Hacking Toolkit Compromises Thousands Of Web Servers - InformationWeek



The kit generates one-time use random URLs to prevent malicious Web pages from being blacklisted or analyzed by security researchers, according to researchers with Finjan.

A hacking toolkit that allows cyber criminals to subvert computers and more effectively evade detection is responsible for compromising thousands of machines last month, according to Yuval Ben-Itzhak, CTO of security company Finjan.

In December 2007, Finjan identified more than 10,000 Web servers infected with a malicious hacking kit called "random js toolkit." In June, the company found an average of 30,000 newly infected malicious Web pages every day -- the result of "random js toolkit" -- and the company claims the situation is much worse today.

Ben-Itzhak said the hacking kit is particularly difficult to deal with because it has been designed to hide from computer security researchers and security software.

The malicious software stores the IP addresses of Web crawlers -- used by search engines and security companies to analyze Web pages -- so it can identify them and serve them clean content. Visitors determined to be real people get malware.

The kit generates one-time use random URLs to prevent malicious Web pages from being blacklisted or analyzed by security researchers. And its infectious scripts are also dynamic, appearing to a new visitor and then never again.

"This malicious code will be served for users visiting the first time, but not the second time," said Ben-Itzhak. "The reason hackers are doing this is it's an anti-forensic technique." Finjan claims its real-time code analysis technology can detect the malware more effectively than signature-based techniques.
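To illustrate why randomized scripts defeat exact-match signatures while structural code analysis still catches them, here is an added defender-side example (not Finjan's technology and not code from the article). The two loader variants and the benign snippet are constructed samples: they differ only in random identifiers and one-time URLs, so their byte hashes differ but their token shape is identical.

```python
import hashlib
import re

# Constructed samples (not real toolkit output): two variants of the same
# script loader that differ only in random identifiers and one-time URLs.
VARIANT_A = """var kq7x = document.createElement("script");
kq7x.src = "http://legit.example/a9f3c21e/x.js";
document.body.appendChild(kq7x);"""
VARIANT_B = """var zp91 = document.createElement("script");
zp91.src = "http://legit.example/7b0dd4a1/x.js";
document.body.appendChild(zp91);"""
# Constructed benign snippet with a different structure.
BENIGN = """var img = new Image();
img.src = "http://cdn.example/logo.png";"""

# Tokenizer: string literals, numbers, identifiers, or single punctuation.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\d+|[A-Za-z_$][\w$]*|\S')
# Names kept literally because they carry the script's behaviour, not its noise.
KEYWORDS = {"var", "document", "createElement", "src", "body", "appendChild",
            "new", "Image", "function", "return", "if", "else", "eval",
            "unescape", "window", "location"}


def exact_signature(js: str) -> str:
    """Classic signature: a hash of the raw bytes. Any random identifier or
    one-time URL changes it, so every served copy looks new."""
    return hashlib.sha256(js.encode()).hexdigest()


def structural_fingerprint(js: str) -> str:
    """Hash the token *shape* of a script: identifiers become ID, string
    literals STR, numbers NUM; keywords/API names and punctuation are kept.
    Random names and URLs no longer affect the result."""
    shape = []
    for tok in TOKEN_RE.findall(js):
        if tok[0] in "\"'":
            shape.append("STR")
        elif tok.isdigit():
            shape.append("NUM")
        elif tok in KEYWORDS:
            shape.append(tok)
        elif re.match(r"[A-Za-z_$]", tok):
            shape.append("ID")
        else:
            shape.append(tok)
    return hashlib.sha256(" ".join(shape).encode()).hexdigest()
```

The same idea extends to one-time URLs: fingerprint the fetched script's structure rather than the URL that served it.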

A single "random js toolkit" attack serves over 13 different exploits that attempt to infect the victim's computer, according to a report issued by Finjan. The exploits too are dynamic, and are changed to reflect vulnerabilities and patches on the victim's machine. This maximizes the chance of infection.

Unlike the technique of embedding hidden IFRAME elements in Web pages to fetch malware from a server other than the one being visited, "random js toolkit" exploits often come from trusted domains. This is because cyber criminals have been targeting the servers of legitimate organizations to deliver their malicious software. Of the 30,000 Web pages being infected daily as of last summer, Finjan said that 80% of them were located on legitimate hacked sites. If such attacks continue and prove effective, trusted brands will be trusted a lot less.

In its report on the "random js toolkit," Finjan said that it found infected Web sites in domains administered by U.C. Berkeley and Teagames Limited. The company said that it notified both organizations and that the hacked pages are no longer active.

According to a company spokesperson, other organizations with compromised Web servers -- recall that Finjan claims to have found 10,000 -- have been notified and their names are being withheld until they can address their security issues.

There are a handful of other hacking toolkits available besides "random js toolkit," including Dycrypt, IcePack, Makemelaugh, MPack, Multi Exploit Pack, Neosploit and Vipcrypt.

Finjan provided a screen shot of another hacking application, Web Attacker Toolkit, being sold online at a Russian e-commerce site in a "Light Edition" for $50, an "Econom Edition" for $100, and a "Professional Edition" for $150. Customer support and updates were available for $10 to $20 extra.

Hacking toolkits like MPack and Web Attacker ToolKit include online statistical reporting to help cyber criminals keep track of the number of systems they're infecting and other relevant data. That suggests there are a lot of hacked systems to manage.
