Robert Hensing's Blog

Software Security . . . and stuff.

Web Attacker Toolkit - From Russia with Love

Web Attacker Toolkit - From Russia with Love

  • Comments 3
  • Likes

So here's a very interesting blog post I came across recently: 

http://www.websense.com/securitylabs/blog/blog.php?BlogID=94

 

It details the workings of an automated browser exploit toolkit that is sold by some Russians.

That's not surprising because Russians are uber 733t h4x0rs right?

 

Well the people who purchase this kit for the low price of $300 will be able to make use of known (and 0-day as evidenced by the statistics in the above blog) browser based exploits to install the malware of their choice in the context of the currently logged on user.  You will notice that they offer both IE and Firefox exploits in this kit . . . why limit yourself to only one segment of the market?!

 

Now a really astute reader may also notice that this kit is designed to be run from Linux / Apache servers and is PHP based.  A really really astute reader may note the effort the author has gone through to reduce the number of dependencies on external / infrequently used Perl modules . . . one might speculate that this is to ensure that it works on as many PHP based web sites as possible.  (After all - if you were using this to exploit browsers - you wouldn't want to run it from YOUR site would you?  It'd be much safer to hack some phpBB site and host it there!).

 

Now if only there was a way to direct people browsing random web sites to a URL hosting this exploit toolkit so that they could get owned . . . well it's a good thing that 85% of all web sites are hosted on Apache . . . that makes finding a web server to own pretty easy I guess.

 

Check out this link:

<http://search.live.com/results.aspx?q=%3D+http%3A%2F%2F%2577%2577%2577%252E%2574%2572%2575%2573%2574%2534%2566%2572%2565%2565%252E%2577%2573%3Fid%3Dindex12&src=IE-SearchBox>

 

What you're looking at is the Live search results of an actual obfuscated malware URL found in the wild (the Live search results are safe - but don't go to the exploit URL - it's still up and it will try to exploit at least a patched RDS vulnerability (IE7 blocks the control)).  The Live search results above give the addresses of sites (and forums discussing this malware URL) that have been compromised and have had an IFRAME inserted into the default document to redirect visitors of that site to an exploit page (like the one offered up by this toolkit).  There is definitely a common thread to the sites that have been compromised and had their home pages updated with the ole IFRAME pointing at an exploit page trick.

 

As we've seen in the past with other forms of malware - the days of hacking (or in this case defacing) for fun and fame are increasingly turning into hacking for profit.  Why mass-deface Apache servers for 'props' on Zone-H when you can use the same defacement techniques to modify the home page of thousands of sites to have visitors redirected to an exploit site so that you can make money off your mass-defacement talents?

 

Looking at this macroscopically - I find it very interesting that the web server of choice for hosting both the malware toolkit and the redirects to get you to it is the one that powers 85% of the Internet - Apache . . . which is being used to exploit the browser that 85% of the Internet use to browse - IE (and some Firefox).

 

In my mind - there is no clearer proof of the hypothesis that the most prevalent platform will also be the most targeted and hacked platform - no matter the vendor.

 

People love to beat up on IE . . . but that's only part of the problem here.  There's plenty of miscreant love and affection to go around between vendors and whoever has the most market share - will get pwnt in the name of making money.  It's nice to see the Russians are really embracing capitalism. :)

Comments
  • Welcome again, It's nice to see you again.  you should write more frequently.  I like very much your blog.  

  • I'll second that (even though I had to sign up for an account to say it)! Good to have you back.

    Please post more frequently on your own blog than I have been on mine. It's not easy finding the free time to blog. And to say anything meaningful. Your recent posts are great!

    - Drew

    (a.k.a. "He who is no longer dcoop at microsoft.com)

  • Eeep! It turns out that after I signed up for a TechNet account I was emailed my new user name and password. Yes - *password*.

    That can't be a good thing.

    Maybe you can get in touch with someone internally to change that.

    - Drew

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment