Exposed: An Inside Look at the Magnitude Exploit Kit

An in-depth look at one of the Web's most famous crime kits

1 2 Page 2
Page 2 of 2

However, another part of the kit's success comes from the victim profile. While the U.S. was the top location for victims (32,041), it was Iran (30,436) and Vietnam (19,304), followed by Argentina (13,657), India (12,367), and Turkey (11,939), that accounted for a majority of the victim pool.

Many of the locations targeted have Internet users on old systems, which rarely (if at all) see software updates. This is especially true of systems located within Internet cafes or other public locations.

In the admin panel, there was a recorded success rare of 68 percent in Vietnam, followed by a 43 percent success rate in Iran; a 32 percent success rate in Argentina; a 31 percent success rate in Thailand and Peru; a 27 percent success rate for India and Turkey; and a 24 percent success rate for Korea, Spain, and Brazil. The U.S., where the majority of victims reside, only had a recorded success rate of nine percent.

So what will it take to get users in developing nations to upgrade? It is a hopeless situation?

"We tend to see higher infection rates in countries where pirated software is more common as software vendors often provide patches only to those customers with a valid license. It's often therefore not that users don't want to upgrade but are unable to and feel that's a reasonable trade off to get free software," explained Michael Sutton, the VP of Security Research for Zscaler.

When it came to the malware delivered by Magnitude, the kit's stats shows that there were 211 unique malware samples in rotation, and each victim could get five or six of them.

While some of the malware may be from the same family (e.g. Zeus), the signatures were different. Using VirusTotal, only 85 of the samples had detections registered. The other 126 samples were completely unknown at the time they were scanned.

To give an idea of the types of malware delivered to the victim (outside of the Zeus family of malware) the most recent Magnitude campaign observed used the following:

  • Alureon (TDSS), a known Trojan that targets financial data as well as usernames and passwords
  • CryptoWall, a known Ransomware family and source of Magnitude's financial stability
  • Necurs, another Trojan that attempts to disable AV software and download additional malware
  • Nymaim, a backdoor that injects itself into running processes
  • Simda, another backdoor that attempts to kill security software
  • Tepfer, an information stealing application that targets usernames and passwords
  • Vawtrak, a backdoor that injects itself into the browser and can provide control to the attacker, as well as target banking credentials

A criminal's business model:

"It was impressive to see how mature the cybercrime industry as become. In a way it's a negative reflection of legit business," Mador said, offering his initial reaction to what he learned about the kit's operation.

The bulk of Magnitude's success comes from its scalability. The person behind Magnitude can run the entire operation from a single server if need be. Yet, in order to keep things undetected, and to increase the overall odds of a given campaign's success, the infrastructure can be scaled up or down, at will.

When it comes down to it, be it a single server or eight of them working together for a single campaign, Magnitude could be a glimpse of what's to come in the world of Web-based crime.

Trustwave has said that additional details on Magnitude, as well as other related threats, will be added to their interactive Global Security Report, scheduled for release later today.

This story, "Exposed: An Inside Look at the Magnitude Exploit Kit" was originally published by CSO.

Related:

Copyright © 2014 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
Get the best of CIO ... delivered. Sign up for our FREE email newsletters!