Article

Siberia exploit toolkit gets update to evade antivirus

Robert Westervelt, News Director

The creators of the Siberia Exploits Kit have recently given it an update, enabling attackers to design more custom malware that can bypass antivirus and remain virtually undetectable on systems.

    Requires Free Membership to View

Siberia is another exploit kit catching up to some of its competitors in what is quite a busy market space.

Ed Rowley,
product managerM86 Security

The new automated features in Siberia can test malware success rates against signature-based antivirus engines. It uses a service called Scan4you, which doesn't report malware samples to security vendors.

Researchers at UK-based M86 security, who recently noted the changes, said the update brings Siberia more in line with its more popular competitors, including the Eleonore Exploit Kit, which can be purchased by cybercriminals on various underground hacker forums. Toolkits like Siberia and Eleonore can sell for as little as $300 and up to $1,500 for a package that includes software updates and additional modules such as encryption, said Ed Rowley, a product manager of M86 Security.

"Siberia is another exploit kit catching up to some of its competitors in what is quite a busy market space," Rowley said. "We frequently suspect that it is the same criminal gangs at it as they sell off their toolkits using a channel of resellers."

Siberia first surfaced in 2009 and has many of the characteristics of the now defunct Napoleon Exploit Pack. It been used in a variety of attacks against specific targets in Europe, South America and Asia.

Siberia's use of antivirus and URL filtering service Scan4you is similar to the VirusTotal service, which can be used by the public to check malware samples. Scan4you charges about 15 cents to check each sample against more than two dozen antivirus engine signatures. Rowley said the use of Scan4you is a fairly manual process, but it does improve the success rate of malware campaigns by enabling attackers to weed out malware that can be detected by traditional signature-based technologies.

Nearly all the toolkits on the market provide detailed reports outlining a campaign's success rate and enabling attackers to conduct more targeted campaigns. A recent attack on UK computer users in July targeted the customers of a specific bank, Rowley said.

Researchers have been studying the techniques used in exploit kits to evade detection. The Phoenix Exploit Kit is an example of the growing sophistication of the automated toolkits, Rowley said. Phoenix, which also surfaced in 2009 can circumvent recognition by URL filtering services by providing its owner the option to check whether a malicious domain has been blacklisted by malware researchers at security vendors. Phoenix also offers a paid service to its users, enabling them to re-encrypt exploits when the file has been detected by an antivirus vendor.

"Signature-based engines tend to be broadly catching malware, but unfortunately it's quite after the fact," Rowley said. "It's getting more difficult to keep up with their evasion techniques."


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: