.

Unlike the technique of embedding hidden IFRAME elements in Web pages to fetch malware from a server other than the one being visited, "random js toolkit" exploits often come from trusted domains. This is because cyber criminals have been targeting the servers of legitimate organizations to deliver their malicious software. Of the 30,000 Web pages being infected daily as of last summer, Finjan said that 80% of them were located on legitimate hacked sites. If such attacks continue and prove effective, trusted brands will be trusted a lot less.

In its report on the "random js toolkit," Finjan said that it found infected Web sites in domains administered by U.C. Berkeley and Teagames Limited. The company said that it notified both organizations and that the hacked pages are no longer active.

According to a company spokesperson, other organizations with compromised Web servers -- recall that Finjan claims to have found 10,000 -- have been notified and their names are being withheld until they can address their security issues.

There are a handful of other hacking toolkits available besides "random js toolkit," including Dycrypt, IcePack, Makemelaugh, MPack, Multi Exploit Pack, Neosploit and Vipcrypt.

Finjan provided a screen shot of another hacking application, Web Attacker Toolkit, being sold online at a Russian e-commerce site in a "Light Edition" for $50, an "Econom Edition" for $100, and a "Professional Edition" for $150. Customer support and updates were available for $10 to $20 extra.

Hacking toolkits like MPack and Web Attacker ToolKit include online statistical reporting to help cyber criminals keep track of the number of systems they're infecting and other relevant data. That suggests there are a lot of hacked systems to manage.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Digital Transformation Myths & Truths
Transformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll