Salted Hash: Live from Black Hat USA (Day 1)

Earlier this morning, CSO published new information on the Magnitude Exploit Kit, a criminal project known for its ties to attacks on Yahoo and PHP.net, as well as several other websites. The story was made possible thanks to help from researchers at Trustwave.

Today’s update will examine some highlights from that research, with commentary from a few experts.

Magnitude isn’t an exploit kit you can just purchase; you have to know someone to gain access to it in order to manage a campaign. The friend-of-a-friend approach is useful, as it can protect the person responsible for the kit’s development, believed to be a single person located somewhere in Russia.

In exchange for access, Magnitude’s operator requires a percentage of the campaign’s traffic, usually 5 to 20 percent.

“This type of business plan is typical for now. Prior kits and campaigns allowed campaigners to pick and choose where their traffic went… The only difference here is that a percentage of the traffic is automatically funneled to a specific landing page of the kit’s authors,” said Pat Belcher, the Director of Security Analytics for Invincea.

By examining campaign logs from a recently finished run, and tracking the Bitcoin transactions referenced within them, Magnitude’s operator was generating a weekly income of $60,000 to $100,000 USD with the commissioned traffic.

Clearly, this business model is working. By taking the commissioned traffic and infecting it with CryptoDefense (a CryptoLocker variant), victims were forced to pay between $300 – $500 USD in order to get their files back. As long as this trend continues, that’s a yearly payday of nearly $3 million, simply by acting as a clearinghouse.

“It’s going to be an incredibly effective business model for a number of reasons,” explained Ryan Smith, VP and chief scientist at Accuvant.

By following this model, Magnitude’s controller has opened up the market and commanded the ability to reach customers that don’t have upfront cash to invest in similar kits. All it requires is some of their time.

Moreover, Magnitude has essentially solved the product IP problem, Smith added. Customers gain access to the features of the code and the administrative functions, but have no way to access the source.

“This type of innovation and those that will follow will create incrementally growing waves of exploitation as the adoption rate increases for more sophisticated tools. Also, I’d imagine we’ll see segmentation where people can focus on a single portion of exploitation: lure crafting, e-mail campaigns, malware creation, artifact monetization,” Smith said.

When it comes to exploits, there are three that Magnitude works with:

• CVE-2013-2551 (VML vulnerability in Internet Explorer 6-10)
• CVE-2013-2643 (Java
• CVE-2012-0507 (Java

The victim profile is straightforward – Magnitude only target’s Internet Explorer users. If a customer believes that another browser is exploitable, and worth the effort, they can email support, which will deal with the request on a case-by-case basis.

Based on the logs in the servers controlling a single, month-long campaign, there were 1.1 million systems directed to the kit’s landing pages recently, resulting in 210,000 confirmed infections. The Internet Explorer exploit alone had a success rate of 85 percent during the campaign.

Many of the locations with the highest victim counts have users on old systems, which rarely (if at all) see software updates.

The U.S. was the top location for victims by count (32,041), but Iran (30,436) and Vietnam (19,304), followed by Argentina (13,657), India (12,367), and Turkey (11,939) are where the majority of the victims reside.

In Vietnam, the success rate per attempted victim was 68 percent, followed by a 43 percent success rate in Iran. Argentina showed a recorded 31 percent success rate, and in each location the common factor was outdated software.

When asked if patching in these areas a hopeless situation, Accuvant’s director of research, Alex Wheeler, said that it isn’t – as long as software vendors innovate.

“Software companies need to innovate. Patches can’t require restarts. Upgrades should require no more than one click. Let the user work while patches are being applied. Upgrade downloads should [have the ability to resume]. Upgrading should have zero percent chance of bricking. [Software companies shouldn’t] require users to be on vulnerable versions for features they want, if it doesn’t fit your business model then change.”

However, even if that happens, it might not help. Tod Beardsley, the Metasploit engineering manager at Rapid7, said that he sees a two-tiered computing environment; one where PCs may be updated easily and regularly, but end-users are still left with devices they cannot control.

“Devices they are incapable of updating at any reasonable pace, or ever,” Beardsley said.

“Phones and tablets with slow release schedules for their vulnerable apps, and embedded/Internet of Things devices that have no reasonable firmware upgrade path (SOHO routers, thermostats, toasters). So, your PC may be rock solid, but your home network that PC lives on will be quite vulnerable to the enterprising Crimeware distributor.”

With that said, kits like Magnitude and the business process they are advancing, could represent the future of crime on the Internet. But only time will tell.