Attack toolkits, such as Black Hole and Phoenix, put powerful automation in the hands of less-savvy cybercriminals, and features and capabilities added in recent years have only made these attack platforms more effective and more dangerous.
It is common for malware architects to update crimeware toolkits with new exploit capabilities a few short hours after a software maker issues patches to repair vulnerabilities, said Jason Jones, a security researcher at Hewlett-Packard Co.'s TippingPoint DVLabs. Jones is scheduled to talk about Web exploit toolkits and their sophistication at the 2012 Black Hat Briefings in Las Vegas. He said cybercriminals behind the attack toolkits not only license them to attackers, but also provide frequent updates and even support services.
"These guys are stepping up," Jones said in an interview with SearchSecurity.com. "We need to keep on our toes and pushing the envelope to protect users."
Security firms have been documenting a steady rise in attacks targeting Java, Adobe Flash and Microsoft vulnerabilities, fueled in large part by the Black Hole exploit kit. Like Phoenix and other attack toolkits, Black Hole had been sold on hacker forums, with an annual license going for as much as $1,500. Black Hole was made available for free download last year, creating the surge in Web-based attacks.
"Users need to patch their Java [installations], their Adobe software and their operating system vulnerabilities," Jones said. "These kits are not using zero-days; they cannot exploit you if you are patched."
Attack toolkits have a lot in common. A control panel helps the attacker configure the toolkit to carry out a range of attacks. Most can be configured to ignore a specific IP range, Jones said, in order to avoid attacking a security firm or another entity the attacker wants to leave alone. A dashboard typically displays reporting capabilities, letting the attacker know how many people viewed their attack pages and how many attacks were successful.
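The IP-range exclusion Jones describes has a direct consequence for defenders: a scanner or sandbox that visits a landing page from a range the kit operator has listed sees a benign page, so a "clean" verdict from a well-known analysis range is not evidence that the page is harmless. The following added example (not code from the article, HP DVLabs, or any toolkit) models that behaviour from the defender's side, so an analyst can check which of their own source addresses would have been filtered. The CIDR ranges, log lines and function names are all constructed for illustration.

```python
"""Model an exploit kit's IP-exclusion list from the defender's side.

Added example, not from the article or HP DVLabs. Every range, address and
log line below is constructed for illustration only.
"""
import ipaddress

# Constructed exclusion list in the style the article describes: ranges the
# kit operator does not want to serve exploit pages to.
EXCLUDED_RANGES = [
    "198.51.100.0/24",   # constructed: stand-in for a security vendor's scanner range
    "203.0.113.0/25",    # constructed: stand-in for a sandbox provider's range
]

# Constructed visitor log: timestamp, visitor IP, requested path.
VISITOR_LOG = """\
2012-07-20T10:00:01 192.0.2.15 /index.php
2012-07-20T10:00:05 198.51.100.77 /index.php
2012-07-20T10:00:09 203.0.113.40 /index.php
2012-07-20T10:00:12 203.0.113.200 /index.php
"""


def build_exclusions(cidrs):
    """Parse the CIDR strings once and collapse overlapping networks."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def is_excluded(ip, exclusions):
    """True if a kit using this list would suppress the exploit page for ip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in exclusions)


def classify_visitors(log_text, exclusions):
    """Map each visitor IP in the log to 'suppressed' or 'served'.

    'suppressed' means an analyst visiting from that address would have
    received the benign page and could wrongly conclude the site is clean.
    """
    verdicts = {}
    for line in log_text.splitlines():
        _timestamp, ip, _path = line.split()
        verdicts[ip] = "suppressed" if is_excluded(ip, exclusions) else "served"
    return verdicts


if __name__ == "__main__":
    exclusions = build_exclusions(EXCLUDED_RANGES)
    for ip, verdict in classify_visitors(VISITOR_LOG, exclusions).items():
        print(f"{ip:16} {verdict}")
```

The practical takeaway is to verify suspicious pages from an address the operator has no reason to list (for example, a residential or freshly provisioned egress) and to treat a benign result from a known vendor range as inconclusive rather than as a clean bill of health.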
Attack toolkits can contain as few as four exploits or up to a dozen or more. The longer a kit is around, Jones said, the more exploits it accumulates.
Attack toolkits are largely from Eastern Europe, Jones said, but newer exploit kits are emerging from Asia. While these newer toolkits aren't as sophisticated, they have been offering exploits for more recently disclosed vulnerabilities. The kits have fueled competition, pushing toolkit authors to rush updates to license holders.
"The Chinese exploit kits were taking market share because they could get more recent vulnerabilities in their kit," Jones said. "They see the success that these other guys are having and they may think they will have the same success or do it better."