Security researchers are reminding businesses to bolster computer security measures as two of the most widely used do-it-yourself cybercrime kits are soon to be combined into one super kit.
Attack toolkits or crimeware are convenient packages sold online to hackers that want to steal personal information and get access to bank accounts without having to do all the code work themselves. The kits come with prewritten code for exploiting many publically known vulnerabilities and can also include tools to deploy the attacks. Many even come with support contracts, according to security vendor Symantec Corp.
Zeus is one of the most infamous kits. In 2009, Symantec noted 90,000 variants of the kit being put to use. It has been used to siphon millions of dollars out of victims’ bank accounts. But the buzz in the online underground community is that the creator of Zeus has retired and handed over all of his code to an old rival, says Marc Fossi, manager of development, security response at Symantec.
“This is something we’re going to be fighting for a while,” he says. “It’s not just profitable, but fairly lucrative. It’s a desirable thing for the criminal element to get into.”
Symantec’s attack kit evolution timeline. Click for a larger image.
“Slavik,” the author of Zeus, handed over the kit’s source code to “Gribodemon” who is the author of SpyEye. SpyEye was noted in the research community last year for including a measure that sought out any traces of Zeus on an infected PC and eradicated it, allowing total control of the machine.
Now the security research community is expecting a new toolkit that combines the features of both to be released to the market, says Kevin Stevens, a senior threat researcher at Trend Micro. Development on the SpyEye toolkit has stopped and its expected an update to Zeus will improve it with the core SpyEye features previously not supported by Zeus.
“The talk is that Gribodemon is still working on coding up whatever this new thing is going to be,” Stevens says.
Related Story: Trojan behind phishing scam can be found via Google
There’s a silver lining to the deal – the new kit is likely to be more expensive to buy because there’s less competition in the marketplace. That could mean less casual cybercriminals can afford to buy it.
“When SpyEye first came out, you could get it for $300,” Stevens says. “So people without a whole lot of money could get a hold of it and start causing damage.”
But combining the two toolkits will make a more effective attack mechanism, Fossi says. While Zeus was used only to create information-stealing Trojans, SpyEye has the capacity to spread those Trojans and orchestrate attacks.
Attack toolkits typically sell on the Web from $300 to $2,000, according to Symantec. The economic success of this model of cybercrime is being credited as the reason that Web-based attacks have grown exponentially over the last couple of years.
“Kits are driving much of the attack activity online right now,” Fossi says. Smaller businesses are often a prime target for cybercriminals using the toolkits, because they have larger bank accounts than individuals and lack the security rigour of lager enterprises.
For businesses and end users looking to secure systems against the toolkit attack deluge, it’s the standard practice of keeping your software up to date by applying patches and using intrusion detection as well as anti-virus. But now those patches must be deployed much more quickly because there’s a higher likelihood an exploit will be attacked.
Kit authors “are taking publically available exploits and dropping them into kits,” Fossi says. “They get out there a lot quicker than before.” There’s also a greater risk of being hit by an exploit that hasn’t been patched by a software vendor.
The Zeus kit is known as being effective at evading anti-virus software. Security vendor Trusteer reported in September 2009 that 55 per cent of Zeus-infected PCs had up-to-date anti-virus installed.
The toolkits are also as easy to find as conducting a Google search.
Brian Jackson is a Senior Writer at ITBusiness.ca. Follow him on Twitter, read his blog, and check out the IT Business Facebook Page.
