Finjan SecureBrowsing (a browser plug-in that adds safety ratings to the URLs of search results) uncovered a growing number of specific cases of crimeware toolkits used by criminals in August. Finjan had forecast the increased usage of crimeware toolkits by cybercriminals in its recently published quarterly and monthly reports. It identified 10 different types of crimeware toolkits in August alone. These crimeware toolkits are being sold by hackers for only a few hundred dollars, and are being used by criminals on the web today.
August’s crimeware toolkit list includes the known MPack, NeoSploit, IcePack, WebAttacker, WebAttacker2 and MultiExploit toolkits, as well as new toolkits such as random.js, vipcrypt, makemelaugh and dycrypt.
Each of these crimeware toolkits is updated frequently to include recent exploits and new anti-forensic techniques that allow it to escape detection by traditional signature-, reputation- and URL-based security products. The dozens of versions of each crimeware toolkit provide the basis for hundreds of unique toolkits in use by cybercriminals today.
During August, Finjan SecureBrowsing alerted users to crimeware found on compromised financial and government sites as well as on many top-ranked portals and Web 2.0 sites. On a single day during August, Finjan SecureBrowsing issued alerts on 300 unique MySpace profiles referencing potentially malicious content in profile layouts.
In addition, Finjan SecureBrowsing identified six active affiliation programs (iframedollar, iframebiz, iframe911, iframestat, Neon, Vera) that typically pay website owners for infecting their visitors with crimeware. Such affiliation programs utilize the “iframe” method described in detail in Finjan’s Web Security Trends Report Q2 2007. Each affiliation program is present on hundreds of websites, infecting their visitors for cash.
The prevalence of code obfuscation — a technique commonly used to bypass traditional signature-, reputation- and URL-based solutions that was predicted in Finjan’s Web Security Trends Report Q4 2006 — is also on a constant rise. An analysis of the Finjan SecureBrowsing data indicates a rise of more than 90% in the use of code obfuscation to infect end-user PCs with crimeware.