What security measures can be taken to stop crimeware kits?

What defensive measures have been put in place to stop the sale of crimeware kits like MPack? How big of a threat are they to the enterprise?

MPack is a nasty piece of work. Written by a group of Russian developers, MPack is modular PHP code that bad guys place on compromised Web servers. When users surf to an MPack'ed server, their browsers are pummeled with a barrage of client-side exploits that try to install bots, keystroke loggers, rootkits and other malware on the unsuspecting victims' machines.

The MPack developers sell their creation, which they keep up to date with the latest exploits, to a series of organized crime groups, and they do so for about $1,000 per toolkit. In July 2007, SecurityFocus posted a pretty spooky interview with the MPack developers, known as the "Dream Coders Team," in which they describe their business model and practices. In August 2007, MPack developers were implicated in an attack against the Bank of India's Web site, which was compromised and served up 22 different exploits to unsuspecting surfers.

These types of crimeware tools are a significant threat to the enterprise, because they represent a major vector by which malware propagates today. Enterprises that don't have thoroughly patched browsers, PDF readers, media players and other client-side software are very likely to get compromised by MPack and similar tools. Once the bad guys have control of an internal enterprise network's machines, they can steal sensitive information, resulting in significant damages to an organization's profits and reputation.

From a defensive standpoint, there's not a lot that law enforcement can do to prevent the sale of this code. First off, most of the code is developed overseas, in countries where law enforcement lacks the resources to stop, or even track, such transactions. Furthermore, in many countries, the sale of such code isn't a crime in and of itself.

Thus, our best defense against these exploit-distributing attacks is to keep our Web servers hardened. The Center for Internet Security features downloadable hardening guides, many of them for specific types of Web servers. Furthermore, clients must be patched thoroughly, especially browsers and third-party client software, to minimize the chance of exploitation. Check out my recent tip that describes methods for patching third-party applications on Windows systems.
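Because kits like MPack live as PHP files an attacker drops onto a compromised server, one concrete hardening control is a file-integrity check of the document root that flags new or changed server-side code. The following is an added example, not code from the original answer; the file names, the PHP suffix list and the sample site in demo() are constructed assumptions.

```python
# Added example (not from the original article): baseline a web root at
# deploy time, then flag added or modified files the server would execute.
import hashlib
import json
import tempfile
from pathlib import Path

CODE_SUFFIXES = (".php", ".phtml", ".php3", ".php5")  # assumed: a PHP-serving host

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(webroot: str) -> dict:
    """Return {relative_posix_path: sha256} for every regular file under webroot."""
    root = Path(webroot)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_webroot(webroot: str, baseline: dict) -> dict:
    """Diff the live tree against a trusted baseline. 'alerts' are added or
    modified files with an executable suffix: the ones worth an incident
    response rather than a routine change ticket."""
    current = build_baseline(webroot)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current.keys() & baseline.keys()
                      if current[p] != baseline[p])
    alerts = [p for p in sorted(added + modified)
              if Path(p).suffix.lower() in CODE_SUFFIXES]
    return {"added": added, "removed": removed, "modified": modified, "alerts": alerts}

def demo() -> dict:
    """Constructed scenario: baseline a tiny site, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "img").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "img" / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = build_baseline(tmp)
        # Constructed attacker activity: a dropped script, an injected page, a changed image.
        (root / "img" / "gate.php").write_text("<?php /* constructed dropper */ ?>")
        (root / "index.php").write_text("<?php echo 'hello'; /* injected */ ?>")
        (root / "img" / "logo.png").write_bytes(b"\x89PNG different")
        return check_webroot(tmp, baseline)
```

Store the baseline off the server (or at least outside the web root) so an attacker who can write PHP files cannot also rewrite the manifest, and run the check from cron or your monitoring agent.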

More information:

  • Yuval Ben Itzak talks about the growing use of crimeware kits.
  • The sale of crimeware kits is skyrocketing, according to a report issued by security vendor Symantec Corp.
  • This was first published in February 2008