Hacking Toolkit Compromises Thousands Of Web ServersHacking Toolkit Compromises Thousands Of Web Servers

A hacking toolkit that enables allow cyber criminals to subvert computers and more effectively evade detection is responsible for compromising thousands of machines last month, according to Yuval Ben-Itzhak, CTO of security company Finjan.

In December 2007, Finjan identified more than 10,000 Web servers infected with a malicious hacking kit called "random js toolkit." In June, the company found an average of 30,000 newly infected malicious Web pages every day -- the result of "random js tookit" -- and the company claims the situation is much worse today.

Ben-Itzhak said the hacking kit is particularly difficult to deal with because it has been designed to hide from computer security researchers and security software.

The malicious software stores the IP addresses of Web crawlers -- used by search engines and security companies to analyze Web pages -- so it can identify them and serve them clean content. Visitors determined to be real people get malware.

The kit generates one-time use random URLs to prevent malicious Web pages from being blacklisted or analyzed by security researchers. And its infectious scripts are also dynamic, appearing to a new visitor and then never again.

"This malicious code will be served for users visiting the first time, but not the second time," said Ben-Itzhak. "The reason hackers are doing this is it's an anti-forensic technique." Finjan claims its real-time code analysis technology can detect the malware more effectively than signature-based techniques.

A single "random js toolkit" attack serves over 13 different exploits that attempt to infect the victim's computer, according to a report issued by Finjan. The exploits too are dynamic, and are changed to reflect vulnerabilities and patches on the victim's machine. This maximizes the chance of infection.

Unlike the technique of embedding hidden IFRAME elements in Web pages to fetch malware from a server other than the one being visited, "random js toolkit" exploits often come from trusted domains. This is because cyber criminals have been targeting the servers of legitimate organizations to deliver their malicious software. Of the 30,000 Web pages being infected daily as of last summer, Finjan said that 80% of them were located on legitimate hacked sites. If such attacks continue and prove effective, trusted brands will be trusted a lot less.

In its report on the "random js toolkit," Finjan said that it found infected Web sites in domains administered by U.C. Berkeley and Teagames Limited. The company said that it notified both organizations and that the hacked pages are no longer active.

According to a company spokesperson, other organizations with compromised Web servers -- recall that Finjan claims to have found 10,000 -- have been notified and their names are being withheld until they can address their security issues.

There are a handful of other hacking toolkits available besides "random js toolkit," including Dycrypt, IcePack, Makemelaugh, MPack, Multi Exploit Pack, Neosploit and Vipcrypt.

Finjan provided a screen shot of another hacking application, Web Attacker Toolkit, being sold online at a Russian e-commerce site in a "Light Edition" for $50, an "Econom Edition" for $100, and a "Professional Edition" for $150. Customer support and updates were available for $10 to $20 extra.

Hacking toolkits like MPack and Web Attacker ToolKit include online statistical reporting to help cyber criminals keep track of the number of systems they're infecting and other relevant data. That suggests there are a lot of hacked systems to manage.