Where do hackers buy their tools?


Software that facilitates online attack by novice fraudsters and would-be anarchists is big business, writes KARLIN LILLINGTON

THE NEW software suites come with all the trappings of today’s modern software offering: cloud computing hosting options, software as a service (SaaS) features, outsourcing, digital certificates, licences to prevent piracy, software modules, and bundled service and support packages.

But the difference between these software programs – which are listed in ephemeral internet relay chat (IRC) discussion areas and private online forums – and what you might buy from mainstream vendors, is that they supply increasingly sophisticated hacking software to the unsophisticated – to fledgling hackers with little ability to write their own computer code.

“Lessons learned from large, legitimate software companies – such as development practices, anti-piracy techniques, and support and pricing practices – are routinely duplicated in the underground economy in order to increase efficiency and profits,” reports security company Symantec in a report out this week on the growth in the underground market for so-called “attack toolkits”.

According to Orla Cox, security operations manager at Symantec’s security response centre in Dublin, a maturing market for hacking software and the dismay of previous creators of such packages at seeing them – ironically – widely pirated and available from hacker discussion sites have produced a hacking software landscape that is increasingly indistinguishable from legitimate businesses.

“They’re trying to differentiate themselves from competitors,” she says. Thus, vendors of such software suites, which tend to cost anywhere from a few hundred to a few thousand euro, readily supply a range of services to cater to the novice hacker.

As with security companies like Symantec itself, these suite producers can provide regular updates, except that these enable their rogue software to take advantage of newly discovered vulnerabilities in browsers, applications and infrastructure.

Or, perhaps the hacker would like the seller of the software to provide a hosting service for them from which to run the malicious code? That’s on offer too.

And if a large package is too expensive, buyers can instead purchase modules enabling them to do certain types of hacking.

As with mainstream commercial software, many of the packages also require buyers to activate licences or use digital certificates to ensure the packages won’t suddenly appear for free on filesharing sites or IRC chat rooms.

The new sophistication of the software indicates the more limited abilities of the buyers, says Cox. “These are less-educated hackers, if you like,” she says. “They take more of a hobbyist approach rather than the old-school hacker who learns to code. The buyers will have computer skills, but maybe not coding skills.”

Novice hackers can even bundle in a service and support package to get help when they find a new module a little too confusing or can’t figure out how to get their software settings quite right.

“It would all be quite underground though,” Cox says. “They wouldn’t exactly have a hotline that you can call. But they will use instant messaging or IRC.”

The main type of suite being sold is called an “exploit kit”, and the most common way of staging an attack is for users to place malicious code on a victim’s computer.

“It allows you to set up your own malicious site with everything on it. This may be passing on malware or redirecting to a malicious site when the visitor comes across this site,” says Cox.

“It allows you to build up your botnet to stage attacks, or to send out spam.”

The hackers try to lure visitors to their websites using search engine optimisation techniques and productive search terms.

The most popular – at 44 per cent – are terms associated with adult entertainment websites, while the second most common are terms associated with video streaming, says the report. Toolkit users also use “typo-squatting” – they register a domain name a letter or two off that of a popular website in the hope of capturing clumsy keyboardists.
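
Seen from the defending side, the "letter or two off" description of typo-squatting becomes a check over newly observed domain names. The Python below is an added example, not taken from the article or the Symantec report; the watch list, the observed names, the function names and the two-edit threshold are all assumptions made for illustration.

```python
# Added example: flag domains within two edits of a protected name.
PROTECTED = ["bigbank.example", "webmail.example"]  # constructed watch list

# Constructed sample of names seen in DNS or proxy logs.
OBSERVED = ["bigbank.example", "bigbnak.example", "bigbak.example",
            "biigbankk.example", "weather-news.example", "WWW.Webmail.example."]

def normalize(domain):
    """Lowercase, drop a trailing root dot and a leading 'www.' label."""
    name = domain.strip().lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name

def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution
    and swapping two adjacent characters each cost one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("nak" for "ank") counts as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def find_lookalikes(observed, protected=PROTECTED, max_edits=2):
    """Return (observed, protected, distance) for near-miss names only."""
    hits = []
    for raw in observed:
        name = normalize(raw)
        if name in protected:
            continue  # the genuine domain itself is not a lookalike
        for brand in protected:
            if abs(len(name) - len(brand)) > max_edits:
                continue  # a length gap this large already exceeds the limit
            dist = osa_distance(name, brand)
            if dist <= max_edits:
                hits.append((name, brand, dist))
                break
    return hits

if __name__ == "__main__":
    for name, brand, dist in find_lookalikes(OBSERVED):
        print(f"{name} looks like {brand} ({dist} edit(s))")
```

Counting a swapped pair of letters as a single edit matters here, because transposed keystrokes are exactly the slip typo-squatters count on.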

In some cases, the users of such kits work for professional cybercrime gangs, who will pay novice hackers for every computer they can compromise, helping the gangs to build vast botnets for staging attacks, Cox says.

A number of high-profile exploits using the kits have drawn greater attention to the problem over the past year. Topping the list, at least for the humiliation factor, was a successful breach of three US treasury department websites using a toolkit called Eleonore in May.

The websites redirected visitors to a malicious site, which infected them with malicious code and rogue security software, according to the report.

Another effective scam used a popular toolkit called Zeus to harvest data from 55,000 vulnerable computers last August. The group behind the attack, called Avalanche, used a botnet to steal bank account information and credit card details from victims.

Symantec says “the relative simplicity and effectiveness of using attack toolkits” has led to novice hackers with few coding skills increasingly hacking for financial gain, rather than to deface websites or cause general mischief. The report says the toolkits are being used in the majority of malicious attacks online – indicating that relative novices are probably now behind the majority of hacking attacks – with Zeus alone responsible for over 90,000 examples of malicious code in just one month of 2009.

“It is very likely that attack toolkits such as Zeus have been responsible for infecting millions of computers,” the report says.

Symantec is now watching this underground market for signs of consolidation, says Cox. Just as in the mainstream software world, some toolkit producers seem ready to work together on a merged product rather than continue to compete.

The market for merged products could be very lucrative. Zeus sells for up to $4,000, but there are rumours that a new toolkit comprising Zeus consolidated with another toolkit is now available for about $8,000.

“The kits are starting to be more expensive – and more effective,” says Cox.