• United States



Senior Editor, Network World

MPack, NeoSploit, Zeus top most notorious attack toolkit list

Jan 18, 20114 mins
AT&TCybercrimeData and Information Security

About two-thirds of malicious Web activity can be traced back to botnets and exploit code built using popular attack toolkits like MPack and Zeus sold in the underground economy, according to a new Symantec report.

About two-thirds of malicious Web activity can be traced back to botnets and exploit code built using popular attack toolkits sold in the underground economy, according to a new Symantec report.

The top three attack toolkits in terms of malicious Web activity are MPack (48%), NeoSploit (31%) and ZeuS (19%), the notorious software used in botnet form to steal financial data and execute fraudulent transactions, according to the  report, which covers June 2009 through July 2010.  

BOOK REVIEW: Decoy networks, separation tactics part of AT&T security chief’s infrastructure protection plans 

In analyzing the selling and software development tactics that could be deduced in this shadowy online world, Symantec notes the dog-eat-dog environment in the fight to oust rivals and gain criminally-minded customers willing to pay the price—from as low as $40 for some attack toolkits to as much as $8,000 and more for ZeuS—along with any specialized services for malware.

Symantec, like other IT security vendors, has no choice but to delve into  the world of attack toolkits since so many security countermeasures, such as anti-virus signatures to protected unpatched computers, have to be designed based on what the crime world’s software developers do. Kevin Haley, director of Symantec Security Response, says to his knowledge it’s not illegal to develop attack toolkits, just to use them in some form to commit an actual crime.

“We believe the tremendous growth of malware we’ve seen in the last two years is driven by these toolkits,” he says.

These attack toolkits make it fairly easy for anyone to get into rackets that include everything from running botnets for spam, financial crime and denial-of-service attacks to just the process of compromising PCs with malicious trojans through Web drive-by downloads, often from legitimate websites that have been compromised.

SECURITY UPDATE: Kama Sutra malware threatens to put Windows users in awkward position 

Known adult entertainment and video streaming websites, along with their misspelled-typo equivalents, are said to be the most likely types of sites searched for that attackers load up with malware. Games, music, software/technology and file-sharing are far less likely spots, according to the report. “The bad guys know what people are searching for,” says Haley.


Most often exploited by these attack toolkits were Microsoft Active Template Library Header Data Remote Code Execution Vulnerability at 41%; Adobe Flash Player Multimedia File Remote Bugger Overflow Vulnerability at 25%; and Microsoft Windows Media Player Plug-in Buffer Overflow Vulnerability at 9%, with various other Microsoft and Apple protocols also popular.

In general, Symantec’s research indicates that attack toolkit developers don’t particularly rush to get new vulnerabilities into their attack code, nor do they strive to incorporate zero-day attacks, despite their advertising to the contrary. “Thus, it appears that, in general, attack toolkit developers are not actively researching new vulnerabilities or developing original exploit code,” Symantec states.

Though making money is the name of the game, there now even seems to be an attack toolkit open-source project, the Hybrid Botnet System. But in general, Symantec depicts a world where attack toolkit developers worry about piracy and  install backdoors in their code to monitor their customers whom they don’t trust or even steal their customers’ stolen data.

The constantly-changing world of attack toolkits in the underground economy strangely mirrors that of the more public world of software sales where companies vie for dominance and mergers take place. The successful attack toolkits are activity updated and have been around for a few years. The attack software has also led to a thriving business in providing post-sales services, Symantec reports. Attack kits are now “prevalent enough to support a services-based economy whereby the kit developers and others provide a range of additional, post-purchase services to enhance the profitability of the kits.”

Symantec reports on what appear to be online announcements related to ZeuS and SpyEye, whose developer was pushing it as a cheaper alternative to ZeuS. The SpyEye code even had a “Kill ZeuS” feature when it discovered ZeuS malware.

“Curiously, in October 2010 the developer of SpyEye (a/k/a Harderman) announced that he had officially acquired the ZeuS source code from the original ZeuS developer (a/k/a Slavik), who is apparently no longer involved with the development, sale or support of ZeuS,” the report notes. “Harderman also announced that he would be providing existing ZeuS customers with support services. There were also indications that Harderman was working to merge aspects of the SpyEye and ZeuS source code to form a more capable kit for future releases.”

In the post-script to its report, Symantec emphasizes the need for computer users to keep their software patched and running security-protection software as means for protecting against the proliferating variants of malware spawned by the attack toolkits in the hands of cybercriminals.

Read more about wide area network in Network World’s Wide Area Network section.