One-in-Four Hackers Runs Opera to Ward Off Other Criminals
Hackers using multi-exploit attack "toolkits" take defensive measures of their own against other criminals, a security researcher said today.
Thu, August 20, 2009
Computerworld — Hackers using multi-exploit attack "toolkits" take defensive measures of their own against other criminals, a security researcher said today.
Slideshow: When Rogue IT Staffers Attack: 8 Organizations That Got Burned
"Exploit kit operators do use mainstream browsers, but they're much more likely to use Opera than the average user, because they know that the browser isn't targeted by other hackers," said Paul Royal, a principal security researcher with Atlanta-based Purewire.
While the most generous Web measurements peg Opera, a browser made by Norwegian company Opera Software, at a 2% share of the global market, 26% of the hackers who Purewire identified use the far-from-popular application.
Because of its small market share, few hackers bother to unleash exploits for Opera vulnerabilities, said Royal.
Purewire obtained this insight, and others, by infiltrating hackers' systems using a bug in the analytics software included with a pair of hacker toolkits, notably one dubbed "LuckySploit," said Royal. "We forged a 'refer' field and put in a little JavaScript," he explained, "and that revealed the hackers to us via their IP addresses."
Out of 51 exploit kit-using hackers, Purewire's tactic successfully identified the IP addresses of 15, as well as the browsers they ran. "We essentially did a code audit," said Royal. "Even criminals who attack others cannot architect reliable software," he added, talking about the vulnerabilities in the toolkits.
Most multi-strike attack kits, including LuckySploit, serve up a grab bag of exploits, including code that leverages vulnerabilities in Microsoft's Internet Explorer (IE), in ActiveX controls that IE uses, and in Adobe's Flash Player and Reader.
Criminals also try to hide from law enforcement by distancing themselves from the servers that host their exploit kits, said Royal. Of the 15 hackers Purewire identified, only two -- both with IP addresses traced to Latvia -- resided in the same country that also hosted the system containing their attack kit.
Most had at least one country between where they lived and where their malware-serving machine was located.
"This is a first stab," Royal said when asked what value could be placed on the information Purewire rooted out. "If we can discover the IP addresses of exploit kit operators, we can then turn that over to law enforcement."
Exploit toolkits are a prominent weapon in hacker arsenals, especially for "drive-by" attacks launched when unwary users are tricked into visiting Web sites by spam. Last month, for example, thousands of legitimate, but compromised, sites served up a multi-strike kit that included an exploit of a then-unpatched vulnerability in a Microsoft-made ActiveX control.
