2013-01-08
Abstract
Recently, there has been a change in the toolkit/exploit kit landscape, with bad guys dedicating more time and resources to securing their creations and the servers on which their software will be installed. Loucif Kharouni explains why we need to adapt and adjust our ways of working to keep up with these changes.
Copyright © 2013 Virus Bulletin
Recently, we have noticed a change in the toolkit/exploit kit landscape. This has been going on for more than a year. Bad guys are dedicating more time and resources to securing their creations and securing the servers on which their software will be installed, both to prevent leaks and to prevent security researchers from accessing them.
The following is a brief description of a few such kits.
Zeus itself has always been secure and installed in a secure way. Its users are mainly relatively skilled, because Slavik (the author of Zeus) was selective about those to whom he sold his software. Figure 1 shows the Zeus control panel.
Citadel and IceIX are both based on the Zeus source code. Their authors took advantage of the popularity of Zeus and the availability of its code and created their own versions. Aquabox, the author and seller of Citadel, made some significant changes to the Zeus code, improved the control panel and made it very attractive to bad guys. Figure 2 and Figure 3 show the control panels for Citadel and IceIX.
SpyEye has not officially been updated for over a year now (the latest version is 1.3.48). Like the Zeus author, SpyEye’s author (Gribodemon, a.k.a. Hardeman) has disappeared from the malware scene. However, others have picked up SpyEye and started to provide installation services. These people offer both to install SpyEye and to provide a server for it. The only thing the purchaser has to do is to spread the malware. Figure 4 shows the SpyEye control panel.
Blackhole is an exploit pack, which serves to spread any malware using different exploits. Paunch, its author, will not provide the kit directly to purchasers, but instead will install it for them on a server and encode the PHP files with ionCube – securing both the exploit kit and the server. The latest version has recently been released, featuring new exploits and additional security. Figure 5 shows the Blackhole control panel.
In general, we are seeing fewer cases of bad guys using hijacked servers to host C&C, spam tools or other malicious creations. Instead, they are using their ‘own’ servers based in datacentres around the world, for which they don’t register any hostnames/domains, being careful to use only IP addresses that are not indexed in Google.
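The absence of a registered hostname is itself something a defender can look for: a panel reached only by IP literal never appears in DNS logs, but it does appear in proxy logs as a request whose destination is a bare address. The script below is an added example and is not code from the article or from Virus Bulletin; it runs over a constructed, simplified proxy log format (timestamp, client, method, URL, status) of my own invention, and the internal ranges it allowlists are assumptions. It flags outbound requests to external IP literals and counts repeat destinations so that periodic beaconing to one address stands out for triage. It is a heuristic, not a verdict: some legitimate updaters and CDNs also use IP literals, so the output is a list to review, not to block.

```python
"""
Flag outbound HTTP(S) requests made to an external IP literal rather than
a hostname. Added example for this article; the log format is constructed
and the internal ranges are assumptions, not any real product's defaults.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines: "<timestamp> <client_ip> <method> <url-or-target> <status>".
# Destination addresses are documentation ranges, chosen only as placeholders.
SAMPLE_LOG = """\
2013-01-08T10:01:02Z 10.0.0.15 GET http://www.example.com/index.html 200
2013-01-08T10:01:05Z 10.0.0.15 POST http://203.0.113.45/panel/gate.php 200
2013-01-08T10:01:09Z 10.0.0.22 GET http://198.51.100.7:8080/in.php 200
2013-01-08T10:01:10Z 10.0.0.22 GET http://10.0.0.5/intranet/ 200
2013-01-08T10:01:15Z 10.0.0.15 POST http://203.0.113.45/panel/gate.php 200
2013-01-08T10:01:20Z 10.0.0.31 CONNECT 192.0.2.200:443 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Assumed internal/non-routable ranges that should not be flagged.
# (Not using ipaddress.is_private, because it also treats the documentation
# ranges used in the sample above as private.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def destination_host(url):
    """Return the host part (without scheme, path or port) of a URL or a
    CONNECT target such as 'host:443'. IPv4 and plain hostnames only."""
    target = url.split("://", 1)[1] if "://" in url else url
    hostport = target.split("/", 1)[0]
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport


def is_external_ip_literal(host):
    """True if host is an IP address (not a name) outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, so DNS was involved; not our case
    return not any(addr in net for net in INTERNAL_NETS)


def flag_ip_literal_connections(log_text):
    """Parse the log and return the requests whose destination is an
    external IP literal, as a list of dicts."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        ts, client, method, url, status = m.groups()
        host = destination_host(url)
        if is_external_ip_literal(host):
            hits.append({"time": ts, "client": client, "method": method,
                         "dest": host, "url": url, "status": status})
    return hits


def summarize(hits):
    """Count flagged destinations so that repeated check-ins to one
    address (typical of a bot reporting to its panel) rise to the top."""
    return Counter(h["dest"] for h in hits)


if __name__ == "__main__":
    found = flag_ip_literal_connections(SAMPLE_LOG)
    for dest, n in summarize(found).most_common():
        clients = sorted({h["client"] for h in found if h["dest"] == dest})
        print(f"{dest}: {n} request(s) from {', '.join(clients)}")
```

In a real deployment the same check would be fed from the proxy's actual log format and joined against an allowlist of known IP-literal services; the point is that a server with no hostname leaves a different trace than one with a domain, and that trace lives in egress logs rather than in DNS.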
We have seen that the authors or sellers of these kits are keen to maintain control of them by providing installation services on their own servers rather than giving direct access to their customers. Following recent takedowns and hacking, even the bad guys have become more security-aware and cautious, seeking to protect their own servers against both researchers and competitors who want to hack them.
Usually researchers are on the lookout for accessible folders and/or configuration files as well as shells to gain access to a server and investigate it. However, the days when it was easy to find an open server are over. Likewise, it is now rare to find compromised/hacked servers hosting C&Cs. There has been an increase in the number of hosting services provided with a security layer on top – giving better assurance that the servers won’t be taken down, or at least not for a while.
We have also noticed a change in the channels of communication used by the creators/sellers of these kits. Internet forums are now mainly used to chat, advertise sales or make purchases, but business discussions have moved to IM platforms (Jabber/ICQ/Skype).
The points mentioned above are real game-changers for researchers and represent a new challenge. The Blackhole business model is likely to become a common one, or even the norm for future toolkit/exploit kits. (Remember that using Blackhole you never directly get the kit itself, everything is done on your behalf.)
We need to adapt and adjust our research methods to the new way of operating and try to find new solutions to track the bad guys. Scanning and hoping to find open servers is no longer enough. Developing or redeveloping our partnership with ISPs has become crucial in order to take down/sinkhole servers, and developing new ways to find information and to monitor bad guys is essential – the old methods simply don’t work any more.
In summary, we have observed that the bad guys have become more cautious – they have found new ways to work and new ways of providing their kits to customers. They have begun to secure their servers in new ways and are using different channels of communication to conduct their business. We need to adapt and adjust our way of working to keep up with these changes.